Upgrade using ROM Monitor Mode

If you try to upgrade a PIX 515 (not a PIX 515E) or a PIX 535 from Version 6.3 to 7.0, you might run into a problem with the Flash, as shown in Example 3-15. PIX Version 6.3 can access only 8 MB of the 16 MB of onboard Flash under its normal mode of operation. This means that if your PIX 515 or 535 has a PDM image installed, you will not be able to upgrade via "copy tftp flash", because there is not enough available space in Flash. You must instead load the image from Monitor mode and boot into 7.0, which converts the file system, and then copy the same 7.0 image over again to save it in Flash. If you attempt to upgrade via "copy tftp flash", you will receive the following error:

Example 3-15. Insufficient flash

PIX# copy tftp://20.1.1.100/cdisk flash:
copying tftp://20.1.1.100/cdisk to flash:image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!
! Output is suppressed
!!!!!!!!!!!!
Received 4902912 bytes
Erasing current image
! Insufficient flash space available for this request:
Size info:request:4849720 current:1941560 delta:2908160 free:1310720
Image not installed
PIX#

Work through the following steps to upgrade the PIX firewall to Version 7.0 from ROM Monitor mode on PIX 515 and PIX 535:

1.
Download the PIX 7.x image from the following location and copy it to the root directory of the TFTP server: http://www.cisco.com/cgi-bin/tablebuild.pl/pix



2.
Enter into Monitor Mode.

Work through the following steps to enter into the Monitor mode:

a. Connect a console cable to the console port on the PIX using the following communication settings:

9600 bits per second
8 data bits
no parity
1 stop bit
no flow control

b. Power cycle or reload the PIX. During bootup you will be prompted to use BREAK or ESC to interrupt Flash boot. You have 10 seconds to interrupt the normal boot process.

c. Press the ESC key or send a BREAK character to enter monitor mode. If you are using Windows HyperTerminal, you can press the ESC key or send a BREAK character by pressing Ctrl+Break. If you are using Telnet through a terminal server to access the console port of the PIX, press Ctrl+] (Control + Right bracket) to get to the Telnet command prompt, and then enter the send break command.

d. This brings up monitor mode with the monitor> prompt.

e. Define interface settings in the ROM Monitor mode.

Enter the interface number that the TFTP server is connected to. The default is interface 1 (Inside).

monitor> interface 

The command to use the inside interface should look like the following:

monitor> interface 1

Remember that in Monitor Mode, the interface will always auto-negotiate the speed and duplex. The interface settings cannot be hard-coded. Therefore, if the PIX interface is plugged into a switch that is hard-coded for speed and duplex, you must reconfigure it to auto-negotiate while you are in Monitor Mode. Also be aware that the PIX firewall cannot initialize a Gigabit Ethernet interface from Monitor Mode. You must use a Fast Ethernet interface instead.

Enter the IP address of the interface just defined with the following command:

monitor> address 

To assign IP address 10.1.1.1, use the following command:

monitor> address 10.1.1.1

3.
(Optional) Enter the IP address of your gateway. A gateway address is required if the PIX's interface is not on the same network as the TFTP server.

monitor> gateway 

If your TFTP server is on a different network (for example, the 172.16.171.0/24 network), define the default gateway so that the PIX knows how to reach it.

monitor> gateway 10.1.1.100



4.
Enter the IP Address of the TFTP server with the following command:

monitor> server 

If the TFTP server IP address is 172.16.171.1, configure the following:

monitor> server 172.16.171.50

5.
Enter the name of the file on the TFTP server that you wish to load. This will be the PIX binary image file name.

monitor> file 

For example, if you are trying to install the image pix702.bin, your configuration will look like this:

monitor> file pix702.bin

6.
Verify IP connectivity by pinging from the PIX to the TFTP server. If the pings fail, double-check the cables, the IP addresses of the PIX interface and the TFTP server, and the IP address of the gateway (if needed). The pings must succeed before continuing.

monitor> ping 

For example, if you have the TFTP server with IP address 20.0.0.101, you can ping as follows:

monitor> ping 172.16.171.50
Sending 5, 100-byte 0xc56 ICMP Echoes to 20.0.0.101, timeout is 4 sec
!!!!!
Success rate is 100 percent (5/5)
monitor>

7.
Start the TFTP download by typing "tftp" as follows:

monitor> tftp

The PIX will download the image into RAM and will automatically boot it. During the boot process, the file system will be converted along with your existing configuration. However, you are not finished yet. Note the following warning message after booting.

************************************************************************
** **
** *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** **
** **
** ----> Current image running from RAM only! <---- **
** **
** When the PIX was upgraded in Monitor mode the boot image was not **
** written to Flash. Please issue "copy tftp: flash:" to load and **
** save a bootable image to Flash. Failure to do so will result in **
** a boot loop the next time the PIX is reloaded. **
** **
************************************************************************

After the image has been copied, wait for the PIX to return to the normal prompt. (This may take from 3 minutes on a PIX 525 to 10 minutes on a PIX 515.)



8.
Once the PIX has booted, enter enable mode and copy the same image over to the PIX again, but this time using the copy tftp flash command. This saves the image into the Flash file system. Failure to perform this step will result in a boot loop the next time the PIX is reloaded.

PIX> enable
PIX# configure terminal
PIX(config)# interface ethernet 1
PIX(config-if)# ip address 10.1.1.1 255.255.255.0
PIX(config-if)# exit
PIX(config)# exit

Use the following command to upgrade the PIX:

copy tftp[:[[//location] [/tftp_pathname]]] flash[:[image | pdm]]

The following example shows the upgrade procedure:

PIX# copy tftp://20.0.0.101/cdisk.7.0.80.245 flash:
Address or name of remote host [20.0.0.101]?
Source filename [cdisk.7.0.80.245]?
Destination filename [cdisk.7.0.80.245]?

9.
Once the image is copied over using the copy tftp: flash: command, the upgrade process is complete.

10.
Execute the following command to verify that the image file is loaded in Flash:

PIX# show flash
Directory of flash:/
-rw- 2024 05:31:23 Apr 23 2004 downgrade.cfg
-rw- 4644864 06:13:53 Apr 22 2004 cdisk.7.0.80.245

11.
Set the boot image with the boot system flash:/ command as follows:

PIX# configure terminal
! In this case "boot system flash:cdisk.7.0.80.245" to boot from the new image.
PIX(config)# boot system flash:/cdisk.7.0.80.245
! Enter the write memory command to update the flash configuration file.
PIX(config)# write memory

12.
Enter the reload command:

PIX(config)# reload

13.
Execute the show version command and make sure the new version is shown in Flash.
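
The two failure states in this procedure, the refused copy in Example 3-15 and the RAM-only warning after step 7, can be picked out of a saved console capture before anyone issues a reload. The following Python script is an added example, not part of the original text and not Cisco tooling; the function names and the sample capture are constructed here, and reading delta as request minus current is inferred from the numbers in Example 3-15.

```python
import re

# Constructed capture: lines copied from the outputs shown on this page.
SAMPLE_LOG = """\
PIX# copy tftp://20.1.1.100/cdisk flash:
Received 4902912 bytes
! Insufficient flash space available for this request:
Size info:request:4849720 current:1941560 delta:2908160 free:1310720
Image not installed
** ----> Current image running from RAM only! <---- **
"""

SIZE_RE = re.compile(r"Size info:request:(\d+) current:(\d+) delta:(\d+) free:(\d+)")
FILE_RE = re.compile(r"^-rw-[ \t]+\d+[ \t]+.*[ \t](\S+)$", re.M)  # show flash rows
BOOT_RE = re.compile(r"^PIX\(config\)# boot system flash:/?(\S+)", re.M)


def flash_shortfall(log):
    """Bytes by which the rejected copy exceeds free flash, or None."""
    m = SIZE_RE.search(log)
    if m is None:
        return None
    request, current, delta, free = map(int, m.groups())
    # On this page delta == request - current: the growth over the installed
    # image. The copy is refused when that growth is larger than free space.
    return max(delta - free, 0)


def triage(log):
    """Return a list of findings for one captured upgrade session."""
    findings = []
    shortfall = flash_shortfall(log)
    if shortfall:
        findings.append(f"flash short by {shortfall} bytes; load the image from monitor mode")
    images = set(FILE_RE.findall(log))
    if "Current image running from RAM only!" in log and not images:
        findings.append("image is in RAM only; reload now would boot-loop")
    for target in BOOT_RE.findall(log):
        if target not in images:
            findings.append(f"boot system names {target}, absent from show flash")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An empty list from triage() means the capture shows an image in Flash and a boot system line that points at it, which is the state steps 10 and 11 are meant to confirm.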