Upgrading PIX Firewall in a Failover Setup

Upgrading the PIX Appliance from 6.x to 7.x is a major upgrade. It cannot be accomplished without downtime, even for PIXen in a failover set. Note that many of the failover commands change with the upgrade.

The recommended upgrade path is to power down one of the PIXen in the failover set, then follow the preceding instructions to upgrade the powered-on PIX. Once the upgrade is complete, verify that traffic is passing, and also reboot the PIX once to verify that it comes back up without issue. Once you are satisfied that everything is working properly, power off the newly upgraded PIX and power on the other PIX. Then follow the instructions above to upgrade that PIX. Once the upgrade is complete, verify that traffic is passing, and also reboot the PIX once to verify that it comes back up without issue. Once you are satisfied that everything is working properly, power on the other PIX.

Both PIXen should now be upgraded to 7.0 and powered on. Verify that they establish failover communications properly by issuing the show failover command.

Note

The PIX now enforces the restriction that any interface passing data traffic cannot also be used as the LAN failover interface or the stateful failover interface. If your current PIX configuration has a shared interface that passes normal data traffic as well as the LAN failover information or the stateful information, data traffic will no longer pass through this interface after you upgrade. All commands associated with that interface will also fail.


An upgrade from PIX 6.x to 7.x requires a minimum of network downtime because of the incompatibility between the different image versions. From 7.0 to 7.0x, you can upgrade without downtime if stateful failover is configured.
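
The shared-interface restriction in the note above can be checked against a saved 6.x configuration before the upgrade. The following is an added example, not code from the original text or from Cisco: it flags any interface named in failover lan interface or failover link that is also referenced by nat, global, static, route, or access-group commands. Treating those references as evidence of data traffic is an assumption of this example, and the sample configuration is constructed.

```python
import re

# Constructed PIX 6.x configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 fo security90
access-group acl_out in interface outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (dmz,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
failover
failover lan interface fo
failover link dmz
"""

# Assumption: an interface named in any of these commands carries data traffic.
DATA_PATTERNS = [
    re.compile(r"^(?:nat|global)\s+\(([\w-]+)\)"),
    re.compile(r"^static\s+\(([\w-]+),([\w-]+)\)"),
    re.compile(r"^route\s+([\w-]+)\s"),
    re.compile(r"^access-group\s+\S+\s+in\s+interface\s+([\w-]+)"),
]
FAILOVER_PATTERNS = {
    "LAN failover": re.compile(r"^failover\s+lan\s+interface\s+([\w-]+)"),
    "stateful failover": re.compile(r"^failover\s+link\s+([\w-]+)"),
}

def find_shared_failover_interfaces(config_text):
    """Return (role, interface, data_lines) for failover interfaces that data commands also use."""
    data_refs = {}        # interface name -> data-path lines that reference it
    failover_roles = []   # (role, interface name) in configuration order
    for raw in config_text.splitlines():
        line = raw.strip()
        for role, pattern in FAILOVER_PATTERNS.items():
            match = pattern.match(line)
            if match:
                failover_roles.append((role, match.group(1)))
        for pattern in DATA_PATTERNS:
            match = pattern.match(line)
            if match:
                for name in match.groups():
                    data_refs.setdefault(name, []).append(line)
    return [(r, n, data_refs[n]) for r, n in failover_roles if n in data_refs]

if __name__ == "__main__":
    for role, name, lines in find_shared_failover_interfaces(SAMPLE_CONFIG):
        print(f"{role} interface '{name}' is shared with data traffic: {lines}")
```

An empty result means that no failover interface appears in the data-path commands this example inspects; it does not rule out other uses of the interface.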

Connection Issues Across PIX Firewall

Figure 3-4 shows a typical deployment of the PIX firewall in the network.