Cisco PIX Firewall and VPN Configuration Guide, Version 6.3
Changing Feature Licenses and System Software
Downloads: This chapterpdf (PDF - 310.0KB) The complete bookPDF (PDF - 11.78MB) | Feedback

Changing Feature Licenses and System Software

Table Of Contents

Changing Feature Licenses and System Software

Verifying Your Current Software Version

Upgrading Your License by Entering a New Activation Key

Obtaining an Activation Key

Entering a New Activation Key

Troubleshooting the License Upgrade

Using HTTP to Copy Software and Configurations

Copying PIX Firewall Configurations

Copying a PIX Firewall Image or PDM Software

Downloading the Current Software

Getting a TFTP Server

Downloading Software from the Web

Downloading Software with FTP

Installing and Recovering PIX Firewall Software

Installing Image Software from the Command Line

Using Monitor Mode to Recover the PIX Firewall Image

Using Boothelper

Get the Boothelper Binary Image

Preparing a Boothelper Diskette with UNIX, Solaris, or LINUX

Preparing a Boothelper Diskette on a Windows System

Downloading an Image with Boothelper

Downgrading to a Previous Software Version

Upgrading Failover Systems from a Previous Version

Upgrading Failover Systems from the CLI

Upgrading Failover Systems Using Monitor Mode

Upgrading Failover Systems Using Boothelper

TFTP Download Error Codes


Changing Feature Licenses and System Software


This chapter describes how to change (upgrade or downgrade) the feature license or software image on your Cisco PIX Firewall. It contains the following sections:

Verifying Your Current Software Version

Upgrading Your License by Entering a New Activation Key

Using HTTP to Copy Software and Configurations

Downloading the Current Software

Installing and Recovering PIX Firewall Software

Downgrading to a Previous Software Version

Upgrading Failover Systems from a Previous Version

TFTP Download Error Codes

PIX Firewall displays a warning message if the configuration file (stored in Flash memory) is newer than the PIX Firewall software version currently being loaded. This message warns you of the possibility of unrecognized commands in the configuration file. For example, if you install Version 6.0 software when the current version is 6.2, the following message appears at startup:

Configuration Compatibility Warning:
 The config is from version 6.2(1).
 but the image is version 6.0(1).

In the message, "config" is the version in Flash memory and "image" is the version you are installing.


Caution Before upgrading from a previous version, save your configuration and write down your activation key.

Verifying Your Current Software Version

To verify your current sofware version, enter the following command in User EXEC mode:

hostname> show version

Cisco PIX Firewall Version 6.3(5)

Compiled on Thu 04-Aug-05 21:40 by morlee
...

The first line in the show output displays the current sofware version running on the device.

Upgrading Your License by Entering a New Activation Key

This section describes how to upgrade your PIX Firewall license and includes the following topics:

Obtaining an Activation Key

Entering a New Activation Key

Troubleshooting the License Upgrade

Obtaining an Activation Key

To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps:


Step 1 Connect a web browser to one of the following websites (the URLs are case-sensitive):

Use the following website if you are a registered user of Cisco Connection Online:

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet

Use the following website if you are not a registered user of Cisco Connection Online:

https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet

Step 2 Obtain the serial number for your PIX Firewall by entering the following command:

show version

Step 3 Enter the following information, when prompted:

Your Product Authorization Key

The serial number for your PIX Firewall.

Your email address.

The activation key will be automatically generated and sent to the email address that you provide.


Entering a New Activation Key

PIX Firewall Version 6.2 or higher provides a method of upgrading or changing the license for your PIX Firewall remotely without entering monitor mode and without replacing the software image. With this feature, you can enter a new activation key for a different PIX Firewall license from the command-line interface (CLI).

Before entering the activation key, ensure that the image in Flash memory and the running image are the same. You can do this by rebooting the PIX Firewall before entering the new activation key.


Note You must reboot the PIX Firewall after entering the new activation key for the change to take effect in the running image.


To enter an activation key, enter the following command:

activation-key activation-key-four-tuple

In this command, replace activation-key-four-tuple with the activation key you obtained with your new license.

For example:

activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234

The leading "0x" hexadecimal indicator is optional. If it is omitted, the parameter is assumed to be a hexadecimal number, as in the following example.

activation-key   12345678   abcdef01   2345678ab   cdef01234

After you enter the activation key, the system displays the following output when the activation key has been successfully changed:

pixfirewall(config)# activation-key 0x01234567 0x89abcdef01 0x23456789 0xabcdef01
Serial Number: 12345678 (0xbc614e)

Flash activation key: 0xyadayada 0xyadayada 0xyadayada 0xyadayada
Licensed Features:
Failover:       yada
VPN-DES:        yada
VPN-3DES:       yada
Maximum Interfaces:     yada
Cut-through Proxy:      yada
Guards:         yada
Websense:       yada
Throughput:     yada
ISAKMP peers:   yada

The flash activation key has been modified.
The flash activation key is now DIFFERENT than the running key.
The flash activation key will be used when the unit is reloaded.
pixfirewall(config)#
-----

As indicated by this message, after entering the new activation key, you must reboot the PIX Firewall to enable the new license.

If you are upgrading the image to a newer version and the activation key is also being changed, reboot the system twice, as shown in the following procedure:

1. Install the new image.

2. Reboot the system.

The newer image can use the old key because all license keys are backward compatible, so the reload should not fail because of a bad activation key.

3. Update the new activation key.

4. Reboot the system.

After the key update is complete, the system is reloaded a second time, so the updated licensing scheme can take effect in a running image.

If you are downgrading an image, you only need to reboot once, after installing the new image. In this situation, the old key is both verified and changed with the current image, then the image can be updated and finally the system is reloaded.

Troubleshooting the License Upgrade

Table 11-1 lists the messages that the system displays when the activation key has not been changed:

Table 11-1 Troubleshooting the License Upgrade

System Message Displayed
Resolution

The activation key you entered is the same as the Running key.

Either the activation key has already been upgraded or you need to enter a different key.

The Flash image and the Running image differ.

Reboot the PIX Firewall and reenter the activation key.

The activation key is not valid.

Either you made a mistake entering the activation key or you need to obtain a valid activation key.


Problems may occur if an image is copied to Flash memory using the copy tftp flash:image command that is not compatible with the activation key in the Flash memory. You may need to use a different activation key and/or install from monitor mode or Boothelper to restore the unit if this happens.

To view your current activation key, enter the following command:

show activation-key

Example 11-1, Example 11-2, and Example 11-3 show the output from this command under different circumstances.

Example 11-1 Show activation-key—Flash Key and Image Same as Running

pixfirewall(config)# show activation-key
Serial Number: 12345678 (0xbc614e)

Running activation key: 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

The flash activation key is the SAME as the running key.

Example 11-2 Show activation-key—Flash Key Differs from Running Key

pixfirewall(config)# show activation-key
Serial Number: 12345678 (0xbc614e)

Running activation key: 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

Flash activation key: 0xyadayada 0xyadayada 0xyadayada 0xyadayada
Licensed Features:
Failover:       yada
VPN-DES:        yada
VPN-3DES:       yada
Maximum Interfaces:     yada
Cut-through Proxy:      yada
Guards:         yada
Websense:       yada
Throughput:     yada
ISAKMP peers:   yada

The flash activation key is DIFFERENT than the running key.
The flash activation key takes effect after the next reload.

Example 11-3 Show activation-key—Flash Image Differs from Running Image

pixfirewall(config)# show activation-key
Serial Number: 12345678 (0xbc614e)

Running activation key: 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

The flash image is DIFFERENT than the running image.
The two images must be the same in order to examine the flash activation key.
pixfirewall(config)#
------------

Using HTTP to Copy Software and Configurations

PIX Firewall Version 6.2 or higher includes an HTTP client that lets you use the copy command to retrieve PIX Firewall configurations, software images, or Cisco PIX Device Manager (PDM) software from any HTTP server. This section describes how to do this and includes the following topics:

Copying PIX Firewall Configurations

Copying a PIX Firewall Image or PDM Software

Copying PIX Firewall Configurations

To retrieve a configuration from an HTTP server, enter the following command:

configure http[s]://[user:password@]location[:port]/pathname

SSL will be used when https is entered. The user and password options are used for basic authentication when logging in to the server. The location option is the IP address (or a name that resolves to the IP address) of the server. The port option specifies the port to contact on the server. It will default to 80 for HTTP and 443 for HTTPS. The pathname option is the name of the resource that contains the configuration to retrieve.

Copying a PIX Firewall Image or PDM Software

To copy a PIX Firewall software image or PDM software from an HTTP server, enter the following command:

copy http[s]://[user:password@]location[:port]/pathname flash[:[image | pdm]]

SSL will be used when https is entered. The user and password options are used for basic authentication when logging in to the server. The location option is the IP address (or a name that resolves to the IP address) of the server. The port option specifies the port to contact on the server. It will default to 80 for HTTP and 443 for HTTPS. The pathname option is the name of the resource that contains the image or PDM file to copy.

The output of this command is the same as that from the copy tftp command. For an image, the success and failure responses, respectively, are as follows:

Image installed

Image not installed

Downloading the Current Software

This section includes the following topics:

Getting a TFTP Server

Downloading Software from the Web

Downloading Software with FTP

If you have a Cisco.com account, you can obtain software from the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

The software available at this website includes the following items (replace nn with the latest version available):

bhnnn.bin—Lets you create a "Boothelper" installation diskette required to download PIX Firewall software from a TFTP server.

pix6nn.bin—The latest software image. Place this image in the TFTP directory so it can be downloaded to the PIX Firewall unit.

pfss512.exe—Contains the PIX Firewall Syslog Server (PFSS), supported on Windows NT, 2000, or XP. After installation, this receives syslog messages from the PIX Firewall and store them in daily log files. The PIX Firewall sends messages to the PFSS via TCP or UDP and can receive syslog messages from up to 10 PIX Firewall units.

rawrite.exe—A program you use to create a Boothelper diskette for the PIX Firewall.

Getting a TFTP Server


Note If you are using a PIX Firewall unit that contains a diskette drive, use a "Boothelper" diskette to download the PIX Firewall image with TFTP. If your site has a Cisco router, the use of TFTP is similar to the way you download Cisco IOS software to your router.


You should have a TFTP server to install the PIX Firewall software.


Note If the PIX Firewall hangs during a TFTP file transfer, press Esc to abort the TFTP session and return to the command prompt.


Cisco.com account, you can download a TFTP server from Cisco from the Web or by FTP.

You can download the server software from the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/tftp

Follow these steps to download the server by FTP:


Step 1 Start your FTP client and connect to ftp.cisco.com. Use your Cisco.com username and password.

Step 2 Enter the command cd /cisco/web/tftp and use the ls command to view the directory contents.

Step 3 Use the get command to copy the TFTP executable file to your directory.


Downloading Software from the Web

You can obtain PIX Firewall software by downloading it from Cisco's website or FTP site. If you are using FTP, refer to "Downloading Software with FTP."

Before downloading software, you need to have a Cisco.com username and password. If you do not have these, register at the following website:

http://tools.cisco.com/RPF/register/register.do

Follow these steps to install the latest PIX Firewall software:


Step 1 Use a network browser, such as Netscape Navigator to access http://www.cisco.com.

Step 2 If you are a registered Cisco.com user, click LOGIN in the upper area of the page. If you have not registered, click REGISTER and follow the steps to register.

Step 3 After you click LOGIN, a dialog box appears requesting your username and password. Enter these and click OK.

Step 4 Access Cisco.com at http://www.cisco.com and log in. Then access the PIX Firewall software downloads at the following website:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Step 5 Obtain the software you need. If you have a PIX Firewall unit with a diskette drive, obtain the Boothelper binary image file bh512.bin so you can store a PIX Firewall image on a diskette. If you have a PIX 501, PIX 506E, PIX 515E, PIX 525, or PIX 535, you can skip the discussion of the Boothelper diskette.


Downloading Software with FTP

Before using FTP, you need to have a Cisco.com username and password. If you do not have these, register now at the following website:

http://tools.cisco.com/RPF/register/register.do

Once you have registered, set your FTP client for passive mode. If you are not running in passive mode, you can log in and view the Cisco presentation messages, but entering commands will cause your client to appear to suspend execution.

The Windows 95 and Windows NT command line FTP programs do not support passive mode.

Follow these steps to get the most current software with FTP:


Step 1 Start your FTP client and connect to ftp.cisco.com. Use your Cisco.com username and password.

Step 2 You can view the files in the main directory by entering the ls command.

Step 3 Enter the cd /cisco/ciscosecure/pix command and then use the ls command to view the directory contents.

Step 4 Use the get command to copy the proper file to your workstation as described at the start of the current section.

Step 5 Enter the cd /cisco/web/tftp command. Then use the get command to copy the TFTP executable file to your directory.


Installing and Recovering PIX Firewall Software

This section contains the following topics:

Installing Image Software from the Command Line

Using Monitor Mode to Recover the PIX Firewall Image

Using Boothelper

Downloading an Image with Boothelper

Installing Image Software from the Command Line

To use TFTP to install a software image from the PIX Firewall command line, enter the following command:

copy tftp flash

You can use this command with any PIX Firewall running Version 5.1 or higher. When you enter this command, the PIX Firewall prompts for the specific values required to complete the operation. You can also use a colon (:) to take the parameters from the tftp-command settings, or you can explicitly specify each parameter. For details, refer to the copy tftp flash command in the Cisco PIX Firewall Command Reference.


Caution Never download a PIX Firewall image earlier than Version 4.4 with TFTP. Doing so will corrupt the PIX Firewall Flash memory unit.

Using Monitor Mode to Recover the PIX Firewall Image

You can use monitor mode to recover the PIX Firewall image when it has been lost or corrupted and you do not have access to the PIX Firewall command line.


Note You must use a 1FE or 4FE card installed in a 32-bit slot for installing image software with monitor mode. You cannot use monitor mode to connect to a TFTP server through a Gigabit Ethernet card, a 4FE-66 card, or a Fast Ethernet card installed in a 64-bit slot.


Perform the following steps to download an image over TFTP using monitor mode:


Step 1 Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the Esc (Escape) key.

The monitor> prompt appears.

Step 2 If desired, enter a question mark (?) to list the available commands.

Step 3 Use the address command to specify the IP address of the PIX Firewall unit's interface on which the TFTP server resides.

Step 4 Use the server command to specify the IP address of the host running the TFTP server.

Step 5 Use the file command to specify the filename of the PIX Firewall image. In UNIX, the file needs to be world readable for the TFTP server to access it.

Step 6 If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.

Step 7 If needed, use the ping command to verify accessibility. Use the interface command to specify which interface the ping traffic should use. If the PIX Firewall has only two interfaces, the monitor mode defaults to the inside interface. If this command fails, fix access to the server before continuing.

Step 8 Use the tftp command to start the download.

An example follows:

Rebooting....
PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 2001
Platform PIX-525
Flash=AT29C040A @ 0x300

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)

Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use ? for help.
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file pix601.bin
file cdisk
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp pix601.bin@192.168.1.2................................
Received 626688 bytes

PIX admin loader (3.0) #0: Mon Aug 7 10:43:02 PDT 1999
Flash=AT29C040A @ 0x300
Flash version 6.0.1, Install version 6.0.1

Installing to flash
...

Using Boothelper

If your PIX Firewall unit has a diskette drive, you need to obtain the Boothelper binary image file and create a diskette.

This section contains the following topics:

Get the Boothelper Binary Image

Preparing a Boothelper Diskette with UNIX, Solaris, or LINUX

Preparing a Boothelper Diskette on a Windows System

Get the Boothelper Binary Image

Use the following steps to download the Boothelper binary image:


Step 1 Log in to Cisco.com and continue to the PIX Firewall software directory, as described in the previous section, "Downloading Software from the Web" or "Downloading Software with FTP."

Step 2 Download the latest Boothelper image (bh5nn.bin; where nn is the latest version available) from Cisco.com and prepare a diskette as described in the sections that follow.


Note The Boothelper installation only supports PIX Firewall Version 5.1, 5.2, 5.3, 6.0, and later. After Boothelper downloads the PIX Firewall image via TFTP, it verifies the checksum of the image. If it is not Version 5.1 or later, it displays the message "Checksum verification on flash image failed" and reboots the PIX Firewall.


Step 3 Download the PIX Firewall software binary image file pix6nn.bin (where nn is the latest version available) from Cisco.com and store this file in a directory accessible by your TFTP server.


Preparing a Boothelper Diskette with UNIX, Solaris, or LINUX

Follow these steps to prepare a Boothelper diskette:


Step 1 To prepare a UNIX, Solaris, or LINUX TFTP server to provide an image to the PIX Firewall, edit the inetd.conf file to remove the # (comment character) from the start of the "tftp" statement.

Step 2 Determine the process ID of the current inetd process.

Step 3 Use the kill -HUP process_id command to kill the process. The process will restart automatically.

Step 4 Use the dd command to create the Boothelper diskette for the PIX Firewall unit. For example, if the diskette device name is rd0, use the following command.

dd bs=18b if=./bh510.bin of=/dev/rd0

This command copies the binary file to the output device file with a block size of 18 blocks.


Note The diskette may have a name other than rd0 on some UNIX systems.


Step 5 Eject the diskette, insert it in the PIX Firewall diskette drive, and power cycle the unit. Alternately, if available, use your unit's Reset switch, or enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.


Preparing a Boothelper Diskette on a Windows System

Follow these steps to create the Boothelper diskette from a Windows system:


Step 1 Locate an IBM formatted diskette that does not contain useful files. Do not use the PIX Firewall boot diskette that came with your original PIX Firewall purchase—you will need this diskette for system recovery should you need to downgrade versions.

Step 2 Enter rawrite at the MS-DOS command prompt and you are prompted for the name of the .bin binary file, the output device (a: or b: for a 3.5-inch diskette), and to insert a formatted diskette. A sample rawrite session follows.

C:\pix> rawrite
RaWrite 1.2 - Write disk file to raw floppy diskette

Enter source file name: bh512.bin
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 78 Head: 1 Sector: 16
Done.
C:\pix>

Ensure that the binary filename is in the "8.3" character format (8 characters before the dot; 3 characters after the dot).


Step 3 When you are done, eject the diskette, insert it in the PIX Firewall diskette drive, and power cycle the unit. Alternately, if available, use your unit's Reset switch, or enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.


Downloading an Image with Boothelper

Follow these steps to use the Boothelper diskette to download an image from a TFTP server:


Step 1 Download a PIX Firewall image from Cisco.com and store it on the host running the TFTP server.

Step 2 Start the TFTP server on the remote host and point the TFTP server to the directory containing the PIX Firewall image. On the Cisco TFTP Server, access the View>Options menu and enter the name of the directory containing the image in the TFTP server root directory box.

Step 3 Connect a console to the PIX Firewall and ensure that it is ready.

Step 4 Put the Boothelper diskette you prepared in the PIX Firewall and reboot it. When the PIX Firewall starts, the pixboothelper> prompt appears.

Step 5 You can now enter commands to download the binary image from the TFTP server. In most cases, you need only specify the address, server, and file commands, and then enter the tftp command to start the download. The commands are as follows:

a. If needed, use a question mark (?) or enter the help command to list the available commands.

b. Use the address command to specify the IP address of the network interface on which the TFTP server resides.

c. Use the server command to specify the IP address of the host running the TFTP server.

d. Use the file command to specify the filename of the PIX Firewall image.

e. If needed, use the gateway command to specify the IP address of a router gateway through which the server is accessible.

f. If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing. You can use the interface command to specify which interface the ping traffic should use. The Boothelper defaults to the interface 1 (one).

g. Use the tftp command to start the download.

Step 6 After the image downloads, you are prompted to install the new image. Enter y.

Step 7 When you are prompted, enter your activation key.

Step 8 After you enter your activation key, PIX Firewall prompts you to remove the Boothelper diskette. You have 30 seconds to remove the diskette. During this time you have three options:

a. Remove the diskette and reboot the unit with the reboot switch.

b. Use the reload command while the diskette is in the unit.

c. After the interval, the PIX Firewall will automatically boot from the Boothelper diskette.

After Boothelper downloads the PIX Firewall image via TFTP, it verifies the checksum of the image. If it is not Version 5.1 or later, it displays the message "Checksum verification on flash image failed" and reboots the PIX Firewall.

Keep the Boothelper diskette available for future upgrades. You will need to repeat these steps whenever you download an image to your PIX Firewall unit. Alternatively, you can use the copy tftp flash command to download an image directly from the PIX Firewall command line.


Downgrading to a Previous Software Version

This section describes how to change the PIX Firewall to an earlier version of the software than the version currently running on your PIX Firewall unit. You can only downgrade the PIX Firewall software if your platform supports the earlier version.


Note Always use the most recent version of the PIX Firewall software to take advantage of the latest security features and functionality. Earlier versions of the PIX Firewall will not support the configuration of features introduced in a later version.


To downgrade to an earlier version, enter the following command:

flash downgrade version

Replace version with one of the following values:

4.2

5.0

5.1

You do not need to use the flash downgrade command when downgrading to Versions 5.2 or 5.3 from Version 6.1.

Upgrading Failover Systems from a Previous Version

This section describes how to upgrade PIX Firewall units configured for the failover feature. It includes the following topics:

Upgrading Failover Systems Using Monitor Mode

Upgrading Failover Systems Using Boothelper

Upgrading Failover Systems from the CLI

Upgrading Failover Systems from the CLI

Complete the following steps to upgrade a PIX Firewall failover set from the CLI:


Step 1 To copy the new PIX Firewall image to be installed to the flash of the primary PIX Firewall, enter the following command from the CLI of the primary unit:

copy tftp flash

Step 2 To copy the new PIX Firewall image to be installed to the flash of the secondary PIX Firewall, enter the following command from the CLI of the secondary unit:

copy tftp flash

Step 3 Once both units have the new image in their flash, power cycle the primary unit, and then in close succession, power cycle the secondary unit.


Note The secondary must be power cycled before the primary begins running the new image. Otherwise, the two units could be running different versions, and this could cause problems.


Upgrading Failover Systems Using Monitor Mode


Note If possible, avoid using monitor mode for upgrading the PIX Firewall. If using monitor is necessary and rebooting an extra time does not solve any problem that may occur, contact Cisco technical support.


Complete the following steps for a PIX Firewall without a floppy diskette drive, using TFTP from the monitor mode:


Step 1 Connect a separate console to the primary unit and one to the secondary unit.

Step 2 Reload both PIX Firewall units, and bring them to monitor mode.

Step 3 On the primary unit, use monitor mode TFTP to load the new PIX Firewall image. You will want to save the image to Flash memory and let it boot up. Enter a show failover command to ensure everything looks fine.

Step 4 Repeat Step 3 on the secondary unit.

Step 5 Once the standby (secondary) unit completes booting and is up, the active (primary) unit will start to synchronize the configuration from the primary unit to the secondary. Wait until the configuration replication is finished, then use the show failover command on both PIX Firewall units to ensure the failover is running correctly.


Upgrading Failover Systems Using Boothelper

Complete the following steps for a PIX Firewall with a floppy diskette drive:


Step 1 Connect a separate console to the primary unit and one to the secondary unit.

Step 2 Place the boothelper diskette in the diskette drive of the primary unit and reboot the system.

When the PIX Firewall starts, the pixboothelper> prompt appears.

Step 3 As the primary unit reboots, PIX Firewall prompts you to write the image to Flash memory. Before entering a reply, read the next three substeps and be ready to move quickly to complete them. When ready, enter y for yes at the prompt.

a. Immediately remove the diskette from the primary unit and insert it into the standby unit. Locate the reset button on the front of the standby unit.

b. When the PIX Firewall Cisco banner appears on the primary unit's console, press the reset button on the standby unit to load the new image.

c. On the primary unit, enter the show failover command to make sure the primary unit is active and the secondary unit is in standby mode after the upgrade of the primary unit.

Step 4 Wait for the standby unit to finish booting. Once the standby unit is up, the two units synchronize during which time the primary unit's console does not accept input. On the standby unit, use the show failover command to monitor progress. When both PIX Firewall units report Normal, the replication is done.


TFTP Download Error Codes


Note If the PIX Firewall hangs during a TFTP file transfer, press Esc to abort the TFTP session and return to the command prompt.


During a TFTP download, if tracing is on, non-fatal errors appear in the midst of dots that display as the software downloads. The error code appears inside angle brackets. Table 11-2 lists the error code values.

For example, random bad blocks appear as follows:

....<11>..<11>.<11>......<11>...

Also, tracing will show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.

Table 11-2 Error Code Numeric Values 

Error Code
Description

-1

Timeout between the PIX Firewall and TFTP server.

2

The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.

3

The received packet was not from the server specified in the server command.

4

The IP header length was not big enough to be a valid TFTP packet.

5

The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.

6

The received IP packet's destination address did not match the address specified by the address command.

7

The UDP ports on either side of the connection did not match the expected values.  This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both.

8

The UDP checksum calculation on the packet failed.

9

An unexpected TFTP code occurred.

10

A TFTP transfer error occurred.

-10

The image filename you specified cannot be found. Check the spelling of the filename and that permissions permit the TFTP server to access the file. In UNIX, the file needs to be world readable.

11

A TFTP packet was received out of sequence.


Error codes 9 and 10 cause the download to stop.