- Preface
- Overview
- Configuring and Monitoring the Cisco PAM Server
- Getting Started With the Cisco PAM Desktop Software
- Configuring User Access for the Cisco PAM Desktop Client
- Understanding Door Configuration
- Configuring Doors
- Configuring Door and Device Templates
- Configuring Personnel and Badges
- Configuring Cisco Access Policies
- Events & Alarms
- Configuring Automated Tasks
- System Integration
- Video Monitoring
- System Configuration Settings
- Backing Up and Restoring Data
- Upgrading Software and Firmware
- Troubleshooting
- Security
- Glossary
Cisco Physical Access Manager Appliance User Guide, Release 1.2.0
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- November 23, 2017
Chapter: Upgrading Software and Firmware
- Contents
- Upgrade Notes for Release 1.2.0
- Credential Download Frequency Must be 60 Minutes or Higher
- The Door Groups Feature Added to Device Groups
- Enabling the Password Recovery Feature
- Upgrading From Release 1.0.3 to Release 1.2.0
- Split Holiday Schedule Configurations By Month
- Select the Following Options When Upgrading Gateway Firmware
- Generic Output Devices Installed Prior to Release 1.1.0 Must Be Rewired
- Generic Output Device Command and Event Name Changes
- Browser Time-out
- Upgrade the Cisco PAM Desktop Client Software
- Java Requirements
- Stop EDI Projects Before Upgrading Cisco PAM
- Change the Database Password Message
- Obtaining Software Images and Other Tools
- Obtaining Release Notes and Other Related Documentation
- Upgrading the Cisco PAM Desktop Software
- Upgrading the Cisco PAM Server Software
- Upgrading to the Cisco Multi Services Platform (MSP) Appliance
- Reinstalling the Cisco PAM Server Software from a Recovery CD
- Upgrading Gateway Firmware Images Using Cisco PAM
Upgrading Software and Firmware
This appendix describes how to upgrade or reinstall the Cisco PAM server software, desktop client software, and Gateway module firmware.
Contents
•
Upgrade Notes for Release 1.2.0
•Obtaining Software Images and Other Tools
•Obtaining Release Notes and Other Related Documentation
•Upgrading the Cisco PAM Desktop Software
•Upgrading the Cisco PAM Server Software
•Upgrading to the Cisco Multi Services Platform (MSP) Appliance
–Replacing a Single (Non-Redundant) Server with an MSP
–Replacing Redundant HA Servers with MSPs
•Reinstalling the Cisco PAM Server Software from a Recovery CD
•Upgrading Gateway Firmware Images Using Cisco PAM
–Uploading Firmware Images to a TFTP Server
–Updating the Firmware on All Gateway Modules
–Updating the Firmware on Individual Gateway Modules
Upgrade Notes for Release 1.2.0
•Credential Download Frequency Must be 60 Minutes or Higher
•The Door Groups Feature Added to Device Groups
•Enabling the Password Recovery Feature
•Upgrading From Release 1.0.3 to Release 1.2.0
•Split Holiday Schedule Configurations By Month
•Select the Following Options When Upgrading Gateway Firmware
•Generic Output Devices Installed Prior to Release 1.1.0 Must Be Rewired
•Generic Output Device Command and Event Name Changes
•Upgrade the Cisco PAM Desktop Client Software
•Stop EDI Projects Before Upgrading Cisco PAM
•Change the Database Password Message
Credential Download Frequency Must be 60 Minutes or Higher
The Credential download frequency cannot be set lower than 60 minutes. If a number less than 60 is entered, the setting will be reset to 60.
Note The Credential download frequency defines how often (in minutes) credential information is downloaded to the Gateways.
To access the Credential download frequency setting, see Cisco Settings, page 14-20.
The Door Groups Feature Added to Device Groups
In Release 1.2.0 and higher, the Door Groups module is included in the Device Groups module.
Any Door Group configurations from previous releases are automatically included in the Device Groups module following an upgrade.
Select Device Groups from the Doors menu to access the module.
Enabling the Password Recovery Feature
To enable the Cisco PAM Server Administration utility password recovery feature, the following fields must be configured (if not already set):
•Email Address
•SMTP Server Address
•SMTP Email Address from
See Enabling the Password Recovery Feature for instructions.
Upgrading From Release 1.0.3 to Release 1.2.0
To upgrade to Cisco PAM Release 1.2.0 from Release 1.0.3, you must first upgrade to Cisco PAM Release 1.1.0. For more information see the caveat CSCte56355.
Split Holiday Schedule Configurations By Month
Holiday schedules that span two months (for example, December 25 through January 4) do not operate correctly. Cisco PAM Release 1.2.0 prevents this configuration, and you must split the Holiday into two entries: one that covers the first month and the second that covers the following month.
For example, if a holiday schedule is required for December 25 through January 4, create one entry for December 25 through December 31, and a second entry for January 1 through January 4.
For more information, see the caveat CSCsq04020.
Select the Following Options When Upgrading Gateway Firmware
When upgrading Gateway firmware images to Cisco PAM Release 1.2.0 from any earlier release, select the following options:
–Set as active image: (checked by default) make the firmware file new active image.
–Delete configuration: delete the module configuration. The configuration is automatically reloaded when the module established communication with the Cisco PAM appliance.
–Delete events: delete all events stored on the module.
–Reset Gateway: (checked by default) perform a soft reset to powercycle the module. Changes to the active image are applied only after the Gateway is reset.
Note When all options are selected, wait approximately 10-15 minutes for the firmware upgrade to complete.
See the Upgrading Gateway Firmware Images Using Cisco PAM for instructions, or refer to the Cisco Physical Access Gateway User Guide.
Generic Output Devices Installed Prior to Release 1.1.0 Must Be Rewired
All Generic Output devices installed in Cisco PAM systems prior to release 1.1.0, were connected to the Gateway, Reader, or Output modules with the wiring reversed. In Cisco PAM release 1.1.0, the wires for these Output devices must be reinstalled to match the device manufactures recommended connections.
Required Generic Output Device Connections in Cisco PAM release 1.1.0
Disconnect all Generic Output devices installed with Cisco PAM release 1.0.0, 1.0.1, or 1.0.3, and do the following:
•Connect Normally Open devices to the N.O. and C connectors on the Gateway, Reader, or Output module.
•Connect Normally Closed devices to the N.C. and C connectors on the Gateway, Reader, or Output module.
Failure to re-wire these devices will cause the devices to act in the opposite way intended.
See Cisco Physical Access Gateway User Guide for more information on module and device wiring.
Generic Output Device Command and Event Name Changes
The following generic output device command names were changed for Release 1.1.0 and higher. The functionality is the same:
|
|
|
|---|---|
Turn output off |
Activate Relay |
Turn output on |
Deactivate Relay |
The following generic output device event names were changed for Release 1.1.0. The functionality is the same:
|
|
|
|---|---|
Output Off |
Output Deactivated |
Output On |
Output Activated |
Browser Time-out
When upgrading to Cisco PAM Release 1.2.0 and higher, the web browser may display an error such as "Page Not Found" while the upgrade is in process. Wait approximately five minutes for the upgrade to complete, then refresh the browser to display the login page.
Upgrade the Cisco PAM Desktop Client Software
Always upgrade the Cisco PAM desktop client when the server software is upgraded. If the versions are not the same, an error will occur when launching the desktop client. See Installing or Updating the Cisco PAM Desktop Software, page 3-2.
Java Requirements
Before upgrading the Cisco PAM server, upgrade your PC to Java 6.0 or higher (JDK 1.6 or higher), if necessary.
•To install Java 1.6, log on to the Cisco PAM appliance, select Downloads, and then select JRE 1.6 (Windows).
•To download the latest Java, go to http://www.java.com/en/download/manual.jsp
Stop EDI Projects Before Upgrading Cisco PAM
Stop any running EDI projects before upgrading the Cisco PAM appliance software. After the upgrade, re-import the project to EDI Administration and start it again. See Importing, Starting, and Monitoring EDI Projects in Cisco PAM, page 12-33 for instructions to stop, start and import EDI projects.
If EDI projects are not stopped before a Cisco PAM upgrade, the project execution (or run) will not be successful. If this occurs, contact your Cisco support representative for assistance.
Change the Database Password Message
When the server restarts, a message appears asking if you want to change the database password. Click Cancel or OK. This password is a security measure used for troubleshooting and technical support. It does not impact user operation,
Obtaining Software Images and Other Tools
To access the self-service portal and obtain software, documents, and tools, do the following:
1. Go to the following URL:
http://www.cisco.com/en/US/partner/products/ps9688/tsd_products_support_series_home.html
2. Click the Download Software link.
3. Log in to the Cisco Support Center. You must be a registered user of Cisco.com to access this page. You must have a current Cisco support contract that is linked to your Cisco.com account to download software and obtain help from the Cisco Technical Assistance Center.
4. Click the link for the correct release, or use the search function to locate the software release.
Tip You can also log in to the Cisco Support Center at http://www.cisco.com/support/.
Obtaining Release Notes and Other Related Documentation
To obtain the latest documentation, including release notes, do the following:
Step 1 Go to one of the following URLs:
–Cisco Physical Access Manager Release Notes
http://www.cisco.com/en/US/products/ps9688/prod_release_notes_list.html
–Cisco Physical Access Gateway Documentation
http://www.cisco.com/en/US/products/ps9687/tsd_products_support_series_home.html
–Cisco Physical Access Manager Documentation
http://www.cisco.com/en/US/products/ps9688/tsd_products_support_series_home.html
Step 2 Click the link for the appropriate guide.
For example: Install and Upgrade Guides or End-User Guides.
Step 3 Use these publications to learn how to install, upgrade and use the Cisco Physical Access Control hardware and software.
Upgrading the Cisco PAM Desktop Software
Always upgrade the Cisco PAM desktop client when the server software is upgraded. If the versions are not the same, an error will occur when launching the desktop client. See Installing or Updating the Cisco PAM Desktop Software, page 3-2 for instructions.
Upgrading the Cisco PAM Server Software
To upgrade the Cisco PAM server software, you must first stop the server. If you are upgrading redundant (HA) servers, you must stop both servers, upgrade the server that was originally designated as the Active server, and then upgrade the Standby server.
Before You Begin
•The following conditions apply when upgrading the Cisco PAM server software:
–Upgrading either a single appliance or redundant servers causes system downtime. All servers must be placed in Down state to perform the upgrade.
–System downtime can result in a temporary loss of data. Log and other system messages sent from the Cisco Physical Access Gateways and other hardware devices may be dropped during the upgrade process. Cisco recommends performing a manual upgrade only when system usage is low.
–Software downgrades are not supported.
•Review the Upgrade Notes for Release 1.2.0
•Obtain the correct software image. See Obtaining Software Images and Other Tools.
Tip The Cisco PAM server software is different from the desktop client software. The server software runs the appliance and provides a web administration interface used to configure and manage the server. The desktop (client) software runs on a PC and is used to configure devices and access control settings.
Procedure
To upgrade the Cisco PAM server software, do the following:
Step 1 Review the notes in Before You Begin.
Step 2 Backup either the Active or Standby server, as described in Backing up the Cisco PAM Database, page A-2. This backup is not required, but ensures the latest system data is preserved in case an error occurs.
Step 3 Stop the Standby server, if configured:
a. Log on to the Standby appliance, as described in Logging on to the Cisco PAM Server Administration Utility, page 2-2.
b. Click the Monitoring tab and verify the Server Mode is Standby (Figure B-1).
c. Select the Commands tab, and then select Stop Server.
d. Select the Monitoring tab and verify that the Admin State is Down.
Figure B-1 Monitoring Window in the Cisco PAM Server Administration Utility
Step 4 Stop the Active server.
a. Log on to the Active appliance.
b. Click the Monitoring tab and verify the Server Mode is Active (Figure B-1).
c. Select the Commands tab, and then select Stop Server.
d. Verify that the Admin State is Down.
Step 5 On the Active server, select the Setup tab, and then select Upgrade, as shown in Figure B-2.
Figure B-2 Upgrade Window in the Cisco PAM Server Administration Utility
Step 6 Click Browse to locate and select the upgrade image.
Step 7 Click the Upgrade button.
A pop-up message appears informing you that the Web administrator utility is restarting. If the Cisco PAM Server Administration utility disconnects, a browser error message may be shown. Wait approximately five minutes for the server to restart, and then refresh your browser.
Step 8 Verify the upgrade process is complete, and the Active server is in Down state:
a. Log on to the Active Cisco PAM appliance.
b. Select the Monitoring tab and then select Status.
c. Verify the Server Version is correct. For example: 1.2.0
d. Verify the Admin State is Down.
e. Verify the Server Mode is N/A.
Figure B-3 Server Admin State for the Active Server
Step 9 (HA configurations only) Upgrade the Standby server, if configured.
Note The Active server must be in Down state when you upgrade the Standby server, as described in Step 8. If a Standby server is not installed, skip to Step 10.
a. Log on to the Standby server.
b. Select the Monitoring tab and then select Status.
c. Verify that the Admin State is Down, as shown in Figure B-3
d. Select the Setup tab, and then select Upgrade.
e. Click Browse to locate and select the upgrade image, as shown in Figure B-2.
f. Click Upgrade.
Note Although the Standby server is upgraded, it is still in Down state. Start the Active server before starting the Standby server, as described in the following steps. Otherwise, the Standby server assume the Active role.
Step 10 Restart the Active server.
a. Log on to the Active Cisco PAM appliance.
b. Select the Commands tab, and then select Start Server.
Note When the server restarts, a message appears asking if you want to change the database password. Click Cancel or OK. This password is a security measure used for troubleshooting and technical support. It does not impact user operation,
c. Select the Monitoring tab and then select Status, as shown in Figure B-4.
d. Verify the following:
–Verify the Server Version is correct. For example: 1.2.0
–Verify the Admin State is Up.
–Verify the Server Mode is Active.
Figure B-4 Server Admin State (Up) for the Active Server
Step 11 (HA configurations only) Start the Standby server.
Note Only start the Standby server after the Active server is Up, as described in Step 10.
a. Log on to the Active Cisco PAM appliance.
b. Select the Commands tab, and then select Start Server.
c. Click Cancel or OK for the database password message.
d. A pop-up message appears informing you that the Web administrator utility is restarting. If the Cisco PAM Server Administration utility disconnects, a browser error message may be shown. Wait approximately five minutes for the server to restart, and then refresh your browser.
e. Verify the upgrade was successful.
–Log on to the Standby server.
–Select the Monitoring tab and then select Status.
–Verify the Server Version is correct. For example: 1.2.0
–Verify the Admin State is Up.
–Verify the Server Mode is Standby.
Step 12 Upgrade the Cisco PAM desktop client, as described in Installing or Updating the Cisco PAM Desktop Software, page 3-2. If the versions are not the same, an error will occur when launching the desktop client.
Upgrading to the Cisco Multi Services Platform (MSP) Appliance
This section describes the process to replace an existing Cisco 1125 appliance with a Cisco Multi Services Platform (MSP) appliance.
Complete one of the following procedures:
•Replacing a Single (Non-Redundant) Server with an MSP
•Replacing Redundant HA Servers with MSPs
Replacing a Single (Non-Redundant) Server with an MSP
When replacing a single, non-redundant server, backup the system data from the old server immediately before bringing the new server online. You can only restore the data on the new server using the most recent backup: all data and configurations added to the system since the backup will be lost.
Procedure
Step 1 Backup the old server, as described in Backing up the Cisco PAM Database, page A-2. This backup is used to restore the system data to the new server.
Step 2 Copy the backup file to a local disk, as described in Backing up the Cisco PAM Database, page A-2.
Step 3 Physically install the new appliance, as described in the Cisco Physical Security Multi Services Platform User Guide.
Step 4 Boot the new server and complete the instructions in Entering the Initial Server Configuration, page 2-4.
Step 5 Restore the backup file to the new server, as described in Restoring a Server Backup File, page A-6.
Replacing Redundant HA Servers with MSPs
To replace one or both HA servers, complete the following tasks:
Note This procedure results in system downtime.
Procedure
Step 1 Back up the Active or Standby server.
The backup file is used to restore the system data on the new server.
a. Log in to the Active or Standby appliance.
b. Backup the system data, as described in Backing up the Cisco PAM Database, page A-2.
c. Copy the backup file to a local disk.
Step 2 Stop the Active server.
a. Log on to the Active appliance, as described in Logging on to the Cisco PAM Server Administration Utility, page 2-2.
b. Select the Monitoring tab and then select Status.
c. Verify the Server Mode is Active.
d. Select the Commands tab, and then select Stop Server.
e. Verify the following on the Monitoring > Status window, as shown in Figure B-5:
–Verify the Admin State is Down.
–Verify the Server Mode is N/A.
Figure B-5 Server in Admin State "Down"
Step 3 Stop the Standby server.
Note Stopping the Standby server results in system downtime since both servers are offline.
a. Select the Commands tab, and then select Stop Server.
b. Verify the Standby server is down in the Monitoring > Status window (Figure B-5):
–Verify the Admin State is Down.
–Verify the Server Mode is N/A.
Step 4 Physically remove the old servers and install the new Active and/or Standby servers, as described in the Cisco Physical Security Multi Services Platform User Guide.
Step 5 Boot the new Active appliance and complete the initial configuration, as described in Entering the Initial Server Configuration, page 2-4.
•Be sure to follow the instructions for a Active server and enter the correct Shared IP address. See Understanding IP Addresses on the Cisco PAM Server, page 2-3.
•You must obtain and install new Cisco PAM licenses, including the HA license. See Licensing: Frequently Asked Questions, page C-1 and Obtaining and Installing Optional Feature Licenses, page 2-21 for more information.
Step 6 Boot the new Standby appliance and complete the initial configuration, as described in Entering the Initial Server Configuration, page 2-4.
•Be sure to follow the instructions for a Standby server and enter the correct Shared IP address.
•You must reinstall the HA license on the Standby server. All other optional licenses are installed on the Active server only.
Step 7 Verify that the redundant servers are in sync.
a. Log in to each server.
b. Open the Monitoring > Status window.
c. Verify that there are entries for Peer Address and Hostname, as shown in Figure B-6.
If the HA servers are not in sync, the fields will be blank.
Figure B-6 HA Status: Peer Address and Hostname
Step 8 Restore the backup file to the Active server, as described in Restoring a Server Backup File, page A-6.
Reinstalling the Cisco PAM Server Software from a Recovery CD
Use the recovery CD/DVD included with the Cisco PAM appliance to completely erase the server hard disk and re-install the Cisco PAM server software.
Reinstalling the server software from a CD/DVD using these instructions permanently erases all data and configurations on the Cisco PAM appliance. You must have at least one backup to restore the server software using the recovery CD. See
Appendix A, "Backing Up and Restoring Data" for more information.
Note To boot from the recovery CD/DVD, you must change the boot device order using the BIOS utility, as described in the following procedure.
Procedure
Step 1 Backup the data on your appliance. See Appendix A, "Backing Up and Restoring Data" for more information.
Tip Backup and restore the server data to preserve critical system information and configurations.
Step 2 Insert the Cisco PAM recovery CD into the server DVD-ROM drive.
Step 3 Reboot the Cisco PAM appliance:
a. Log on to the Cisco PAM appliance, as described in Logging on to the Cisco PAM Server Administration Utility, page 2-2.
a. Select the Commands tab, and then select Reboot.
Step 4 Press and hold the Delete key while the appliance is restarting to open the BIOS setup utility, as shown in Figure B-7.
Figure B-7 BIOS Setup Utility
Step 5 Change the priority order of the boot devices so the CD/DVD drive is first boot priority, and the SCSI hard drive is second priority.
Note If you are using the Cisco Physical Access 1125 Appliance installed with Cisco PAM release 1.1.0 and earlier, you do not need to set the boot device using the BIOS setup utility. Skip to Step 6.
a. Use the arrow keys to select the Boot menu, as shown in Figure B-8.
Figure B-8 BIOS Boot Settings
b. Select Boot Device Priority.
c. Use the arrow keys to select the 1st Boot Device, and then press Enter.
A list of available devices appears, as shown in Figure B-9.
Figure B-9 Boot Device Priority Options
d. Use the arrow keys to select the CD/DVD device, and then press the Enter key.
e. Verify that the CD/DVD device is the 1st Boot Device, and the SCSI hard drive is the 2nd Boot Device, as shown in Figure B-10.
Figure B-10 1st Boot Device = CD/DVD
f. Press the F10 function key to save the changes and exit the BIOS utility.
Step 6 Wait for the CD to install the Cisco PAM server software. When finished, the server will reboot again.
Step 7 After the server reboots, remove the Cisco PAM recovery CD from the server DVD-ROM drive.
Step 8 Configure the server as described in Entering the Initial Server Configuration, page 2-4.
Step 9 Restore the system, as described in Restoring a Server Backup File, page A-6.
Upgrading Gateway Firmware Images Using Cisco PAM
The firmware image on all Gateways must be the same version as the Cisco PAM server software release. For example, if the Cisco PAM appliance is upgraded to release 1.2.0, then all Gateway modules must also be upgraded to firmware release 1.2.0. If the firmware release is different than the Cisco PAM appliance release, the Gateway will not operate and the Gateway status in the Cisco PAM Hardware module is Mismatch.
To ensure the Gateway firmware is the same release as the Cisco PAM appliance software version, complete the instructions in this section. You can upgrade all the Gateway modules at the same time, or individual Gateways.
Firmware images must be located on a TFTP server, such as the built-in Cisco PAM TFTP server). The firmware image file is then copied to the Gateway from the TFTP server. Since Gateways can store more than one firmware image, you must define which image is the active image, and then reset the Gateway module. When the module resets, the new firmware image is called the running image.
Tip•To upgrade the firmware, activate a higher number release. To downgrade, activate a lower number release.
•You can also upgrade firmware using a PC directly connected to a Gateway module. See the Cisco Physical Access Gateway User Guide for more information.
This section includes the following information:
•Uploading Firmware Images to a TFTP Server
•Updating the Firmware on All Gateway Modules
•Updating the Firmware on Individual Gateway Modules
Uploading Firmware Images to a TFTP Server
Firmware images used to update Gateway modules must be located on a TFTP server. You can load the images to the built-in Cisco PAM TFTP server, or to another TFTP server as described in this section.
Once the Firmware is copied to the TFTP server, you can load it to one or more Gateway modules, as described in Updating the Firmware on Individual Gateway Modules and Updating the Firmware on All Gateway Modules.
Tip You can use the built-in Cisco PAM TFTP server to store firmware images, or use a remote TFTP server. If using the built-in TFTP server, the server must be running. See Disabling the Cisco PAM TFTP Server, page D-2 for more information.
To load images to a TFTP server using Image Manager, do the following:
Step 1 (Optional) Enable the built-in Cisco PAM TFTP server, if necessary.
Note•The Cisco PAM TFTP server is enabled by default. Complete these steps only if the server was manually disabled, as described in Disabling the Cisco PAM TFTP Server, page D-2.
•If you are using firmware images located on another TFTP server (not the Cisco PAM server), skip to Step 2.
a. Log in to the Cisco PAM Server Administration utility.
See Logging on to the Cisco PAM Server Administration Utility, page 2-2.
b. Select the Monitoring tab and then select Status, as shown in Figure B-11.
c. If the TFTP Service is Down, click Start.
d. Verify that the TFTP service is Up.
Figure B-11 TFTP Service in "Up" State
Step 2 Log in to the Cisco PAM desktop client.
See Logging in to Cisco PAM, page 3-3.
Step 3 Select Image Manager from the Admin menu
Figure B-12 shows the Image Manager window. Table B-1 describes each field.
Figure B-12 Image Manager
Step 4 Upload firmware images to either the Cisco PAM TFTP server, or another TFTP server:
Uploading images to the Cisco PAM TFTP Server
a. Click Default to enter the Cisco PAM TFTP server IP address in the TFTP server field.
b. Select the file to be uploaded from the Local file browser. The selected file is automatically entered in the Local Image File field.
c. Use the Remote Browser to select the directory on the Cisco PAM TFTP server where files will be uploaded. This field is inactive if you are using a TFTP server other than the build-in Cisco PAM server.
Right-click within the Remote Browser to select the following menu options:
–Create Directory: Creates a new directory on the Cisco PAM TFTP server.
–Delete File/Directory: Deletes a selected file or directory.
d. Click Upload to add the file to the TFTP server specified in the TFTP server field.
Uploading Images to a Different TFTP Server (Not the Cisco PAM TFTP Server)
a. Enter the server IP address in the TFTP server field.
b. In the Remote Directory field, enter the TFTP server directory path where the image will be stored. If this field is left blank, then the root TFTP directory is used by default. The default Unix TFTP root directory is /tftpboot.
Note The TFTP server directory path entered in the Remote Directory field must be valid. Cisco PAM does not validate the existence of remote server directories.
c. In the Local file browser field, select the firmware file on a local drive to be uploaded. The directory path and filename are displayed in the Image File field.
d. Click Upload to add the file to the TFTP server specified in the TFTP server field.
Step 5 Continue to Updating the Firmware on Individual Gateway Modules.
Tip To download an image from the TFTP server to a local directory, select the image and local directory, then click the Download button.
Updating the Firmware on All Gateway Modules
This section describes how to upgrade or downgrade all the Gateways configured in a Cisco PAM server.
Tip To upgrade the firmware for a single Gateway module, see Updating the Firmware on Individual Gateway Modules.
Before You Begin
Review the following before using the instructions to upgrading all Gateways.
•This procedure loads the same firmware image to all Gateway modules configured in Cisco PAM. If you check the options Set as active image and Reset Gateway, the Gateways will reset with the new image as the active running image.
•An Active image is the image that will be operational when the Gateway is reset. A Running image is the firmware image currently used to operate the Gateway.
•Gateways operate normally while the firmware image is being copied from the TFTP server, but are out of service while being reset. When a Gateway is down, the doors for that Gateway remain locked if the lock is fail-secure, and unlocked otherwise. See Understanding Door Modes, Door Schedules, and the First Unlock Feature, page 5-25 for more information.
•If you deselect the options Set as active image and Reset Gateway, then the firmware image is copied to the Gateways, but is not made the Active or Running image. You must use the File Manager to manually activate the image on each Gateway module, as described in Step 9, and then reset the Gateway as described in Step 10.
•Review the recommendations in Select the Following Options When Upgrading Gateway Firmware.
•Gateways not configured in Cisco PAM are not impacted by this procedure.
•Gateways are upgraded in batches of 5, with a 15 minute delay between batches.
•10 minutes after all the Gateways are updated, a summary event is posted to Cisco PAM. Any Gateways that are still in the Issued state are described as upgrade still in progress.
•You cannot issue another Bulk Image Upgrade command until the summary event is posted.
Procedure
To upgrade or downgrade the firmware images for all Gateway modules, complete the following steps.
Step 1 Complete the instructions in Uploading Firmware Images to a TFTP Server
Step 2 Log in to the Cisco PAM desktop client.
See Logging in to Cisco PAM, page 3-3.
Step 3 Select Hardware from the Doors menu.
Step 4 Right-click the Access GW Driver and select Bulk Image Upgrade (Figure B-13).
Figure B-13 Bulk Image Upgrade Menu
Tip You can also access the Bulk Image Upgrade command using the Locations & Doors module. Select Locations & Doors from the Doors menu, and then select Gateway Controllers from the View menu. Right-click a location or site and select Bulk Image Upgrade from the menu.
Step 5 In the Bulk Image Upgrade window (Figure B-14), enter the image location and select the upgrade options.
a. Enter the Image Name.
–If the image is located on the Cisco PAM TFTP server, click Browse to select a firmware image name.
–If the image is located on a different TFTP server, enter the filename manually.
Figure B-14 Bulk Image Upgrade Window
b. Enter the TFTP Server IP address.
The Cisco PAM appliance TFTP server IP address is entered by default.
c. Enter the directory Path on the TFTP server for the firmware image.
–Leave this field blank if using the default location for the built-in Cisco PAM TFTP server.
–Be sure the path and filename are valid. The administration tool does not verify remote server paths.
d. Select the following options to define what that will occur after the image is loaded to the Gateway:
–Set as active image: (checked by default) make the firmware file new Active image for all Gateways. The Active image is the firmware that will become the Running image when the Gateway is reset (see Figure B-18).
–Delete configuration: delete the module configuration on all Gateways. The configuration is automatically reloaded when the module establishes communication with the Cisco PAM appliance.
–Delete events: delete all events stored on all Gateways.
–Reset Gateway: perform a soft reset to powercycle all Gateways. Resetting the Gateway changes the Active image to the Running image. All Gateways will be down during the reset. Uncheck this box to reset the Gateways individually.
–Reset time: enter the time in 24-hour notation that the Gateways will begin to reset with the new firmware image. If this field is left blank, the Gateways will begin to reload in batches of 5 when you click OK.
Note See Select the Following Options When Upgrading Gateway Firmware.
Step 6 Click OK to close the window and begin copying the firmware image to the Gateway modules.
•Any actions selected in Step 5d are initiated. For example, the default option Set as active image makes the new image Active. The Gateways must still be reset for the image to become the Running image.
•Gateways are upgraded in batches of 5, with a 15 minute delay between batches.
•When all options are selected, wait an additional 10-15 minutes for the firmware upgrade to complete on each Gateway.
Note If you did not check the Reset Gateway option, the firmware image is copied to the Gateways and defined as Active, but is not made the Running image. See Step 10 and Step 9 to manually activate the image and reset each Gateway module.
Step 7 Verify the upgrade status.
a. In the Hardware module, select the Access GW Driver.
b. In the Extended Status field for the driver, select the Command Status tab, as shown in Figure B-15.
Figure B-15 Bulk Image Upgrade Status
c. Expand the Bulk Image Upgrade entry to view the upgrade status for each Gateway. The possible states include the following:
–ISSUED: The upgrade command was issued to the Gateway.
–SUCCEEDED: The Gateway image upgrade was successfully completed.
–FAILED: The Gateway image upgrade Failed for the reason in the description.
–COMPLETED: Cisco PAM cannot determine if the upgrade SUCCEEDED or FAILED. Completed indicates the command execution is complete, but you must manually verify the success or failure of the image upgrade using the File Manager.
Note The status is shown as COMPLETED if the Gateway reboots, and the status is still ISSUED. This can happen if the Gateway has a large number of events in its queue when the module reboots, so the final status is not reported. Right-click the Gateway icon in the Hardware module and select File Manager to view the status of the loaded firmware images.
Step 8 Review the summary event posted to the Cisco PAM Events module.
a. Select Events from the Events & Alarms menu, under the Monitoring sub-menu.
b. Double click the summary event to view details of the Bulk Image Upgrade, as shown in Figure B-16.
Figure B-16 Summary Event for Bulk Upgrade Command
Note•The summary event is posted 10 minutes after all the Gateways are updated.
•Any Gateways that are still in the Issued state are shown as Upgrade in progress in the Data field.
•You cannot issue another Bulk Image Upgrade command until all the summary event is posted.
Step 9 (Optional) Use the File Manager to verify the Active and Running firmware image for a Gateway module.
Tip You can also change the Active image using the File Manager.
a. Right-click a Gateway Controller (blue icon) and select File Manager, as shown in Figure B-17.
Figure B-17 File Manager Menu
b. Select the Image tab to display a list of the firmware images currently loaded on the Gateway module, as shown in Figure B-18.
Figure B-18 File Manager Window: Image Tab
Each row displays the following information about the firmware image:
–Name: the image filename.
–Version: the firmware version number.
–Download Time: the time and date when the image was downloaded to the Gateway module.
–Active: The Active image will become the Running image when the Gateway is reset. The image marked Yes is the active image on the Gateway.
–Running: The Running image is the image currently used to operate the Gateway. The image marked Yes is the current running image on the Gateway.
c. To change the active image, select an image name and click the Active Image button.
This button is available only if the selected file is not the Active image.
d. To make the Active image the Running image, you must reset the Gateway. Right-click on the Gateway icon and select Reset Gateway, as described in Step 10.
e. Click Close to accept the changes and close the window.
Step 10 (Optional) Reset individual Gateways.
This step is necessary if you did not select the option to Reset Gateway in Step 5d. The Active image becomes the Running image only after the Gateway is reset.
To reset the Gateway, do the following:
a. In the Hardware module, right-click a Gateway controller (blue icon).
b. Select Reset Gateway, as shown in Figure B-19.
Figure B-19 Reset Gateway Command
Updating the Firmware on Individual Gateway Modules
You can load more than one firmware image to a Gateway module, and then upgrade or downgrade the firmware by selecting the active image and resetting the Gateway. Select a higher release to upgrade the firmware, or a lower release to downgrade.
Note This section includes instructions for individual Gateways. To upgrade the firmware for all Gateways, see Updating the Firmware on All Gateway Modules.
Before You Begin
Review the following before using the instructions to upgrading an individual Gateway.
•This procedure loads the same firmware image to all Gateway modules configured in Cisco PAM. If you check the options Set as active image and Reset Gateway, the Gateways will reset with the new image as the active running image.
•An Active image is the image that will be operational when the Gateway is reset. A Running image is the firmware image currently used to operate the Gateway.
•Gateways operate normally while the firmware image is being copied from the TFTP server, but are out of service while being reset. When a Gateway is down, the doors for that Gateway remain locked if the lock is fail-secure, and unlocked otherwise. See Understanding Door Modes, Door Schedules, and the First Unlock Feature, page 5-25 for more information.
•If you deselect the options Set as active image and Reset Gateway, then the firmware image is copied to the Gateway, but is not made the Active or Running image. You must use the File Manager to manually activate the image on each Gateway module, as described in Step 8, and then reset the Gateway, as described in Step 9.
•Review the recommendations in Select the Following Options When Upgrading Gateway Firmware.
Procedure
Step 1 Complete the instructions in Uploading Firmware Images to a TFTP Server
Step 2 Log in to the Cisco PAM desktop client.
See Logging in to Cisco PAM, page 3-3.
Step 3 Select Hardware from the Doors menu.
Step 4 Right-click a Gateway Controller (blue icon) and select File Manager (Figure B-20).
Figure B-20 File Manager Menu
Tip You can also access the File Manager using the Locations & Doors module. Select Locations & Doors from the Doors menu, and then select Gateway Controllers from the View menu. Expand a location tree and right-click a Gateway to select File Manager from the menu.
Step 5 Select the Image tab to display a list of the firmware images currently loaded on the Gateway module (Figure B-21).
Figure B-21 File Manager Window: Image Tab
Each row displays information about the firmware image:
•Name: the image filename.
•Version: the firmware version number.
•Download Time: the time and date when the image was downloaded to the Gateway module.
•Active: The Active image will become the Running image when the Gateway is reset. The image marked Yes is the active image on the Gateway.
•Running: The Running image is the image currently used to operate the Gateway. The image marked Yes is the current running image on the Gateway.
Step 6 Download a new firmware image from a TFTP server, if necessary:
a. Select the Initiate Download button, as shown in Figure B-21.
The Initiate Download Input window appears, as shown in Figure B-22.
Figure B-22 Initiate Download Input Window
b. Enter the Image Name:
–If the image is located on the Cisco PAM TFTP server, click Browse (Figure B-22) to select a firmware image name.
–If the image is located on a different TFTP server, enter the filename manually.
c. Enter the TFTP Server IP address.
The Cisco PAM appliance TFTP server IP address is entered by default.
d. Enter the directory Path on the TFTP server for the firmware image.
–Leave this field blank if using the default location for the built-in Cisco PAM appliance TFTP server.
–Be sure the path and filename are valid. The administration tool does not verify remote server paths.
e. Select the following options to define what that will occur after the image is loaded to the Gateway:
–Set as active image: (checked by default) make the firmware file new active image. The Active image is the firmware that will become the Running image when the Gateway is reset
–Delete configuration: delete the module configuration. The configuration is automatically reloaded when the module establishes communication with the Cisco PAM appliance.
–Delete events: delete all events stored on the module.
–Reset Gateway: (checked by default) perform a soft reset to powercycle the module. Resetting the Gateway changes the Active image to the Running image. The Gateway will be down during the reset. Uncheck this box to reset the Gateways manually, as described in Step 9.
–Reset time: defines when the Gateway reset will occur. If this field is left blank, the Gateway resets immediately after the image is downloaded to the Gateway. You can also enter a time (in 24-hour notation) when the Gateway should reset. This field is used only if the Reset Gateway option is checked.
Note See Select the Following Options When Upgrading Gateway Firmware.
Step 7 Click OK to close the window and copy the firmware image to the Gateway module.
•Any actions selected in Step 6e are initiated. For example, the new active image is set and the Gateway module is reset (the Gateway must be reset to activate the new image).
•When all options are selected, wait approximately 10-15 minutes for the firmware upgrade to complete.
Step 8 Click Refresh in the File Manager window to refresh the information and verify the Active and Running firmware image (see Figure B-23).
Figure B-23 File Manager Window: Image Tab
Each row displays the following information:
•Name: the image filename.
•Version: the firmware version number.
•Download Time: the time and date when the image was downloaded to the Gateway module.
•Active: The Active image will become the Running image when the Gateway is reset. The image marked Yes is the Active image on the Gateway.
•Running: The Running image is the image currently used to operate the Gateway. The image marked Yes is the current Running image on the Gateway.
f. (Optional) To change the active image, select an image and click the Active Image button.
This button is available only if the selected file is not the active image. The Active image does not become the Running image until the Gateway is reset.
g. Click Close to accept the changes and close the window.
Step 9 (Optional) Reset the Gateway.
This step is necessary if you did not select the option to Reset Gateway in Step 6e, or want to change the Running image. The Active image becomes the Running image only after the Gateway is reset.
To reset the Gateway, do the following:
a. In the Hardware module, right-click the Gateway controller (blue icon).
b. Select Reset Gateway, as shown in Figure B-24.
Figure B-24 Reset Gateway Command
Feedback