[c-nsp] Upgraded to PIX 7.0

Adam Maloney adam at whee.org
Mon Aug 1 14:13:50 EDT 2005


I upgraded our 515 to 7.0 on Friday night.  I think there were some folks 
here interested in a follow-up from me when I completed the upgrade, so 
here are some notes.

0) They are not kidding about reading all docs before starting.

1) Cisco's documentation is ambiguous as to whether you need to upgrade a 
515 through monitor mode or not.  For instance:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_upgrade_guides09186a0080369ee2.html

says, "If you are upgrading from a PIX 515 or a PIX 535 with PDM already 
installed, you must upgrade from monitor mode."  Which implies that you 
can upgrade a 515 using "copy tftp flash" if you don't have PDM installed 
(which we don't).

While:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Has a table:

PIX MODEL    UPGRADE METHOD
PIX-515      Monitor
PIX-515E     copy tftp flash
PIX-525      copy tftp flash
PIX-535      copy tftp flash

Which seems to indicate you always need to use monitor mode for a 515.

Anyways, we called TAC and they told us we could use the copy tftp flash 
method.  That ended up failing.  We got into the continuous reboot cycle 
mentioned in the docs.  So we ESC'd to monitor mode and did the upgrade 
that way.

2) We used Output Interpreter to migrate our conduit statements to ACLs 
two weeks ago.  This was the most significant config change (for us at 
least), so we had a week running ACLs under 6.3 to confirm everything 
worked before doing the upgrade.

3) The automatic config conversion for 7.0 worked almost flawlessly.  All 
of our LAN-to-LAN VPN sites worked fine, but our VPN users were unable to 
log in after the upgrade.  This turned out to be due to CSCeh69389, which 
isn't actually mentioned in the two upgrade docs I was looking at.  The 
fix was pretty simple: Cisco had us create a new ACL and change the 
"split-tunnel-network-list value" to point to the new ACL.

4) It takes a lot longer to boot.  A lot of the boot time is accessing the 
config.  Our config under 6.3 was about 90k, and under 7.0 is 122k.  (The 
size difference was mostly because of the change from vpngroup to 
tunnel-group/group-policy format).  We're going to clean this up in a few 
weeks.  But even so, if I do a "sh run", I get output instantly, but if I 
hit 'q' at the pager prompt, it takes a few seconds to get back to the 
prompt.

5) Some final thoughts...  The CLI enhancements alone are worth the 
upgrade.  But, like any other major code upgrade, I wouldn't do it unless 
there's a real need for the new features.  At this point, ours has been 
up for 2.5 days and everything looks good.  I'll follow up if it catches 
fire or anything.

FWIW, we have about 80 806s and 831s doing LAN-to-LAN, and about 150 
users connecting using the Cisco VPN software client.
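The conduit-to-ACL migration in point 2 is the step most likely to silently change what the firewall permits, so here is an added example (not the poster's configuration, and not Cisco's Output Interpreter code) that performs the conversion and flags the two things worth auditing afterwards. It assumes the documented PIX 6.x conduit form, where the protected (global) side is written before the foreign side, while an access-list is written source-then-destination; the ACL name outside_in, the interface name outside and the sample conduits are all constructed for illustration.

```python
"""conduit -> access-list migration helper for a PIX 6.x config.

Added example for this list post; it is not the poster's, Cisco's, or
Output Interpreter's code.  Assumed 6.x conduit syntax:

  conduit {permit|deny} PROTO GLOBAL_IP GLOBAL_MASK [op port] FOREIGN_IP FOREIGN_MASK [op port] [icmp_type]

Conduit lists the protected (global, i.e. destination) side first and the
foreign (source) side second.  access-list is source-then-destination, so a
naive copy of the operands produces a rule with source and destination swapped.
"""

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> port count


def _take_addr(tok, i):
    """Parse one address spec at tok[i]: 'any' | 'host A' | 'A MASK'."""
    if tok[i] == "any":
        return ["any"], i + 1
    if tok[i] == "host":
        return ["host", tok[i + 1]], i + 2
    return [tok[i], tok[i + 1]], i + 2


def _take_port(tok, i, proto):
    """Parse an optional port operator (tcp/udp only) at tok[i]."""
    if proto in ("tcp", "udp") and i < len(tok) and tok[i] in PORT_OPS:
        n = PORT_OPS[tok[i]]
        return tok[i:i + 1 + n], i + 1 + n
    return [], i


def parse_conduit(line):
    """Split a conduit statement into its ACL-oriented fields."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError("not a conduit statement: %r" % line)
    proto = tok[2]
    i = 3
    dst, i = _take_addr(tok, i)            # global side comes first in a conduit
    dst_port, i = _take_port(tok, i, proto)
    src, i = _take_addr(tok, i)            # foreign side comes second
    src_port, i = _take_port(tok, i, proto)
    return {"action": tok[1], "proto": proto, "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port, "extra": tok[i:]}  # extra: icmp type


def render_ace(rule, acl_name):
    """Emit the access-list entry; note the source/destination swap."""
    return " ".join(["access-list", acl_name, rule["action"], rule["proto"]]
                    + rule["src"] + rule["src_port"]
                    + rule["dst"] + rule["dst_port"] + rule["extra"])


def convert_conduits(lines, acl_name="outside_in", interface="outside"):
    """Return the ACL entries followed by the access-group that binds them.

    Caveat for the migration: a conduit is global and applies to traffic from
    any lower-security interface, whereas an access-group binds the ACL to one
    interface.  A box with a DMZ as well as an outside interface needs the
    rules bound there too, or the DMZ-side permissions are silently dropped.
    """
    out = [render_ace(parse_conduit(ln), acl_name) for ln in lines]
    out.append("access-group %s in interface %s" % (acl_name, interface))
    return out


def broad_permits(lines):
    """Audit check: permits matching any source, any destination, no port or type.

    An automated migration carries such rules over unchanged; they deserve a
    second look before the ACL goes live under 6.3, let alone 7.0.
    """
    flagged = []
    for ln in lines:
        r = parse_conduit(ln)
        if (r["action"] == "permit" and r["src"] == ["any"] and r["dst"] == ["any"]
                and not (r["src_port"] or r["dst_port"] or r["extra"])):
            flagged.append(ln)
    return flagged


# Constructed sample conduits (documentation addresses), not a real config.
SAMPLE_CONDUITS = [
    "conduit permit tcp host 192.0.2.10 eq www any",
    "conduit permit tcp host 192.0.2.10 eq 443 198.51.100.0 255.255.255.0",
    "conduit permit udp host 192.0.2.53 eq domain any",
    "conduit permit tcp host 192.0.2.20 range 1024 65535 any",
    "conduit permit icmp any any echo-reply",
    "conduit permit ip any any",
]

if __name__ == "__main__":
    for line in convert_conduits(SAMPLE_CONDUITS):
        print(line)
    for line in broad_permits(SAMPLE_CONDUITS):
        print("WARNING: overly broad rule migrated unchanged:", line)
```

Run it against the conduit lines pulled from a `write terminal` on the 6.x box, diff the output against what Output Interpreter produced, and treat any disagreement on operand order or any entry reported by broad_permits as something to resolve during the week of running ACLs under 6.3.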

