[c-nsp] pix upgrade to 7.x from 6.34 *Possible Bug*
Joseph Jackson
JJackson at aninetworks.com
Mon Feb 20 12:11:12 EST 2006
All,
Last Friday we did the upgrade from 6.3(4) to 7.1(1). Went
pretty smooth, everything looked good and we went home for the weekend.
Sunday night around 10pm I got an alert that our failover pix was
rebooting. I power cycled the failover and it came back up and stayed
back up. When doing show failover it reported that the failover was
"Other host: Secondary - Failed". After troubleshooting with
TAC it came down to the fact that we have a wireless device plugged
straight into the primary firewall and not also attached to the failover
firewall. When I shut down the interface on the primary pix to the
wireless device the failover state changed to "Other host: Secondary -
Standby Ready" and everything worked correctly. The interface to the
wireless device was never configured for failover and on the 6.3(4) code
we never had a problem with failover working correctly. Ok, the
rebooting started again and then settled down. TAC is in a wait and see
mode with this case. Anyone else have this issue? BTW I have a UR
lic on the main pix and a FO lic on the failover pix.
Joseph Jackson
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nevot
> Sent: Saturday, February 18, 2006 12:24 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] pix upgrade to 7.x from 6.34
>
> we have recently upgraded to 128Mb RAM and we are using
> pre-shared key in our scenario.
> Only a VPN established with a VPN3k of cisco seemed to work
> ok. Other parties with netscreen, and linux-racoon-ipsectools
> suffered same problems.
> Connections were dropped with a message like 'Teardown tcp
> ... Tunnel has been torn down'.
>
> We'll mount a PIX and some clients to test it accurately.
>
>
> 2006/2/18, Brant I. Stevens <branto at branto.com>:
> >
> > Ditto the sentiments on the usability of the 7.x code. One caveat on
> > the 515E family is to be wary of memory consumption, especially if you
> > only have 64MB of RAM.
> >
> > Another issue to be aware of is an issue with reaching some websites.
> > (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml,
> > or, http://alnk.org/smartgig)
> >
> > You might end up pulling your hair out trying to figure it out.
> >
> > For me, the pseudo-hitless IPSec VPN failover is most welcomed.
> >
> >
> > On 2/18/06 12:27 PM, "Jim McBurnett" <jim at tgasolutions.com> wrote:
> >
> > > I have 7.x running in several sites, and have not seen the VPN problems.
> > > With the exception of the pre-shared key note below and the split
> > > tunnel standard access list bugs, I have had pretty good success.
> > >
> > > I think 7.11 fixed both of these issues..
> > >
> > >
> > > Jim
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joseph
> > > Jackson
> > > Sent: Saturday, February 18, 2006 3:26 AM
> > > To: Adam Maloney; cisco-nsp at puck.nether.net
> > > Subject: RE: [c-nsp] pix upgrade to 7.x from 6.34
> > >
> > > Well I did the upgrade an hour ago and everything seemed to go ok.
> > > One thing I did notice was that for our remote vpn users I had to
> > > add back in the dns server info. Also have to redo the pre-shared
> > > key for the site to sites stuff but other than that it went really well.
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Maloney
> > > Sent: Friday, February 17, 2006 6:01 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] pix upgrade to 7.x from 6.34
> > >
> > > That was remote users. I have 76 l2l sessions with quite a few up
> > > for multiple days:
> > >
> > > Duration : 10d 4h:10m:17s
> > > Duration : 9d 3h:52m:48s
> > > Duration : 9d 3h:52m:48s
> > > Duration : 9d 3h:52m:48s
> > > Duration : 8d 3h:50m:55s
> > > Duration : 8d 0h:12m:55s
> > > Duration : 7d 21h:22m:00s
> > > Duration : 9d 3h:52m:29s
> > > Duration : 9d 3h:52m:27s
> > > Duration : 9d 3h:52m:11s
> > > Duration : 9d 3h:51m:52s
> > > Duration : 10d 3h:01m:41s
> > > Duration : 8d 17h:48m:13s
> > > Duration : 10d 3h:01m:41s
> > > Duration : 7d 9h:50m:39s
> > > Duration : 9d 3h:51m:32s
> > > Duration : 7d 5h:40m:28s
> > > Duration : 7d 20h:22m:07s
> > > Duration : 9d 3h:51m:04s
> > > Duration : 9d 3h:51m:04s
> > > Duration : 9d 3h:51m:04s
> > > Duration : 9d 3h:51m:04s
> > > Duration : 9d 3h:48m:44s
> > > Duration : 9d 3h:47m:36s
> > > Duration : 8d 12h:02m:56s
> > > Duration : 9d 3h:13m:43s
> > > Duration : 9d 3h:13m:31s
> > >
> > >
> > > On Fri, 17 Feb 2006, nevot wrote:
> > >
> > >> Remote users or remote lans?
> > >> I am talking about lan2lan vpns
> > >>
> > >>
> > >> 2006/2/17, Adam Maloney <adam at whee.org>:
> > >>>
> > >>> On Thu, 16 Feb 2006, nevot wrote:
> > >>>
> > >>>> In the other way, I just recently (half an hour ago) downgraded a pair of
> > >>>> PIX515E because our VPNs were systematically dropped every hour, making the
> > >>>> vpns unusable. Though I will wait our provider's response, I think version 7
> > >>>> is not still ready for use, at least not in a IPSEC VPN scenario.
> > >>>
> > >>> I ran 7.0(2) for the last few months, then upgraded to 7.0(4) because of a
> > >>> AAA session-limit bug. But other than that, no problems with remote users
> > >>> staying connected:
> > >>>
> > >>> Duration : 2d 0h:59m:30s
> > >>> Duration : 3d 1h:23m:09s
> > >>> Duration : 1d 0h:28m:07s
> > >>> Duration : 7d 23h:52m:18s
> > >>> Duration : 3d 18h:52m:35s
> > >>> Duration : 1d 0h:01m:23s
> > >>> Duration : 1d 23h:08m:59s
> > >>> Duration : 10d 18h:59m:38s
> > >>> Duration : 8d 21h:25m:26s
> > >>> Duration : 1d 20h:52m:17s
> > >>>
> > >>> (Some of the day+ connections)
> > >>>
> > >>> I've been on 7.0(4) for:
> > >>> up 12 days 17 hours
> >