[c-nsp] pix upgrade to 7.x from 6.34 *Possible Bug*
Joseph Jackson
JJackson at aninetworks.com
Tue Feb 21 20:19:48 EST 2006
All,
My TAC case has been attached to BUG ID CSCsd28581. Just
wanted to let the list know.
> -----Original Message-----
> From: Joseph Jackson
> Sent: Monday, February 20, 2006 9:11 AM
> To: 'nevot'; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] pix upgrade to 7.x from 6.34 *Possible Bug*
>
> All,
>
> Last Friday we did the upgrade from 6.3(4) to 7.1(1).
> Went pretty smooth, everything looked good and we went home
> for the weekend. Sunday night around 10pm I got an alert
> that our failover pix was rebooting. I power cycled the
> failover and it came back up and stayed back up. When doing
> show failover it reported that the failover was "Other host:
> Secondary - Failed". After troubleshooting with
> TAC it came down to the fact that we have a wireless device
> plugged straight into the primary firewall and not also
> attached to the failover firewall. When I shut down the
> interface on the primary pix to the wireless device the
> failover state changed to "Other host: Secondary - Standby
> Ready" and everything worked correctly. The interface to the
> wireless device was never configured for failover and on the
> 6.3(4) code we never had a problem with failover working
> correctly. Ok the rebooting started again and then settled
> down. TAC is in a wait and see mode with this case.
> Anyone else have this issue? BTW I have a UR lic on the main
> pix and a FO lic on the failover pix.
>
>
>
> Joseph Jackson
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nevot
> > Sent: Saturday, February 18, 2006 12:24 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] pix upgrade to 7.x from 6.34
> >
> > we have recently upgraded to 128Mb RAM and we are using
> > pre-shared key in our scenario.
> > Only a VPN established with a VPN3k of cisco seemed to work
> > ok. Other parties with netscreen, and linux-racoon-ipsectools
> > suffered same problems.
> > Connections were dropped with a message like 'Teardown tcp
> > ... Tunnel has been torn down'.
> >
> > We'll mount a PIX and some clients to test it accurately.
> >
> >
> > 2006/2/18, Brant I. Stevens <branto at branto.com>:
> > >
> > > > Ditto the sentiments on the usability of the 7.x code. One caveat on
> > > > the 515E family is to be wary of memory consumption, especially if you
> > > > only have 64MB of RAM.
> > > >
> > > > Another issue to be aware of is an issue with reaching some websites.
> > > > (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml,
> > > > or, http://alnk.org/smartgig)
> > >
> > > You might end up pulling your hair out trying to figure it out.
> > >
> > > For me, the pseudo-hitless IPSec VPN failover is most welcomed.
> > >
> > >
> > > On 2/18/06 12:27 PM, "Jim McBurnett" <jim at tgasolutions.com> wrote:
> > >
> > > > > I have 7.x running in several sites, and have not seen the VPN problems.
> > > > > With the exception of the pre-shared key note below and the split
> > > > > tunnel standard access list bugs, I have had pretty good success.
> > > >
> > > > I think 7.11 fixed both of these issues..
> > > >
> > > >
> > > > Jim
> > > >
> > > > -----Original Message-----
> > > > From: cisco-nsp-bounces at puck.nether.net
> > > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joseph
> > > > Jackson
> > > > Sent: Saturday, February 18, 2006 3:26 AM
> > > > To: Adam Maloney; cisco-nsp at puck.nether.net
> > > > Subject: RE: [c-nsp] pix upgrade to 7.x from 6.34
> > > >
> > > > > Well I did the upgrade an hour ago and everything seemed to go ok.
> > > > > One thing I did notice was that for our remote vpn users I had to
> > > > > add back in the dns server info. Also have to redo the pre-shared
> > > > > key for the site to sites stuff but other than that it went really well.
> > > >
> > > > -----Original Message-----
> > > > From: cisco-nsp-bounces at puck.nether.net
> > > > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Adam Maloney
> > > > Sent: Friday, February 17, 2006 6:01 AM
> > > > To: cisco-nsp at puck.nether.net
> > > > Subject: Re: [c-nsp] pix upgrade to 7.x from 6.34
> > > >
> > > > > That was remote users. I have 76 l2l sessions with quite a few up
> > > > > for multiple days:
> > > >
> > > > Duration : 10d 4h:10m:17s
> > > > Duration : 9d 3h:52m:48s
> > > > Duration : 9d 3h:52m:48s
> > > > Duration : 9d 3h:52m:48s
> > > > Duration : 8d 3h:50m:55s
> > > > Duration : 8d 0h:12m:55s
> > > > Duration : 7d 21h:22m:00s
> > > > Duration : 9d 3h:52m:29s
> > > > Duration : 9d 3h:52m:27s
> > > > Duration : 9d 3h:52m:11s
> > > > Duration : 9d 3h:51m:52s
> > > > Duration : 10d 3h:01m:41s
> > > > Duration : 8d 17h:48m:13s
> > > > Duration : 10d 3h:01m:41s
> > > > Duration : 7d 9h:50m:39s
> > > > Duration : 9d 3h:51m:32s
> > > > Duration : 7d 5h:40m:28s
> > > > Duration : 7d 20h:22m:07s
> > > > Duration : 9d 3h:51m:04s
> > > > Duration : 9d 3h:51m:04s
> > > > Duration : 9d 3h:51m:04s
> > > > Duration : 9d 3h:51m:04s
> > > > Duration : 9d 3h:48m:44s
> > > > Duration : 9d 3h:47m:36s
> > > > Duration : 8d 12h:02m:56s
> > > > Duration : 9d 3h:13m:43s
> > > > Duration : 9d 3h:13m:31s
> > > >
> > > >
> > > > On Fri, 17 Feb 2006, nevot wrote:
> > > >
> > > >> Remote users or remote lans?
> > > >> I am talking about lan2lan vpns
> > > >>
> > > >>
> > > >> 2006/2/17, Adam Maloney <adam at whee.org>:
> > > >>>
> > > >>> On Thu, 16 Feb 2006, nevot wrote:
> > > >>>
> > > > > >>>> In the other way, I just recently (half an hour ago) downgraded a pair of
> > > > > >>>> PIX515E because our VPNs were systematically dropped every hour, making the
> > > > > >>>> vpns unusable. Though I will wait our provider's response, I think version 7
> > > > > >>>> is not still ready for use, at least not in a IPSEC VPN scenario.
> > > >>>
> > > > > >>> I ran 7.0(2) for the last few months, then upgraded to 7.0(4)
> > > > > >>> because of a AAA session-limit bug. But other than that, no problems with
> > > > > >>> remote users staying connected:
> > > >>>
> > > >>> Duration : 2d 0h:59m:30s
> > > >>> Duration : 3d 1h:23m:09s
> > > >>> Duration : 1d 0h:28m:07s
> > > >>> Duration : 7d 23h:52m:18s
> > > >>> Duration : 3d 18h:52m:35s
> > > >>> Duration : 1d 0h:01m:23s
> > > >>> Duration : 1d 23h:08m:59s
> > > >>> Duration : 10d 18h:59m:38s
> > > >>> Duration : 8d 21h:25m:26s
> > > >>> Duration : 1d 20h:52m:17s
> > > >>>
> > > >>> (Some of the day+ connections)
> > > >>>
> > > >>> I've been on 7.0(4) for:
> > > >>> up 12 days 17 hours
> > >