bj2001holt
Apr 6, 2003

delslo posted:

I am in the process of upgrading my home/home office network and I have a thing for good equipment and slight 'overkill.' I was looking at the Pix 501 since I've deployed a few of them. While looking I came across the ASA 5505 and it appears to have a lot of kick rear end features/specs. Also looking in that price range at other entry level "small office" firewalls and none seem to compare (I won't touch the low end watchguards, also not a fan of sonicwall). That said, Has anyone had much experience with the ASA 5505 (or I guess the 5510)? Does it perform well for what it is? Any issues/problems with it?

Thanks!

I have extensive experience with the ASA series of firewalls and the 5505 is great for small offices or home offices which require VPN concentration. My only complaint on the 5505 vs the 5510 are the licensing restrictions (only 3 vlans, 1 of those can only be used to make an interface management only). The 5505 is also great if you plan on having PoE phone devices, the one problem is that the 5505 will NOT terminate a site-to-site VPN unless you are using another ASA. 5510 is also a good choice but more suitable for a medium size office or if you require hardware IPS.

delslo
Sep 20, 2003

^^ Thanks. None of those restrictions are important to me, so I should be OK. Also, pardon my n00bness, but the 10 user licenses refer to concurrent VPN connections, not devices/users accessing the internets at the same time? If that is how it works, how well does it handle the licenses? The only other concern is how stable the intel/OS X cisco VPN client is these days.

ragzilla
Sep 9, 2005
don't ask me, i only work here


bj2001holt posted:

My only complaint on the 5505 vs the 5510 are the licensing restrictions (only 3 vlans, 1 of those can only be used to make an interface management only).

If you do trunking out of the 5505, you're supposed to be able to do up to 20 VLANs.

-edit-
ugh, I see what you mean about the licensing, without security plus it kind of sucks.
-/edit-

ragzilla fucked around with this message at 05:48 on Jul 31, 2007

XakEp
Dec 20, 2002
Amor est vitae essentia

inignot posted:

Yeah, I'm going to go put in failure number 2. Given that I haven't even begun to study multicast & QoS I know I'm going to fail. At the very least I get to see another copy of the exam & sanity check my progress on IGP & EGP routing.

So how did it go?

delslo
Sep 20, 2003

update: while troubleshooting a Watchguard Edge device for a client today, I became so annoyed with it and the idea that ANYONE, much less a MANAGER* at my company would recommend such a pile of poo poo to one of our clients... that I placed my order for the ASA 5505 as soon as I got off the phone.

Seriously, you shouldn't have to tell a client that: "when someone in your office can't get to the internet, please power cycle your brand new firewall" (that some rear end in a top hat didn't spec right for you guys) to allow that person to get on (while kicking someone else off)

delslo fucked around with this message at 01:51 on Aug 1, 2007

Herv
Mar 24, 2005

Soiled Meat

delslo posted:

update: while troubleshooting a Watchguard Edge device for a client today, I became so annoyed with it and the idea that ANYONE, much less a MANAGER* at my company would recommend such a pile of poo poo to one of our clients... that I placed my order for the ASA 5505 as soon as I got off the phone.

Seriously, you shouldn't have to tell a client that: "when someone in your office can't get to the internet, please power cycle your brand new firewall" (that some rear end in a top hat didn't spec right for you guys) to allow that person to get on (while kicking someone else off)

What, is it doing a nat pool with no pat overload?

jwh
Jun 12, 2002

I have yet to encounter a firewall that didn't make me at least partially irate. I don't like my PIX 501, and I didn't like the ASA's, although they're markedly better to work with. I'm not too crazy about NetScreen's either.

We're a big CheckPoint shop, and I don't even like them very much come to think of it.

Herv
Mar 24, 2005

Soiled Meat
The thing that pissed me off about Checkpoint was that so much hung off of pushing the policy and being the hero. This was version 4.x though. The NG seemed to be a bit better, and less wacky to bring up trust points (fw putkey, fw putlic, wow).

Once you wanted to get a little deeper past the GUI, the config files were a little cumbersome. They seemed made to be edited with a GUI only.

Having said that, I love CP because it runs (ran) on anything, the logging/filtering is the bees knees. Well it was last time I checked.

501 was a real let down. I am still pissed I didn't keep my PIX 'Classic'. Cool looking piece, even if it was a pc with 3 intel nics and booted off an ISA Flash card.

jwh
Jun 12, 2002

Checkpoint has a few good things going for it, and a truckload of bad things going for it. The logging is nice, although it doesn't scale well: lots of enforcement modules logging thousands upon thousands of entries per day with nightly rotation can make scouring through logs late in the evening a real chore. You can rotate out faster, but that means having to pull up hourly chunks of data at a time.

There's also the issue of the object database, which is a tremendous source of entropy.

My biggest problem with Checkpoint is that it's sugar-coated to appear easy to use, but the underlying mechanisms are obscure, unnecessarily complicated, and potentially disastrous. Anybody could add a few rules to a Checkpoint policy, but if the enforcement module croaks on you, or the policy corrupts, you are in a nightmare world of suffering.

There's also the issue of Checkpoint not naming anything sensibly. SmartView Dashboard is the policy tool, for instance. Recently Checkpoint decided to screw around with their code train names, leading to nonsense like "RG62 NGX," whatever the christ that is.

Oh well, at least the Nokia IP series boxes are pretty painless, even if the routing engines leave something to be desired.

I want to like the PIX, but it just never feels right. It seems like the 7.x code is trying to make things more like IOS, which is a good thing, but it's still just different enough to irritate the living hell out of me.

inignot
Sep 1, 2003

WWBCD?

XakEp posted:

So how did it go?

It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or qos knowledge.

The more I study for this test the more I'm convinced it's just a stupid router tricks test. It's odd to see full reachability via TCL scripted pings of the environment from all devices, yet the score report indicates it was all so utterly wrong. When you are directed to route a network up your rear end on odd numbered Tuesdays I guess you're supposed to sit on it instead of using your hands to insert it.

There was actually a substantial difference between the second test and the first. I improved in IPv6; BGP did not go so well.

I think I'm going to put some effort into trying out dynamips. Netmaster Class & Internetwork Expert are producing labs for dynamips. This renting rack time once a week stuff is getting old, and it's clearly not enough.

bj2001holt
Apr 6, 2003

delslo posted:

^^ Thanks. None of those restrictions are important to me, so I should be OK. Also, pardon my n00bness, but the 10 user licenses refer to concurrent VPN connections, not devices/users accessing the internets at the same time? If that is how it works, how well does it handle the licenses? The only other concern is how stable the intel/OS X cisco VPN client is these days.

Correct, that refers to concurrent connection restrictions over VPN. The only restriction you would encounter from a devices/users perspective would be the bandwidth restrictions (150Mb/s if I remember correctly on the 5505). The Cisco VPN client on a Microsoft OS is the most stable VPN I have ever used, connections will last for days without any problems and I have never encountered any problems with the client crashing or any weird issues. I have never used the OSX client so unfortunately I cannot speak of that. With ASA 8.0 they are going to be pushing out a new type of VPN client, I haven't played with it yet but it could be interesting.

XakEp
Dec 20, 2002
Amor est vitae essentia

inignot posted:

It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or qos knowledge.

The more I study for this test the more I'm convinced it's just a stupid router tricks test. It's odd to see full reachability via TCL scripted pings of the environment from all devices, yet the score report indicates it was all so utterly wrong. When you are directed to route a network up your rear end on odd numbered Tuesdays I guess you're supposed to sit on it instead of using your hands to insert it.

There was actually a substantial difference between the second test and the first. I improved in IPv6; BGP did not go so well.

I think I'm going to put some effort into trying out dynamips. Netmaster Class & Internetwork Expert are producing labs for dynamips. This renting rack time once a week stuff is getting old, and it's clearly not enough.

Sorry to hear that. I've been toying with the idea of getting my CCIE, but I know it's years away.

Edit - Ok cisco gurus, I have a question for you. Yesterday here at work, we had a sudden outage in our core network. One of the core switches was experiencing "extensive memory errors and high cpu usage". He failed over to the backup switch and the problem went away. He's claiming that we had a network loop because STP is disabled because of incompatibility between vendor equipment.

1) How do you disable STP and why the hell would you do that? Wouldn't disabling it reduce your switch to a hub? What does a cisco switch use instead of STP if STP isn't in use?

2) Does this sound like bullshit to anyone else? I'm responsible for signing off on this report, and it's not making a whole lot of sense.

3) We've apparently had STP disabled for a long time now, why would we only just NOW suddenly develop a network loop that would take down our network?

4) How is it possible that only one switch would be affected by a network loop?

XakEp fucked around with this message at 15:10 on Aug 1, 2007

Herv
Mar 24, 2005

Soiled Meat

inignot posted:

It ended much like the ever replayed ski jump by Vinko Bogataj. I was only able to attempt 73 points given my lack of multicast or qos knowledge.

Congratulations on getting further sir. I have to start all over again and shake the rust off my skill set in that area.

I remember failing my first certification test. I was really let down, but then a friend told me 'The guy that gets up last, wins'. I got the wind back and passed it on the next try.

Of course that was a dos 6.2 / win 3.1 exam. I am sure the average failing rate for any ccie is a bit higher!

Looking forward to your 'I did it' post.

Fleshpeg
Oct 23, 2001
Stop harassing me!

XakEp posted:

STP stuff

Without seeing what the actual errors were, "Extensive memory errors" is most likely bad hardware.

1. STP is just a protocol that lets a bunch of switches/bridges that are connected together turn off redundant paths so that a frame can't end up circling around in an endless loop. It takes about 30 seconds or so for that to happen when you turn a port on, so if you don't have any loops in your L2 network, you can disable STP to avoid the wait. Turning it off doesn't turn a switch into a hub. You just get a nasty surprise if you create a loop. There's not another protocol that replaces it, just other flavors of STP.

2/3. If you've had your network running for a long time, I'd be pretty surprised to suddenly get an STP loop out of the blue.

4. Um... if you looped two ports on the same switch together you could do it. But seriously, different switches might have different symptoms (high CPU/no symptoms other than loss of traffic) depending on what type of frame is looping. In any case, the explanation you got doesn't sound right.

XakEp
Dec 20, 2002
Amor est vitae essentia

Fleshpeg posted:

Without seeing what the actual errors were, "Extensive memory errors" is most likely bad hardware.

1. STP is just a protocol that lets a bunch of switches/bridges that are connected together turn off redundant paths so that a frame can't end up circling around in an endless loop. It takes about 30 seconds or so for that to happen when you turn a port on, so if you don't have any loops in your L2 network, you can disable STP to avoid the wait. Turning it off doesn't turn a switch into a hub. You just get a nasty surprise if you create a loop. There's not another protocol that replaces it, just other flavors of STP.

http://www.dell.com/downloads/global/products/pwcnt/en/app_note_1.pdf

quote:

Without STP, all switches “flood” any frames they receive with an unknown destination media access control (MAC) address. The switches will forward the frame to all interfaces, introducing duplicate frames and leading to a “loop” in which all switches continually forward all frames. This is not only inefficient but also extremely taxing on network resources. Besides violating IEEE protocols, duplicate frames can create “broadcast storms” that pose a threat to network and application stability

Having never disabled STP on a switch, I have no idea what would happen, but looking through cisco's site I can't really get a clear idea of what would happen.

quote:

2/3. If you've had your network running for a long time, I'd be pretty surprised to suddenly get an STP loop out of the blue.

Agreed, this doesn't make any sense at all.

quote:

4. Um... if you looped two ports on the same switch together you could do it. But seriously, different switches might have different symptoms (high CPU/no symptoms other than loss of traffic) depending on what type of frame is looping. In any case, the explanation you got doesn't sound right.

No one was in the data center at the time of the outage, so I dunno how that could have happened.

Fleshpeg
Oct 23, 2001
Stop harassing me!

XakEp posted:

Having never disabled STP on a switch, I have no idea what would happen, but looking through cisco's site I can't really get a clear idea of what would happen.

Imagine you have two switches (A and B) connected to each other with a single link and two PCs (1 and 2) connected to switch A. PC #1 ARPs or somehow sends an L2 broadcast. It goes to switch A, which needs to send it to all its ports. It gets sent to both switch B and to PC #2. Switch B gets the frame and sends it to all its other ports. If you have spanning tree turned on in this scenario and plugged in a new PC or attached another switch, you'd have to wait for STP to converge (about 30 seconds or so) before traffic would be allowed to go through it. But since you don't have any loops, you can turn it off and can send traffic as soon as something is plugged in.

Now let's take the same example and add a redundant connection between switch A and B. There's now a loop in your network. PC #1 ARPs again and switch A gets it. He now has 3 links to send it out, one to PC #2, and 2 that go to switch B. Switch B gets one of the frames and sees that he has a link to switch A that he needs to forward the broadcast to. The frame now goes back to switch A. Switch A gets it and sees that he's got links to broadcast it to, etc... You've now got traffic circling around forever.

If you have STP turned on, A and B would talk to each other and one of them would end up blocking traffic from going in or out one of the ports. Let's say switch A blocks one of the ports going to switch B. When switch A gets the first packet, he sends it to switch B on the unblocked port. Switch B gets it, but he still has two forwarding connections to switch A. He sends it back to switch A on the 2nd port, but since A has blocked the port, it won't receive it, breaking the loop.

I hope that kind of makes sense. It's hard to visualize without a diagram. Basically, if you connect a whole bunch of switches together and turn on STP, it figures out the minimum spanning tree that gives you one and only one path to every other switch. If you ever disconnect something or add another connection, it dynamically changes the tree for the new network.

XakEp
Dec 20, 2002
Amor est vitae essentia

Fleshpeg posted:

Imagine you have two switches (A and B) connected to each other with a single link and two PCs (1 and 2) connected to switch A. PC #1 ARPs or somehow sends an L2 broadcast. It goes to switch A, which needs to send it to all its ports. It gets sent to both switch B and to PC #2. Switch B gets the frame and sends it to all its other ports. If you have spanning tree turned on in this scenario and plugged in a new PC or attached another switch, you'd have to wait for STP to converge (about 30 seconds or so) before traffic would be allowed to go through it. But since you don't have any loops, you can turn it off and can send traffic as soon as something is plugged in.

Now let's take the same example and add a redundant connection between switch A and B. There's now a loop in your network. PC #1 ARPs again and switch A gets it. He now has 3 links to send it out, one to PC #2, and 2 that go to switch B. Switch B gets one of the frames and sees that he has a link to switch A that he needs to forward the broadcast to. The frame now goes back to switch A. Switch A gets it and sees that he's got links to broadcast it to, etc... You've now got traffic circling around forever.

If you have STP turned on, A and B would talk to each other and one of them would end up blocking traffic from going in or out one of the ports. Let's say switch A blocks one of the ports going to switch B. When switch A gets the first packet, he sends it to switch B on the unblocked port. Switch B gets it, but he still has two forwarding connections to switch A. He sends it back to switch A on the 2nd port, but since A has blocked the port, it won't receive it, breaking the loop.

I hope that kind of makes sense. It's hard to visualize without a diagram. Basically, if you connect a whole bunch of switches together and turn on STP, it figures out the minimum spanning tree that gives you one and only one path to every other switch. If you ever disconnect something or add another connection, it dynamically changes the tree for the new network.

Then the question is, with STP disabled does the switch still learn MAC addys at all or does it function like a hub and just forward packets out every port?

Learning MAC addys is core to STP. With STP off, what does the switch do in absence of this?

ior
Nov 21, 2003

What's a fuckass?

XakEp posted:

Learning Mac addys is core to STP.
Not really.

XakEp posted:

With STP off, what does the switch do in absence of this?
STP does not affect the way a switch learns mac-addresses.
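The two-switch walkthrough Fleshpeg gives above (PC1 and PC2 on switch A, one link to switch B, then a second redundant link), together with ior's point that MAC learning does not depend on STP, as an added example that is not part of the original thread: a small Python simulator of transparent-bridge forwarding. The port names, MAC addresses and the `blocked` set are constructed for the example; the STP model is only the end result Fleshpeg describes (one port on A held in blocking state, so frames arriving on it are dropped), with no BPDU exchange modelled. With a loop and nothing blocked the broadcast circulates until the hop cap, and the same source MAC is relearned on a different port at almost every hop, which is the "MAC flapping" symptom a defender would look for in switch logs; with the port blocked, or with no loop, the broadcast settles after two hops and the unicast reply goes straight to PC1 from the learned table.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
PC1 = "00:00:00:00:00:01"   # constructed MAC for PC #1
PC2 = "00:00:00:00:00:02"   # constructed MAC for PC #2


class Switch:
    """A transparent bridge: learns source MACs, floods unknown/broadcast."""

    def __init__(self, name):
        self.name = name
        self.ports = {}        # port -> ("host", mac) | ("switch", name, port)
        self.mac_table = {}    # learned source MAC -> port it was last seen on
        self.blocked = set()   # ports held in STP blocking state (assumed model)
        self.mac_moves = 0     # a known MAC relearned on a different port


class Network:
    def __init__(self):
        self.switches = {}

    def add_switch(self, name):
        self.switches[name] = Switch(name)

    def attach_host(self, sw, port, mac):
        self.switches[sw].ports[port] = ("host", mac)

    def link(self, sw1, p1, sw2, p2):
        self.switches[sw1].ports[p1] = ("switch", sw2, p2)
        self.switches[sw2].ports[p2] = ("switch", sw1, p1)

    def send(self, sw, port, src, dst, max_hops=200):
        """Inject one frame at switch `sw`, ingress `port`, and run the
        network until it is quiet or `max_hops` switch forwardings elapse."""
        queue = deque([(sw, port, src, dst)])
        hops, delivered = 0, []
        while queue and hops < max_hops:
            name, in_port, s, d = queue.popleft()
            switch = self.switches[name]
            if in_port in switch.blocked:
                continue              # blocking port: frame dropped, not learned
            hops += 1
            # Source learning happens on every forwarding port, STP or not.
            prev = switch.mac_table.get(s)
            if prev is not None and prev != in_port:
                switch.mac_moves += 1
            switch.mac_table[s] = in_port
            # Known unicast goes out one port; unknown/broadcast is flooded.
            if d != BROADCAST and d in switch.mac_table:
                out_ports = [switch.mac_table[d]]
            else:
                out_ports = list(switch.ports)
            for p in out_ports:
                if p == in_port or p in switch.blocked:
                    continue
                endpoint = switch.ports[p]
                if endpoint[0] == "host":
                    delivered.append(endpoint[1])
                else:
                    queue.append((endpoint[1], endpoint[2], s, d))
        return {
            "looping": bool(queue),   # frames still in flight when the cap hit
            "switch_hops": hops,
            "delivered": delivered,
            "mac_moves": sum(x.mac_moves for x in self.switches.values()),
        }


def build(redundant_link, block_a_port4=False):
    """Fleshpeg's topology: PC1 and PC2 on switch A, A linked to B."""
    net = Network()
    net.add_switch("A")
    net.add_switch("B")
    net.attach_host("A", "Fa0/1", PC1)
    net.attach_host("A", "Fa0/2", PC2)
    net.link("A", "Fa0/3", "B", "Fa0/3")
    if redundant_link:                       # the second A-B link is the loop
        net.link("A", "Fa0/4", "B", "Fa0/4")
    if block_a_port4:                        # what STP would do on switch A
        net.switches["A"].blocked.add("Fa0/4")
    return net


def broadcast_then_reply(redundant_link, block_a_port4=False):
    """PC1 broadcasts (think ARP request); then PC2 answers PC1 by unicast."""
    net = build(redundant_link, block_a_port4)
    bcast = net.send("A", "Fa0/1", PC1, BROADCAST)
    reply = net.send("A", "Fa0/2", PC2, PC1)
    return bcast, reply


if __name__ == "__main__":
    for label, args in [("single link, no STP", (False,)),
                        ("redundant link, no STP", (True,)),
                        ("redundant link, A blocks Fa0/4", (True, True))]:
        b, r = broadcast_then_reply(*args)
        print(f"{label}: broadcast looping={b['looping']} hops={b['switch_hops']} "
              f"mac_moves={b['mac_moves']}; reply hops={r['switch_hops']} "
              f"delivered_to={r['delivered']}")
```

Running the block prints the three scenarios. Note that in the looped run the unicast reply is also misdirected, because by the time PC2 answers, switch A's table points PC1 at one of the A-B links rather than Fa0/1: the MAC table is still being learned with STP off, it is just being poisoned by the loop.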

XakEp
Dec 20, 2002
Amor est vitae essentia

ior posted:

Not really.

STP does not affect the way a switch learns mac-addresses.

Now I feel dumb. Time to go read up.

conntrack
Aug 8, 2003

by angerbeet
For future reference, I did some simple testing on a 2621 and found that it maxes out at about 50mbit. Three NATed streams result in 100% cpu usage.

So unless you are a swede a 2621 should work nicely for home use.

Found a free newish 806 but those things only have 10mbit ports :(

Edit: To comment on ior's post further down. The traffic is three FTP threads from two localish servers. Packetsize should hover around 1500 unless something retarded is going on.

conntrack fucked around with this message at 18:25 on Aug 1, 2007

TheCaptain
Dec 5, 2005

It's time to get a little Captain in you!
Is there a way to alter the access list of a PIX 515e on a live network without it being automatically removed from the interface? I have an entry that needs to go at the very top. :argh: Should I just write it up in notepad and execute it quick to minimize downtime? I'm worried about making a typo or something and then I have a half finished ACL with erroneous entries that I have to clean up.

So, editing a firewall ACL without downtime. Impossible?

ior
Nov 21, 2003

What's a fuckass?

conntrack posted:

For future reference, I did some simple testing on a 2621 and found that it maxes out at about 50mbit. Three NATed streams result in 100% cpu usage.

So unless you are a swede a 2621 should work nicely for home use.

Keep in mind that packet sizes and number of flows matter. My 871 is rated for the same amount of PPS as a 2621. When maxing out my connection (10Mbit) with torrent traffic it hovers at about 50% cpu. In theory mine would therefore max out at about 20Mbits simplex with my traffic patterns.

But yes, a 2621 is a great home / learning router.

dwarftosser
Sep 3, 2002

PLEASE LET ME SUCK YOUR COCK, BRETT!

XakEp posted:

1) How do you disable STP and why the hell would you do that? Wouldn't disabling it reduce your switch to a hub? What does a cisco switch use instead of STP if STP isn't in use?

It's been a long time since I've disabled STP, but if I remember right you just add a "no span" command under the vlan interface. The only reason I've ever had to do it was due to problems with network timeout incompatibilities with certain versions of Novell's client32 and 3c90x NICs. It's been a LONG time since I've seen a similar problem to that (about 8-9 years ago).

quote:

Does this sound like bullshit to anyone else? I'm responsible for signing off on this report, and it's not making a whole lot of sense.

It sounds reasonable to me, as long as he identified the source of the loop. A loop can take down a network pretty quick.

quote:

3) We've apparently had STP disabled for a long time now, why would we only just NOW suddenly develop a network loop that would take down our network?

Well, something would have had to change to cause a loop. Like connecting an extra switch or WAP that looped back to your network.

quote:

4) How is it possible that only one switch would be affected by a network loop?

If STP is disabled everywhere it would be odd that only one device was affected. Maybe you have one vlan that is only on that switch and it isolated the flood? Hard to say.

inignot
Sep 1, 2003

WWBCD?

TheCaptain posted:

Is there a way to alter the access list of a PIX 515e on a live network without it being automatically removed from the interface? I have an entry that needs to go at the very top. :argh: Should I just write it up in notepad and execute it quick to minimize downtime? I'm worried about making a typo or something and then I have a half finished ACL with erroneous entries that I have to clean up.

So, editing a firewall ACL without downtime. Impossible?

I am crap at PIX, but I've had to write up a bunch of rule changes for our firewall gents to implement. I believe there is a feature for line numbers in PIX acls. Pull your existing ACL out & put it back in using gapped line numbers (line 10, line 20, etc) for future expansion.

Mr. Fossey
Mar 31, 2003

Fresh bananas for the whole crew!
I am looking to overhaul our firewall/VPN situation (as in we don't have one other than a W2K3 box serving pptp connections). It is one main office going through a cisco 1720 with a dozen servers and 100 users. Also we have 6 remote offices that we would like to have site to site vpn access that have no more than 20 users. We will also need mobile VPN for ~25 users via radius or AD LDAP auth. I am leaning towards the ASA5510 w/ ASA5505s at the remote site.

I have no ASA experience, but I'm not terribly worried for myself; I am concerned that if I keeled over there is nobody else here who does networking. Is the GUI for the ASAs good enough that a general computer person could operate them, or would watchguard, checkpoint, sonicwall, etc. have a better solution?

The other thing I would like to do is put in vlans due to the CFD cluster we are going to be building shortly. While having a semi-decent gui takes precedence it would be nice.

bj2001holt
Apr 6, 2003

Mr. Fossey posted:

I am looking to overhaul our firewall/VPN situation (as in we don't have one other than a W2K3 box serving pptp connections). It is one main office going through a cisco 1720 with a dozen servers and 100 users. Also we have 6 remote offices that we would like to have site to site vpn access that have no more than 20 users. We will also need mobile VPN for ~25 users via radius or AD LDAP auth. I am leaning towards the ASA5510 w/ ASA5505s at the remote site.

I have no ASA experience, but I'm not terribly worried for myself; I am concerned that if I keeled over there is nobody else here who does networking. Is the GUI for the ASAs good enough that a general computer person could operate them, or would watchguard, checkpoint, sonicwall, etc. have a better solution?

The other thing I would like to do is put in vlans due to the CFD cluster we are going to be building shortly. While having a semi-decent gui takes precedence it would be nice.

My suggestion, but this can be done in multiple ways.
5510 at the main branch
2821 or 2851 at main branch for site-to-site termination
871s at each remote branch

You can run 5505s at the remote branches but you will need a much beefier ASA at the main branch if you are going to be terminating that many connections to one device. Cost will be higher but security will be tighter. Also, if I remember correctly you cannot run multiple VLANs over a site-to-site VPN with the 5505, which is why I recommend using the 871s or even 2811s, especially if you ever plan on running voice at the remote sites.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Already have an open TAC case but in case anyone here's seen it before:

Turning up a new 7609 w/ RSP720s. We can get both RSPs up in SSO mode, but as soon as we turn on dcef-only fabric switching mode, the redundant RSP is no longer able to boot, it gets all the way up into the RP code, then abruptly drops to ROMMON and we get the following message on the active sup:
code:
*Aug  2 02:05:19.115: %PFREDUN-SP-6-ACTIVE: Standby processor removed or reloaded, changing to Simplex mode
*Aug  2 02:05:19.115: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (Module reset)

Tremblay
Oct 8, 2002
More dog whistles than a Petco

TheCaptain posted:

Is there a way to alter the access list of a PIX 515e on a live network without it being automatically removed from the interface? I have an entry that needs to go at the very top. :argh: Should I just write it up in notepad and execute it quick to minimize downtime? I'm worried about making a typo or something and then I have a half finished ACL with erroneous entries that I have to clean up.

So, editing a firewall ACL without downtime. Impossible?

Hey, sorry I missed your previous IMs. It depends on the version of code. I think line numbers were introduced in 6.3.

access-list foobar line X ...

Depending on load and ACL size there could be a brief impact to traffic. This is due to ACL compilation which is an option in 6.3 and default in 7+.


Mr. Fossey posted:

I am looking to overhaul our firewall/VPN situation (as in we don't have one other than a W2K3 box serving pptp connections). It is one main office going through a cisco 1720 with a dozen servers and 100 users. Also we have 6 remote offices that we would like to have site to site vpn access that have no more than 20 users. We will also need mobile VPN for ~25 users via radius or AD LDAP auth. I am leaning towards the ASA5510 w/ ASA5505s at the remote site.

I have no ASA experience, but I'm not terribly worried for myself; I am concerned that if I keeled over there is nobody else here who does networking. Is the GUI for the ASAs good enough that a general computer person could operate them, or would watchguard, checkpoint, sonicwall, etc. have a better solution?

The other thing I would like to do is put in vlans due to the CFD cluster we are going to be building shortly. While having a semi-decent gui takes precedence it would be nice.

ASDM is pretty good. The biggest deal with any of this stuff is doing a little reading. For basic administration ASDM is pretty idiot proof. Do yourself a favor and pretend watchguard doesn't exist. I'd say do the same with sonicwall. Checkpoint, meh. I don't like the policy structure. I like PIX and ASA, but I work with them every day so familiarity and all that. Disclaimer, I work for Cisco.

Is all of this traffic hub to spoke or do the spokes need to chat to one another? I'd think you'd want routers if it's the latter, that way you can use DMVPN. You'd probably want something larger than a 5510 for your hub but work with some presales people. I don't do a whole hell of a lot of design work.

Tremblay fucked around with this message at 05:54 on Aug 2, 2007

ate shit on live tv
Feb 15, 2004

by Azathoth

Girdle Wax posted:

Already have an open TAC case but in case anyone here's seen it before:

Turning up a new 7609 w/ RSP720s. We can get both RSPs up in SSO mode, but as soon as we turn on dcef-only fabric switching mode, the redundant RSP is no longer able to boot, it gets all the way up into the RP code, then abruptly drops to ROMMON and we get the following message on the active sup:
code:
*Aug  2 02:05:19.115: %PFREDUN-SP-6-ACTIVE: Standby processor removed or reloaded, changing to Simplex mode
*Aug  2 02:05:19.115: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (Module reset)

Do a show mod, and make sure that the RSP with the lowest firmware revision is the active one. If they are both the same firmware and otherwise identical, then it sounds like you discovered a bug. :)

Also what code are you using? SRA, SRB, SRB1 or SRB2 (not sure if SRB2 is deployed yet).

e: If you want, I can try to reproduce the error in the Lab tomorrow, since we aren't really doing anything anyway; besides that, I'd like to know if this is a common problem so that I can save the day whenever we have a Demo that runs into a similar problem.

ate shit on live tv fucked around with this message at 05:54 on Aug 2, 2007

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

Do a show mod, and make sure that the RSP with the lowest firmware revision is the active one. If they are both the same firmware and otherwise identical, then it sounds like you discovered a bug. :)

Also what code are you using? SRA, SRB, SRB1 or SRB2 (not sure if SRB2 is deployed yet).

e: If you want, I can try to reproduce the error in the Lab tomorrow, since we aren't really doing anything anyway; besides that, I'd like to know if this is a common problem so that I can save the day whenever we have a Demo that runs into a similar problem.

It's SRB1, and yeah, there's a known bug (CSCsj12034), which is fixed in 12.2(33.1.1)SRB, but we're stuck waiting for SRB2 unless TAC can/will provide the rebuild. Both RSPs have the same Hw/Fw/Sw versions (both purchased brand new at the same time).

Sneaksie
Feb 13, 2003
I'm wondering if anyone here has had a similar problem, or can offer some advice as to the solution.

I am installing a bunch of 3845 routers with NM-4T cards in; recently I have had a set of cards fail on me. The error I get is

code:
Aug  2 07:31:11: %OIR-3-SEATED: Insert/removal failed for slot 2, check card seating
We have tried reseating the card, but the error persists; if the card is moved to a new slot, the only change is that the error shows the new slot number.

At the moment we are replacing the cards as they fail but we are worried that 3 out of 6 cards have failed in the last 3 months.

TheCaptain
Dec 5, 2005

It's time to get a little Captain in you!

Tremblay posted:

Hey, sorry I missed your previous IMs. It depends on the version of code. I think line numbers were introduced in 6.3.

access-list foobar line X ...

Depending on load and ACL size there could be a brief impact to traffic. This is due to ACL compilation which is an option in 6.3 and default in 7+.


Thanks for the response. This version hasn't introduced access-list line numbers yet and PDM isn't installed. I ended up just asking permission to have a brief lapse in connectivity and applied the new rules successfully without too much noise.
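The `line` keyword Tremblay refers to, shown as an added example rather than anything posted in this thread. It assumes PIX 6.3 or later; the ACL name (outside_in), the interface name and the addresses (documentation ranges) are made up for the illustration.

```cisco
! Assumed existing inbound ACL on the outside interface (PIX 6.3+ syntax).
access-list outside_in permit tcp any host 192.0.2.10 eq 80
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! Insert a new rule as line 3, i.e. ahead of the final deny, without
! clearing and re-entering the whole ACL. Existing entries shift down.
access-list outside_in line 3 permit tcp host 198.51.100.5 host 192.0.2.10 eq 22
!
! Confirm the ordering (and hit counts) before trusting it.
show access-list outside_in
!
! Remove an entry by restating it in full; the remaining lines renumber.
no access-list outside_in permit tcp host 198.51.100.5 host 192.0.2.10 eq 22
```

Without the `line` keyword, a new entry lands at the end of the ACL, after the explicit deny, which is why pre-6.3 PIX code left TheCaptain no choice but to re-apply the list and take the outage. The brief traffic impact Tremblay mentions applies when the ACL is compiled (Turbo ACL), so an insert on a large list is still something to schedule, not something to do blind at peak.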

CrazyLittle
Sep 11, 2001

Clapping Larry

Sneaksie posted:

At the moment we are replacing the cards as they fail but we are worried that 3 out of 6 cards have failed in the last 3 months.

Are they honest-to-god real Cisco cards? We've had 3 out of a 4-card purchase of WIC-T1-V2's fail, and that's pretty much because they're all cheap Chinese counterfeit WICs.

conntrack
Aug 8, 2003

by angerbeet

CrazyLittle posted:

Are they honest-to-god real Cisco cards? We've had 3 out of a 4-card purchase of WIC-T1-V2's fail, and that's pretty much because they're all cheap Chinese counterfeit WICs.

Is there a market for those serial cards? We have like 50 of them in the poo poo heap at work.

jwh
Jun 12, 2002

CrazyLittle posted:

Are they honest-to-god real Cisco cards? We've had 3 out of a 4-card purchase of WIC-T1-V2's fail, and that's pretty much because they're all cheap Chinese counterfeit WICs.

Are they WIC-1T's, or WIC-1DSU-T1?

Apparently there are a lot of counterfeit WIC-1DSU-T1's around, especially the V1's with the four big Taiwanese capacitors.

CrazyLittle
Sep 11, 2001

Clapping Larry

conntrack posted:

Is there a market for those serial cards? We have like 50 of them in the poo poo heap at work.

Yes, because the new 28xx- and 18xx-series routers only accept V2 WICs.

jwh posted:

Are they WIC-1T's, or WIC-1DSU-T1?

Apparently there are a lot of counterfeit WIC-1DSU-T1's around, especially the V1's with the four big Taiwanese capacitors.

WIC-1DSU-T1-V2

And when you purchase them on eBay for ~$100, you can guarantee they're going to be counterfeit. poo poo, if it was just a cap problem I'd break out my soldering iron any day, but I don't think that's what's going on here.

Sneaksie
Feb 13, 2003

CrazyLittle posted:

Are they honest-to-god real Cisco cards? We've had 3 out of a 4-card purchase of WIC-T1-V2's fail, and that's pretty much because they're all cheap Chinese counterfeit WICs.

Definitely Cisco cards, bought from Cisco direct (or at least that's what my buyer tells me).

I received one of the faulty cards back yesterday and the build quality is really low: dry solder, missing solder, chips not straight, gouges in the board. I have also checked the ones in stock and it looks like it may be a dodgy batch.
We are raising a TAC case at the moment.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

conntrack posted:

Is there a market for those serial cards? We have like 50 of them in the poo poo heap at work.

There's a market for them. I work for a CLEC and we still use them, since many of our customer-facing links are Frame Relay T1s. If you're looking to move those and they're V2 T1 WICs, I can get you our inventory guy's number. For the right price I bet he'll take the whole lot.

CrazyLittle
Sep 11, 2001

Clapping Larry

Sneaksie posted:

Definitely Cisco cards, bought from Cisco direct (or at least that's what my buyer tells me).

I received one of the faulty cards back yesterday and the build quality is really low: dry solder, missing solder, chips not straight, gouges in the board.

Post a picture of the faulty card. Among other things, if there's no hologram sticker, it's counterfeit.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
A furniture chain in my area is going out of business so I stopped over there with my wife to see what kind of discounts they had going on. On a table with misc. junk they had a Cisco PIX 501 and a Cisco 2600 series router with a 56K WIC in it. Neither had a price tag on them so I offered $20 for the PIX - and they took it!! Once they took the $20 for the PIX I figured I'd offer $10 for the 2600 - apparently my ultra low ball got the guy nervous and he said, "Oh, well - that's not supposed to be out on the table our IT guy was looking into that one so I can't sell it."

I guess that's what I get for being too greedy. ;) That PIX for $20 is the steal of the week for me though.
