Re: [c-nsp] ASA5520 which image should I use?
Justin,

I definitely see your point but it might be hard to generalize that all CF chips fail at 10,000 writes. Unless you know that Cisco uses a specific type of flash and the MTBF of that chip is 10,000 writes. Some CF chips are rated much higher than that. Regardless it is good that Cisco has fixed the coredump feature in 8.2 code.

Nick

-----Original Message-----
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Friday, September 25, 2009 11:56 AM
To: Nicholas Maio
Cc: amsoa...@netcabo.pt; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 which image should I use?

nm...@guesswho.com wrote:
> Justin,
> I believe I saw your posts on the RANCID list and although the 8.2 coredump
> problem can be a pain you can modify your rancid script to ignore the
> coredump file when rancid does a show flash. I do this for dhcp snooping
> since the db is small enough that I can keep it in flash. (Yes I know about
> the warning that they give when you configure like this) Every time a lease
> expires or a new lease is distributed the file is updated which would make
> rancid grab the change.

Nick,

I could have modified a copy of the RANCID scripts to just use to work around the problem but that only addresses the RANCID problem. I kicked it around and ultimately decided to just slow down the rate that RANCID checked that device while I worked with Cisco on a solution. Modifying the RANCID scripts doesn't help address the bigger picture. The DE who programmed that feature to rewrite the file on disk with the exact same information each and every time the running-config was generated made a beginner programming mistake. CF has a lifecycle of approximately 10,000 writes. Running RANCID hourly (everybody picks their own times but we run hourly) results in CF module failure in about 14 months. It's hard to believe that something as simple as polling a router for some info can cause it to have a hardware failure but in this case that's how the cookie crumbles.

The fix on Cisco's end was very simple and they had the bug addressed and rolled into an interim release in about 3 weeks (far exceeding my expectations so kudos to Cisco on that). I will definitely keep in mind that possibly modifying the scripts if I ever have to write to flash regularly. Hopefully I can avoid it though.

Justin

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
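The two practical points in the exchange above, Nick's workaround of ignoring the device-rewritten file when a config-archival tool diffs the flash listing, and Justin's write-endurance arithmetic for a file rewritten on every poll, as a small Python sketch added here as an example. This is not RANCID's code and nothing from the thread; the `dir` listing, the file names (`coredumpinfo/coredump.cfg`, `dhcp-snooping.db`) and the volatile-file patterns are constructed assumptions for illustration.

```python
"""Added example: filter volatile files out of a flash listing before diffing,
and estimate flash wear-out when a poll rewrites the same file every run."""
import re

# Constructed sample in the style of an ASA `dir disk0:` listing. The file
# names are assumptions for illustration, not captured from a real device.
LISTING_BEFORE = """\
Directory of disk0:/

108  -rwx  14524416  09:12:00 Sep 25 2009  asa821-k8.bin
110  -rwx  4096      10:56:02 Sep 25 2009  coredumpinfo/coredump.cfg
111  -rwx  212       10:56:02 Sep 25 2009  dhcp-snooping.db
112  -rwx  1870      08:30:11 Sep 20 2009  backup.cfg

255426560 bytes total (233304064 bytes free)
"""

# The same listing one poll later: only the two device-rewritten files were
# touched, which is exactly the churn an archival diff should not flag.
LISTING_AFTER = LISTING_BEFORE.replace("10:56:02", "11:56:02")

# One file entry: index, permissions, size, timestamp, name.
ENTRY_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<perm>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4})\s+(?P<name>\S.*?)\s*$"
)

# Files the device rewrites on its own (coredump bookkeeping, DHCP snooping
# database). These patterns are assumptions; adjust them per platform.
VOLATILE_PATTERNS = (
    re.compile(r"coredump", re.I),
    re.compile(r"dhcp.*snoop.*\.db$", re.I),
)


def parse_listing(text):
    """Return (name, size, mtime) tuples for each file entry in a `dir` listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], int(m["size"]), m["mtime"]))
    return entries


def is_volatile(name, patterns=VOLATILE_PATTERNS):
    """True if the file name matches any known device-rewritten file."""
    return any(p.search(name) for p in patterns)


def stable_entries(text, patterns=VOLATILE_PATTERNS):
    """Entries worth diffing: everything except the device-rewritten files."""
    return [e for e in parse_listing(text) if not is_volatile(e[0], patterns)]


def listing_changed(before, after, patterns=VOLATILE_PATTERNS):
    """True if a non-volatile file was added, removed, resized or touched."""
    return stable_entries(before, patterns) != stable_entries(after, patterns)


def days_to_wearout(rated_cycles, polls_per_day, writes_per_poll=1):
    """Days until a flash block rated for `rated_cycles` program/erase cycles
    is exhausted when every poll rewrites the same file `writes_per_poll`
    times. Assumes no wear levelling (same physical block each time), i.e.
    the worst case; a higher-rated chip simply scales the result up."""
    return rated_cycles / (polls_per_day * writes_per_poll)


if __name__ == "__main__":
    print("changed (volatile files ignored):", listing_changed(LISTING_BEFORE, LISTING_AFTER))
    print("changed (raw listing):", listing_changed(LISTING_BEFORE, LISTING_AFTER, patterns=()))
    print("days to wear-out at hourly polling, 10,000 cycles:", round(days_to_wearout(10000, 24)))
```

The diff compares parsed entries rather than raw text, so a column-width change in the listing does not register as a change either. The wear-out estimate with Justin's figures (10,000 cycles, 24 polls a day) comes to about 417 days, which is the "about 14 months" he quotes; Nick's caveat that many CF chips are rated higher only moves the number up.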
Re: [c-nsp] ASA5520 which image should I use?
nm...@guesswho.com wrote:
> Justin,
> I believe I saw your posts on the RANCID list and although the 8.2 coredump
> problem can be a pain you can modify your rancid script to ignore the
> coredump file when rancid does a show flash. I do this for dhcp snooping
> since the db is small enough that I can keep it in flash. (Yes I know about
> the warning that they give when you configure like this) Every time a lease
> expires or a new lease is distributed the file is updated which would make
> rancid grab the change.

Nick,

I could have modified a copy of the RANCID scripts to just use to work around the problem but that only addresses the RANCID problem. I kicked it around and ultimately decided to just slow down the rate that RANCID checked that device while I worked with Cisco on a solution. Modifying the RANCID scripts doesn't help address the bigger picture. The DE who programmed that feature to rewrite the file on disk with the exact same information each and every time the running-config was generated made a beginner programming mistake. CF has a lifecycle of approximately 10,000 writes. Running RANCID hourly (everybody picks their own times but we run hourly) results in CF module failure in about 14 months. It's hard to believe that something as simple as polling a router for some info can cause it to have a hardware failure but in this case that's how the cookie crumbles.

The fix on Cisco's end was very simple and they had the bug addressed and rolled into an interim release in about 3 weeks (far exceeding my expectations so kudos to Cisco on that). I will definitely keep in mind that possibly modifying the scripts if I ever have to write to flash regularly. Hopefully I can avoid it though.

Justin
Re: [c-nsp] ASA5520 which image should I use?
I have been told that going forward TAC is the only way to get interim releases on 8.2 and newer code. This wouldn't be bad if they put out real releases more than once per year. Crazy that it seems to be SOP that Cisco, through making it difficult to get patches, encourages running code on a security device with known security flaws.

Tnx
Chris

On Fri, 2009-09-25 at 09:45 -0400, Ryan West wrote:
> Nick,
>
> I agree with you on the earlier 7.2(4) releases, in particular 7.2(4)18 was
> bombing on us in multiple locations with site to site tunnels. However, I
> think the same interim released bugs were in both trains. In terms of bug
> fixes and general release times, 8.0(4)32 and 7.2(4)33 were released two days
> apart and have held up to any of the recent PSIRT fixes. I won't run
> 8.0(4)16 anywhere, just as I won't run 7.2(4)18.
>
> I used the bugID Justin mentioned a while back to get 8.2.1(3) and it has
> proved to be stable for AnyConnect Essential customers. I'm not sure why
> Cisco isn't releasing anything in the way of interim updates, the last was
> the 18th of May, I would rather not contact TAC for anything outside of the
> main train.
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of nm...@guesswho.com
> Sent: Friday, September 25, 2009 9:30 AM
> To: amsoa...@netcabo.pt
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASA5520 which image should I use?
>
> Obviously everybody's experience has been different but I have been running
> very nicely on 8.0.x code. I am running on the latest interim code on both
> ASAs and PIXs due to a security flaw though. (knock on wood) It has been
> very stable. 7.2.4 code was very buggy for me. I was upgrading probably
> every other month due to bugs until we jumped to 8.x code a while ago.
>
> Justin,
> I believe I saw your posts on the RANCID list and although the 8.2 coredump
> problem can be a pain you can modify your rancid script to ignore the
> coredump file when rancid does a show flash. I do this for dhcp snooping
> since the db is small enough that I can keep it in flash. (Yes I know about
> the warning that they give when you configure like this) Every time a lease
> expires or a new lease is distributed the file is updated which would make
> rancid grab the change.
>
> Nick

--
Chris Griffin                         cgrif...@ufl.edu
Sr. Network Engineer - CCNP           Phone: (352) 273-1051
CNS - Network Services                Fax: (352) 392-9440
University of Florida/FLR             Gainesville, FL 32611
Re: [c-nsp] ASA5520 which image should I use?
Nick,

I agree with you on the earlier 7.2(4) releases, in particular 7.2(4)18 was bombing on us in multiple locations with site to site tunnels. However, I think the same interim released bugs were in both trains. In terms of bug fixes and general release times, 8.0(4)32 and 7.2(4)33 were released two days apart and have held up to any of the recent PSIRT fixes. I won't run 8.0(4)16 anywhere, just as I won't run 7.2(4)18.

I used the bugID Justin mentioned a while back to get 8.2.1(3) and it has proved to be stable for AnyConnect Essential customers. I'm not sure why Cisco isn't releasing anything in the way of interim updates, the last was the 18th of May, I would rather not contact TAC for anything outside of the main train.

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of nm...@guesswho.com
Sent: Friday, September 25, 2009 9:30 AM
To: amsoa...@netcabo.pt
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 which image should I use?

Obviously everybody's experience has been different but I have been running very nicely on 8.0.x code. I am running on the latest interim code on both ASAs and PIXs due to a security flaw though. (knock on wood) It has been very stable. 7.2.4 code was very buggy for me. I was upgrading probably every other month due to bugs until we jumped to 8.x code a while ago.

Justin,
I believe I saw your posts on the RANCID list and although the 8.2 coredump problem can be a pain you can modify your rancid script to ignore the coredump file when rancid does a show flash. I do this for dhcp snooping since the db is small enough that I can keep it in flash. (Yes I know about the warning that they give when you configure like this) Every time a lease expires or a new lease is distributed the file is updated which would make rancid grab the change.

Nick
Re: [c-nsp] ASA5520 which image should I use?
Obviously everybody's experience has been different but I have been running very nicely on 8.0.x code. I am running on the latest interim code on both ASAs and PIXs due to a security flaw though. (knock on wood) It has been very stable. 7.2.4 code was very buggy for me. I was upgrading probably every other month due to bugs until we jumped to 8.x code a while ago.

Justin,
I believe I saw your posts on the RANCID list and although the 8.2 coredump problem can be a pain you can modify your rancid script to ignore the coredump file when rancid does a show flash. I do this for dhcp snooping since the db is small enough that I can keep it in flash. (Yes I know about the warning that they give when you configure like this) Every time a lease expires or a new lease is distributed the file is updated which would make rancid grab the change.

Nick

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, September 25, 2009 9:09 AM
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 which image should I use?

Antonio Soares wrote:
> Stay away from 8.2. We are experiencing crashes since July (TAC case
> involved). Tomorrow we will install 8.2.1-10 to see if finally
> we get rid of this.

I've had good luck with 8.2.1-3 for our purposes. Any 8.2 prior to that has that nasty coredump feature that writes to flash every time you do a 'sh run' (RANCID users beware).

Justin
Re: [c-nsp] ASA5520 which image should I use?
Antonio Soares wrote:
> Stay away from 8.2. We are experiencing crashes since July (TAC case
> involved). Tomorrow we will install 8.2.1-10 to see if finally
> we get rid of this.

I've had good luck with 8.2.1-3 for our purposes. Any 8.2 prior to that has that nasty coredump feature that writes to flash every time you do a 'sh run' (RANCID users beware).

Justin
Re: [c-nsp] ASA5520 which image should I use?
IF you need features in the 8.x code: Use 8.04(32) in the interim releases, if you are authenticating against a windows domain there are some key fixes in there.

Love this tidbit of info in the 8.2.1 release notes:

"The caveats listed in Table 5 are recently-found caveats that were fixed in interim builds for previous versions; however, they are still open in Version 8.2 (they will be addressed in future releases)"

Guess a year is not long enough to release 8.05 or have all known previous bugs in 8.2.1.

-Jason

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Thursday, September 24, 2009 7:23 PM
To: 'Scott Granados'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 which image should I use?

Stay away from 8.2. We are experiencing crashes since July (TAC case involved). Tomorrow we will install 8.2.1-10 to see if finally we get rid of this.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Thursday, September 24, 2009 21:51
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA5520 which image should I use?

Hi, I'm running a pair of ASA5520 devices as VPN concentrators. Presently there is a software image installed that seems very old and was actually shipped with the devices before I arrived on the scene. I'm experiencing some issues with bringing up L2L tunnels and figured that a firmware update was in order. What version are folks using successfully? I was thinking of going with the 8X code but not sure which one to choose. The features I'm using are very basic and include simple client access and LAN to LAN access, I'm not using the anyconnect or web VPN features at this point. Which image do you think would fit the bill the best? Any pointers would be appreciated.

Thank you
Scott
Re: [c-nsp] ASA5520 which image should I use?
In?

----- Original Message -----
From: "Antonio Soares"
To: "'Scott Granados'" ;
Sent: Thursday, September 24, 2009 6:23 PM
Subject: Re: [c-nsp] ASA5520 which image should I use?

Stay away from 8.2. We are experiencing crashes since July (TAC case involved). Tomorrow we will install 8.2.1-10 to see if finally we get rid of this.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Thursday, September 24, 2009 21:51
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA5520 which image should I use?

Hi, I'm running a pair of ASA5520 devices as VPN concentrators. Presently there is a software image installed that seems very old and was actually shipped with the devices before I arrived on the scene. I'm experiencing some issues with bringing up L2L tunnels and figured that a firmware update was in order. What version are folks using successfully? I was thinking of going with the 8X code but not sure which one to choose. The features I'm using are very basic and include simple client access and LAN to LAN access, I'm not using the anyconnect or web VPN features at this point. Which image do you think would fit the bill the best? Any pointers would be appreciated.

Thank you
Scott
Re: [c-nsp] ASA5520 which image should I use?
It still works:

http://www.cisco.com/cgi-bin/tablebuild.pl/asa

Or when you are on the page with the "Download Now" button, click the "Previous ASA Releases" link.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Thursday, September 24, 2009 23:11
To: Scott Granados; Ryan West
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 which image should I use?

On Thu, 2009-09-24 at 16:59 -0400, Ryan West wrote:
> If you don't think you'll be using 8.x features anytime, I have a lot
> of luck with 7.2(4)33.

Agreed, 7.2(4) rebuilds have served us in a stable way for a long time.

> Avoid the middle interim releases as there are a couple of nasty
> ISAKMP bugs. Getting to those downloads can be a bit of a challenge
> now, but this link still works, just go to the Interim Releases.
>
> http://www.cisco.com/cgi-bin/tablebuild.pl/asa

As a side note: I can't seem to find the interim releases via the splendid new Download Area. Considering the number and importance of bug fixes in the interim releases it seems a little odd not to include them. The URL has that look you know, the look that means someone at Cisco's web team is bound to replace it with something flashy/java-y. :-)

--
Peter
Re: [c-nsp] ASA5520 which image should I use?
Hi, thanks for the pointers. I think I'm going to give 7.2.4-33 a shot and stay clear of the 8X.

Thank you
Scott

----- Original Message -----
From: "Antonio Soares"
To: "'Scott Granados'" ;
Sent: Thursday, September 24, 2009 4:23 PM
Subject: RE: [c-nsp] ASA5520 which image should I use?

Stay away from 8.2. We are experiencing crashes since July (TAC case involved). Tomorrow we will install 8.2.1-10 to see if finally we get rid of this.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Thursday, September 24, 2009 21:51
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA5520 which image should I use?

Hi, I'm running a pair of ASA5520 devices as VPN concentrators. Presently there is a software image installed that seems very old and was actually shipped with the devices before I arrived on the scene. I'm experiencing some issues with bringing up L2L tunnels and figured that a firmware update was in order. What version are folks using successfully? I was thinking of going with the 8X code but not sure which one to choose. The features I'm using are very basic and include simple client access and LAN to LAN access, I'm not using the anyconnect or web VPN features at this point. Which image do you think would fit the bill the best? Any pointers would be appreciated.

Thank you
Scott
Re: [c-nsp] ASA5520 which image should I use?
Stay away from 8.2. We are experiencing crashes since July (TAC case involved). Tomorrow we will install 8.2.1-10 to see if finally we get rid of this.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Thursday, September 24, 2009 21:51
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA5520 which image should I use?

Hi, I'm running a pair of ASA5520 devices as VPN concentrators. Presently there is a software image installed that seems very old and was actually shipped with the devices before I arrived on the scene. I'm experiencing some issues with bringing up L2L tunnels and figured that a firmware update was in order. What version are folks using successfully? I was thinking of going with the 8X code but not sure which one to choose. The features I'm using are very basic and include simple client access and LAN to LAN access, I'm not using the anyconnect or web VPN features at this point. Which image do you think would fit the bill the best? Any pointers would be appreciated.

Thank you
Scott
Re: [c-nsp] ASA5520 which image should I use?
On Thu, 2009-09-24 at 16:59 -0400, Ryan West wrote:
> If you don't think you'll be using 8.x features anytime, I have a lot
> of luck with 7.2(4)33.

Agreed, 7.2(4) rebuilds have served us in a stable way for a long time.

> Avoid the middle interim releases as there are a couple of nasty
> ISAKMP bugs. Getting to those downloads can be a bit of a challenge
> now, but this link still works, just go to the Interim Releases.
>
> http://www.cisco.com/cgi-bin/tablebuild.pl/asa

As a side note: I can't seem to find the interim releases via the splendid new Download Area. Considering the number and importance of bug fixes in the interim releases it seems a little odd not to include them. The URL has that look you know, the look that means someone at Cisco's web team is bound to replace it with something flashy/java-y. :-)

--
Peter
Re: [c-nsp] ASA5520 which image should I use?
Scott,

If you don't think you'll be using 8.x features anytime, I have a lot of luck with 7.2(4)33. Avoid the middle interim releases as there are a couple of nasty ISAKMP bugs. Getting to those downloads can be a bit of a challenge now, but this link still works, just go to the Interim Releases.

http://www.cisco.com/cgi-bin/tablebuild.pl/asa

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Thursday, September 24, 2009 4:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA5520 which image should I use?

Hi, I'm running a pair of ASA5520 devices as VPN concentrators. Presently there is a software image installed that seems very old and was actually shipped with the devices before I arrived on the scene. I'm experiencing some issues with bringing up L2L tunnels and figured that a firmware update was in order. What version are folks using successfully? I was thinking of going with the 8X code but not sure which one to choose. The features I'm using are very basic and include simple client access and LAN to LAN access, I'm not using the anyconnect or web VPN features at this point. Which image do you think would fit the bill the best? Any pointers would be appreciated.

Thank you
Scott