tunnels, poor configurations, and upgrades

lcaruso
Level 6

Hi,

Has anyone had an experience such as this: both ends of an IPsec tunnel were on 7.2 code, one end only was upgraded to 8.2, and after the upgrade, when the tunnel is re-established, it brings the upgraded ASA down so it cannot be reached over the network?

That happened to me last night and I'm still searching for the reason why. We had to back it out. Opened a TAC case but they said they could not help unless we had the upgraded ASA live for them with a show tech. It will be a while before we try again.

These ASAs I'm currently assigned are poorly configured in my estimation and have unnecessary processes such as SNMP and OSPF configured. I was not allowed to change the configurations--just do the upgrade. My guess is that the poor configuration, and possibly the mismatched code at the other end of the tunnel, being a major revision behind, might also have contributed.

So I'm wondering what others might have experienced with upgrades on ASAs with tunnels and poor configurations. I'm fishing here with little else to go on currently, so I'd appreciate hearing any of your comments.

btw, I was told on these forums last night that this upgrade had to proceed from 7.2 to 8.2 with an interim upgrade to 8.0. I was also told the 5505 needed 512MB to run 8.2.

This is what TAC told me today, so according to TAC, apparently I did nothing wrong in going directly from 7.2 to 8.2, and on an ASA with only 256MB of memory:

Thank you for contacting Cisco Technical Assistance Center. My name is Luis and I will be the engineer handling your service request.

After reading the problem description included on the ticket, I understand that you want to upgrade from 7.2 to 8.2.

This is what Cisco recommends:

Upgrading Between Major Releases

To ensure that your configuration updates correctly, you must upgrade to each major release in turn. Therefore, to upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1, then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1 was only available on the ASA 5580).

You can find this on the release notes of 8.2(X)

Here you have the release notes:

http://tools.cisco.com/squish/58AB6

The ASA 5505 will support version 8.2 with 256 MB of RAM.

2 Replies

mirober2
Cisco Employee

Hello,

When you say that the tunnel was re-established and it brought the upgraded ASA down so it could not be reached over the network, what do you mean exactly? Did the ASA crash and reload? Did traffic still pass but you lost management (i.e. SSH/ASDM/Telnet) access? How did you restore access before you downgraded?

Also, which version of 8.2 did you upgrade to?

-Mike

Hi Mike,

We tried upgrading to 8.2(4).

All the work was done remotely, but I had a resource onsite who was able to console into the ASA after it was no longer reachable over the network.

There was no crash file, so technically it wasn't a crash. Before the crash and after the backout I could both SSH and ASDM to the ASA.

We were not able to restore network access, but I had made a backup copy of the startup config and saved it to flash before doing anything, so I walked my onsite resource through the commands to copy that saved startup from flash into the startup config and reload.

Since I didn't have direct access to the ASA in its degraded state, I cannot say exactly what its condition was. But I do know it came up and stayed up for about 12 minutes which is the same amount of time it takes all the servers on the two ends of this tunnel to re-establish all of their communications. That alone has me wondering just how mucked up everything associated with these sites seems to be.

I know that's how long it takes to re-establish because after we backed out and reloaded, it took that long before my onsite resource, who is the IT resource for the company, could see all the services he normally sees available.

He kept telling me right after the reload that the tunnel was not up, but I could see it was up with the MM_ACTIVE status. I kept asking him what was not working as I could see all the interfaces up and I could see traffic hitting the Internet. Eventually I figured out he was getting his DNS resolution from a server at the other end of the tunnel.

I should have mentioned these are refurbished ASAs if that makes any difference.

I was told not to clean up the configs before the upgrade. Afterwards I noticed he had SNMP running, which other experienced techs have said sometimes creates issues.

I'm still fishing...

Thanks.
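The pre-upgrade backup, the state you would want captured for TAC, and the rollback described in the posts above, written out as an ASA CLI session. This is an added example, not commands from the thread or from Cisco; the backup filename `pre-upgrade.cfg` is an assumption and the old image name is a placeholder.

```text
! --- Before the upgrade: record state and keep a rollback copy in flash ---
asa# show version | include Hardware|RAM|Software
!   confirms the platform and installed memory (TAC's answer: 256 MB is enough for 8.2 on a 5505)
asa# show running-config boot
!   note which image the box boots today; restoring this config brings that line back
asa# copy running-config flash:/pre-upgrade.cfg
!   assumed filename; this is the copy restored from if the new image misbehaves
asa# show crypto isakmp sa
!   record peer and state (MM_ACTIVE) so the post-upgrade view can be compared
asa# show running-config snmp-server
asa# show running-config router
!   lists the SNMP and OSPF processes the post calls unnecessary; hand these to TAC with the show tech

! --- After the upgrade, if the box drops off the network: work from the console ---
asa# show crashinfo
!   "no crashinfo" means it did not crash, so look at the tunnel and routing instead
asa# show crypto isakmp sa
asa# show interface ip brief
asa# show tech-support
!   capture this while the upgraded image is still running; TAC asked for it live

! --- Rollback: put the saved 7.2 config back and reload into the old image ---
asa# copy flash:/pre-upgrade.cfg startup-config
asa# show startup-config | include boot system
!   if the saved config does not carry a boot line, point it at the previous image
asa(config)# boot system flash:/<previous-7.2-image>.bin
asa# reload
```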
