02-17-2016 12:33 AM - edited 03-12-2019 12:19 AM
Hello,
due to CVE-2016-1287 we are forced to update our 5550's from 9.1.1 to 9.1.7.
The 5550's are running in active-standby-failover.
Fortunately we have a pair of them for test-purposes.
Steps I took:
1. Copied image 9.1.2 to both nodes
2. Set boot image to 9.1.2 in config on both nodes
3. Removed boot image 9.1.1 from config on both nodes
4. Reloaded standby unit
5. Forced standby unit to become the active one
Until this point everything worked fine, no interruption in the communication via the ASAs detected, also all VPN clients stayed connected.
Now I reloaded the newly standby unit. As the unit came up it became the active one, directly after syncing the config. The formerly active unit reloaded again, for me at a point where not all connection entries or VPN sessions were synced. This caused a loss of all connections and VPN sessions.
At this time my first thought was "ok, maybe the one unit was marked as failed too often", so I reset the failover and started the same procedure with image 9.1.7.
During the upgrade the same was happening again: after reloading the second unit the context was switched again, causing again the loss of all connections and VPN sessions.
Has anyone run into similar problems during an upgrade, or can anyone give me some hints where to look in detail to solve this, before we take this into production!?
Also checked the bugs, but can't really find one describing the problem.
Regards Uwe
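A pre-check for the reload steps, added here as an example and not taken from Uwe's post or from Cisco: it parses a `show failover` transcript (the samples below are constructed, not output from the poster's 5550s) and only reports "safe" when this unit is Active and the peer is Standby Ready, the condition step 4 silently relies on before the second reload.

```python
import re

# Constructed "show failover" excerpts (not output from the poster's units);
# the field layout follows the ASA CLI, the values are made up.
FAILOVER_READY = """\
Failover On
Failover unit Primary
This host: Primary - Active
        Active time: 3600 (sec)
        slot 0: ASA5550 hw/sw rev (2.0/9.1(2)) status (Up Sys)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
        slot 0: ASA5550 hw/sw rev (2.0/9.1(1)) status (Up Sys)
"""

FAILOVER_PEER_DOWN = """\
Failover On
Failover unit Primary
This host: Primary - Active
        Active time: 3600 (sec)
        slot 0: ASA5550 hw/sw rev (2.0/9.1(2)) status (Up Sys)
Other host: Secondary - Failed
        Active time: 0 (sec)
        slot 0: ASA5550 hw/sw rev (2.0/9.1(2)) status (Unknown)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+(\w+)\s+-\s+(.+?)\s*$", re.M)
VER_RE = re.compile(r"hw/sw rev \([^/]+/(.+?)\) status")


def parse_failover(text):
    """Return failover flag, (unit, state) for both hosts and the software
    versions seen, in order of appearance (this host first)."""
    hosts = {m.group(1).lower(): (m.group(2), m.group(3))
             for m in HOST_RE.finditer(text)}
    return {
        "on": "Failover On" in text.splitlines(),
        "this": hosts.get("this"),
        "other": hosts.get("other"),
        "versions": VER_RE.findall(text),
    }


def peer_reload_is_safe(text):
    """Gate for the 'reload the other unit' step: proceed only when failover
    is on, this unit is Active and the peer is healthy in Standby Ready."""
    st = parse_failover(text)
    if not st["on"]:
        return False, "failover is off"
    if st["this"] is None or st["this"][1] != "Active":
        return False, "this unit is not Active: %r" % (st["this"],)
    if st["other"] is None or st["other"][1] != "Standby Ready":
        return False, "peer is not Standby Ready: %r" % (st["other"],)
    return True, "versions seen: " + ", ".join(st["versions"])
```

A version mismatch between the two slot lines is expected mid-upgrade, so it is only reported, not treated as a blocker.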
02-17-2016 01:24 AM
Hi Uwe,
Are you seeing any crash? You can run "show crashinfo". There is an issue with the 9.1.7 version where the device crashes. You can try to upgrade the device to 9.1.6.11, where the IKE vulnerability is resolved, and you should not face this issue.
https://tools.cisco.com/bugsearch/bug/CSCuy27428/?reffering_site=dumpcr
If you refer to the Cisco security advisory now, you can see that 9.1.6.11 has been released.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
02-17-2016 01:44 AM
Hello,
no, it seems that the unit has not crashed, "show crashinfo" is empty.
The problem is not only related to 9.1.7, it happened on our side also during the upgrade from 9.1.1 to 9.1.2, so it seems that the problem is another one!?
Regards Uwe
02-17-2016 06:51 AM
Update: Just reproduced the procedure with a laptop connected to the console port.
After reloading the second unit from standby mode it wasn't detecting the other unit as its active mate!
Then the normal behaviour began: the just reloaded unit was syncing its config to the other unit (which was in fact the active one) and afterwards forced it to become standby. Result again: all connections and VPN sessions lost!
Is there a way to debug this behaviour immediately after boot?! To find the root cause why the unit is not detecting the other active unit?!
Regards Uwe