Problems after upgrade from 6.3(4) to 7.0(1)

minoc
Level 1

Hello all:

After performing an upgrade from 6.3(4) to 7.0(1) version the following problems arose:

1. Inside hosts could not connect to the Internet.

2. Outside hosts could not access published web servers with static statements.

I performed the following test:

1. From my laptop (inside) telnet to an outside router. Used the capture test1 interface inside command to troubleshoot this.

2. Packets were captured from my laptop on the inside interface going to the router.

3. Changed capture command to outside interface.

4. Looking at the capture buffer, I saw packets with source address of my laptop private address going to the router.

5. Double checked the NAT and static statements (my laptop has a static entry). Both commands were correct as per the prior version configuration.

6. Checked with show xlate command to see if there was an entry for my laptop. Did not see one.

7. Configured the Pix to accept icmp on the outside interface and pinged from outside router to pix outside interface. No reply was seen.

8. Used debug icmp trace on the pix and tried again. The ping request was hitting the outside interface but there were no reply packets from the pix to the router.

9. Double checked cable and interface connection on the pix. Everything was correct.

10. Tried changing speed and duplex settings between the Pix and the switch and went through the same process, but the results were the same. No connections from inside hosts to the Internet.

I reverted to the older version and all worked as before.

Has anyone experienced this same situation?

Regards,

Carlos Roque

Office Of Management and Budget

tjgli
Level 1

Hello Carlos

I have also upgraded lately to V7.

2 major problems I had:

1. Programming access-lists is totally different from conduit/permit. If an interface has an access-list configured, any traffic is denied until it is explicitly authorized.

2. When switching between my 2 PIXes, one with v4.4 and the other with V7, I realised that I had to switch off any other nearby routers: if I don't do that for my Internet router (an 800 SDSL model), the Internet would not work anymore.

Must be that the routers made an ARP table with the MAC addresses from the other PIX and won't recognize the replacement?

Hope I helped...

Here are my problems when upgrading to 7.0.1-2 on a PIX515E-Restricted.

1) The PIX515E was connected on the outside to a 2950, and both devices were forced into full-duplex, but I logged CRC errors on the packets on the switch; those went away when I moved both the switch and the pix to auto/auto (solved).

2) I've got an old object-group from my 6.3.4 config that doesn't show in ASDM, and I haven't succeeded yet in erasing it (to be solved).

Thanks,

I'll do that to see if that fixes the problem.

I had a bad experience with the PDM before; that's why I do not use it anymore. I was really going crazy: whatever I configured with the CLI and changed on the PDM, configuration items were not in sync.

Regards,

Carlos Roque

Thanks,

Correct, the new version should use access-lists instead of conduits. I am upgrading from version 6.3.4, which has access-lists in the configuration. These commands are converted without problems.

The ARP situation is normal since you are using different boxes, the router needs the new MAC address mapping for the Pix.

When I check the new running configuration for version 7.0, everything seems ok but the VPN part. For some reason the isakmp peer key command is not transferred correctly. I know how to deal with this.

The main problem I am having after the upgrade is that NATTING is not working, including static translation. The outside interface does not see the external router, nor can the external router ping the firewall. I'll have to double check the duplex/speed auto settings between the switch and the firewall.

I did that and both were full-duplex, but to make sure, I will put both in AUTO instead of hardcoding that.

Carlos Roque