While trying to update an iLO on a blade server yesterday (from 2.07 to 2.33), I uploaded the file and it got to 99%, then after a while it recycled and repeated the process all over again, and kept going.
Solution
Well I was on a 2016 Server using IE 11, and the iLO2 is VERY OLD, so I’m guessing it’s a browser problem. I reconnected to the iLO using Firefox, and it worked perfectly. (Note: If using a Blade Center – connect to that using Firefox, then open the iLO page from there, you may need to restart the browser before it ‘autofills’ in the username and password for you.)
I needed to reboot one of my ESX hosts yesterday, so I jumped on the DRAC and got this?
An internet search turned up, “The best way to fix this is, firmware update the iDRAC”, which I did. But sadly it didn’t fix the problem.
Solution
In IE11 they have done a good job of hiding compatibility settings > Options > Compatibility View Settings > Type in the IP/URL > Add > Close > Wait a few seconds.
And we are good to go!
For the first time in ages I’ve been doing a VMware upgrade this week. A client had an MSA P2000 G3 and two G8 DL380 servers running vSphere 5.5. I put in a new 6.5 VCSA and built some new G9 DL380 servers. I noticed that the SAN was presenting five storage LUNs, but the new ESX 6.5 servers could only see three of them.
Strangely when I selected the SAS storage controllers they could see all 5 storage LUNs, but the datastores refused to appear.
Solution
I checked that the SAN was not masking the LUNs (it wasn’t, the default was read/write for everything). I connected to the console and proved the storage could be seen.
[box]
[root@ESX1:~] esxcli storage core path list
------output removed for the sake of brevity------
sas.50014380388d8480-sas.d0b8d32406430000-naa.600c0ff00014dfce99cd2d5401000000
UID: sas.50014380388d8480-sas.d0b8d32406430000-naa.600c0ff00014dfce99cd2d5401000000
Runtime Name: vmhba3:C1:T1:L4
Device: naa.600c0ff00014dfce99cd2d5401000000
Device Display Name: HP Serial Attached SCSI Disk (naa.600c0ff00014dfce99cd2d5401000000)
Adapter: vmhba3
Channel: 1
Target: 1
LUN: 4 <-- First missing LUN
Plugin: NMP
State: active
Transport: sas
Adapter Identifier: sas.50014380388d8480
Target Identifier: sas.d0b8d32406430000
Adapter Transport Details: 50014380388d8480
Target Transport Details: d0b8d32406430000
Maximum IO Size: 4194304
sas.50014380388d8480-sas.d0b8d32406430000-naa.600c0ff00014ddb44c57ac5401000000
UID: sas.50014380388d8480-sas.d0b8d32406430000-naa.600c0ff00014ddb44c57ac5401000000
Runtime Name: vmhba3:C1:T1:L5
Device: naa.600c0ff00014ddb44c57ac5401000000
Device Display Name: HP Serial Attached SCSI Disk (naa.600c0ff00014ddb44c57ac5401000000)
Adapter: vmhba3
Channel: 1
Target: 1
LUN: 5 <--Second Missing LUN
Plugin: NMP
State: active
Transport: sas
Adapter Identifier: sas.50014380388d8480
Target Identifier: sas.d0b8d32406430000
Adapter Transport Details: 50014380388d8480
Target Transport Details: d0b8d32406430000
Maximum IO Size: 4194304
------output removed for the sake of brevity------
[/box]
At this point I opened a support call with VMware and started doing other work while I waited for them to ring back. By the following morning I was still waiting, but I had found this article. I had built the new servers with HP Build versions of ESX, but perhaps I just needed to install the HP VAAI Plugin? I was fiddling with this when a nice chap called Supreet rang from VMware. I explained what I was trying to do, and got him WebEx’d on. (I try not to waste a ton of time saying I’ve done X, Y, and Z. People do that to me all the time, and it just slows the process down; if anything I’d done was correct, it would have been fixed already!)
He confirmed the hosts were definitely seeing the storage;
Note: The bottom two are the missing ones. Using that information he had a look in the logs.
[box]
[root@ESX1:/var/log] grep -i "542eb3f8-da4ea518-553e-ac162d6f719c" vmkernel.log | less
[root@ESX1:/var/log] grep -i "54ad3e22-b39316bd-3e65-ac162d6f719c" vmkernel.log | less
[/box]
That showed up the following;
[box]
2017-03-20T16:23:16.754Z cpu15:68106)WARNING: HBX: 2354: Failed to initialize VMFS distributed locking on volume 542eb3f8-da4ea518-553e-ac162d6f719c: Not supported
2017-03-20T16:23:16.754Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 1 uuid 542eb3f8-da4ea518-553e-ac162d6f719c FD 0 gen 0 :Not supported
2017-03-20T16:23:16.754Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 2 uuid 542eb3f8-da4ea518-553e-ac162d6f719c FD 4 gen 1 :Not supported
2017-03-20T16:23:16.896Z cpu15:68106)WARNING: HBX: 2354: Failed to initialize VMFS distributed locking on volume 542eb3f8-da4ea518-553e-ac162d6f719c: Not supported
2017-03-20T16:23:16.896Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 1 uuid 542eb3f8-da4ea518-553e-ac162d6f719c FD 0 gen 0 :Not supported
2017-03-20T16:23:16.896Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 2 uuid 542eb3f8-da4ea518-553e-ac162d6f719c FD 4 gen 1 :Not supported
2017-03-20T16:23:16.675Z cpu15:68106)WARNING: HBX: 2354: Failed to initialize VMFS distributed locking on volume 54ad3e22-b39316bd-3e65-ac162d6f719c: Not supported
2017-03-20T16:23:16.675Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 1 uuid 54ad3e22-b39316bd-3e65-ac162d6f719c FD 0 gen 0 :Not supported
2017-03-20T16:23:16.675Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 2 uuid 54ad3e22-b39316bd-3e65-ac162d6f719c FD 4 gen 1 :Not supported
2017-03-20T16:23:16.910Z cpu15:68106)WARNING: HBX: 2354: Failed to initialize VMFS distributed locking on volume 54ad3e22-b39316bd-3e65-ac162d6f719c: Not supported
2017-03-20T16:23:16.910Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 1 uuid 54ad3e22-b39316bd-3e65-ac162d6f719c FD 0 gen 0 :Not supported
2017-03-20T16:23:16.910Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 2 uuid 54ad3e22-b39316bd-3e65-ac162d6f719c FD 4 gen 1 :Not supported
[/box]
That pointed him towards the VAAI, (perhaps the stuff I’d been reading, had me on the right track?)
[box]
[root@ESX1:/var/log] esxcli storage core device vaai status get
naa.600c0ff00014ddb44c57ac5401000000
VAAI Plugin Name:
ATS Status: unsupported
Clone Status: unsupported
Zero Status: supported
Delete Status: unsupported
naa.600c0ff00014dfce99cd2d5401000000
VAAI Plugin Name:
ATS Status: unsupported
Clone Status: unsupported
Zero Status: supported
Delete Status: unsupported
------output removed for the sake of brevity------
[/box]
Note the difference, the following is on the older servers that were working fine;
At this point, I piped up about the VAAI stuff I’d been reading, and told them that I’d downloaded the VIB, and it was already on the offending server.
So they installed it and rebooted the server, (there were no running VMs on the new box).
I waited with bated breath, and it didn’t fix it 🙁 It was at this point that they gave me the bad news: HP P2000 G3 is not supported on ESX 6.5 (in fact it’s not supported on 6.0 either!)
Well I suppose that’s an answer, but not the one I wanted! I downgraded the hosts to 5.5U3a. Same problem! So I downgraded them to 5.0.0, then they wouldn’t boot (the error indicated unsupported hardware). So I set about upgrading them to 5.5U2 (to be on the safe side).
Also while this was going on, I updated the firmware on the SAN controllers;
Thankfully this time the servers booted up fine, and saw the storage and mounted all the datastores.
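The two checks from this troubleshooting session, the grep for locking failures in vmkernel.log and the VAAI status listing, combined in one small Python parser. This is an added example, not part of the original post or of VMware's tooling; the log lines and the two naa devices are copied from the output above, and the third device (ATS supported) is constructed for contrast.

```python
import re
from collections import Counter

# vmkernel.log warning emitted when a VMFS volume cannot set up its locking.
LOCK_FAIL = re.compile(
    r"^(?P<ts>\S+) cpu\d+:\d+\)WARNING: HBX: \d+: Failed to initialize VMFS "
    r"distributed locking on volume (?P<uuid>[0-9a-f-]+): (?P<reason>.+)$"
)
# Device identifiers as printed by esxcli (naa., eui., t10., mpx. prefixes).
DEVICE_ID = re.compile(r"^(naa|eui|t10|mpx)\.\S+$")


def lock_failures(log_lines):
    """Count 'Not supported' locking failures per VMFS volume UUID."""
    counts = Counter()
    for line in log_lines:
        m = LOCK_FAIL.match(line.strip())
        if m and m.group("reason").strip() == "Not supported":
            counts[m.group("uuid")] += 1
    return dict(counts)


def parse_vaai(text):
    """Parse `esxcli storage core device vaai status get` output.

    Returns {device_id: {"ATS Status": "...", ...}}. Separator lines such as
    '------output removed------' are ignored.
    """
    devices, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if DEVICE_ID.match(line):
            current = devices.setdefault(line, {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return devices


def ats_unsupported(devices):
    """Devices that report no ATS (hardware-assisted locking) support."""
    return sorted(d for d, a in devices.items() if a.get("ATS Status") == "unsupported")


# Log lines copied from the post (two volumes, one non-matching Vol3 line).
SAMPLE_LOG = """\
2017-03-20T16:23:16.754Z cpu15:68106)WARNING: HBX: 2354: Failed to initialize VMFS distributed locking on volume 542eb3f8-da4ea518-553e-ac162d6f719c: Not supported
2017-03-20T16:23:16.754Z cpu15:68106)Vol3: 3090: Failed to get object 28 type 1 uuid 542eb3f8-da4ea518-553e-ac162d6f719c FD 0 gen 0 :Not supported
2017-03-20T16:23:16.896Z cpu15:68106)WARNING: HBX: 2354: Failed to initialize VMFS distributed locking on volume 542eb3f8-da4ea518-553e-ac162d6f719c: Not supported
2017-03-20T16:23:16.675Z cpu15:68106)WARNING: HBX: 2354: Failed to initialize VMFS distributed locking on volume 54ad3e22-b39316bd-3e65-ac162d6f719c: Not supported
""".splitlines()

# First two devices are from the post; the last one is constructed.
SAMPLE_VAAI = """\
naa.600c0ff00014ddb44c57ac5401000000
   VAAI Plugin Name:
   ATS Status: unsupported
   Clone Status: unsupported
   Zero Status: supported
   Delete Status: unsupported
naa.600c0ff00014dfce99cd2d5401000000
   VAAI Plugin Name:
   ATS Status: unsupported
   Clone Status: unsupported
   Zero Status: supported
   Delete Status: unsupported
naa.0000000000000000000000000000c0de
   VAAI Plugin Name:
   ATS Status: supported
------output removed for the sake of brevity------
"""

if __name__ == "__main__":
    for uuid, count in lock_failures(SAMPLE_LOG).items():
        print(f"volume {uuid}: {count} locking failure(s)")
    for dev in ats_unsupported(parse_vaai(SAMPLE_VAAI)):
        print(f"device {dev}: ATS unsupported")
```

Mapping a volume UUID to its naa device needs the extent listing that is not reproduced in this post, so the script reports the two findings side by side rather than joining them.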
OK to be honest, before I went to work for my current employer I didn’t even know Symantec made hardware firewalls, and at the time of writing they no longer make “Low End” firewalls and corporate support for them has all but ended. With this in mind there are a load of them currently being replaced with newer firewalls, and they are either getting thrown in cupboards “In case of emergency”, ending up on eBay, or worst of all going in the skip.
So why would you want one then?
Because in true Petenetlive fashion you can pick them up for nothing, or for a few pounds on eBay, and they make an excellent firewall for your Home PC, Home network or Small business.
Fair enough but what’s the difference between the two?
Basically both firewalls can function as a hardware firewall and do site to site VPNs. The FW200, however, can have 2 WAN connections, and the 200R supports client to gateway VPN connections using the Symantec Client VPN software. Both appliances have a built in switch; on the FW100 it’s a four port and on the FW200 it’s an eight port.
FW100 (Top) and FW200 (Bottom)
To see what the Warning Lights and Symbols mean CLICK HERE
Right I’ve bought one now what the hell do I do with it?
That depends on what you want it for. There are a number of things a firewall can do: you can simply run through the basic setup and it will protect your PC/Network, or you might want to set up a permanent connection from home to your office (Site to Site VPN). Or you might want to access your PCs at home or in the office from anywhere in the world with an internet connection (Client to Gateway VPN – FW200R only). You may have a server at home or an Xbox and want to Port forward particular traffic to a particular PC/Server or games console.
You can do as much or as little as you like with it, I’ll outline the basic things you may want to do below.
If you have got an appliance off eBay or been given it by work, then chances are you won’t know its settings and the password to get in and manage it, so before you do anything you need to reset the appliance back to its factory settings. Read the ENTIRE procedure before you do anything!
3. Password is set to {Blank} – That’s NO Password.
4. Outside Interface(s) set to obtain their IP address dynamically.
5. Appliance turns on its internal DHCP server and leases addresses from its switch ports.
6. All traffic will be allowed out
7. No traffic will be allowed in (unless its a reply to traffic instigated inside).
On the back of the appliance you will see a row of “dip” switches, which you can turn on (down) and off (up). With the unit powered off, use a pen or paperclip and have a couple of practice flicks on switch 1.
Procedure
1. Power off the appliance
2. Drop dip switch 1 to ON.
3. Power on the appliance and watch the backup/active LED light come on.
4. As soon as the LED goes out flip dip switch 1 up (off), down (on), and up (off) again – note you only get 12 seconds!
5. If you have carried out the procedure correctly then the Error LED will come on and then alternate with the LAN/WAN Status LED.
6. The Appliance will reboot let it do so then remove the power, wait a few seconds, and power it up again.
Connect to the Firewall for Administration
Assuming you have just reset the firewall then its internal IP address will be 192.168.0.1, then simply connect your PC or Laptop to the firewall using a standard ethernet cable to any of the ports labelled LAN
Your PC should be set to get an IP address dynamically – Or Manually set an IP address in the 192.168.0.2 to 254 range. Then open a web browser and go to http://192.168.0.1
Standard front Page here on a FW100
And here on a FW200 (note the second WAN settings)
Note: You can manage these firewalls from outside, for example from work, BUT you need to enter the IP range that you will be administering from. To do this select the “Expert Level” section and enter the range (note if you only have 1 IP, add it in both the Start and End IP address sections). You then access the device from http://public_IP_address:8088
Remember this is a firewall, so always set a password for access: select the “Config Password” section, then type and re-type a password. Then press Save.
Now to access the firewall the username is admin and the password you set above.
Upgrade the Firmware
You might wonder why bother – well I’ve used these firewalls in anger on corporate networks, and I’ve seen strange problems with VPNs and other bugs that have been fixed by simply upgrading the firmware – remember these are old firewalls, so the last version of firmware released for them (called 18F) was released Nov 2005. The FW100 firmware is here vpn100_build18f and the FW200 firmware is here vpn200r_build18f. You will also need the nxtftpw.exe program, you can download that here nxtftpw.
To check your Firewall’s Firmware version connect to the firewall as above and select the Status section > Then the Device section. Here you will see the firmware revision. This one says V1 Rel 8D so it’s version 18D; we are going to upgrade it to 18F.
To Prepare the firewall for firmware updating, Power it off and drop dip switches 1 and 2 on the back. Then Power the firewall back on again.
On your PC launch nxtftpw.exe and enter the following information: under Server IP enter the IP address of the firewall, and in Local file navigate to the firmware file on your PC.
Warning: there are two versions of the firmware file, one looks like vpn100_18F_app.bin and the other looks like vpn100_18Fall.bin. Use app.bin; the all.bin will erase the configuration as well!
Click PUT.
It might take a while and say it’s retrying a few times, be patient, when it’s finished it will say SUCCESS at the bottom.
Wait a couple of minutes, when the lights on the appliance all return to normal shut it down. Lift all the dip switches again and power back up.
Log back into the firewall and Check the firmware revision on the Status Tab > Device Section to make sure the version is correct, it should say V1 Rel 8F.
Basic Setup
For a simple home user you will want to set an external IP with a default gateway, some DNS settings. Then set your internal IP.
Main Setup Tab
If your ISP supplies your IP address via DHCP you don’t need to do anything that’s the default – note if you have a router that needs PPPoE settings these can be set up on this tab as well. Click Save when finished
Static IP & DNS Tab
Or if you have a static IP address enter it here with the subnet mask and the default gateway supplied by your ISP. Also note you can statically assign DNS servers here too, then your internal clients can point directly to the Symantec Firewall for their DNS settings. Click Save when finished
LAN IP & DHCP
Set your inside interface here – Note you can also set the firewall up as a DHCP server for your network as well. Click Save when finished.
Port Forwarding
Not all port forwarding is used for servers and complicated communications; simply downloading torrent software or playing online games may require you to forward a port to one of your clients. For this example I’ll port forward TCP Port 3389 (that’s RDP for the non techs, so you can connect to your PC and server from outside – note doing this in the real world has security implications and is done at your own risk).
Custom Virtual Servers Tab
You need to give the protocol you are forwarding a name, like RDP, tick Enable, enter the IP address you want to forward it to, then enter the port number into ALL FOUR boxes. When done click “Add.”
This is what you want to be seeing 🙂
You will see the rule added at the bottom of the page – Note: As I said this is quite a security hole, so you can tick and untick Enable, then click Update to turn it on and off as required.
Site to Site VPN
A site to site VPN connects one network to another securely, across an insecure network (in almost every case the insecure network is the public internet). So you can connect two offices together, or connect your home PC(s) to the office network. You need a device at both ends that can terminate a VPN. At our end we have the Symantec; the other can be your corporate firewall or a VPN server.
To form a VPN you need both ends to agree a “Policy” as there are different methods of forming a VPN, the device at the other end must use the SAME settings as you do.
OK what do I need to know?
Encryption method: We will use 3DES
Hashing Method: We will use SHA1
Diffie Hellman Group: We will use Group 2
IP address of the other Firewall: We will use 123.123.123.123
Network address of the Other network (the far one you are connecting to): We will use 10.1.0.0
Subnet Mask of the Other network (the far one you are connecting to): We will use 255.255.0.0
A Pre shared Key: We will use qwertyuiop123
Note: This firewall uses a system called PFS. Tell the Firewall administrator at the other end of the tunnel to make sure that end has it enabled.
VPN Dynamic Key Tab
Give it a descriptive name > Tick Enable > PPPoE Session set to Session 1 > Select Main Mode > ESP3DESSHA1 > SA Lifetime to 475 > Data Volume Limit to 2100000 > PFS enable
Gateway Address set to the IP of the other firewall > ID Type to IP Address > Pre Shared Key to qwertyuiop123 > NETBIOS Broadcast to Disable > Global Tunnel to Disable > Remote subnet to the network at the other end of the tunnel > Remote Mask to the mask at the other end of the tunnel. > Click Add
Hopefully you will see this.
You will then see the tunnel appear at the bottom of the screen.
And the connection will change colour and say “Connected” when the tunnel comes up.
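Since both ends must be configured with the same policy, a pre-flight comparison of the two administrators' settings catches a mismatch before the tunnel refuses to come up. The Python below is an added example, not Symantec's or the original author's code; it uses the values from this walkthrough, while the home LAN of 192.168.0.0/255.255.255.0, the office end's settings and the `LEGACY` baseline are assumptions made for the illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Baseline chosen for this example (an assumption, not a vendor list):
# parameters generally treated as legacy today.
LEGACY = {
    "encryption": {"DES", "3DES"},
    "hashing": {"MD5", "SHA1"},
    "dh_group": {1, 2, 5},
}
# Settings both ends have to agree on.
NEGOTIATED = ("encryption", "hashing", "dh_group", "pfs", "mode", "sa_lifetime_min")


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    encryption: str
    hashing: str
    dh_group: int
    pfs: bool
    mode: str              # "main" or "aggressive"
    sa_lifetime_min: int
    local_net: str         # network behind this firewall
    remote_net: str        # "Remote subnet" / "Remote Mask" entered on this end
    psk: str


def _net(text):
    # Accepts "10.1.0.0/255.255.0.0"; raises ValueError if host bits are set.
    return ipaddress.ip_network(text, strict=True)


def mismatches(a, b):
    """Return the names of the settings that differ between the two ends."""
    diffs = [f for f in NEGOTIATED if getattr(a, f) != getattr(b, f)]
    # Each end's remote subnet must be the other end's local network.
    if _net(a.remote_net) != _net(b.local_net):
        diffs.append(f"{a.name}.remote_net")
    if _net(b.remote_net) != _net(a.local_net):
        diffs.append(f"{b.name}.remote_net")
    # Constant-time compare; the key itself never appears in the report.
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        diffs.append("psk")
    return diffs


def legacy_findings(end):
    """List the settings of one end that fall in the LEGACY baseline."""
    return [f"{field}={getattr(end, field)}"
            for field, bad in LEGACY.items() if getattr(end, field) in bad]


# Values from the walkthrough; the home LAN is assumed.
HOME = TunnelEnd("home", "3DES", "SHA1", 2, True, "main", 475,
                 "192.168.0.0/255.255.255.0", "10.1.0.0/255.255.0.0", "qwertyuiop123")
# Constructed far end: PFS was left disabled.
OFFICE = replace(HOME, name="office", pfs=False,
                 local_net="10.1.0.0/255.255.0.0",
                 remote_net="192.168.0.0/255.255.255.0")
# Constructed far end with a wrong remote subnet and a mistyped key as well.
OFFICE_TYPO = replace(OFFICE, remote_net="192.168.1.0/255.255.255.0",
                      psk="qwertyuiop124")

if __name__ == "__main__":
    print("mismatch:", mismatches(HOME, OFFICE))
    print("mismatch:", mismatches(HOME, OFFICE_TYPO))
    print("legacy:", legacy_findings(HOME))
```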
Client to Gateway VPN (200R Only)
In a client to gateway scenario, you install the client software on a laptop or remote PC, you then use that software to connect to your network behind the firewall. With this method you can securely connect many clients to one firewall.
OK What Do I need to Know?
A username: We will use Jane
A shared secret: We will use 1234567890qwertyuiop
VPN Dynamic Key Tab
This sets the levels and method of encryption used by your remote clients, Type the name clients into the name box > Enable > Session 1 > Aggressive mode > ESP3DESSHA1 > 475 Mins > 2100000 > PFS enable > Gateway Address to 0.0.0.0 > ID Type to Distinguished Name. Click Add
VPN Client Identity Tab
Enter the username > Tick Enable > Type in the shared secret > Tick Add > The user will be displayed at the bottom.
Obviously this procedure is carried out on the remote PC/Laptop
Once you have the software installed (Note you need to be a local system administrator to do this bit – or the software won’t let you in), fire up the software and give yourself a username and password (This can be anything – it’s just to log into the software NOT bring up the VPN). You will be asked to confirm the password.
This is the main screen, you can save many tunnels to many firewalls, but we are just dealing with one, click new.
On the gateway tab, in IP address enter the IP of the outside of the firewall > Make sure download VPN policy is NOT checked > enter your shared secret 1234567890qwertyuiop (as set up on the firewall) > Your client phase 1 ID is the name on the firewall – in the example above that’s “jane”
Click the Advanced Tab > Under Gateway Phase 1 ID re-enter the IP address of the outside of the firewall.
Click the Tunnels Tab > Click New.
Tunnel name HAS TO match the policy you created on the firewall (in our case “clients”). Then enter the network address and subnet mask of the network BEHIND the firewall you are connecting to. > OK > OK.
Back at the main screen click the Policies Tab > Set “Port Control Type” to “Wide Open”.
Click the Gateways Tab > Log Off > Close and restart the client software > Select the tunnel and click connect > In the progress log when you see a message stating “security gateway connected”.
You have a ZyXEL router (In my case a P-600R-D1) and you want to put a device behind it with a public IP.
Note: I’m assuming you have agreed with your ISP that you will receive a range of public IP addresses. With some ADSL packages the first IP in the range usually gets allocated to the router, confirm this with your ISP.
BT Business Broadband Note: If you are a BT Business customer, your setup will be slightly different, I’ll point that out as we go along.
Solution
1. Connect up to the router, and you should get an IP address from it, open your web browser and proceed to http://192.168.1.1 the default password is “1234”
2. You will be prompted to change the default password, do so, then select the option to go to ‘Advanced Setup’.
3. Expand Network > WAN > Enter the ADSL details provided by your ISP (i.e. ADSL username and ADSL password). If you are having a static IP on the outside of the router you can also set that here.
Note: If you have only been given TWO IP addresses you may need to set BOTH the WAN and LAN IP address to the SAME IP (and disable NAT).
BT Business Broadband Note: Even if you have been allocated a range of public IP addresses, you LEAVE the router’s outside IP address option set to ‘Obtain an IP address automatically’.
4. Disable NAT ONLY IF YOU ARE SETTING THE LAN AND WAN TO THE SAME IP: Select NAT > General > Un-tick “Active Network Address Translation (NAT)” > Apply.
4. Disable DHCP: Select LAN > DHCP Setup > Change DHCP to “None” > Apply.
5. Set the inside IP: Set this to the IP address allocated to your Router – (Note: this may be the SAME as the address allocated to the outside IP, don’t panic, it will not conflict (NAT is disabled)).
BT Business Broadband Note: This is typically the highest IP address in the range, BT have given you.
6. You can now connect your internal device/firewall (Note: You may need to reboot the device AND the router, as the MAC address may have changed if you have been testing from your laptop/PC). Or simply allocate another public IP address to the device, then make its default route (or default gateway) the IP address you set on the LAN port of the ZyXEL (in our example above 123.123.123.124).
Factory Reset ZyXEL Router
If things break and you want to reset the router,
1. Power off the router.
2. Depress the reset button on the rear of the router.
3. Power on the device until the ethernet light flashes amber.
4. Now DHCP will be turned on and the router will use 192.168.1.1 internally and the default password will be reset to 1234.
2. The more observant of you will have noticed that it has already shown you the OS version above, but in case there is any doubt.
[box] root@FW-02# show version
## Last changed: 2014-08-26 21:15:09 GMT version 12.1X44-D30.4;
[edit]
root@FW-02# exit[/box]
3. I’ve always got 3CDaemon on my laptop so I’ll copy the update file over via FTP to the /var/tmp folder. (Note: We’re not at CLI or configure mode!)
[box]root@FW-02% ftp 10.5.0.2
Connected to 10.5.0.2.
220 3Com 3CDaemon FTP Server Version 2.0
Name (10.5.0.2:root): PeteLong
331 User name ok, need password
Password:********
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /var/tmp
Local directory now /cf/var/tmp
ftp> bin
200 Type set to I.
ftp> get junos-srxsme-12.1X47-D10.4-domestic.tgz
local: junos-srxsme-12.1X47-D10.4-domestic.tgz remote: junos-srxsme-12.1X47-D10.
4-domestic.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 158 MB 00:00 ETA
226 Closing data connection; File transfer successful.
166060642 bytes
received in 64.50 seconds (2.46 MB/s)
ftp> bye
221 Service closing control connection
root@FW-02%[/box]
4. Now perform the upgrade.
[box] root@FW-02% cli
root@FW-02> request system software add no-copy /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz
NOTICE: Validating configuration against junos-srxsme-12.1X47-D10.4-domestic.tgz
.
NOTICE: Use the ‘no-validate’ option to skip this if desired.
Formatting alternate root (/dev/da0s2a)…
/dev/da0s2a: 627.4MB (1284940 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 156.86MB, 10039 blks, 20096 inodes.
super-block backups (for fsck -b #) at:
32, 321280, 642528, 963776
Extracting /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz …
Checking compatibility with configuration
Initializing…
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1X44-D30.4-domestic signed by PackageProduction_12_1_0
Using junos-12.1X47-D10.4-domestic from /altroot/cf/packages/install-tmp/junos-1
2.1X47-D10.4-domestic
Copying package …
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Usage: license-check -f “<features>” -m -p -q -M -u -U -V
Validation succeeded
Installing package ‘/altroot/cf/packages/install-tmp/junos-12.1X47-D10.4-domesti
c’ …
Verified junos-boot-srxsme-12.1X47-D10.4.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X47-D10.4-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X47-D10.4 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the ‘request system reboot’ command
WARNING: when software installation is complete
Saving state for rollback …
root@FW-02> [/box]
5. Then reboot the firewall.
[box]
root@FW-02> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 2749]
root@FW-02>
*** FINAL System shutdown message from root@FW-02 ***
System going down IMMEDIATELY
[/box]
6. Post reboot, check the version again.
[box]
login: root
Password: ********
--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC
[/box]
For such a ‘baby’ switch this has a LOT of features, I had to lock down the speed and duplex settings on one of the switch ports today. The main details you will be looking for are,
Default IP address = 192.168.2.10
Default Password = blank
Solution
1. Put yourself on the same network: Windows Key+R > ncpa.cpl {enter} > Right click your network connection > Properties > Internet Protocol Version 4 (TCP/IP) > Properties > Set your IP to 192.168.2.11 and set the subnet mask to 255.255.255.0 > OK > OK.
2. Open a web browser and navigate to http://192.168.2.10 and log in with a blank password.
3. To change the Switch’s IP: Setup Network
4. To change Speed/Duplex Settings: Switching > Port Configuration
5. To change the password: Maintenance > Password Manager.
Upgrading the operating system on the CSC module is pretty straight forward, as long as you have a valid support agreement for your hardware and a CCO account you can download the updates straight from Cisco (here).
Solution
WARNING: It’s rare that you can update straight to the latest version, by all means try, and the CSC module will simply error if it will not accept the version you are trying to update to.
WARNING 2: This may involve some downtime, especially if your CSC module is configured to fail-closed, you may wish to set it to fail-open during the upgrade to minimise disruption. Unless you have a dual failover firewall solution, in which case scroll down.
You can do this via command line if you wish, but it’s a lot simpler to do via the web console. You will need to download your updated software (with the .pkg extension NOT the .bin extension).
Once downloaded, log into the web portal of the CSC module https://{IP-Address}:8443 > Administration > Product Upgrade > Browse > Locate your update > Upload > Go and have a coffee, it will take a while.
Upgrading CSC Modules in a Failover Pair
If you have firewalls deployed in failover, then you will have two CSC modules to upgrade.
1. Just for ease I’m showing the command line and the web console view. Start by upgrading the CSC module in the Secondary Standby firewall, here I’m upgrading 6.3.1172.0 to 6.3.1172.4.
2. Now I take the same module to 6.6.1125.0.
3. Once I know the system has updated and is back online, I jump onto the Primary Active firewall and force a failover to the Secondary Standby firewall.
Check module status with;
[box]
show module 1 detail
[/box]
To force failover, on the Primary Active firewall;
[box]
configure terminal
no failover active
[/box]
4. Note: At this point the screen looks the same as above, but ‘physically’ the firewalls have swapped over, the Primary is now Standby and can be updated. Below I’m upgrading from 6.2.1599.0 to 6.2.1599.6.
5. Now we can see both modules are running the latest (at time of writing), product version.
6. Now to fail back simply issue the following command on the Secondary Active firewall;
[box]
configure terminal
no failover active
[/box]
7. You can also check the versions match with the following command;
[box]
show failover
[/box]