Word of warning regarding new firewalls

aclawson
Senior Member
Posts: 712
Joined: Fri Jan 19, 2007 6:28 pm
Location: Commerce Twp, MI

Postby aclawson » Sun Mar 11, 2012 10:04 am

Make absolutely positively sure that you have access to an internet-connected machine that has a serial port (or buy a serial/USB interface and carry it around with you) when upgrading the firewalls. On Wednesday last I attempted to activate the new box and received an error message regarding a problem with licensing. GSD had me do the usual hard reset, then attempted to reimage the device, as it had been shipped with the configuration dated from last spring. The scripting failed and the box was refusing to accept commands.

To fix it, I had to temporarily enable the AT&T Uverse wireless, move the firewall downstairs and connect it to one of the admin desktops, establish a TeamViewer connection and allow GSD to reimage the device with PuTTY. Then I had to move the firewall back into the attic, reconfigure the 2Wire box to kill the wireless and start the activation process again from scratch.

I asked why the firewalls are being shipped with serial console cables when essentially zero laptops in the wild these days have them and was told that they never asked Cisco to start sending USB console cables with the boxes and it didn't appear that anybody had the problem on their radar.

With the new requirement (de facto policy, I am told) prohibiting the firewalls from being located in the clerks' offices, the past use of the serial ports on the admin machines is much more difficult. (Do the new machines come with serial ports?) Troubleshooting is more likely to be done in a closet somewhere, on a laptop, and since laptops no longer have serial ports this is going to happen more and more frequently.

john84601
New Member
Posts: 44
Joined: Sun Mar 11, 2012 1:24 pm

Postby john84601 » Sun Mar 11, 2012 6:12 pm

As noted... this is a problem brought on by Cisco (really, they all make them that way) and not the Church.

Nonetheless... it's good advice to have some sort of 'USB <--> Serial (RS-232)' adapter when working with enterprise-class gear (albeit low-end enterprise gear).

Most network engineers have a couple of these floating around their laptop bags. I use what Dell calls a "Legacy Port Extender", which snaps on the bottom of the laptop where the docking connector is. It works really well. But anymore... only the "business" grade laptops even have a dock connector :-(

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Sun Mar 11, 2012 7:48 pm

john84601 wrote: As noted... this is a problem brought on by Cisco (really, they all make them that way) and not the Church.

The report aclawson makes is recent. This is not necessarily brought on by Cisco as you describe. In the past the 881Ws shipped to units have been adequately configured for deployment by the Church. Why would the problem be brought on by Cisco if past units were properly configured for deployment?
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

aebrown
Community Administrator
Posts: 14691
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Mon Mar 12, 2012 4:57 am

jdlessley wrote: The report aclawson makes is recent. This is not necessarily brought on by Cisco as you describe. In the past the 881Ws shipped to units have been adequately configured for deployment by the Church. Why would the problem be brought on by Cisco if past units were properly configured for deployment?

I think aclawson is making a different point. He's not saying that the configuration problem was brought on by Cisco; rather he is saying that if there is a configuration problem that requires rescripting of the firewall using the console cable, the console cable is almost certainly unusable unless you have some additional hardware. The fact that Cisco continues to use a 9-pin serial connection for its console cables is indeed a decision made by Cisco that is incompatible with practically all current hardware.

But a serial-USB converter is cheap (I got one for about $5 that works like a charm). I have used it with PuTTY (free) with GSC techs on about 10 different occasions to rescript our firewalls (we have a particularly flaky PIX 501 which finally died two days ago, so I got to work through this process many times). I certainly agree with the advice to have such a converter on hand.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Mon Mar 12, 2012 10:05 am

Thanks for the clarification, Alan. I most definitely misunderstood what john84601 was referring to in his first sentence.

johnshaw
Senior Member
Posts: 1834
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

Postby johnshaw » Mon Mar 12, 2012 11:00 am

Just another note: this is the same for old firewalls and new firewalls. If you are an STS, make sure you have a serial port, or a USB --> serial port, available. It might be good to start a list of good USB-to-serial converters; I have had several that just did not work well for me. I tend to carry around an old laptop as a backup for this reason...
