Word of warning regarding new firewalls

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
aclawson
Senior Member
Posts: 760
Joined: Fri Jan 19, 2007 6:28 pm

#1

Post by aclawson »

Make absolutely positively sure that you have access to an internet-connected machine that has a serial port (or buy a serial/USB interface and carry it around with you) when upgrading the firewalls. On Wednesday last I attempted to activate the new box and received an error message regarding a problem with licensing. GSD had me do the usual hard reset, then attempted to reimage the device, as it had been shipped with the configuration dated from last spring. The scripting failed and the box was refusing to accept commands.

To fix it, I had to temporarily enable the AT&T U-verse wireless, move the firewall downstairs and connect it to one of the admin desktops, establish a TeamViewer connection and allow GSD to reimage the device with PuTTY. Then I had to move the firewall back into the attic, reconfigure the 2Wire box to kill the wireless and start the activation process again from scratch.

I asked why the firewalls are being shipped with serial console cables when essentially zero laptops in the wild these days have them and was told that they never asked Cisco to start sending USB console cables with the boxes and it didn't appear that anybody had the problem on their radar.

With the new requirement (de facto policy, I am told) prohibiting the firewalls from being located in the clerks' offices, the past use of the serial ports on the admin machines is much more difficult. (Do the new machines come with serial ports?) Troubleshooting is more likely to be done in a closet somewhere, on a laptop, and since laptops no longer have serial ports this is going to happen more and more frequently.
john84601
New Member
Posts: 47
Joined: Sun Mar 11, 2012 2:24 pm

#2

Post by john84601 »

As noted... this is a problem brought on by Cisco (really, they all make them that way) and not the Church.

Nonetheless... it's good advice to have some sort of 'USB <--> Serial (RS-232)' adapter when working with enterprise-class gear (albeit low-end enterprise gear).

Most network engineers have a couple of these floating around their laptop bags. I use what Dell calls a "Legacy Port Extender", which snaps on the bottom of the laptop where the docking connector is. It works really well. But anymore... only the "business" grade laptops even have a dock connector :-(
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#3

Post by jdlessley »

john84601 wrote: As noted... this is a problem brought on by Cisco (really, they all make them that way) and not the Church.
The report aclawson makes is recent. This is not necessarily brought on by Cisco as you describe. In the past the 881Ws shipped to units have been adequately configured for deployment by the Church. Why would the problem be brought on by Cisco if past units were properly configured for deployment?
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#4

Post by aebrown »

jdlessley wrote: The report aclawson makes is recent. This is not necessarily brought on by Cisco as you describe. In the past the 881Ws shipped to units have been adequately configured for deployment by the Church. Why would the problem be brought on by Cisco if past units were properly configured for deployment?
I think aclawson is making a different point. He's not saying that the configuration problem was brought on by Cisco; rather he is saying that if there is a configuration problem that requires rescripting of the firewall using the console cable, the console cable is almost certainly unusable unless you have some additional hardware. The fact that Cisco continues to use a 9-pin serial connection for its console cables is indeed a decision made by Cisco that is incompatible with practically all current hardware.

But a serial-USB converter is cheap (I got one for about $5 that works like a charm). I have used it with PuTTY (free) with GSC techs on about 10 different occasions to rescript our firewalls (we have a particularly flaky PIX 501 which finally died two days ago, so I got to work through this process many times). I certainly agree with the advice to have such a converter on hand.
Questions that can benefit the larger community should be asked in a public forum, not a private message.
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#5

Post by jdlessley »

Thanks for the clarification Alan. I most definitely misunderstood to what john84601 was referring in his first sentence.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
johnshaw
Senior Member
Posts: 2273
Joined: Fri Jan 19, 2007 1:55 pm
Location: Syracuse, UT

#6

Post by johnshaw »

Just another note: this is the same for old firewalls and new firewalls. If you are an STS, make sure you have a serial port, or a USB --> serial port, available. It might be good to start a list of good USB-to-serial converters; I have had several that just did not work well for me. I tend to carry around an old laptop as a backup for this reason.