Thursday, May 31, 2012

Cisco Nexus 5000/2000 Install (Part 3): FEX Configuration Notes

Cisco Nexus 5000/2000 Install (Part 3): FEX Notes

Before we get to the notes on the FEXs, Im adding these links below as an afterthought to this series.  This Nexus install was a four part series, this page being part three.  Here are the links to the others if you are interested.
For the notes on the install of the 5000s/2000s and how to configure a redundant setup, click here.
For the notes on the vPC connections, click here.
For some config examples without explanations, click here.

Here are some notes about the FEXs (2232PP) that I learned on this install.  One thing I wanted to point out is that when the FEX boots up, or the N5K boots up (whichever is the case), the FEXs take some time to come 'online'.  In this case below, Ill be showing two FEXs coming back online after a N5K reboots.  Here are the 'show fex' outputs that I saw while waiting on them to come up:

N5K-2# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
100        FEX0100             Connected    N2K-C2232PP-10GE   SSIXXXXXX1
101        FEX0101             Connected    N2K-C2232PP-10GE   SSIXXXXXX2

After a few minutes:
N5K-2# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
100        FEX0100       Online Sequence    N2K-C2232PP-10GE   SSIXXXXXX1
101        FEX0101             Connected    N2K-C2232PP-10GE   SSIXXXXXX2

A little more waiting:
2009 Apr  1 20:52:51 N5K-2 %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex 100 is online
2009 Apr  1 20:52:51 N5K-2 %$ VDC-1 %$ %NOHMS-2-NOHMS_ENV_FEX_ONLINE: FEX-100 On-line
2009 Apr  1 20:52:52 N5K-2 %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex 100 is online
N5K-2# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
100        FEX0100                Online    N2K-C2232PP-10GE   SSIXXXXXX1
101        FEX0101             Connected    N2K-C2232PP-10GE   SSIXXXXXX2

More waiting:
N5K-2# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
100        FEX0100                Online    N2K-C2232PP-10GE   SSIXXXXXX1
101        FEX0101       Online Sequence    N2K-C2232PP-10GE   SSIXXXXXX2

And we arrive:
2009 Apr  1 20:53:34 N5K-2 %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex 101 is online
2009 Apr  1 20:53:34 N5K-2 %$ VDC-1 %$ %NOHMS-2-NOHMS_ENV_FEX_ONLINE: FEX-101 On-line
2009 Apr  1 20:53:37 N5K-2 %$ VDC-1 %$ %PFMA-2-FEX_STATUS: Fex 101 is online
N5K-2# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
100        FEX0100                Online    N2K-C2232PP-10GE   SSIXXXXXX1
101        FEX0101                Online    N2K-C2232PP-10GE   SSIXXXXXX2

I just found this interesting.  Be patient, these take time to come 'online'.

Cisco Nexus 5000/2000 Install (Part 2): vPC Configuration Notes For Connections To 6500

Cisco Nexus 5000/2000 Install (Part 2): vPC Notes For Connections To 6500

I want to add more notes to this weeks post that will help.  See this post for the beginning of this install.  So, my focus will be primarily on the connection of the 5000s to the core switches.  In this case, I happened to be connecting my two 5000s to two 6500s for redundancy.
It is really important that you make the all port-channels to the core a part of the same 'port-channel number'.  For example, 'interface port-channel 5'.  Here is a drawing that the TAC guy drew up for me.
  So, if you will notice, there are a few numbers in this drawing.  I had on N5K-1 a vPC of 11.  On N5K-2, I had a vPC of 11.  But on the core switch, we had a 'interface port-channel 25' going to N5K-1.  Again, on the core, we had 'interface port-channel 26' to N5K-2.  Well, as it turns out, this doesn't work well, according to Cisco TAC, and I believe it.  I didnt know this until today, but from what I was seeing, it didn't seem stable.  Also, even though there is no real vPC configuration on the core (except the port-channels and interface commands), TAC recommends that the port-channel interfaces match the port-channel interface numbers of the N5Ks.  When I did this, things got stable and I didn't have any issues afterwards.  If you will notice in the above drawing, there is a vPC circle above 'core1'.  That is what it is 'supposed' to be.  Port-channel 11 for N5K-1, port-channel 11 for N5K-2, and port-channel 11 for core1. 
If you are going to a second core 6500 like I was, use a different port-channel number for the N5K-1, N5k-2, and the second 6500.  I used port-channel 15. 
Test your connections.  I put my laptop up on one of the 2232s and pulled the power from N5K-1.  Ping still works to the core.  I powered up the N5K-1, let the FEXs register, and pulled the power to N5K-2.  Pings still gets to core.  Power N5K-2 back up.  Do the same for the second FEX.  Redundancy confirmed works.  
Im adding these links below as an afterthought to this series.  This Nexus install was a four part series, this link being part two.  Here are the links to the others if you are interested.
For the notes on the install of the 5000s/2000s and how to configure a redundant setup, click here.
For the notes on the "FEXs", click here.
For some config examples without explanations, click here.
 

Cisco Nexus 5000/2000 Install (Part 1): How To Configure Redundant 5000s With Redundant 2000 FEXs

Cisco Nexus 5000/2000 Install: How To Configure Redundant 5000s With Redundant 2000 FEXs

Im adding these links in as an afterthought.  I have a four part series on this blog about this 5000/2000 install, in case you are interested in seeing them all.  This article you are on is the first of the four: 
For the notes on "vPC", click here.
For the notes on the "FEXs", click here.
For some config examples without explanations, click here.


My components: (2) 5548UP Nexus Switches, (2) 2232PP Fabric Extenders (FEX), (4) glc-sx-mm= gbics, and (8) fet-10g gbics

Here is the topology of the Cisco Nexus setup that Im looking to do, with one exception.  I only had one fiber run to each FEX instead of two like the diagram shows:
This was an interesting install.  I ran into a few roadblocks along the way, but Ill highlight what I did and what I learned in this posting. 

First, I learned from TAC that when doing an install like this, you must start configuration of the 5000s first, then move to the vPC config between the two 5000s.  This will save you some headache when it comes to getting the 5000s to see the 2000s. 
Second, if TAC tells you that the 5000 will only see one 2232PP device instead of being able to see two, its not true.  I had two TAC guys tell me this.  Here is my proof that it will see more than one.  Actually, I think it supports up to 12:

N5K-1# sh fex
  FEX         FEX           FEX                       FEX              
Number    Description      State            Model            Serial    
------------------------------------------------------------------------
100        FEX0100                Online    N2K-C2232PP-10GE   SSI155XXXX1
101        FEX0101                Online    N2K-C2232PP-10GE   SSI155XXXX2

Third, the Nexus config does have some changes from the Catalyst.  Its mostly similar, but one thing I really like about it is that its like an ASA in that you can run most commands no matter where you are in the command structure.  I dont like having to exit back one just to run a command.  I can even do a 'copy run start' from config mode.  I like that.
Fourth, my understanding is that you want to use your management interfaces for the vPC keep-alives. TAC tells me that you will have spratic issues come up if you dont use the management interfaces.  They did not elaborate on what issues I might face, but they made sure to mention it to me.
Fifth, you can not do a 'write mem' on the Nexus 5000.  You can only do a 'copy run start'.
One last thing.  When you are configuring these 5000s in a redundant setup, like in the topology above, you really should work on both 5000s at the same time.  Now this is my own opinion, but I found that this is helpful when getting the two ready for the 2000s.

So, here is what my experience was like:
I first started out changing the password.  The first time you log in, it asks you to change it, so I did.  You will have a login of admin and whatever your new password will be.
I then went on to configure the management interface.  I think the best approach for me personally is to configure both 5548UPs at the same time.  Looking back, I think it will be easier for me to know where I am in the config steps.  Plus, it seems that some things just need to be done on both switches for things to go smoothly (in a topology like Im doing).  So, lets configure the management interface:

interface mgmt0
  ip address 10.10.10.4/24
 exit
vrf context management
ip route 0.0.0.0/0 10.10.10.1

Now you have your management interface configured.  Do the other 5000 as well.
Configure the hostname.  I chose N5K-1 and N5K-2.  'hostname N5K-1'. 
You need to enable to services you will need on the Nexus.  Here is what I enabled on mine:

feature telnet
feature vpc
feature lacp
feature fex

I configured my trunk ports to my core 6500 now.  You got to hook into the network somehow, you may as well do it now.  I did trunk ports so I could carry multiple vlans.  I also tied a separate vlan on my 6500 for my management interfaces.  Dont ask why, but Im having to bond (5) Cat5 cable together.  My 6500 didn't have enough fiber ports.
Here is the trunk config I did on the 5000:

interface port-channel10
  description To_Core_Switch
  switchport mode trunk
switchport trunk allowed vlan all
speed 1000

interface Ethernet1/1-5
  description To_Core_Switch
switchport mode trunk
speed 1000
  channel-group 10

I actually ended up doing two of these (5) port port-channel trunks, to two different core switches for redundancy.
Now its time to configure the vPC domain.  'vpc domain 1'  I used 1, but you can use whatever number you want (within a certain limit, which I cant remember now).
Peer keep-alive config., remember to use your management interfaces:

 peer-keepalive destination 10.10.10.5 (10.10.10.5 is the management interface IP on my other 5000).

Now its time to configure the vPC peer 'link'.  This is the link between the two 5000s.  I did this as a trunk port, per Cisco's recommendation. 

 int ethernet 1/15-16
  switchport mode trunk
  speed 1000     (notice I have to say 1000 for 1G connection. 10G is the default)
  channel-group 1516 mode active  (keyword 'active' tells it to use LACP)

interface port-channel1516
  switchport mode trunk
  spanning-tree port type network
  speed 1000
  vpc peer-link

NOTE*** In the above config, for the channel-group command, I used keyword 'on', and it caused problems.  It wasn't until I used LACP (keyword 'active') that things were steady and reliable.
That should take care of the vPC link between the two 5000s.  **Note: I used the following GBICS for this connectivity: glc-sx-mm= (1G fiber GBICS)

Now, you should see something like this below for successful configuration:
N5K-1(config-if-range)# sh vpc brief
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                   : 1
Peer status                     : peer adjacency formed ok     
vPC keep-alive status           : peer is alive                
Configuration consistency status: success
Per-vlan consistency status     : success                      
Type-2 consistency status       : success
vPC role                        : secondary                    
Number of vPCs configured       : 0  
Peer Gateway                    : Disabled
Dual-active excluded VLANs      : -
Graceful Consistency Check      : Enabled

Now its time to configure the FEXs (the 2232PPs). 
Now keep in mind that I did not configure the following three commands.  Even though they are needed, these commands were defaulted in when I added the fex command into the port-channel.  Again, these three commands below, I did not put in myself.  The switch did it on its own.

fex 100
  pinning max-links 1
  description "FEX0100"

They are needed, but again, when I did this port-channel config below, the above commands were put in automatically:

interface port-channel6
  switchport mode fex-fabric
  fex associate 100
  vpc 6

Now the interface (again, only one interface since I only had one fiber going to each FEX from each 5548):

interface Ethernet1/6
  description *** To FEX 100 ****** To FEX 100 ***
  switchport mode fex-fabric
  fex associate 100
  channel-group 6

I also added in for the second FEX (2232PP):
interface port-channel7
  switchport mode fex-fabric
  fex associate 101
  vpc 7

interface Ethernet1/7
  description *** To FEX 101 ****** To FEX 101 ***
  switchport mode fex-fabric
  fex associate 101
  channel-group 7

And again, when I added the commands above for the second FEX, it added these commands below on its own:

fex 101
  pinning max-links 1
  description "FEX0101"

Now its probably important to note that I used the following for connectivity from the 5548s to the 2232s.  Here is what I used:
fet-10g (10G fiber GBICS)
LC-LC/10GIG/AQ/1M (10G fiber patch cables)

Now some notes when you first connect to the FEXs:
The 2232PP has to download the same image that the 5548UP has.  See below:
N5K-1(config-if)# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
100        FEX0100        Image Download    N2K-C2232PP-10GE   SSIXXXXXXX1

Once it is done downloading (which takes a few minutes), it will show this below:
N5K-1(config-if)# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
100        FEX0100                Online    N2K-C2232PP-10GE   SSIXXXXXXX1

Another interesting command is the 'show interface fex':
N5K-1(config-if)# sh inter fex
     Fabric      Fabric       Fex                FEX
Fex  Port      Port State    Uplink    Model         Serial
---------------------------------------------------------------
100    Eth1/6        Active     8    N2K-C2232PP-10GE  SSIXXXXXXX1

Probably another useful insight at this point is that all the interfaces are 10G by default.  It comes that way on the 5000.  IF you want the links to be any other speed except 10G, you have to tell it.  Here is what you might see:
N5K-1(config-if)# sh int brief
--------------------------------------------------------------------------------
Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                    Ch#
--------------------------------------------------------------------------------
Eth1/1        1       eth  trunk  down    Link not connected         1000(D) 10
Eth1/2        1       eth  trunk  down    Link not connected         1000(D) 10
Eth1/3        1       eth  trunk  down    Link not connected         1000(D) 10
Eth1/4        1       eth  trunk  down    SFP Validation Failed      1000(D) 10

If you see that "SFP Validation Failed", then probably if you go on the port-channel (or interface if you are not doing port-channel) and set the speed correctly, it will resolve this issue.  It did for me.

Now it will be time to configure any vlan that needs to be on the switch, plus any vlan configuration on a port that you need.  They will be the same commands as on a Catalyst, except you dont have to go into a vlan database.
So a small recap: config is done on and between the 5000s first, then add the 2000s.

Saturday, May 19, 2012

Access Closet Network Cleanup!

Cleaning up a access closet.  Going to bad to better with new patch cables.  This makes troubleshooting a lot easier, among other benefits.  See the before and after.  This was part of a Cisco switch replacement project.
Before picture:

































After picture:

How To Extend Your Cat5 Run When You Dont Have Many Choices

Dont have any RJ45 jacks?  Dont have a long enough Cat 5 pull to get you to the new switch room?  Dont have any extra Cat 5 to run a new line? Here is what you do then if you have to.  I dont recommend it, but sometimes you have to work with what you have to extend your Cat 5 cable out.  I put this under the ShoreTel Fun site because if I ever have to do anything odd, its usually in the phone world.  This time, it was to extend a cable for a IP phone.  The grey cable on the right is punched down in the second to the right column.  That cable runs next door to where the new switch is.  The first column on the right goes to the IP phone.

Thursday, May 17, 2012

How To Add A Phone In Cisco CUCM: A Video Guide

Here is how you add a IP phone to a Cisco CUCM.  I can not recall the version this was, but this is on a linux box and Im thinking this was version 7.x.

Cisco: How To Put An IP Address On A ASA-SSM-10 IPS Module In An ASA 55X0

I wanted to go through how to put an IP address on an IPS module sensor that resides in an ASA.  I also want to make sure my network can access the IPS sensor as well.  Below is the process I went through to get this in place.  I also have made sure I have a cable plugged into the IPS module and that its in the right vlan on the switch Im connecting to.
Settings:
Sensor IP address: 192.168.255.130/16
Gateway IP address:  192.168.255.254
Who has access to the IPS sensor:  192.168.0.0/16

CLI in the sensor:
sensor# config t
sensor(config)# service  host
sensor(config-hos)# network-settings
sensor(config-hos-net)#  host-ip 192.168.255.130/16,192.168.255.254
sensor(config-hos-net)#  access-list 192.168.0.0/16
sensor(config-hos-net)#  exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)#
sensor(config)#
sensor(config)# exit

Now, I should be able to ping the IPS sensor:
C:\Users\skillen>ping 192.168.255.130

Pinging 192.168.255.130 with 32 bytes of data:
Reply from 192.168.255.130: bytes=32 time=1ms TTL=64
Reply from 192.168.255.130: bytes=32 time<1ms TTL=64
Reply from 192.168.255.130: bytes=32 time<1ms TTL=64
Reply from 192.168.255.130: bytes=32 time<1ms TTL=64

Just FYI, here is what a ASA-SSM-10 IPS module looks like:

Wednesday, May 16, 2012

Cisco: How To Add A Presense User In CUCM: Complete Notes

Adding Presence Users:

IN CUCM:
In the end user, make sure of the following:
device association - phone is associated
primary number - DN is associated
"CTI Enable Group" and "Standard CCM end users group" - make sure user is a part of these groups on the end user page

In the device --> phone page:
associate user to DN under phone properties

For SOFTPHONE (Personal Commucator softphone) usage:
add a new phone
select personal comunicator
name it "UPC(USERID)" - example UPCSKILLEN -- It all has to be UPPERCASE
associate the new phone to a DN

In CUCM still, go to System --> Licensing --> Capabilities
make sure both items ARE CHECKED for each user you want to have this capability.

IN PRESENCE:
go to Presence --> Application --> CUPC --> User settings
search for userID
preferred phone is the "hard" phone, not softphone
CTI Gateway profile is “Birmingham_cti_tcp_profile_synced_000”

Cisco: How To Give A CUCM User Presence Capability/Permissions: CUCM Config

Here is a training video I created on how to give a Presence user the capabilities they need in CUCM.

Saturday, May 12, 2012

Cisco ASA-SSM-10 Upgrade: Upgrading The ASA 5520 IPS Module

I went onsite today to upgrade two IPS modules in two ASA 5520s, setup for HA (Active, Standby).  One of the modules had version 5.1(1)S222.0 on it.  The other module had version 6.0(1)E4 on it.  I remember that the second one had been replaced when the ASA died.  The first one was an original to this company.  Here is what I encountered below.

I first got into the IPS module and had to reset the password:
ASA#session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
You are required to change your password immediately (password aged)
Changing password for cisco
(current) password:
New password:
Retype new password:

Once I reset the password, I went forward with the upgrade.
ASAIPS-2# sh ver
Application Partition:

Cisco Intrusion Prevention System, Version 5.1(1)S222.0

Host:                                                        
    Realm Keys          key1.0                               
Signature Definition:                                        
    Signature Update    S222.0                   2006-03-17  
    Virus Update        V1.0                     2005-11-17  
OS Version:             2.4.26-IDS-smp-bigphys               
Platform:               ASA-SSM-10                           
Serial Number:          JAB0XXXXXX                          
License expired:        22-May-2006 UTC                      
Sensor up-time is 244 days.
Using 552251392 out of 1054670848 bytes of available memory (52% usage)
system is using 17.3M out of 36.8M bytes of available disk space (47% usage)
application-data is using 45.2M out of 166.6M bytes of available disk space (29% usage)
boot is using 35.0M out of 68.5M bytes of available disk space (54% usage)

MainApp          2005_Nov_15_13.47   (Release)   2005-11-15T14:27:20-0600   Running  
AnalysisEngine   2006_Feb_08_13.09   (Release)   2006-02-08T13:52:38-0600   Running  
CLI              2005_Nov_15_13.47   (Release)   2005-11-15T14:27:20-0600            

Upgrade History:

* IPS-K9-min-5.1-1                19:47:00 UTC Tue Nov 15 2005  
--MORE--          IPS-sig-S222-minreq-5.0-5.pkg   13:06:21 UTC Thu Mar 23 2006  

Recovery Partition Version 1.1 - 5.1(1)

ASAIPS-2# config t
ASAIPS-2(config)#  upgrade ftp://shane@172.24.14.44/IPS-engine-E4-req-6.2-2.pkg
Password: *********
Continue with upgrade? []:yes
 The filename IPS-K9-6.2-2-E4.pkg is not a valid upgrade file type. 

Ok, obviously this did not go the way I wanted.  To make a lengthy process short, I simply could not upgrade this IPS module, according to Cisco TAC.  I tried many pkg files, none successful.  This one will be swapped out by Cisco.
The second one was not so bad.  Below is what I did:
 
ASA#session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
sensor#
sensor# config t
sensor(config)# upgrade  ftp://shane@172.24.14.44 /IPS-K9-7.0-7-E4.pkg
Password: ****
Warning: Executing this command will apply a software update to the application partition. The system may be rebooted to complete the upgrade.
Continue with upgrade? []]: yes
                                                                              
Broadcast Message from root@sensor                                            
        (somewhere) at 8:02 ...                                               
                                                                              
Applying update IPS-K9-7.0-7-E4.pkg.                                                                                                                 
Broadcast Message from root@sensor                                            
        (somewhere) at 8:02 ...                                               
                                                                              
IPS applications will be stopped and system will be rebooted after upgrade comp
letes .                                                                 
                                                                          
Broadcast Message from root@sensor                                            
        (somewhere) at 8:02 ...                                               
                                                                              
Shutting down IPS applications.  Applications will be restarted when update is
complete..                                                              
                                                                         
Command session with slot 1 terminated.
Remote card closed command session. Press any key to continue.

    Switching to Standby

    Switching to Failed state.
Command session with slot 1 terminated.
Command session with slot 1 terminated.
ASA5520-1/asa.net/stby# sh module

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMXXXXXX
  1 ASA_5500_Series_Security_Services_Module-10  ASA-SSM-10         JAFXXXXX

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version    
--- --------------------------------- ------------ ------------ ---------------
  0 e05f.b904.3324 to e05f.b904.3328  2.0          1.0(11)2     8.2(4)
  1 001e.7a81.8960 to 001e.7a81.8960  1.0          1.0(11)5     6.0(6)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Not Applicable   6.0(6)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable        
  1 Init               Not Applicable          

ASA5520-1/asa.net/stby# sh module

Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMXXXXXXXXX
  1 ASA_5500_Series_Security_Services_Module-10  ASA-SSM-10         JAFXXXXX

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version    
--- --------------------------------- ------------ ------------ ---------------
  0 e05f.b904.3324 to e05f.b904.3328  2.0          1.0(11)2     8.2(4)
  1 001e.7a81.8960 to 001e.7a81.8960  1.0          1.0(11)5     7.0(7)E4

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.0(7)E4

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable        
  1 Up                 Up                    
 

Upgrade not too bad.  Here is some notes that I put down before showing up today.
NOTES:
To upgrade the Engine:
1. Log into IPS module: session 1
2. type config t
3. type upgrade ftp://shane@172.24.14.44/IPS-engine-E4-req-6.2-2.pkg
4. type none
5. sensor reboots

IPS system:
6. log into IPS module
7. type config t
8. type upgrade ftp://shane@172.24.14.44/IPS-K9-6.2-2-E4.pkg
9. type none
10. yes
11. sensor reboots.

Signatures:
12. log into the IPS module
13. config t
12. upgrade ftp://shane@172.24.14.44/IPS-sig-S576-req-E4.pkg
13. type yes
complete.


SECOND NOTES:  When you upgrade the sensor, you will have to allow yourself access again so that you can HTTPS into it for configuration.  Here is what I did:
sensor# conf t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# access-list 172.16.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]:
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.
sensor(config)# exit
sensor#

Thursday, May 10, 2012

ShoreTel: No Internal Calling Capability Between Sites Across A VPN

Today I went to complete a ShoreTel install for a company that had a HQ site and one remote site.  The HQ site was already done, and all I had to do today was just the remote site.  When I got there and got all the phones out (I had already done the config when I did the main site), I found that I could dial internally to the remote site without any issue, but I could not dial across the site to site vpn to the HQ site.  It would tell me when I tried that the extension was not valid.  If I got someone from the HQ site to call where I was, they got the same message.
So I created a case, but in the meantime, I found that if I went into Call Control --> Options --> and checked Distributed Routing (I cant recall the whole line, but it was the first selection), I found that after the ShoreGear switches rebooted, the remote site could then dial the main site.  However, the main site could not dial the remote site.  So during the TAC call, they unchecked that same option for distributed routing, the switches rebooted, and both sites could then call each other.  So, the question is why did that work when it was set like that in the beginning?  I have no idea, but TAC says something must have needed to be sync'ed.  Im not sure, but either way, it did work.

Wednesday, May 9, 2012

Check Point UTM-1 270 Upgrade Via CLI: R75.40

I always prefer to upgrade Check Point via CLI.  So, here is what I went through today on an upgrade from R75.30 to R75.40.  It actually failed, and Ill explain at the end of this explanation.  But for now, lets go through the upgrade process via CLI.

First, you must FTP the .TGZ image to the UTM, preferrably to a partition with enough disk space other than the system partition.  I sent it to /var/log.  Then, I ran the following command to strat the upgrade process:
[Expert@CP]# tar -zxvf Check_Point_Upgrade_for_R75.40.Splat.tgz

After it extracts the needed files, I get this error at the end:
gzip: stdin: unexpected end of file
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now

However, I kept on going, as I saw this the last time when I upgraded from R75.20 to R75.30 and the install worked fine afterwards.
Run the following command to start the upgrade from CLI:
[Expert@CP]# ./installme.sh

Once the upgrade completes, reboot the system.  Make sure it comes up.  Download the SmartConsole for the version you are going to, login, and push policy.  All should be good afterwards.

HOWEVER, Today was not like this.  I had a UTM-1 270 that had 79% of its root partition filled up on the hard disk.  This comes with 7.9 Gig of free space for the root partition from scratch.  Its not much, however there is more space on other partitions, which wont do you good for several upgrades.  Its real good for logging though.  I dont recall what it is, but its like 80 Gig or so. 

So, what I hear from Check Point (the first time) is that I need 2.5 Gig on the root directory for an upgrade to R75.40 from R75.30.  Turns out that now they tell me I need 4.9 Gig free (according to another TAC guy).  So, first, here are some commands that are useful in knowing about disk space on SPLAT:

Disk space in the current directory you are in:
[Expert@CP]# ls | xargs du -hs
0       1
796M    Check_Point_Upgrade_for_R75.40.Splat.tgz
0       CvpndAdmin.log
0       DEBUG
68K     DOCS
4.0K    License.txt
11M     bin
20M     boot
64K     dev
31M     etc
52K     home
4.0K    initrd
61M     lib
1.5G    log
16K     lost+found
32K     mnt
1.9G    opt
du: `proc/5355/task/5355/fd/3': No such file or directory
du: `proc/5355/fd/3': No such file or directory
0       proc
28K     root
14M     sbin
12K     scripts
0       sys
1.1G    sysimg
32K     tmp
76M     usr
7.0G    var
[Expert@CP]#

Overall disk space:
[Expert@CP]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
                      7.9G  7.1G  438M  95% /
/dev/sda1             145M   24M  114M  18% /boot
none                  501M     0  501M   0% /dev/shm
/dev/mapper/vg_splat-lv_log
                       60G 1020M   56G   2% /var/log
[Expert@CP]#

So I did the upgrade, and I ran out of disk space.  It bombed said it completed, but failed to verify.  Essentially, I experienced this below:
[Expert@CP]# ./installme.sh
Start Upgrading ..
Wait while creating upgrade image ... 23%
complete
Creating upgrade image is ok
Verifying ..
Disk Space Error - 888960.97265625 Required, 0 AvailableVerification failed.

I was at 100% disk utilization on the root partition.  I didnt reboot because I was afraid it wouldnt come back up with the disk full like that.  So, I moved the /log directory (because it was 1.5 Gig) to another partition and then rebooted.  It didnt come back up from where I was (two floors up, physically), so I went down there to the server room and it says the following:
I have to admit, my heart sank a little when I saw this.  My first thought was "what am I about to encounter???"  I got my console cable out to see if I could see anything.  I got a blinking cursor that would respond if I hit enter, but I couldnt really do anything.  It was truly working on reverting back to R75.30.












So, in time, I finally go to this screen below for a few minutes:
 
 
When it got to the "loading" screen, thats when it started to reboot.  Below is what I saw on the console:
---------
CPU Brand Name : Intel(R) Celeron(R) M processor          600MHz

  Memory Frequency For DDR2 400
IDE Channel 0 Master : None
IDE Channel 0 Slave  : None

SATA Channel 0 Master: WDC WD1601ABYS-01C0A0 06.06H05
SATA Channel 0 Slave : None
SATA Channel 1 Master: None
SATA Channel 1 Slave : None

05/09/2008-Alviso-PPAP2100C-00


Initializing Intel(R) Boot Agent GE v1.2.30
PXE 2.1 Build 084 (WfM 2.0)

                           Phoenix Technologies, LTD
                             System Configurations
+==============================================================================+
| CPU T: Intel(R) Celeron(R) M processor  Base Memory       :    640K          |
| CPU I: 0695/45D                         Extended Memory   :1038336K          |
| CPU C: 600MHz                           Cache Memory      :    512K          |
|------------------------------------------------------------------------------|
| Diskette Drive A  : None                Display Type      : EGA/VGA          |
| Diskette Drive B  : None                Serial Port(s)    : 3F8 2F8          |
| Pri. Master Disk  : None                Parallel Port(s)  : None             |
| Pri. Slave  Disk  : None                DDR2 at Bank(s)   : 0 2              |
| Sec. Master Disk  : None                                                     |
| Sec. Slave  Disk  : None                                                     |
+==============================================================================+

IDE Channel 2 . Master Disk  : LBA,ATA 100,  164GB


PCI device listing ...
Bus No. Device No. Func No. Vendor/Device Class Device Class               IRQ
--------------------------------------------------------------------------------
    0       2         0     8086   2592   0300  Display Cntrlr               9
    0      29         0     8086   2658   0C03  USB 1.0/1.1 UHCI Cntrlr     11
    0      29         1     8086   2659   0C03  USB 1.0/1.1 UHCI Cntrlr     15

ACPI: Getting cpuindex for acpiid 0x1
ACPI: Getting cpuindex for acpiid 0x2
ACPI: Getting cpuindex for acpiid 0x3
├┐Red Hat nash version 5.1.19.6 starting
  Reading all physical volumes.  This may take a while...
  Found volume group "vg_splat" using metadata type lvm2
  5 logical volume(s) in volume group "vg_splat" now active
INIT: version 2.85 booting
mount: proc already mounted
Configuring kernel parameters:  [  OK  ]
Setting clock  (utc): Wed May  9 15:59:07 GMT-5 2012 [  OK  ]
Starting udev: [  OK  ]
Setting hostname CPipacc:  [  OK  ]
Setting domain name ipacc.com:  [  OK  ]
Initializing USB controller (ehci-hcd):  [  OK  ]
Your system appears to have shut down uncleanly
Press Y within 1 seconds to force file system integrity check...
Checking root filesystem
[/sbin/fsck.ext3 (1) -- /] fsck.ext3 -a /dev/mapper/vg_splat-lv_current
/dev/mapper/vg_splat-lv_current: clean, 39865/1048576 files, 2093857/2097152 blocks
[  OK  ]
Remounting root filesystem in read-write mode:  [  OK  ]
Setting up Logical Volume Management: [  OK  ]
Finding module dependencies:  [  OK  ]
Checking filesystems
Checking all file systems.
[/sbin/fsck.ext3 (1) -- /boot] fsck.ext3 -a /dev/sda1
/boot: recovering journal
/boot: clean, 78/38152 files, 29142/152586 blocks
[/sbin/fsck.ext3 (1) -- /var/log] fsck.ext3 -a /dev/mapper/vg_splat-lv_log
/dev/mapper/vg_splat-lv_log: recovering journal
/dev/mapper/vg_splat-lv_log: clean, 786/7864320 files, 1483684/15728640 blocks
[  OK  ]
Mounting local filesystems:  [  OK  ]
Activating swap partitions:  [  OK  ]
Enabling swap space:  [  OK  ]
INIT: Entering runlevel: 3
Applying Intel Microcode update: don't know how to make device "cpu/0/microcode"
/etc/rc3.d/S00microcode_ctl: microcode device /dev/cpu/0/microcode doesn't exist?
Checking for new hardware [  OK  ]
Updating /etc/fstab [  OK  ]
Starting WdHwSensors_init:  [  OK  ]
Starting lcdpanel_init:  [  OK  ]
Starting kdump:  [  OK  ]
Inserting vpntmod.2.6.18.cp.i686.noPAE: [  OK  ]
Starting s3500.boot:  [  OK  ]
CKP: Loading SecureXL:  [  OK  ]
CKP: Loading FW-1 IPv4 Instance 0:  [  OK  ]
CKP: Loading VPN-1     Instance 0:  [  OK  ]
Configuring network:  [  OK  ]
Starting SMBFS mounts:  [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]
Starting rmatool:  [  OK  ]
CPshell initialization:  [  OK  ]
Initializing random number generator:  [  OK  ]
Starting acpi daemon: [  OK  ]
Starting sshd:[  OK  ]
Starting arp:  [  OK  ]
Starting bp_init:  [  OK  ]
Starting crond: [  OK  ]
Running cp_http_server_wd: [  OK  ]
Running cpwmd_wd: [  OK  ]
Starting cpri_d:  [  OK  ]
Starting cpboot:  [  OK  ]
Starting cpboot_refetch:  [  OK  ]
Starting lcdpanel:  [  OK  ]
Starting led:  [  OK  ]
Starting ntp:  [  OK  ]

Check Point SecurePlatform R75.30
For Web User Interface access connect to https://X.X.X.X:4434/

login:
----------------
When it came up, I tried to push policy and it would not push.  It just hung up on me.  
Again, for some reason, my disk space was full on the root partition.  There was a /log folder again, about 1.5 Gig in size, that I moved to the /var/log partition. I was then able to push policy after I moved the folder.  I also deleted the file for the R75.40 upgrade, which gave me more space.  At this point, I left it alone.  Im able to push policy and I have disk space.  Time to go home.

Tuesday, May 8, 2012

How To Upgrade The Firmware Of A Brocade 7131 Access Point (AP)

My experience from start to finish on upgrading a 7131 AP.

configure dhcp on your laptop with dual-server (freeware).
connect ap to a switch (with your laptop connected) to get an ip address from dual-server.
I wondered at what point does the AP actually get an IP address?  I watched my DHCP server and the AP, and this was the point I saw when it got the IP address:
---------------------------------------------------------------------------------------------------------------------------------------
eth0: port 1(ath0sn0) entering learning state
eth0: topology change detected, propagating
eth0: port 2(oct0) entering forwarding state
eth0: topology change detected, propagating
eth0: port 1(ath0sn0) entering forwarding state   <--- At this point is when it gets an IP address from the DHCP server.
---------------------------------------------------------------------------------------------------------------------------------------
I did a quick scan to find the IP address it gave out.  Web browse into the AP.  Above, after it gets an IP address, go to http://192.168.0.7 . (192.168.0.7 was my address given out by DHCP).














Above, login with admin/admin123 .















Below, go to Firmware Update.
















Fill in the info on the screen (Filename, TFTP Server IP Address, TFTP radio)  See below.
















Make sure TFTP is running on your laptop:















Select "Perform Update" in the AP interface.  Once you select that, you get this message below:







Select "Yes".  It then logs you out automatically.
















It takes the 7131 around 10 minutes or so to upgrade and boot back up.  Below is the TFTP (Two screenshots).







 Sniff of the TFTP.









TFTP from my laptop.




When it reboots, it goes through this process in CLI on the 7131:
-----------------------------------------------------------------------------------------------------------------------------------------
Status 0
Restarting system.
.
CN3010_EVB_HS5 board revision major:1, minor:0, serial #: 2007-1.0-00179
OCTEON CN3010-SCP revision: 2, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  128 MB
Rom Based Init Sequence complete
Press the R key within 4 seconds for ROM based Diags
Else, Boot code relocation to DRAM will commence
Commencing Boot code relocation to DRAM
Flash:  8 MB
NAND:  512 MiB
Clearing DRAM...... done
BIST check passed.
Starting PCI
PCI Status: PCI 32-bit
PCI BAR 0: 0x00000000, PCI BAR 1: Memory 0x00000000  PCI 0xf8000000
Net:   octeth0, octeth1


BR71xx Boot Firmware Version 3.2.2.0-011R, CPLD Revision 3.19
Copyright(c) 2009. All rights reserved.


Press escape key to run boot firmware .............
NAND read: device 0 offset 0x8000000, size 0x20c2000
Reading data from 0x8000000 --   0% complete.Reading data from 0x8053800 --   1% complete.Reading data from 0x80a7800 --   2% complete.Reading data from 0x80fb800 --   3% complete.Reading data from 0x814f000 --   4% complete.Reading data from 0x81a3000 --   5% complete.Reading data from 0x81f7000 --   6% complete.Reading data from 0x824b000 --   7% complete.Reading data from 0x829e800 --   8% complete.Reading data from 0x82f2800 --   9% complete.Reading data from 0x8346800 --  10% complete.Reading data from 0x839a000 --  11% complete.Reading data from 0x83ee000 --  12% complete.Reading data from 0x8442000 --  13% complete.Reading data from 0x8496000 --  14% complete.Reading data from 0x84e9800 --  15% complete.Reading data from 0x853d800 --  16% complete.Reading data from 0x8591800 --  17% complete.Reading data from 0x85e5000 --  18% complete.Reading data from 0x8639000 --  19% complete.Reading data from 0x868d000 --  20% complete.Reading data from 0x86e1000 --  21% complete.Reading data from 0x8734800 --  22% complete.Reading data from 0x8788800 --  23% complete.Reading data from 0x87dc800 --  24% complete.Reading data from 0x8830000 --  25% complete.Reading data from 0x8884000 --  26% complete.Reading data from 0x88d8000 --  27% complete.Reading data from 0x892c000 --  28% complete.Reading data from 0x897f800 --  29% complete.Reading data from 0x89d3800 --  30% complete.Reading data from 0x8a27800 --  31% complete.Reading data from 0x8a7b800 --  32% complete.Reading data from 0x8acf000 --  33% complete.Reading data from 0x8b23000 --  34% complete.Reading data from 0x8b77000 --  35% complete.Reading data from 0x8bca800 --  36% complete.Reading data from 0x8c1e800 --  37% complete.Reading data from 0x8c72800 --  38% complete.Reading data from 0x8cc6800 --  39% complete.Reading data from 0x8d1a000 --  40% complete.Reading data from 0x8d6e000 --  41% complete.Reading data from 0x8dc2000 --  42% complete.Reading data from 0x8e15800 --  43% complete.Reading data from 0x8e69800 --  44% complete.Reading data from 0x8ebd800 --  45% complete.Reading data from 0x8f11800 --  46% complete.Reading data from 0x8f65000 --  47% complete.Reading data from 0x8fb9000 --  48% complete.Reading data from 0x900d000 --  49% complete.Reading data from 0x9060800 --  50% complete.Reading data from 0x90b4800 --  51% complete.Reading data from 0x9108800 --  52% complete.Reading data from 0x915c800 --  53% complete.Reading data from 0x91b0000 --  54% complete.Reading data from 0x9204000 --  55% complete.Reading data from 0x9258000 --  56% complete.Reading data from 0x92ac000 --  57% complete.Reading data from 0x92ff800 --  58% complete.Reading data from 0x9353800 --  59% complete.Reading data from 0x93a7800 --  60% complete.Reading data from 0x93fb000 --  61% complete.Reading data from 0x944f000 --  62% complete.Reading data from 0x94a3000 --  63% complete.Reading data from 0x94f7000 --  64% complete.Reading data from 0x954a800 --  65% complete.Reading data from 0x959e800 --  66% complete.Reading data from 0x95f2800 --  67% complete.Reading data from 0x9646000 --  68% complete.Reading data from 0x969a000 --  69% complete.Reading data from 0x96ee000 --  70% complete.Reading data from 0x9742000 --  71% complete.Reading data from 0x9795800 --  72% complete.Reading data from 0x97e9800 --  73% complete.Reading data from 0x983d800 --  74% complete.Reading data from 0x9891000 --  75% complete.Reading data from 0x98e5000 --  76% complete.Reading data from 0x9939000 --  77% complete.Reading data from 0x998d000 --  78% complete.Reading data from 0x99e0800 --  79% complete.Reading data from 0x9a34800 --  80% complete.Reading data from 0x9a88800 --  81% complete.Reading data from 0x9adc800 --  82% complete.Reading data from 0x9b30000 --  83% complete.Reading data from 0x9b84000 --  84% complete.Reading data from 0x9bd8000 --  85% complete.Reading data from 0x9c2b800 --  86% complete.Reading data from 0x9c7f800 --  87% complete.Reading data from 0x9cd3800 --  88% complete.Reading data from 0x9d27800 --  89% complete.Reading data from 0x9d7b000 --  90% complete.Reading data from 0x9dcf000 --  91% complete.Reading data from 0x9e23000 --  92% complete.Reading data from 0x9e76800 --  93% complete.Reading data from 0x9eca800 --  94% complete.Reading data from 0x9f1e800 --  95% complete.Reading data from 0x9f72800 --  96% complete.Reading data from 0x9fc6000 --  97% complete.Reading data from 0xa01a000 --  98% complete.Reading data from 0xa06e000 --  99% complete.Reading data from 0xa0c1800 -- 100% complete.


 34349056 bytes read: OK
>>>> Entering Critical Programming Phase DO NOT POWER OFF UNIT! <<<<
Un-Protect Flash Bank # 1
................................ done
NAND erase: device 0 whole chip

Erasing at 0x0 --   0% complete.Erasing at 0x500000 --   1% complete.Erasing at 0xa20000 --   2% complete.Erasing at 0xf40000 --   3% complete.Erasing at 0x1460000 --   4% complete.Erasing at 0x1980000 --   5% complete.Erasing at 0x1ea0000 --   6% complete.Erasing at 0x23c0000 --   7% complete.Erasing at 0x28e0000 --   8% complete.Erasing at 0x2e00000 --   9% complete.Erasing at 0x3320000 --  10% complete.Erasing at 0x3840000 --  11% complete.Erasing at 0x3d60000 --  12% complete.Erasing at 0x4280000 --  13% complete.Erasing at 0x47a0000 --  14% complete.Erasing at 0x4cc0000 --  15% complete.Erasing at 0x51e0000 --  16% complete.Erasing at 0x5700000 --  17% complete.Erasing at 0x5c20000 --  18% complete.Erasing at 0x6140000 --  19% complete.Erasing at 0x6660000 --  20% complete.Erasing at 0x6b80000 --  21% complete.Erasing at 0x70a0000 --  22% complete.Erasing at 0x75c0000 --  23% complete.Erasing at 0x7ae0000 --  24% complete.Erasing at 0x7fe0000 --  25% complete.Erasing at 0x8500000 --  26% complete.Erasing at 0x8a20000 --  27% complete.Erasing at 0x8f40000 --  28% complete.Erasing at 0x9460000 --  29% complete.Erasing at 0x9980000 --  30% complete.Erasing at 0x9ea0000 --  31% complete.Erasing at 0xa3c0000 --  32% complete.Erasing at 0xa8e0000 --  33% complete.Erasing at 0xae00000 --  34% complete.Erasing at 0xb320000 --  35% complete.Erasing at 0xb840000 --  36% complete.Erasing at 0xbd60000 --  37% complete.Erasing at 0xc280000 --  38% complete.Erasing at 0xc7a0000 --  39% complete.Erasing at 0xccc0000 --  40% complete.Erasing at 0xd1e0000 --  41% complete.Erasing at 0xd700000 --  42% complete.Erasing at 0xdc20000 --  43% complete.Erasing at 0xe140000 --  44% complete.Erasing at 0xe660000 --  45% complete.Erasing at 0xeb80000 --  46% complete.Erasing at 0xf0a0000 --  47% complete.Erasing at 0xf5c0000 --  48% complete.Erasing at 0xfae0000 --  49% complete.Erasing at 0xffe0000 --  50% complete.Erasing at 0x10500000 --  51% complete.Erasing at 0x10a20000 --  52% complete.Erasing at 0x10f40000 --  53% complete.Erasing at 0x11460000 --  54% complete.Erasing at 0x11980000 --  55% complete.Erasing at 0x11ea0000 --  56% complete.Erasing at 0x123c0000 --  57% complete.Erasing at 0x128e0000 --  58% complete.Erasing at 0x12e00000 --  59% complete.Erasing at 0x13320000 --  60% complete.Erasing at 0x13840000 --  61% complete.Erasing at 0x13d60000 --  62% complete.Erasing at 0x14280000 --  63% complete.Erasing at 0x147a0000 --  64% complete.Erasing at 0x14cc0000 --  65% complete.Erasing at 0x151e0000 --  66% complete.Erasing at 0x15700000 --  67% complete.Erasing at 0x15c20000 --  68% complete.Erasing at 0x16140000 --  69% complete.Erasing at 0x16660000 --  70% complete.Erasing at 0x16b80000 --  71% complete.Erasing at 0x170a0000 --  72% complete.Erasing at 0x175c0000 --  73% complete.Erasing at 0x17ae0000 --  74% complete.Erasing at 0x17fe0000 --  75% complete.Erasing at 0x18500000 --  76% complete.Erasing at 0x18a20000 --  77% complete.Erasing at 0x18f40000 --  78% complete.Erasing at 0x19460000 --  79% complete.Erasing at 0x19980000 --  80% complete.Erasing at 0x19ea0000 --  81% complete.Erasing at 0x1a3c0000 --  82% complete.Erasing at 0x1a8e0000 --  83% complete.Erasing at 0x1ae00000 --  84% complete.Erasing at 0x1b320000 --  85% complete.Erasing at 0x1b840000 --  86% complete.Erasing at 0x1bd60000 --  87% complete.Erasing at 0x1c280000 --  88% complete.Erasing at 0x1c7a0000 --  89% complete.Erasing at 0x1ccc0000 --  90% complete.Erasing at 0x1d1e0000 --  91% complete.Erasing at 0x1d700000 --  92% complete.Erasing at 0x1dc20000 --  93% complete.Erasing at 0x1e140000 --  94% complete.Erasing at 0x1e660000 --  95% complete.Erasing at 0x1eb80000 --  96% complete.Erasing at 0x1f0a0000 --  97% complete.Erasing at 0x1f5c0000 --  98% complete.Erasing at 0x1fae0000 --  99% complete.Erasing at 0x1ffe0000 -- 100% complete.
OK

>>>> Updating Nor Bootstrap <<<<
Copy to Flash... done
>>>> Updating Boot OS <<<<

Copy to Flash... ................done
Copy to Flash... ................done

>>>> Updating Kernels <<<<
NAND write: device 0 offset 0x220000, size 0x260800

>>>> Verifying Firmware Update <<<<

Updating Nor Bootstrap  : PASSED
Updating Bootloader : PASSED
Updating Kernel             : PASSED
Updating File System        : PASSED
Updating Unamed Block       : PASSED

BootOS Copyright (c) 2004-2011. All rights reserved.
boot image at 0x00220000..good
data bus walking 1's......pass
address bus walking 1's...pass
ddr device test...........pass
clearing ram..............done
copying to ram............done

BootOS Copyright (c) 2004-2011. All rights reserved.
BR71XX version 5.2.0.0-069R
warning: invalid partition table magic number
initialized partition table
initializing pci
achip:pcc:0x000000ff,prc:0x00000020,fc:0x00000000
pci init done

fpga_sensor_mode 255
hw_type=0, sku=0x0, ps_status=0xae, pwr_mgmt=0xff, radio_cfg=0xff, per_reset_ctrl=0x20
loading linux image 2
...................
Welcome.
restoring /etc2/./ppp
restoring /etc2/./nvram
restoring /etc2/./raddb
restoring /etc2/./stunnel
restoring /etc2/./stunnel/certs
restoring /etc2/./stunnel/private
restoring /etc2/./CertMgr
restoring /etc2/./CertMgr/keys
restoring /etc2/./CertMgr/certs
restoring /etc2/./CertMgr/tmp_keys
restoring /etc2/./CertMgr/tmp_certs
restoring /etc2/./snmpEngine
restoring /etc2/./ppp/hsdpa_apn_set
restoring /etc2/./stunnel/current
restoring /etc2/./imish-passwd
restoring /etc2/./log.conf
restoring /etc2/./smtpnot.conf
restoring /etc2/./system_env_vars
restoring /etc2/./env_vars
restoring /etc2/./nvram/startup-config
restoring /var2/./lib
restoring /var2/./lib/dpd
restoring /var2/./lib/dhcp
restoring /var2/./log
restoring /var2/./run
restoring /var2/./tmp
restoring /var2/./state
restoring /var2/./state/dhcp
restoring /var2/./history
restoring /var2/./run/utmp
restoring /flash/./log
restoring /flash/./cache
restoring /flash/./crashinfo
restoring /flash/./hotspot
restoring /flash/./hotspot/lib
restoring /flash/./hotspot/cgi-bin
restoring /flash/./floorplans
This can take some time, please be patient.
Sat Jan  1 00:00:00 UTC 2011
Converting APN 4.x configuration information to 5.x format
Starting daemons...
......
Running Secondary software, version 5.2.0.0-069R
Alternate software Primary, version 5.2.0.0-069R
Software fallback feature is enabled

Please press Enter to activate this console.
br7131-F23460 login:
---------------------------------------------------------------------------------------------------------------------------------------
After the AP upgrades, web browse into it via HTTPS.  https://192.168.0.7









Upgrade complete.

Monday, May 7, 2012

Cisco ASA Upgrade: Pre-8.3 to 8.3 Upgrade Process Steps

I went onsite today to do an upgrade of an ASA that was on version 8.2(1).  I wanted to get them to the latest version, which at this point is 8.4(3).  With that said, this is one of the pre-8.3 to post-8.3 upgrades, which means taking proper precautions. 

First and foremost, the release notes specifically say to run the command: no nat-control.  Apparently, this can cause you problems if you dont, so make sure you run it.  Next, I did the upgrade to 8.3.  Make sure you are running a minimum of 8.2 code.  If you are running an earlier version, you will have problems.  See below what the upgrade looks like:

-------------------------------------------------------------------------------------------------------------
ASA#sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

ASA up 242 days 19 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

ASA# copy tftp flash

Address or name of remote host []? 192.168.1.253

Source filename []? asa831-k8.bin

Destination filename [asa831-k8.bin]?

Accessing tftp://192.168.1.253/asa831-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa831-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15943680 bytes copied in 18.60 secs (885760 bytes/sec)
ASA#
ASA# config t
ASA(config)# no nat-control
ASA(config)# boot sys flash:/asa831-k8.bin
INFO: Converting flash:/asa831-k8.bin to disk0:/asa831-k8.bin
ASA(config)# exit
ASA# wr mem
Building configuration...
Cryptochecksum: e4f0f042 b3d96a18 8088cb61 283f6ceb

16670 bytes copied in 3.700 secs (5556 bytes/sec)
[OK]
ASA# reload
Proceed with reload? [confirm]
ASA#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
Restarting system.


Booting system, please wait...


CISCO SYSTEMS
Embedded BIOS Version 1.0(11)5 08/28/08 15:11:51.82

Low Memory: 631 KB
High Memory: 1024 MB
PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  00  00   8086   2578  Host Bridge       
 00  01  00   8086   2579  PCI-to-PCI Bridge 
 00  03  00   8086   257B  PCI-to-PCI Bridge 
 00  1C  00   8086   25AE  PCI-to-PCI Bridge 
 00  1D  00   8086   25A9  Serial Bus         11
 00  1D  01   8086   25AA  Serial Bus         10
 00  1D  04   8086   25AB  System            
 00  1D  05   8086   25AC  IRQ Controller    
 00  1D  07   8086   25AD  Serial Bus         9
 00  1E  00   8086   244E  PCI-to-PCI Bridge 
 00  1F  00   8086   25A1  ISA Bridge        
 00  1F  02   8086   25A3  IDE Controller     11
 00  1F  03   8086   25A4  Serial Bus         5
 00  1F  05   8086   25A6  Audio              5
 02  01  00   8086   1075  Ethernet           11
 03  01  00   177D   0003  Encrypt/Decrypt    9
 03  02  00   8086   1079  Ethernet           9
 03  02  01   8086   1079  Ethernet           9
 03  03  00   8086   1079  Ethernet           9
 03  03  01   8086   1079  Ethernet           9
 04  02  00   8086   1209  Ethernet           11
 04  03  00   8086   1209  Ethernet           5

Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(11)5) #0: Thu Aug 28 15:23:50 PDT 2008

Platform ASA5510

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 10 seconds.           9 seconds.          8 seconds.                                               
Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa831-k8.bin... Booting...
Platform ASA5510

Loading...
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 138 files, 18038/62398 clusters
dosfsck(/dev/hda1) returned 0
IO memory 53248000 bytes

Processor memory 904806400, Reserved memory: 62914560 (DSOs: 0 + kernel: 62914560)

Total SSMs found: 0

Total NICs found: 7
mcwa i82557 Ethernet at irq 11  MAC: 503d.xxxx.xxxx
mcwa i82557 Ethernet at irq  5  MAC: 0000.0001.0001
i82547GI rev00 Gigabit Ethernet @ irq11 dev 1 index 05 MAC: 0000.0001.0002
i82546GB rev03 Ethernet @ irq09 dev 2 index 03 MAC: 503d.e506.2281
i82546GB rev03 Ethernet @ irq09 dev 2 index 02 MAC: 503d.e506.2280
i82546GB rev03 Ethernet @ irq09 dev 3 index 01 MAC: 503d.e506.227f
i82546GB rev03 Ethernet @ irq09 dev 3 index 00 MAC: 503d.e506.227e
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x7619cf67 0x1c19c12b 0xd092e5a4 0xaf40a06c 0x8f3437a4

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited      perpetual
Maximum VLANs                  : 50             perpetual
Inside Hosts                   : Unlimited      perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
Security Contexts              : 0              perpetual
GTP/GPRS                       : Disabled       perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 250            perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.


Cisco Adaptive Security Appliance Software Version 8.3(1)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2010 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

*************************************************************************
**                                                                     **
**  Note that for a failover deployment, both devices in the pair      **
**  must have identical memory.                                        **
**                                                                     **
*************************************************************************
Reading from flash...
!!!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_1_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(1) "
....WARNING: interface Ethernet0/0 security level is 0.
*** Output from config line 199, "logging host outside 192..."
WARNING: interface Ethernet0/0 security level is 0.
*** Output from config line 200, "logging host outside 10...."
.WARNING: MIGRATION: During migration of access-list <outside_in> expanded
this object-group ACE
    permit tcp object-group WHATKNOTS host 5.6.7.7 eq smtp
WARNING: MIGRATION: During migration of access-list <outside_in> expanded
this object-group ACE
    permit tcp object-group LAB host 5.6.7.7 eq smtp
WARNING: MIGRATION: During migration of access-list <outside_in> expanded
this object-group ACE
    permit tcp object-group OUTSIDE_IN_HTTPS host 5.6.7.4 eq https
WARNING: MIGRATION: During migration of access-list <outside_in> expanded
this object-group ACE
    permit tcp object-group WhoKnows host 5.6.7.7 eq smtp
*** Output from config line 226, "access-group outside_in ..."
...
Cryptochecksum (unchanged): e4f0f042 b3d96a18 xxxxxxb61 283f6ceb
NAT migration logs:
nat (inside) 2 192.168.1.175 255.255.255.255

nat (inside) 2 192.168.1.175 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

INFO: NAT migration completed.
Real IP migration logs:
    ACL <outside_in> has been migrated to real-ip version

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201205070910.log'
Username: ******
Password: ****
This session is being monitored. 
Type help or '?' for a list of available commands.
ASA> en
Password: ********
ASA#
--------------------------------------------------------------------------------------------------------------------------------

Upgrade completed.  

Then, interestingly, going from 8.3(1) to 8.4(3), I got this below after going through the same process and reloading:
Shortened....
Reading from flash...
!!!!!
INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_3_1_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.3(1) "
........WARNING: interface Ethernet0/0 security level is 0.
*** Output from config line 314, "logging host outside 192..."
WARNING: interface Ethernet0/0 security level is 0.
*** Output from config line 315, "logging host outside 10...."
....
Cryptochecksum (unchanged): f96f318b ca7f4158 xxxxxxxxxxxxxxx
The flash device is in use by another task.
Username:
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201205070929.log'


 I didnt have any issues at all after doing these two upgrades.