Another Classic PIX Firewall tip - cooling 1

Status
Not open for further replies.

Dakiraun

IS-IT--Management
Sep 28, 2000
21
CA
As I mentioned in the little spurt before this, the older PIX firewalls have a horrible little heatsink. When you start running these Classics at full capacity, and keep them there, the 133 that powers them (or perhaps a different processor, depending on model) gets nice and hot.

Here's a picture of the monster heatsink (har har):

heatsink.jpg


The small heatsink Cisco uses has no fan; it instead depends on the larger front case fan to blow some air its way. There are a couple problems with this design: 1) The front fan has a dust cover (basically a little sponge). If it gets the least bit dirty, it slows the airflow considerably. 2) The heatsink is so small, that even with good airflow, a processor working at 133MHz (or more) will still get too hot.

Here's a picture of the front fan and dust cover:

fan.jpg


Now, if your old firewall is in production, then you likely can't just shut it down, SO, to avoid heat problems, CLEAN that dust cover out or (if your environment is pretty clean) remove it. When you CAN actually take the firewall off-line, put a nice Socket 7 fan & heatsink on it; best $15 you can spend on the PIX!

Good luck, hope this is helpful.
 
Speaking of dust problems on a PIX. About a year ago our PIX 520 was making some noises that sounded to me like a fan dying. The PIX was sealed, so I didn't want to just slice the warranty sticker, so I contacted Cisco, and they wanted like $1k to cross ship us a replacement, or around $750 for us to send ours in and get it fixed. Told my boss, and he agreed that we just take a look ourselves. Of course, it was just the lame power supply fan that was humming (having sucked a ton of dust in its year or so of life). Anyway, when I sliced the sealed PIX and went to open the power supply, I noticed that the warranty tag on the power supply was already sliced (note, this was inside a warranty-sealed PIX). Anyway, the point is to just service these things yourself, especially since Cisco is in the habit of selling refurbs as new (or at least used parts in a new product).

I should post about the time I got a "new" router that had a config stored in NVRAM. I'll just mention it here real fast:

I get this router, brand new, I sliced the Cisco shipping tape. Hook up my console cable, and don't get the default initial config dialogue, but rather am prompted for an enable password, and it has a hostname set instead of the default 'router' name. Cracked it and found:
It had 'no service password-encryption' set, so I could see all the passwords (no enable secret set). So, I telnetted to the public IP set in this router from my PC, and the telnet and enable passwords worked on some live router (no doubt the replacement router Cisco shipped a customer with failed hardware, the NVRAM scavenged from it or the failed hardware had been repaired, and shipped to me as new with the old config still in it). Anyway, had full access to someone's Cisco router. The config was the exact same one as the router I had (probably tftp'd it off before they shipped it to Cisco).

Anyone else have any shady Cisco dealings? Hmm, I don't think I've ever ranted against Cisco, but this felt kinda good ;-)

Oh, and if you do return something: Wipe NVRAM!
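An added example, not part of the original thread: a Python check to run on a saved `show startup-config` capture before a unit is returned (or when a "new" one arrives), flagging the leftovers described in the post above. The sample configurations, the finding names and the "not present" marker text are assumptions constructed for illustration; the marker wording varies by IOS release.

```python
import re

# Constructed sample: a unit still carrying a previous owner's configuration.
SAMPLE_RESIDUAL = """\
no service password-encryption
hostname branch-gw
enable password s3cret-example
interface Serial0
 ip address 192.0.2.1 255.255.255.252
line vty 0 4
 password vty-example
 login
"""
# Assumed marker printed when NVRAM holds no saved configuration.
CLEAN_MARKER = "startup-config is not present"
SAMPLE_CLEAN = CLEAN_MARKER + "\n"

def audit_startup_config(text):
    """Return a sorted list of finding names for a saved IOS configuration."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    if not lines or lines == [CLEAN_MARKER]:
        return []                      # nothing stored: safe to ship
    findings = {"residual-config"}     # any saved config is a leftover
    has_secret = encryption_on = False
    for s in lines:
        m = re.match(r"hostname (\S+)$", s)
        if m and m.group(1).lower() != "router":
            findings.add("non-default-hostname")
        if s == "service password-encryption":
            encryption_on = True
        if s.startswith("enable secret "):
            has_secret = True
        # "password X" or "password 0 X" is stored in cleartext;
        # "password 7 ..." is only obfuscated, "enable secret" is hashed.
        m = re.match(r"(?:enable )?password (?:(\d) )?(\S+)$", s)
        if m and m.group(1) in (None, "0"):
            findings.add("cleartext-password")
        if re.match(r"ip address \d+\.\d+\.\d+\.\d+ ", s):
            findings.add("configured-ip-address")
    if not encryption_on:
        findings.add("password-encryption-off")
    if not has_secret:
        findings.add("no-enable-secret")
    return sorted(findings)

if __name__ == "__main__":
    for name in audit_startup_config(SAMPLE_RESIDUAL):
        print("FINDING:", name)
```

An empty result means nothing is stored in NVRAM; any other result means the unit still needs wiping, and any credentials found in it should be treated as exposed and changed on the devices that share them.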
 