IOS Version 7.0 is released

[netwalker1]

Dear All :
did anyone test the new IOS ?
what is the problems or the bugs ?
is it stable ?
should I upgrade now - or wait ?

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[vlf]

I upgraded a small firewall and am not having any problems. Granted, I'm not doing anything fancy on it. The only problem that I had with the upgrade was the DNS and WINS configuration for my VPN users didn't get set. It's set in the base group now, instead of for each group. But, it was easy to fix.

I also have it running on a brand new firewall. It has some really cool features. The only difficulties that I've had is going back and forth between the versions of code. You can't do a sh access-group anymore. Now it's sh runn access-group. Same with sh static - now sh runn static. ODD.

 

[netwalker1]

Great ...

Group :
any other comments ???

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[PGRAYSON]

If you have aliases mapping subnet masks to names, then the upgrade script will fail when converting VPN entries.

 

[netwalker1]

Opppsss ..
what is the solution then ?!?!!?

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[ChrisAC]

This isn't IOS! It's Pix OS/Finesse.

Chris.



**********************
Chris A.C, CCNA, CCSA
**********************

 

[netwalker1]

whatever
I need to make the upgrade , but I ned to know all the disadvantages and the problems which I should count .. !

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[Rookcr]

I am running a basic config with some NAT'ing and global out. It acts as a VPN Endpoint and it went smoothly. Running for 2 weeks bug free.

 

[ixleplix]

I upgraded today.

Everything went fine except...my client based VPNs choked. TAC says they have a solution, but I'm still waiting on it--I'll post the solution when I have it.

The good news is my Site to Site VPNs are working great otherwise I'd have to downgrade for awhile because I can't have those down during business hours.


*****************

What's ADD again?

 

[ixleplix]

Well, I fixed it because I got tired of waiting to hear from TAC--and the Tech support agent kept telling me how "Complex" my config was...

I had to change the split-tunnel access-list from an extended ACL to a standard ACL. I also had to add back in my DNS server option. I also lost the WINS server, but decided I didn't need it.

In 6.3(4) the commands associated with one of my client based VPNs looked like this:

vpngroup BlahBlahGroup address-pool Blahpool
vpngroup BlahBlahGroup dns-server PDC1
vpngroup BlahBlahGroup wins-server PDC1
vpngroup BlahBlahGroup default-domain my.stupid.domain
vpngroup BlahBlahGroup split-tunnel split5
vpngroup BlahBlahGroup idle-time 1800
vpngroup BlahBlahGroup max-time 14400
vpngroup BlahBlahGroup password ***************

ip local pool Blahpool X.X.7.1-X.X.7.6

access-list split5 permit ip X.Y.0.0 255.255.0.0 X.X.7.0 255.255.255.0
access-list split5 permit ip host PDC1 X.X.7.0 255.255.255.0
access-list split5 remark The previous 2 lines are for Blah VPN access

access-list 101 permit ip X.Y.0.0 255.255.0.0 X.X.7.0 255.255.255.0
access-list 101 permit ip host PDC1 X.X.7.0 255.255.255.0
access-list 101 remark The previous 2 lines are for Blah VPN access

nat (inside) 0 access-list 101

After the conversion the commands associated with this vpngroup looked like this:

group-policy BlahBlahGroup internal
group-policy BlahBlahGroup attributes
vpn-idle-timeout 30
vpn-session-timeout 240
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split5
default-domain value my.stupid.domain


tunnel-group BlahBlahGroup type ipsec-ra
tunnel-group BlahBlahGroup general-attributes
address-pool Blahpool
authentication-server-group (outside) none
default-group-policy BlahBlahAccess
tunnel-group BlahBlahGroup ipsec-attributes
pre-shared-key *

ip local pool Blahpool X.X.7.1-X.X.7.6

access-list split5 extended permit ip X.Y.0.0 255.255.0.0 X.X.7.0 255.255.255.0
access-list split5 extended permit ip host PDC1 X.X.7.0 255.255.255.0
access-list split5 remark The previous 2 lines are for Blah VPN access

access-list 101 extended permit ip X.Y.0.0 255.255.0.0 X.X.7.0 255.255.255.0
access-list 101 extended permit ip host PDC1 X.X.7.0 255.255.255.0
access-list 101 remark The previous 2 lines are for Blah VPN access

nat (inside) 0 access-list 101

This is how I fixed it:

PIX(config)# group-policy BlahBlahAccess attributes
PIX(config-group-policy)# no split-tunnel-network-list value split5
PIX(config-group-policy)# no split-tunnel-policy tunnelspecified
PIX(config-group-policy)# exit
PIX(config)# clear configure access-list split5
PIX(config)# access-list split5 standard permit X.y.0.0 255.255.0.0
PIX(config)# access-list split5 standard permit host PDC1
PIX(config)# access-list split5 remark The previous 2 lines are for Blah VPN access
PIX(config)# group-policy BlahBlahAccess attributes
PIX(config-group-policy)# split-tunnel-policy tunnelspecified
PIX(config-group-policy)# split-tunnel-network-list value split5
PIX(config-group-policy)# dns-server value PDC1
PIX(config-group-policy)# end

And finally this is what it looks like now with the VPN and split-tunnel working:

group-policy BlahBlahAccess internal
group-policy BlahBlahAccess attributes
dns-server value PDC1
vpn-idle-timeout 30
vpn-session-timeout 240
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split5
default-domain value my.stupid.domain


tunnel-group BlahBlahGroup type ipsec-ra
tunnel-group BlahBlahGroup general-attributes
address-pool Blahpool
authentication-server-group (outside) none
default-group-policy BlahBlahAccess
tunnel-group BlahBlahGroup ipsec-attributes
pre-shared-key *

ip local pool Blahpool X.X.7.1-X.X.7.6

access-list split5 standard permit X.Y.0.0 255.255.0.0
access-list split5 standard permit host PDC1
access-list split5 remark The previous 2 lines are for Blah VPN access

access-list 101 extended permit ip X.Y.0.0 255.255.0.0 X.X.7.0 255.255.255.0
access-list 101 extended permit ip host PDC1 X.X.7.0 255.255.255.0
access-list 101 remark The previous 2 lines are for Blah VPN access

nat (inside) 0 access-list 101


*****************

What's ADD again?

 

[Gungnir77]

Ixleplix

sorry to hear TAC didn't get back to you, I work on Cisco TAC's advanced security team (One of them anyhow). one thing that happens when you upgrade to 7.0 is that your split tunnel acl's don't get carried over correctly. In PIX 6.3 you can use extended acl's , but in 7.0, only standard acl's are allowed. But the upgrade will not convert the extended to standard, This causes some issues with existing VPNs

Gungnir77

 

[netwalker1]

is it a bug , and we shall wait a fix from Cisco ?
or Cisco will leave this problem as it is !?

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[snootalope]

I just upgraded mine a few days ago.. PIX 515 6.3(3) -> 7.02 & ADSM 5.02 (which is very sweet)

I removed all my VPN info before upgrading and I didn't see a single error. Begining to end wasn't more than 20 minutes. One thing you'll probably notice alot in the log is something referring to an "MSS Exceeded" error concerting internet connections..

here's the cure:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

-snooter

 

[netwalker1]

did u restore the VPN Configuration again ?
is it an easy task ?
did it go well after that ?

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]

 

[Gungnir77]

It is a bug, and it wll be fixed in future releases. The decision to go to standard access lists makes sense, but the problem with the upgrade not converting extended to standard was un intended. But for now, the best I can do is get the word out.

 

[Gungnir77]

snootalope, You can get around that MSS exceeded error by creating a tcp map that allows MSS exceeded packets to be passed through instead of dropped at the interface. just make sure to apply the class map to a group policy.