ASA5520 code upgrade to 9.1(5)

Similar Messages

• 302 Redirect Location Header Rewrite not working with code upgrade

  Hi,
  Description:
  We have a portal webservice hosted by an ACE4710. It has two services (www/https) on the same IP 10.1.1.1.
  One is a redirect service that redirects all requests to tcp/80 on this ip to the other which is a 'standard' https proxy service.
  The backend servers are http only. Externally everything needs to be https.
  So we have an ssl proxy and Location header http to https rewrite on the https service.
  The configuration below operates correctly on v5_1_2.
  But with a code upgrade to 5_3_1b, the Location header rewrite does not work.
  We've tried several different configurations and even 'ssl url location rewrite ".*". It just looks like the ACE is completely ignoring the configuration to rewrite the Location field.
  Reverting to the older code fixes the problem.
  Problem seen:
  Here is the problem as seen on the *client*. The 302 redirect Location header is NOT rewritten:
  Response headers:
  HTTP/1.1 302 FOUND
  Server: nginx
  Date: Fri, 20 Mar 2015 10:59:43 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 295
  Connection: keep-alive
  Location: http://website.liveportal.nhs.uk/homepage/information
  Cache-Control: no-cache, no-store
  Set-Cookie: information=35a7831d-928d-4122-aef3-39ef48ac4440; Path=/; secure; HttpOnly
  X-Frame-Options: DENY
  HTTPSampleResult fields:
  ContentType: text/html; charset=utf-8
  DataEncoding: utf-8
  Config extract:
  1) Set up the servers (4 normal on tcp/80 and one for a redirect)
  rserver host WEBSERVICE-1
    ip address 192.168.1.1
    conn-limit max 200000 min 160000
    inservice
  ...and the same for the other three
  rserver redirect PORTAL_REDIRECT
    webhost-redirection https://%h/%p 302
    inservice
  2) Set up the server farms
  serverfarm host PORTAL_LIVE
    probe webping
    rserver WEBSERVICE-1 80
      inservice
    rserver WEBSERVICE-2 80
      inservice
    rserver WEBSERVICE-3 80
      inservice
    rserver WEBSERVICE-4 80
      inservice
  serverfarm redirect PORTAL_HTTP_REDIRECT
    rserver PORTAL_REDIRECT
      inservice
  3) Setup the ssl proxy and a location rewrite to https for responses from the servers
  action-list type modify http HTTPS_LOCATION
    header rewrite response Location header-value "http://(.*)" replace "https://%1"
  ssl-proxy service WEB_SSL_PROXY
    key webportal.key
    cert webportal.crt
    chaingroup root-chain
    ssl advanced-options SSL-SECURE-STRONG-WEB
  4) Set up the L4 services
  class-map match-all PORTAL_HTTP
    2 match virtual-address 10.1.1.1 tcp eq www
  class-map match-all PORTAL_SSL
    2 match virtual-address 10.1.1.1 tcp eq https
  5) Setup the policy maps - one for the reals servers with header rewrite for redirects
  policy-map type loadbalance http first-match PORTAL_HTTP
    class class-default
      serverfarm PORTAL_HTTP_REDIRECT
  policy-map type loadbalance http first-match PORTAL_SSL
    class class-default
      serverfarm PORTAL_LIVE
      action HTTPS_LOCATION
  6) Create the service policy
  policy-map multi-match EXTERNAL-SERVICES
    class PORTAL_SSL
      loadbalance vip inservice
      loadbalance policy PORTAL_SSL
      loadbalance vip icmp-reply
      appl-parameter http advanced-options PARAM-HTTP
      ssl-proxy server WEB_SSL_PROXY
    class PORTAL_HTTP
      loadbalance vip inservice
      loadbalance policy PORTAL_HTTP
      loadbalance vip icmp-reply
  7) Apply to the interface
  interface vlan 211
    description External Access
    ip address x.x.x.x 255.255.255.0
    alias x.x.x.x 255.255.255.0
    peer ip address x.x.x.x 255.255.255.0
    access-group input PERMIT-ALL
    service-policy input EXTERNAL-SERVICES
    no shutdown

  I found that the v5_3_1b code seems to need a bit of extra configuration and it now works ok.
  parameter-map type http PARAM_HTTP
  header modify per-request
  no persistence-rebalance
  case-insensitive

• 1410 slow down after code upgrade

  Hello everyone. We have a customer with about 12 1410s... they just upgraded the code on them and now have horrible performance even just opening up the configuration webpage. Anyone had similar issues? The release date of the code was May, so I would assume it is not totally the code or Cisco would have deffered that release by now.
  Thanks in advance!
  Shane

  Under normal conditions if everything is working fine we shouldnt upgrade. Upgrade sometimes leads to problems. Also when you upgrade make sure you dont isntall intermediate releases unless and otherwise it is very urgent. Wait for a complete release.

• X Code upgrade from Snow Lep to Lion a pain in the ..

  having HUGE hassles trying to upgrade my X code from Snow Leopard to Lion..encountered this problem by clicking on my Xcode program only to get a message along the lines of...only worked with Snow Leopard..so I downloaded new version from App store and it continually fails i have deleted older Xcode version..but still  the same..have gone to resources file and ran installer..keep getting: The installer encountered an error that caused the installation to fail..contact software manufacturer for assistance.I've tried to find an answer on forums but nothing has worked..sorry folks but I dont like Lion theres been a raft of hassles with this O/S  its Apples Vista..its frustrating I paid for last Xcode version..now its free and i cant install it !!..anyone with ideas on how i can install Xcode for lIon considering the issues I have outlined would be greatly appreciated....thanks

  Drag the Xcode folder to the Trash and restart. Run the Installer.

• CSS Code upgrade.

  Hi,
  We are upgrading a code on CSS 11503,
  Current version is sg0740306s
  We are upgrading to sg0810503.adi-gz
  I went through the prcedure which is very clear, I am planning to upgrade it manually, my concern is on creating the ftp-record, I downloaded filezilla and started ftp, my questions are on how to proceed from here,
  1) CSS management ip is 1.1.1.1 so what should be my pc ip?, I assigned 1.1.1.5 to my pc and I can ping the device from the CSS
  2) what type of cable do I need to use?
  3) I tried to open ftp in its default mode like when it starts up it will have a loop back address and 14147, when I click ok it will start and says logged on but in CSS when I create ftp-record with the ip,name and password and try to access ftp it never does
  FileZilla Server version 0.9.31 beta
  Copyright 2001-2009 by Tim Kosse ([email protected])
  Connecting to server...
  Connected, waiting for authentication
  Logged on
  On CSS side if I try to download the software from server it says
  "unable to connect to the server"
  Could you please let me know where I am going wrong??
  Thanks in Advance.
  Josh.

  Hi Josh,
  1. The IP address can be anything reachable by the CSS.
  2. Don't understand this.
  The loopback address and port 14147 are for administration. Check that you are actually running an FTP server by using the "netstat -a" command. Look for ports 20 and 21.
  If FTP is running, do you have a firewall/ACL that is blocking inbound connections?
  Check that your FTP record is pointing at the real address of the FTP server.
  ftp-record DEFAULT_FTP 1.1.1.5 wibble ...
  and that you have valid credentials on your FTP server (logonid/password).
  If that is working, try copying the running configuration to check that FTP is working as required before you kick off an upgrade:
  copy running-config ftp DEFAULT_FTP wibble.txt
  HTH
  Cathy

• WCS code upgrade

  I am installing 2 5508 controllers and I cannot add them to the WCS till I upgrade the code on the WCS. The new controllers are running 7.0.116.0 the WCS is on 6.0.132.0. How do I upgrade the WCS code opn the WCS?

  check out the release note for the latest WCS version for infos....
  http://www.cisco.com/en/US/docs/wireless/wcs/release/notes/WCS_RN7_0_172.html#wp83675
  page 179 in the configuration manual will guide you thru the steps...
  http://www.cisco.com/en/US/partner/docs/wireless/wcs/7.0MR1/configuration/guide/WCS70MR1.html
  Cheers,
  Ron

• ASA5520 VPN upgrade problems

  I just upgraded my ASA5520 from version 7.0(1) to 7.1(2) to 7.2(2). Prior to upgrade I had a static VPN connection to a service provider's Cisco firewall. I also have configured dynamic vpns from cisco vpn clients to access our network via the 5520. Since the software upgrade, the service providers connection still works, but now my dynamic cisco VPN connectsion receive the following error:
  IKE initiator: unable to find policy: Intf outside, Src: xxx.xxx.xxx.xxx, Dst yyy.yyy.yyy.y
  If I put the IP of the VPN client's internet accessing the ASA into the PEER in place of the Sevice providers IP, the VPN client works.
  Anyone have suggestions on how to allow the Static VPN connection to continue to work and allow dynamic VPN connections from any host to connect as they did in the 7.0(1) version? All was working well before upgrading the ASA software.

  The following links provides a configuration example for Configuring PIX-to-Router Dynamic-to-Static IPSec With NAT
  http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml

• WLC code upgrade, WCS, ap_3600

  i'm going to upgrade a 5508 wlc code from
  7.0.116.0
  to
  7.1.91.0
  to add 3600 series access points having it all manageable via WCS ver 7.0.230.0
  it seems to be possible, as it is explained in the compatibility matrix found on
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
  now I have to download the file to the controller...
  AIR-CT5500-K9-SPECIAL-7-1-91-0.aes
  (direct update possible)
  before doing that I'd like to know if I will loose my configuration on the controller
  i'm concerned about that because the release document is not clear:
  - We highly recommend that you back up your controller's configuration files prior to upgrading the controller software. Otherwise, you must manually reconfigure the controller.
  - For busy networks, controllers on high utilization, or small controller platforms it is advisable to disable the 802.11a/b/g networks as a precautionary measure.
  - Step 5 Disable any WLANs on the controller.
  - Step 19 Re-enable the WLANs......
  - Step 22 If desired, reload your latest configuration file to the controller. (reload config after reenabling wlans????? why???)
  so will I loose my configuration?
  what is Field Upgrade Software? should i use that instead?
  another controller  another question .....: a cisco wlc 2100
  found 2 update files
  AIR-WLC2100-K9-7-0-230-0-ER.aes
  AIR-WLC2100-K9-7-0-230-0.aes
  why 2 update files this time? what file to update first?
  thank you in advance for your answers

  The 5508 has two files when you go to 7.2, which I would for the 3600.  You'll also want to download and install the FUS image.
  the 'legacy' WLC, like the 2100, have the .aes which is the OS for the WLC.  The -ER is an Emergency Recovery image, it's waht you get when you break the boot cycle.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• WLC code upgrade path questions

  We running WCS 6.0.132(lastest) and our controllers are on 4.2.130, we now want to upgrade to keep up with the times, but don't want to change over to capwap yet.
  Question1:What's the latest LWAPP release code??
  Question2:Whats the differences between 4.2.207 (cisco's support page says this is the latest release) but there's even releases with much higher versions ie 6.0 how does this work it's very confusing to workout an upgrade path
  Cheers

  Hi Tyrone,
  I'm not an expert on Versioning but here are some basic details in response
  to your query
  4.2.207 is the latest release on the 4.2 Train and is probably an excellent choice
  if you are avoiding CAPWAP for the time being. You will see in the link below that
  there are multiple "simultaneous" Trains for the WLC (and most Cisco products). People
  were not huge fans of the early 5.x Trains (quite buggy) and CAPWAP was introduced
  in 5.2 and forward so this is why 4.2.207 seems like a good fit for you
  In controller software release 5.2 or later, Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points protocol (CAPWAP) in order to communicate between the controller and other lightweight access points on the network. Controller software releases prior to 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications.
  CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points. CAPWAP is being implemented in controller software release 5.2 for these reasons:
        To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP
        To manage RFID readers and similar devices
        To enable controllers to interoperate with third-party access points in the future
  LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware downloading process when you use CAPWAP are the same as when you use LWAPP. The one exception is for Layer 2 deployments, which are not supported by CAPWAP.
  You can deploy CAPWAP controllers and LWAPP controllers on the same network. The CAPWAP-enabled software allows access points to join either a controller that runs CAPWAP or LWAPP. The only exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore joins only controllers that run CAPWAP. For example, an 1130 series access point can join a controller that runs either CAPWAP or LWAPP whereas an 1140 series access point can join only a controller that runs CAPWAP.
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
  4.2.207 was released 24/Jul/2009 which does make it  the second newest version available in any train.
  http://www.cisco.com/en/US/products/ps6366/prod_release_notes_list.html
  Cheers!
  Rob

• Flash 7/ AS 2 code upgrade

  I have some code that has been running as AS1/Flash 6 for a
  while, and I need to upgrade it tp AS2/Flash 7. I'm having a number
  of problems and the one I can't resolve is the following:
  _root.N1["button"+count].ButtonText.text = NavArray
  I have cleaned up the declaration of variables and made sure
  the data types are compatible. The problem lies in the
  ..N1["button"+count].. part. It seems that the new compiler won't
  recognise this way of creating a series of addresses. If I type in
  a literal ..N1["button1"].. it works fine, but is limited to only
  one instance of the button. How can I create a composite name that
  will accept the text variable? Instead of the text I get an
  "undefined" error statement. Thanks!

  Thanks for the point about string length. It didn't make the
  difference, but what did, was the removal of a variable that I had
  assigned to the text box when creating it. The older version didn't
  mind me overwriting the variable name, but the newer version
  wouldn't accept that. Thanks for the help!

• Upload new LWAPP code to LAP before WLC code upgrade

  Hello,
  I read some where that I can pre-position (upload) the new LWAPP or CAPWAP to access points before I upgrade the WLC code. This will reduce the time it takes for the APs to download and run the new code from the WLC
  I am not able to find a document to instaruct me how to do it. I'd appriciate if someone can help me out with a link to a document.
  Thanks in advace
  BoG

  Hey there .. Check out this link
  http://www.my80211.com/cisco-wlc-cli-commands/2011/2/20/wlc-predownload-the-image-to-the-access-points-from-the-cont.html

• OIM 10g Utility Factory code -- Upgrading to 11g

  Hi all,
  I have a custom code in 10g which accesses the OIM API.
  It uses the UtilityFactory methods.
  We are now moving to 11g and I looked at the 11g documentation and see that it has the "OIMClient". It looks like it still supports the UtilityFactory.
  Can I still use the same code and configuration with 11g?What all needs to be changed if I continue using the UtilityFactory method?
  What needs to be done to change to the "OIMClient"
  Thanks
  M

  Officially I don't see the tcUtility method being mentioned in any OIM11g document, but only the usage of oimclient. Unofficially it can be used, search the forums where folks have provided a solution. (like: https://forums.oracle.com/forums/thread.jspa?messageID=9840840 )
  For oimclient, follow this: http://download.oracle.com/docs/cd/E17904_01/doc.1111/e14309/apis.htm#BCFEIBHH
  Note not all the code would work as it is with 11g, specially with regards to requests, object forms etc.
  HTH,
  BB

• WLC Code Upgrade

  We just got a WLC 4002 with 3.2.150.10 software version. I have followed a procedure to upgrade and I know I need to follow this path 3.2.150.10->4.1->4.2.176.0->5.2
  However, I have tried to transfer the 4.1.185 on my controller and I get a
  TFTP Failure while storing in flash!
  error.
  Has anybody experience this?? any adive?

  1. You could be either using a TFTP server that could not support file transfers greater than 32 MB (if this is the case, go to http://tftpd32.jounin.net/tftpd32_download.html and use TFTP32).
  2. Looks like you were upgrading the firmware without upgrading the Bootloader (ER).
  Using the same process as the firmware, download and install Bootloader (in the follwoing order)
  AIR-WLC4400-K9-4-1-171-0-ER.aes before you install firmware 4.1.185. Then
  AIR-WLC4400-K9-4-2-61-0-ER.aes and install AIR-WLC4400-K9-4-2-61-0.aes. Finally, install Bootloader
  AIR-WLC4400-K9-5-2-157-0-ER.aes before you install the final 5.x firmware you want.
  Sorry, it's a very long process but it's the only way.
  Have you seen this documentation:
  Wireless LAN Controller (WLC) Software Upgrade
  www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805f381f.shtml

• I am in woodsville,nh. at this time i have no service. do i need a code/upgrade

  I  am in Woodsville,nh. I have no service. do I need to a code/upgrade

  Finally got to the store to see what was going on. I didn't do it. My previous carrier was still holding my number even though it was working before. Verizon called and got it released and problem solved!!  Thanks!!

• 4948 Code Upgrade

  I have loaded new IOS onto my 4948 switch, using a TFTP server it is located in bootflash:, how do I force the switch to boot from the new code.

  I believe you'll have to enter global configuration mode to change the config-register to 0x2102 because the Catalyst 4948 by default appear to have a confi-register 0x2101 (See Cisco Document ID 50421). I know I changed the bootvar and that was not sufficient as I was required to change the config-register for the new IOS to load.