Anyone ever experienced problmes with Cisco PIXes and Gigabit Interfaces (Fibre to Cat6500s and Cat4000s) ?

Seeing some very strange interface lock ups and other odd behaviour.

Deano

 

Wrong forum Deano

 

Doh !

 

S'ok I moved it

 

There can't be many companies running Gigabit into PIX.....I guess that you've spoken to Cisco regarding the issue ?


Jeff

 

Jeff

Its complicated. My infrastructure boundary is the Cat6500 Gig port. The pix and Cat4000 beyond is part of a managed service. Currently the guys looking after the PIXs seem reluctant to fully engage Cisco which is frustrating. (especially as the PIXs were part of a design done by a couple of Cisco SEs.)

Theres the usual finger pointing at each side of the boundary. but some of the problems are odd and unrepeatable. bouncing interfaces sometimes works - once or twice we've seen the PIX kernel panic and reload which cures it, other time reloads dont help.

Its all the more frustrating as we're not even putting 256K of traffic to them - let alone a gig

Juts wondering if anyone had played with the Gig interfaces before (not your home setup is it Jeff ?)

Deano

 

Deano - I can talk to a CCIE security expert. Will need all the usual gumph though - revision, IOS, 6500 in Hybrid mode? etc etc etc

 

Gig fibre or gig copper?

Not much difference however I have had problems when the port has been left in Auto mode.

 

All fibre - 6500 is in hybrid (CatOS on Sup, IOS on MSFC). 6500 least doesnt give the option for auto on the gig ports. (Seen no end if issues with auto ont he 10/100 ports).

On one occasion we appeared to be getting arps between MSFC and PIX but no IP. reloads, port resets had no affect. Changed GBICs etc (full scratching **** and change anything mode). 20 mins later PIX kernel panicked and reloaded - worked perfectly - to me thats as typical of a Cisco Bug as I've seen.

Damn things are only there to do NAT. the F/W is being done by Nokias further down.

My view is a TAC case should have been raised a month ago . We cant see anything on Bug tracker but we'll keep plugging away.

RR - You have CSPM

Deano

 

Damn expensive NAT solutions....

Its unlikely that you'll find an answer without getting a TAC case raised....I'm assuming that you have all the latest versions of code etc ?

I love the fact that you are using a 1 Gig PIX (Its the 535 ?) as a NAT device and then firewalling further down into (I assume) a cluster of IP730s.....and that the PIX 'panics'.....

Not much help I'm afraid


Jeff

 

Jeff

Unfortunately Cisco were let loose with the spec sheets and design which was approved back in the midsts of time.

There are good reasons (historically our addressing is a "bag of ****") why we have to NAT separately. One "reason" for the PIXs was we could advertise our routes via RIP to save manual updates. Except the volume of RIP updates causes panics aswell so we had to turn it off.

I keep pushing for a TAC case but our "partner" is prevaricating.

Was really wondering if anyone else had seen Gig PIXs and ahd problems.

 

Well, I do think that the only people that will be able to help is Cisco themselves. You do appreciate that the Nokia boxes will do RIP/OSPF/BGP etc themselves (as well as NAT).

I'm not much help as the only devices that I've worked on with Gig (from a firewall perspective) are Netscreen 1000, Nokia IP730 and SonicWALL GX6500.....

Jeff

 

I know the nokias will do OSPF. I wanted to do OSPF to the Nokias but my TDA didn't - and there ended the discussion

 

Time to get a new TDA.........

 

Are you using the latest version of the PIX software 6.2(1)? This is the first thing to try and the first thing TAC will suggest.

Si

[Edited by SiCotty - 5/21/2002 9:09:53 AM]