Fail

April 9, 2013 ASA

ASA Upgrade to 9.0(2)

Reading Time: 4 minutes

“In theory there is no difference between theory and practice. In practice there is.” Yogi Berra

Usually, no matter how much planning, testing, thinking about, or stalling you build in to an upgrade project, the bill comes due at the end and isn’t what you expected. Maybe someone ordered the lobster, or multiple drams of Johnny Walker Blue, but either way you have a situation to deal with… right now. How you deal with it determines many things about your skills and your character, but that’s for another post as I’m going to try my best to keep this one short and to the point.

I recently had the wonderful experience of upgrading an Active/Passive failover pair of ASA units to the newest of the new code, 9.0(2) from 8.4.2(8). After the 8.3 kerfuffle (NAT changes automagically, anyone?) I was particularly keen to not miss any possible gotchas in this upgrade. I also scheduled a larger than usual maintenance window–even though we didn’t expect any downtime–just in case.

I should interject here, for those of you aghast at the thought that we would possibly implement new, some would say, bleeding edge code on production systems, a couple of things:

We always run bleeding edge code, usually because we have need of the bleeding edge features the code brings. In this case, IPv6 features sorely lacking in prior code versions
We have adopted a very aggressive IPv6 stance, as I have written about before, and we tend to find our aspirations and designs are well out in front of significant portions of the code available for our equipment
Noting the prior two items again, I’ll also add that Firewalls, in particular, seem to have code that is months or years behind the route/switch world. That holds true across all vendor platforms. Why? I don’t know, but that’s another post.

With our need-for-upgrade bona fides established, I dutifully read the entire Release notes for the 9.0(x) ASA code and while I was excited at many of the new features–mostly around IPv6–and disappointed at others (No OSPFv3 address families? Really?) something immediately jumped out at me: Page 19 and its disturbing title, “ACL Migration in Version 9.0”

Any time you see the word “migration” in any documentation referring to an upgrade of production code or configuration, you know two things:

It probably happens auto-magically, which is basically a synonym for “we’re going to bork your code but we’re only going to loosely tell you where, how, and why.”
You’d better have good backups and be prepared, because a roll-back is likely going to be as painful as just plowing ahead.

To summarize the boring details for you, prior to the new code you had two categories of Access Control Lists (ACLs): those for IPv4 and those for IPv6. Inside each of those macro-levels you had the normal standard and extended lists and whatever other features. You applied the IPv4 and the IPv6 access-lists to the interface in whatever direction and that was that. True to the dual-stack model, you really were running two parallel networks and never the ‘twain shall meet.

During and after the upgrade to 9.0(x) ASA code, a couple of things happen:

IPv6 standard ACLs are no longer supported, and any you have are migrated to extended ACLs.
If IPv4 and IPv6 ACLs are applied in the same direction, on the same interface they are merged.
The new keywords any4 and any6 are added in place of the old any keyword.
Supposedly, if certain conditions are met (and they were in my case) your IPv4 and IPv6 ACLs should be merged into one (they were not).

While it is a bit scary to have any vendor automagically migrating portions of your configuration to a new format, it happens and as long as they document well and you do your due diligence, things can work out just fine. Other times they completely go to hell because of an undocumented feature. This upgrade fell somewhere in the middle.

As it turns out, a critical fact was left out of the documentation. Namely, that all of your access-groups that had been applied in some direction or another would now, quite frankly, not be applied to anything. In other words, my firewalls were now letting anything out of the network and nothing in. I quickly applied my new access-lists to the interfaces a couple of times before I discovered that you can now only have one applied in any direction (par for most IOS devices).

Since these were production and I had some higher risk on the IPv4 side (we have a lot of rules, and a default-block outbound policy) than the IPv6 side, I did the following:

I blocked IPv6 in and out, then applied the IPv4 lists to the interfaces in the correct directions.
I hand migrated (notepad is your friend) the IPv6 access rules into the IPv4 lists and brought IPv6 access back online.
I then deleted the redundant (old) ACLs.

Everything came back, life was good, mostly nobody noticed anything. What’s the lessons learned from this experience? Besides don’t upgrade ASAs? How about these:

Always have a backup of your configuration, preferably taken a few minutes before you start the upgrade. In this case I didn’t use the backups for more than a reference, but they were available if I had wanted to roll back.
Know your configuration and your devices. This seems intuitive, but a lot of people would have gotten part way through this migration, saw that their ACLs were borked, and been lost. If you’re going to live on the edge, at least have a helmet.
Read the documentation. I did, and while it didn’t directly help, I at least knew ahead of time what was likely to break. I also knew once it broke what the likely problem area was. To tie this into the CCIE Lab (back to studying, so it’s on my mind) it’s a bit like being able to look at a network diagram and instinctively know where you’ll have problems (two routers doing redistribution between EIGRP and OSPF, check).

At the end of the day, it all worked out for a variety of reasons listed above. Would I suggest any readers out there try this sort of “no net” upgrade to bleeding edge code? Probably not. In my case, I’m a masochist it seems, and this is my therapy. Now on to my 6500 upgrade to 15.1(1)SY. I’m sure I’ll be writing about that not long from today.

November 21, 2010 Fail

Things I Hate, Episode 1

Reading Time: 3 minutes

Things I Hate, Episode 1

Brought to you by the Impediment-to-Sales Sales department

It was not long ago that I was sitting across a conference room table from our [insert large software vendor of choice here] expecting to have a conversation about the features and benefits of upgrading one of our major software packages to the newest version. This was our internal mail system, and as we had quite a few interconnected systems and sites, along with what we already knew of the major architectural changes in the new version, we knew the upgrade wouldn’t be easy. So, we acquiesced to our salesperson’s requests and set up the meeting. That was our first mistake.

After the requisite initial pleasantries were exchanged, we began discussing the product in question. We weren’t sold just yet on actually doing the upgrade, so one of the first questions we wanted answered was basically just a simple “Why do we want to upgrade?” In other words, we already have a working system, so what does this newest version bring to the table vis-a-vis new features, benefits, manageability, etc. Asking this question–and expecting a clear, useful answer–turned out to be not only an exercise in futility, but also mistake number two.

“It allows you to create pockets of collaboration by leveraging out-of-the-box, paradigm-shifting, synergies of strategic planning.”

But what does it do?

“The new version better leverages vertical interest segments in a transitory user base, which represents a shifting paradigm in strategy-focused mind-share and thought-leadership.”

The conversation went on like that for a bit before we finally decided to cut our losses and move on to some other topics around our upcoming license renewal, etc. As it turns out, substantial pockets of the sales-force at certain large software vendors seem to be trained in a language that sounds a lot like English, uses a lot of interesting words strung together in fairly obscure patterns, and in the end almost exactly fails to communicate anything at all useful. The unfortunate thing is that this was supposedly the expert in the product line who could answer our questions–he was brought along to the meeting specifically to speak “engineer-to-engineer.”

Now, I am not only a network engineer but also the IT Director for a multi-national manufacturing firm. I am used to straddling the line between engineering and management, and actually pride myself on being able to communicate complex engineering principles to c‑level executives in a way that makes sense, and accomplishes something. I don’t think that I’m so far gone on the engineering side that I have to have a team of PhDs come in every time I want to learn about a product. That said, I do expect that my time will be respected and when I want to know what your product has to offer that you will take the radical step as a vendor of bringing along someone who knows what the hell they’re talking about.

The moral of the story is that we did not then, nor have we since, upgrade to that new product version. Not out of spite or any bad feelings for the vendor as a whole, but simply because we finally found the answers we needed from a combination of white papers and some peer groups with whom we maintain relationships with. For you vendors who can’t seem to articulate what your product actually does without using a hodge-podge of terms poached from a buzz-word bingo card, my general gut reaction is that your product is probably not unique or helpful in any meaningful way–and that is not the first impression you as a vendor or salesperson want to make. I suspect I am not alone in that feeling, either.

July 27, 2010 DS3

TELCO FAIL

Reading Time: 5 minutes

Last Thursday afternoon, at approximately 2:25pm, there was a loud sucking sound that can only be heard by network engineers conditioned to expect bad, ugly things to happen at inopportune times, and all upstream connectivity to our corporate office died.

*Ka-phoot*

Predictably, IT was immediately assisted by many, many helpful people wandering by our area, sending emails, making phone calls, or stopping us in the hall to ask if we knew that the network was down. Usually in these situations the first couple of people get a good explanation of what we think the problem is, and what an ETA might be. After the 10th person, however, my responses tend to devolve a bit and I either end up giving a curt one-word answer, or feigning shock and amazement.

I should explain here that the way the architecture of our network works, we have our IP provider, SIP Trunks, Point-to-Point circuits, VPN end-points, and all of our external-facing servers in a very robust telecom hotel–The Westin Building, for those keeping score–in downtown Seattle. From there, we move everything over our DS3 to our corporate headquarters not far from Seattle. We also have many other dedicated circuits, IPsec tunnels, and assorted ballyhoo to other locations around the world, but for discussion here just keep in mind the three locations I’ve described.

So the DS3 that is our lifeline was down. It was after hours in our Canadian location so with any luck nobody would notice all night–they use a lot of critical services across another DS3, but that also routes through Seattle first. Additionally, it was a particularly nice day in Seattle (rare) and a lot of people were already out of the office when this link went down. Hopefully we could file a trouble ticket and get this resolved fairly quickly.

Within just a few minutes of filing said trouble ticket, I had a representative of the provisioning telecom on the line who said that, yes, they saw a problem and would be dispatching technicians. There were some other calls following that, but the short version is that by 5:30pm “everything was fixed” according to the telecom and would we please verify so they could close the ticket. Unfortunately, the problem was not fixed.

Now the fun began. To appease the telecom representative, I accepted the possibility that my DS3 controller card had coincidentally died or locked the circuit or some other bunch of weird pseudo-engineer guessing from the telecom representative. This meant I had to drive to our data center in Seattle, in rush hour traffic, to personally kick the offending router in the teeth.

After an hour or so of typically nasty Seattle rush-hour traffic I arrived at the datacenter and began testing. Our DS3 controller was showing AIP on the line, so more technicians were dispatched to find the offending problem. Meanwhile, I wandered over to the Icon Grill to get some dinner and an après-ski beverage or two.

Fast forward a few hours and the AIP condition on the DS3 controller was gone, but I now had an interface status of “up up (looped)” which is less than ideal, shall we say. I decided at this point to cut my losses and head home and possibly get some sleep while the telecom engineers and their cohort tried to figure out how this might be my fault.

With some three hours of sleep or so, I woke up at 5am and started looking at all of my emails, listening to all of my voicemails, and generally cursing anyone within earshot–mostly consisting of the cats–as my wife was still asleep. At this point I got on a conference bridge with the President of the telecom broker we use and together we managed to drag a rep in from the provisioning company who could then drag in as many engineers as needed to get the problem solved. Not, however, before I was rather pointedly told by said provisioning woman that I would have to pay for all of this cost since the problem was “obviously with my equipment, since her software showed no loops in the circuit.”

Once the engineers started hooking up testers to the circuit–physically this time–they could see a loop, but at the Seattle side (the side reporting the loop.) Another engineer saw a loop on the headquarters side, and still a third saw no loop at all. As it turns out, the circuit was provisioned by company “A” who then handed off to company “B” and finally to company “C” who terminated the circuit at the demarcation point at our headquarters. All for less than 20 miles, but I digress. Finally we all agreed to have Company “C” come onsite, interrupt the circuit physically at the demarcation equipment and look back down the link to see what he could see. As a precaution at this point, and tired of being blamed for ridiculous things, I and my staff physically powered down our routers on either side of the link. Since the loop stayed, that was the last time I had anyone point the finger my way. Small miracles and all of that.

Once the rep from Company “C” got onsite and interrupted the circuit for tests, he was still seeing “all green” down the line. Since the other engineers monitoring were still seeing a loop, they asked him to shut down the circuit. He did, and they still saw a loop. This was one of those “Aha” moments for all of us except the engineer from Company “C” who just couldn’t figure out what the problem might be. All of us suspected that the loop was between the Fujitsu OC‑3 box at our Demarc, and the upstream OC-48 Fujitsu Mux a couple of miles away and we finally convinced this guy to go check out the OC-48. Sure enough, a few minutes after he left our circuit came back on again. And we all rejoiced, and ate Robin’s Minstrels.

At the end of the day, we ended up with just short of 24 hours of downtime, for a DS‑3 from a major telecom provider that everyone here would recognize; 23 hours and 5 minutes, to be exact. So what was the problem, and the solution? Any telecom guys want to stop reading here and take a guess?

As it turns out, the original cause of our link going down was this same engineer pulling the circuit by mistake. When the trouble ticket was originally filed, he rushed out and “fixed” his mistake. But, what he hadn’t noticed the first time is two critical things:

(1) The circuit had failed over to the protect pair. DS3 circuits use one pair of fiber for the normally used (or working) circuit, and a separate fiber pair for the fail-over (or protect) circuit.

(2) The protect pair at the OC‑3 box at the demarcation point hadn’t ever been installed.

For lessons learned here, the main thing that comes to me is that we absolutely have to find a way to get true redundancy on this link, even if it means connecting our own strings between tin-cans. I should explain, by the way, that redundancy to this headquarters building is very difficult due to location: the last mile provider is the same no matter who we use to provision the circuit. In addition, with one major fiber loop in the area, even if we could get redundancy on the last mile we would still be at the mercy of that loop. We are at this point, after this incident, looking at a fixed LoS wireless option that has recently become available. Apparently we can get at least 20Mb/s although I haven’t heard any claims on the latency, so we’ll see.

I’m also shocked and appalled that three major telecoms, all working in concert, took almost a full day to run this problem to ground. I’m probably naive, but I expect more. The only saving grace in all of this is the level of professionalism and support I received from the telecom brokers we use. They were absolutely on top of this from the beginning, shepherded the whole process along, even facilitating communications between the players with their own conference bridge for the better part of a day. If anyone needs any telecom services brokered, anywhere in the world I’m told, contact Rick Crabbe at Threshold Communications.

With this summation done, my venting complete, and everything right with the world, I’m off for a beverage.

July 25, 2010 Uncategorized

ASA TU

Reading Time: 2 minutes

You ever have one of those weeks where everything that can go wrong, does? And even things that can’t go wrong, still do? Last week was that week for me. But more on that later.

I’m finally relaxing with a beer in my home office, Friday afternoon, after said hell-week, when suddenly I notice that my desk phone has mysteriously powered off. Beyond the visual cue of no screen display, and a nagging suspicion that something was still not right in the world, I also heard it when it shut down (The Cisco 7940 models in particular seem to make some noise when turning on and off.) Since this phone is using PoE from a Cisco ASA 5505, I glanced over at the 5505 to see what might be causing all of the unhappiness. Immediately I noticed that something wasn’t right, as the status light was orange for a second, then the whole unit rebooted. At that point the display lights go all green, then amber, then another reboot… ad naseum.

What the @#$!?

Trying to log in via either SSH or ASDM yields no love at all, so I hook up a console cable. There it is: the ASA apparently doesn’t have any OS to boot.

Again with the @#$!?

So, I take the cover off and pull out the *cough* expensive-as-hell *cough* flash card to double-check things on desktop computer. Sure enough, the computer reports that the flash card is not formatted. So I formatted it, reinstalled the OS and license information from–wait for it–the backup I had made recently. At this point I could have used this as another learning experience and re-configured the unit from scratch, just to test myself, but at the time I was trying to get some movie tickets purchased and had just gotten done with a very, very tiring week. Not surprisingly then, I took the easy way out and restored the configuration as well.

After a quick reinstall, the unit came back up and everything is fine.

My main lesson learned here–and I’m wondering if this is something that has happened to other people, or happens frequently with the ASA units–is that the Cisco ASAs seem to occasionally wipe out the installed flash card (cards plural if you have 5510s or bigger.) Either that, or the ridiculously expensive (like $300 or something) Cisco-branded 512mb flash cards are flakey as hell. I don’t tend to go with that last option, however, simply because when flash cards go bad they’re not usually amenable to being re-formatted and working properly again: it’s usually game-over, buy another one.

So, another random problem at least solved in the short-term. I’ll keep everyone posted on whether or not this happens again. I haven’t seen anything indicating that this is a known issue, but admittedly I haven’t really been looking. Auto-magically wiping out the entire boot OS, configuration, licenses, etc. would seem to be a fairly non-useful type of bug to have–even by, say, Microsoft standards… let alone Cisco.

So, has anyone seen this before?