PIX OS upgrade blues

Discussion in 'Cisco' started by barret bonden, Jan 29, 2010.

  1. We wanted a 2nd PIX to be used in case the primary fails (not a
    failover box situation). We own a 515 with 6.3 and bought one with 6.2.
    I tried to move the config file from the 6.3 to the 6.2 machine.
    It fails to run the "interface" command and there may be other problems. I
    want to upgrade the 6.2 to 6.3. I can't find "Smartnet" support for a
    purchase of 6.3 but I have a pix631.bin file from the original machine on
    CD.

    Can I transfer it to the 6.2 machine or will the whole thing blow up with an
    "activation key" problem on the 6.2 PIX?
     
    barret bonden, Jan 29, 2010
    #1

  2. "barret bonden" <> writes:
    > We wanted a 2nd PIX to be used in case the primary fails (not a
    > failover box situation). We own a 515 with 6.3 and bought one with 6.2.
    > I tried to move the config file from the 6.3 to the 6.2 machine.
    > It fails to run the "interface" command and there may be other problems. I
    > want to upgrade the 6.2 to 6.3. I can't find "Smartnet" support for a
    > purchase of 6.3 but I have a pix631.bin file from the original machine on
    > CD.


    I'm not sure what problem you had with the "interface" command,
    because interface as a command has been pretty much the same
    throughout the whole PIX version timeline. Setup on version 6.2
    vs. 6.3 shouldn't give you any issue.

    Is the "new" box licensed right to match? The license is stored
    separately from the config. Are the interfaces there? Is it working
    otherwise? I could see problems with the interface command if the box
    isn't licensed, where it might not recognize interfaces until it
    is licensed properly.


    The PIX hardware is EOL'd and nothing is available for it any longer,
    no licenses, no new Smartnet, no spares, etc. That's why you can't find
    anything to buy.


    >Can I transfer it to the 6.2 machine or will the whole thing blow up with a
    >"activation key" problem on the 6.2 PIX?


    You won't be able to use the same activation key on the new box, as
    the activation keys are tied to the hardware serial # of the box. They
    are unique for each box, non-transferable.
    They are not tied to the version of code running on the box.

    If your "new" box doesn't have a license activated, you bought
    yourself a doorstop, because you can't buy PIX licenses any longer,
    sorry to say.
     
    Doug McIntyre, Jan 29, 2010
    #2

  3. Doug:

    Very kind of you to help. I'll post the config and some 6.2 errors as it
    tries to digest the 6.3 code below for your entertainment.

    If I understand you, I will not have "activation key" explosions if I move
    a 6.3 OS to the 6.2 box (I know nothing of activation keys; sounded like
    it might be an OS copy protection). I was worried the PIX631.bin from our
    first PIX's CD was in some way tied to that PIX's hardware. I saw myself
    moving the 6.3 OS onto the 6.2 box and having it not run. I've been
    blindsided so often by Cisco idiosyncrasies that I'm just trying to cover my
    ass with my client prior to acting.
    The 6.2 box looks healthy.

    As to the config code: When I TFTP'd the 6.3 box's config to the "new" 6.2
    PIX I got this:
    -------------------------
    ERROR: invalid IP address interface
    invalid IP address interfacesion 6.2(2)st name [test]
    ERROR: invalid IP address interface
    bad port udp
    Config Error -- fixup protocol sip udp 5060
    ERROR: invalid IP address interface
    Config Error -- access-list outside_access_in permit tcp any interface
    outside o
    bject-group PCA
    ..ERROR: invalid IP address interface
    Config Error -- access-list outside_access_in permit tcp any interface
    outside r
    ange 3060 3064
    ERROR: invalid IP address interface
    Config Error -- access-list outside_access_in permit udp any interface
    outside r
    ange 3060 3064
    ERROR: invalid IP address interface
    Config Error -- access-list outside_access_in permit tcp any interface
    outside e
    q 3000
    ERROR: invalid IP address interface
    Config Error -- access-list outside_access_in permit tcp any interface
    outside e
    q 3333
    Warning: Start and End addresses overlap with broadcast address.
    outside interface address added to PAT pool
    dmz interface address added to PAT pool
    ..
    WARNING: TFTP download incomplete!

    Config Failed
    tftp: Unspecified Error

    -----------------------------------------------------------
    And here is the 6.3 config I need to run on the 6.2 box:
    Saved
    : Written by enable_15 at 13:51:53.709 UTC Wed Jan 27 2010
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password xxxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxx encrypted
    hostname xxxxxxxxxxxxxx
    domain-name xxxxxxxxxxxxxxxxx
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 192.168.0.101 networks1
    name 192.168.0.102 networks2
    name 192.168.0.112 networksf2
    name 192.168.0.111 networksf1
    name 192.168.2.121 networksweb
    name 192.168.0.103 networks3
    name 192.168.0.104 networks4
    object-group network networksServers
    network-object networks1 255.255.255.255
    network-object networks2 255.255.255.255
    network-object networks3 255.255.255.255
    network-object networks4 255.255.255.255
    object-group network networksServers_ref
    network-object 192.168.2.10 255.255.255.255
    network-object 192.168.2.11 255.255.255.255
    network-object 192.168.2.12 255.255.255.255
    network-object 192.168.2.13 255.255.255.255
    object-group service xxxxxxxxxx tcp-udp
    description Pxxxxxxxxxxx Standard Ports
    port-object range 5631 5632
    object-group service PCAnyWeb tcp-udp
    description PCAnywhere and Web Services
    port-object range 5631 5632
    port-object range 80 80
    object-group service networks tcp
    port-object range 6690 7008
    access-list inside_outbound_nat0_acl permit ip any 192.168.0.192 255.255.255.192
    access-list outside_access_in permit tcp any interface outside object-group PCAnyWeb
    access-list outside_access_in permit icmp any any echo
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit tcp any host 192.168.0.42 range 10000 10005
    access-list outside_access_in permit tcp any host 192.168.0.122
    access-list outside_access_in permit udp any host 192.168.0.122
    access-list outside_access_in permit tcp any interface outside range 3060 3064
    access-list outside_access_in permit udp any interface outside range 3060 3064
    access-list outside_access_in permit tcp any host 192.168.0.124
    access-list outside_access_in permit tcp any host 192.168.0.170 eq https
    access-list outside_access_in permit udp any host 192.168.0.200 eq 60080
    access-list outside_access_in permit tcp any interface outside eq 3000
    access-list outside_access_in permit tcp any interface outside eq 3333
    access-list dmzin permit tcp host networksweb object-group networksServers_ref object-group networks
    pager lines 24
    logging timestamp
    logging monitor debugging
    logging trap debugging
    logging host inside 192.168.0.244
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside XX.22.123.34 255.255.255.240
    ip address inside 192.168.0.2 255.255.255.0
    ip address dmz 192.168.2.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit name checkit attack action alarm reset
    ip audit interface outside checkit
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool testsupport 192.168.0.210-192.168.0.220
    pdm location 192.168.0.31 255.255.255.255 inside
    pdm location networksf1 255.255.255.255 inside
    pdm location 192.168.2.33 255.255.255.255 inside
    pdm location networksweb 255.255.255.255 dmz
    pdm location networks1 255.255.255.255 inside
    pdm location networks2 255.255.255.255 inside
    pdm location networksf2 255.255.255.255 inside
    pdm location 0.0.0.0 255.255.255.255 inside
    pdm location 192.168.2.10 255.255.255.255 dmz
    pdm location 192.168.2.11 255.255.255.255 dmz
    pdm group networksServers inside
    pdm group networksServers_ref dmz reference networksServers
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (dmz,outside) tcp interface www networksweb www netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface pcanywhere-data networksweb pcanywhere-data netmask 255.255.255.255 0 0
    static (dmz,outside) tcp interface 5632 networksweb 5632 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10000 192.168.0.42 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10001 192.168.0.42 10001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10002 192.168.0.42 10002 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 10003 192.168.0.42 10003 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3061 192.168.0.122 3061 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3060 192.168.0.122 3060 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3062 192.168.0.122 3062 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3063 192.168.0.122 3063 netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 3064 192.168.0.122 3064 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5001 192.168.0.124 5001 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface https 192.168.0.170 https netmask 255.255.255.255 0 0
    static (inside,outside) udp interface 60080 192.168.0.200 60080 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3000 192.168.0.13 3000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3333 192.168.0.13 3333 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.2.10 networks1 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.2.11 networks2 netmask 255.255.255.255 0 0
    static (dmz,inside) 192.168.0.121 networksweb netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.2.12 networks3 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.2.13 networks4 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group dmzin in interface dmz
    route outside 0.0.0.0 0.0.0.0 ww.ww.ww.81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.31 255.255.255.255 inside
    http networksf1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 33
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 20
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication chap
    vpdn group PPTP-VPDN-GROUP client configuration address local testsupport
    vpdn group PPTP-VPDN-GROUP client configuration dns xxx.ww.65.2 xxx.xx.101.15
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username b0ldtech password b066331
    vpdn enable outside
    username dealer password 2.F4KZtwVCnjQVaH encrypted privilege 2
    username guest password YgTVHyk8JI2n.b2E encrypted privilege 2
    username art1 password F/IZF.kOBNKpyTM1 encrypted privilege 2
    username robert password wqEpZlHyXB1vk/uT encrypted privilege 2
    terminal width 80
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
    : end

     
    barret bonden, Jan 29, 2010
    #3
  4. "barret bonden" <> writes:
    > Very kind of you to help. I'll post the config and some 6.2 errors as it
    > tries to digest the 6.3 code below for your entertainment.


    > If I understand you I will not have "activation key" explosions if I move
    >a 6.3 OS to the 6.2 box ( I know nothing of Activation keys ; sounded like
    >it might be an OS copy protection )


    Yes, the Activation Key is the license for the box. Each license is
    unique, and tied to the hardware serial #. Neither the OS image nor the
    configuration is tied to a particular box; they should be able to move.

    > I was worried the PIX631.bin from our
    >first PIX's CD was in some way tied to that PIX's hardware.


    The OS image is the same on every PIX; as long as it's valid, it will
    run on any PIX you load it on.

    > I saw myself
    >moving the 6.3 OS onto the 6.2 box and having it not run. I've been
    >blindsided so often by Cisco idiosyncrasies that I'm just trying to cover my
    >ass with my client prior to acting.
    > The 6.2 box looks healthy


    Your config looks clean, I don't remember when ports and object-groups
    were introduced, but most likely not in 6.2. But you fail out long
    before then. I'd recommend you run a later 6.3 anyway.

    I still suspect your "new" box isn't licensed.

    pix(config)# show activation-key
    Serial Number: 12345678 (0xbc614e)

    Running activation key: 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
    Licensed Features:
    Failover: Enabled
    VPN-DES: Enabled
    VPN-3DES: Enabled
    Maximum Interfaces: 6
    Cut-through Proxy: Enabled
    Guards: Enabled
    Websense: Enabled
    Throughput: Unlimited
    ISAKMP peers: Unlimited


    pix(config)# show interface
    interface ethernet0 "outside" is up, line protocol is up
    Hardware is i82559 ethernet, address is 00aa.0000.003b
    IP address 209.165.201.7, subnet mask 255.255.255.224
    MTU 1500 bytes, BW 100000 Kbit half duplex
    1184342 packets input, 1222298001 bytes, 0 no buffer
    Received 26 broadcasts, 27 runts, 0 giants
    4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
    1310091 packets output, 547097270 bytes, 0 underruns, 0 unicast rpf drops
    0 output errors, 28075 collisions, 0 interface resets
    0 babbles, 0 late collisions, 117573 deferred
    0 lost carrier, 0 no carrier
    ....

    Otherwise, your TFTP may be garbled up? Your error listings sure are.
    I'm not sure what is valid or isn't in there.
     
    Doug McIntyre, Jan 29, 2010
    #4
  5. Doug:

    Many thanks. It worked; I was able to move a 631.bin to the new PIX and it
    took; solved all the issues with the config.
    Without your help I was in a mess; Cisco TAC would not even deal with me as
    the hardware was too old. Would not even answer the question you so kindly
    did.
    I must say, in the hopes that someone from Cisco reads this: the firm sucks;
    that is to say, your customer care, your support of your aging hardware is an
    insult to my customers and to myself as a consultant.
    I will never recommend a Cisco firewall again (and I have sold many).



     
    barret bonden, Feb 6, 2010
    #5
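
The checks Doug suggests in post #4 (license and interfaces), together with the release mismatch that post #5 reports as the fix, written as a pre-flight script to run before loading a saved config onto a spare unit. This is an added example, not code from any poster or from Cisco; the sample inputs are constructed by trimming the outputs quoted in this thread, and all function names are hypothetical.

```python
import re

# Constructed sample inputs, trimmed from the outputs quoted in the thread.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol sip udp 5060
access-list outside_access_in permit tcp any interface outside eq 3000
"""

SAMPLE_ACTIVATION_KEY = """\
Serial Number: 12345678 (0xbc614e)

Running activation key: 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)")


def parse_version(text):
    """Return (major, minor, maintenance) from a string such as '6.3(1)'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no PIX version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def format_version(version):
    return "{}.{}({})".format(*version)


def config_version(config):
    """Release recorded in the 'PIX Version x.y(z)' header of a saved config."""
    for line in config.splitlines():
        if line.strip().startswith("PIX Version"):
            return parse_version(line)
    return None


def parse_license(show_activation_key):
    """Collect the 'Name: value' lines of 'show activation-key' output."""
    fields = {}
    for line in show_activation_key.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields


def configured_interfaces(config):
    """Hardware ports named by 'interface' and 'nameif' commands."""
    ports = set()
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in ("interface", "nameif"):
            ports.add(words[1])
    return ports


def preflight(config, target_version, show_activation_key):
    """Return a list of reasons the config may not load on the target box."""
    findings = []

    written_by = config_version(config)
    running = parse_version(target_version)
    if written_by is None:
        findings.append("config has no 'PIX Version' header to compare")
    elif written_by > running:
        findings.append(
            f"config was written by {format_version(written_by)} but the "
            f"target runs {format_version(running)}: load the matching "
            "image before the config"
        )

    lic = parse_license(show_activation_key)
    ports = configured_interfaces(config)
    max_ports = lic.get("Maximum Interfaces", "")
    # Assumption: output without these fields is treated as "license could
    # not be read", not as proof that the box is unlicensed.
    if "Running activation key" not in lic or not max_ports.isdigit():
        findings.append("could not read a license from 'show activation-key'")
    elif len(ports) > int(max_ports):
        findings.append(
            f"config uses {len(ports)} interfaces, license allows {max_ports}"
        )
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG, "6.2(2)", SAMPLE_ACTIVATION_KEY):
        print("WARN:", finding)
```
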
  6. Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, barret
    bonden chose the tried and tested strategy of:

    > I must say, in the hopes that someone from Cisco reads this: the firm
    > sucks; that is to say, your customer care, your support of your aging
    > hardware is an
    > insult to my customers and to myself as a consultant.
    > I will never recommend a Cisco firewall again (and I have sold many).


    Are you saying that you would normally recommend EOL hardware to one of your
    customers?

    --
    <http://ale.cx/> (AIM:troffasky) ()
    19:02:27 up 1 day, 23:42, 5 users, load average: 0.11, 0.35, 0.18
    DIMENSION-CONTROLLING FORT DOH HAS NOW BEEN DEMOLISHED,
    AND TIME STARTED FLOWING REVERSELY
     
    alexd, Feb 6, 2010
    #6
  7. On 6 Feb, 17:58, "barret bonden" <> wrote:
    > Doug:
    >
    > Many thanks. It worked; I was able to move a 631.bin to the new PIX and it
    > took; solved all the issues with the config.
    > Without your help I was in a mess; Cisco TAC would not even deal with me as
    > the hardware was too old. Would not even answer the question you so kindly
    > did.
    > I must say, in the hopes that someone from Cisco reads this: the firm sucks;
    > that is to say, your customer care, your support of your aging hardware is an
    > insult to my customers and to myself as a consultant.
    > I will never recommend a Cisco firewall again (and I have sold many).


    How long do you think a company should support
    products no longer in production?

    In my experience Cisco seem to support stuff for
    longer than anyone else I have noticed.

    Here is an extract from the End of Sale announcement for
    the Pix 515. I do not know when the announcement was
    made.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice09186a008032d3b4.html

    "End-of-Sale Schedule

    End of Sale: May 24, 2002 (No longer available for purchase)

    End of Software Support: May 24, 2005

    End of Hardware Support: May 24, 2007 (hardware repairs or exchanges
    are no longer available)

    "Cisco is committed to providing hardware support for this product for
    a period of five years after the end-of-sale date.""

    You are asking for support on something that
    they stopped selling nearly eight years ago!!!!

    I wish you well in your search for a supplier of firewalls
    that has a clearer investment protection policy than Cisco.

    Please let us know when you find one.
     
    bod43, Feb 6, 2010
    #7
  8. The customer had a 6.31 era PIX. He wanted a backup PIX in case the
    production unit failed. He is not rich, and paid good money for the first
    unit while new; he was acting as a rational business person in looking for
    and finding a matching unit.
    As his consultant he expected I could get it working; all nice, rational
    thoughts.
    Cisco could understand this.
    Cisco could care about supporting good old customers.
    No, I'm wrong about that:
    But I'll never put myself or a customer in that spot again.
    For the record thousands of firms around the world support their older
    hardware for just the obvious rational reasons above.
    Live and learn about Cisco.



     
    barret bonden, Feb 6, 2010
    #8
  9. I can still find parts for my old Chevy, but more to the point: if one of
    my customers from 20 years ago calls and asks for advice (just a little
    bit of advice, not a lot of my time on the phone or a free house call,
    just a little bit of help), I do not tell them in so many words to
    #$@#$@ themselves.

    In dealing with this issue across the country I've found that Cisco's rep
    for this kind of thing, again to be polite, sucks. It is not just my
    experience. "Arrogant" was used more than once.

    Lots of firms, when they own a market, get this way. But I'm old enough to
    recall Ashton Tate (Remember them? No? That's my point.) and Novell in
    similar frames of mind.

    They owned their markets too, and a lot tighter than Cisco does now.



     
    barret bonden, Feb 6, 2010
    #9
  10. "barret bonden" <> writes:
    >The customer had a 6.31 era PIX. He wanted a backup PIX in case the
    >production unit failed. He is not rich, and paid good money for the first
    >unit while new; he was acting as a rational business person in looking for
    >and finding a matching unit.
    > As his consultant he expected I could get it working; all nice, rational
    >thoughts.
    > Cisco could understand this.
    > Cisco could care about supporting good old customers.
    > No, I'm wrong about that:
    > But I'll never put myself or a customer in that spot again.

    ....


    FWIW: Another way to look at this is to compare the expected
    lifetime for hardware for various companies. In the computer/datacomm
    world, you get about 3 good years out of a piece of gear. If you get 5
    years out of it, you're out ahead. If you get 8 years out of it,
    you're on your last legs. Yeah, a car is built to last longer, but
    just the same as a car, you need to realize they have a finite lifespan
    and plan for the eventuality of needing to replace it at some time.

    If the end-customer had had another company's piece of gear, say a
    10-year old Watchguard, or a Nokia, or a Checkpoint, or a Sonicwall,
    etc. etc., you wouldn't even have the opportunity to find something
    matching to set up a HA pair. You'd be in the same position Cisco wants
    to put you in now, to do a technology refresh to get something current
    in hardware. It's only because Cisco has been doing this for quite some
    time, and has been so popular, and has supported their old stuff for
    so long that it's even an option to consider for you. You just happened
    to fall outside the support envelope.
     
    Doug McIntyre, Feb 7, 2010
    #10
  11. Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, barret
    bonden chose the tried and tested strategy of:

    > The customer had a 6.31 era PIX. He wanted a backup PIX in case the
    > production unit failed. He is not rich, and paid good money for the first
    > unit while new; he was acting as a rational business person in looking for
    > and finding a matching unit.
    > As his consultant he expected I could get it working; all nice, rational
    > thoughts.


    Unfortunately, you and your customer's idea of rational may not be the same
    as that of an organisation whose main commitment is to its shareholders.

    > Live and learn about Cisco.


    You're the consultant. It's up to you to know about the pros and cons of any
    solution you recommend.

    The only way you can support something indefinitely, independent of the
    whims of a particular company or its business model, is if you develop
    it yourself or if you've got the source code.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    20:19:47 up 3 days, 59 min, 5 users, load average: 0.00, 0.00, 0.00
    DIMENSION-CONTROLLING FORT DOH HAS NOW BEEN DEMOLISHED,
    AND TIME STARTED FLOWING REVERSELY
     
    alexd, Feb 7, 2010
    #11