Month: July 2013

Uploading ICX 10 GB Ports on Demand Licence



1) Copy the licence from tftp

copy tftp license XX.XX.XX.XX ICX6610-10G-LIC-POD.xml unit 1

2) Verify licence

ICX6610-24 Router#sh license
Index License Name Lid License Type Status License Period License Capacity
Stack unit 1:
1 ICX6610-10G-LIC-POD XXXXX Normal Active Unlimited 4

3) I realised that after that, the ports did not automatically come up, so I had to change the port speeds

interface ethernet 1/3/1
speed-duplex 10G-full
!
interface ethernet 1/3/2
speed-duplex 10G-full

4) Walaaa!!!

ICX6610-24 Router#sh int bri

Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
1/3/1 Up Forward Full 10G None Yes N/A 0 748e.f8e6.XXXC
1/3/2 Up Forward Full 10G None Yes N/A 0 748e.f8e6.XXXC

 

Upgrading firmware on brocade ICX6610



1) Confirm existing firmware

ICX6610-24 Router#sh flash
Stack unit 1:
Compressed Pri Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
Compressed Sec Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
Compressed Boot-Monitor Image size = 369491, Version:07.3.01T7f5
Code Flash Free Space = 51511296

2) Copy the file from tftp to primary flash (had to copy to primary because there is an existing bug that did not allow copying from tftp to secondary)

ICX6610-24 Router#copy tftp flash 79.XX.9.1XX FCXR08000a.bin primary
ICX6610-24 Router#Flash Memory Write (8192 bytes per dot)
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….^C
ICX6610-24 Router#
TFTP to Flash Done.

3) Confirm that the file has been copied

ICX6610-24 Router#sh flash
Stack unit 1:
Compressed Pri Code size = 8874046, Version:08.0.00aT7f3 (FCXR08000a.bin)
Compressed Sec Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
Compressed Boot-Monitor Image size = 369491, Version:07.3.01T7f5
Code Flash Free Space = 49414144

4) Verify MD5

ICX6610-24 Router#verify md5 pri

ICX6610-24 Router#verify md5 pri
ICX6610-24 Router#………………………………………………………………………………………………………………………Done
Size = 8874046, MD5 6b5ce5f7f370e4803418149f4e14d449

Check against the MD5 value provided during IOS download

6B5CE5F7F370E4803418149F4E14D449 ICX6610\Images\FCXR08000a.bin

Walaaa :)….we are up and running 🙂
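
The comparison in step 4, as an added example that is not part of the original post: it parses the switch's `verify md5` result line and the vendor checksum line, compares them case-insensitively, and can also check the copy staged on the TFTP server. The function names are this example's own, and a matching MD5 only shows that the image arrived uncorrupted over TFTP.

```python
import hashlib
import re

# Sample inputs: the two lines shown in the post above.
DEVICE_OUTPUT = "Size = 8874046, MD5 6b5ce5f7f370e4803418149f4e14d449"
VENDOR_LINE = r"6B5CE5F7F370E4803418149F4E14D449 ICX6610\Images\FCXR08000a.bin"
HEX32 = r"[0-9a-fA-F]{32}"


def parse_device(output):
    """Return (size, md5) from the 'verify md5' result line."""
    m = re.search(r"Size\s*=\s*(\d+),\s*MD5\s+(" + HEX32 + r")\b", output)
    if not m:
        raise ValueError("no 'Size = N, MD5 <hash>' line in device output")
    return int(m.group(1)), m.group(2).lower()


def parse_vendor(line):
    """Return (md5, image file name) from a '<hash> <path>' checksum line."""
    m = re.fullmatch(r"\s*(" + HEX32 + r")\s+(\S.*?)\s*", line)
    if not m:
        raise ValueError("not a '<md5> <path>' checksum line")
    # The vendor path uses backslashes; keep only the file name.
    return m.group(1).lower(), re.split(r"[\\/]", m.group(2))[-1]


def local_digest(path, chunk=1 << 16):
    """Size and MD5 of the image as staged on the TFTP server."""
    h, size = hashlib.md5(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            size += len(block)
    return size, h.hexdigest()


def image_verified(device_output, vendor_line, expected_name, staged=None):
    """True only if device hash, vendor hash and file name (and staged copy) agree."""
    dev_size, dev_md5 = parse_device(device_output)
    ven_md5, ven_name = parse_vendor(vendor_line)
    ok = dev_md5 == ven_md5 and ven_name == expected_name
    if staged is not None:  # (size, md5) as returned by local_digest()
        ok = ok and staged == (dev_size, dev_md5)
    return ok


if __name__ == "__main__":
    print(image_verified(DEVICE_OUTPUT, VENDOR_LINE, "FCXR08000a.bin"))
```
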

Upgrading Palo Alto Software to 5.0.6



1) First check that the content update is up to date, or update it if required.

Device – Dynamic Updates – Applications and Threats


2) My current version was 4.1.6. In order to upgrade to 5.0.6, we have to make sure that the base firmware 5.0.0 is downloaded (no need to install it). We then download v5.0.6 and finally install it. Finally 🙂

Device – Software


Palo Alto Update Server down!! WTF???



1) Confirm connectivity

admin@PA-500> ping host 10.2.232.1
PING 10.2.232.1 (10.2.232.1) 56(84) bytes of data.
64 bytes from 10.2.232.1: icmp_seq=1 ttl=255 time=0.488 ms
64 bytes from 10.2.232.1: icmp_seq=2 ttl=255 time=0.469 ms
64 bytes from 10.2.232.1: icmp_seq=3 ttl=255 time=0.468 ms
64 bytes from 10.2.232.1: icmp_seq=4 ttl=255 time=0.489 ms
64 bytes from 10.2.232.1: icmp_seq=5 ttl=255 time=0.445 ms
64 bytes from 10.2.232.1: icmp_seq=6 ttl=255 time=0.435 ms
64 bytes from 10.2.232.1: icmp_seq=7 ttl=255 time=0.442 ms
^C
--- 10.2.232.1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 5997ms
rtt min/avg/max/mdev = 0.435/0.462/0.489/0.026 ms

2) Try pinging the update server

admin@PA-500> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (199.167.52.13) 56(84) bytes of data.
^C
--- updates.paloaltonetworks.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5013ms

3) Confirm connectivity

admin@PA-500> ping host ya.ru
PING ya.ru (77.88.21.3) 56(84) bytes of data.
64 bytes from www.yandex.ru (77.88.21.3): icmp_seq=1 ttl=58 time=1.80 ms
64 bytes from www.yandex.ru (77.88.21.3): icmp_seq=2 ttl=58 time=1.24 ms
64 bytes from www.yandex.ru (77.88.21.3): icmp_seq=3 ttl=58 time=1.48 ms
64 bytes from www.yandex.ru (77.88.21.3): icmp_seq=4 ttl=58 time^C
--- ya.ru ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3038ms
rtt min/avg/max/mdev = 1.249/1.487/1.802/0.204 ms

4) What the fuck is happening?

admin@PA-500> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (199.167.52.13) 56(84) bytes of data.
^C
--- updates.paloaltonetworks.com ping statistics ---
15 packets transmitted, 0 received, 100% packet loss, time 14016ms

admin@PA-500> traceroute host updates.paloaltonetworks.com
traceroute to updates.paloaltonetworks.com (199.167.52.13), 30 hops max, 40 byte packets
1 (10.2.232.1) 1.091 ms 1.137 ms 1.247 ms
2 (81.23.6.65) 4.064 ms 4.154 ms 4.169 ms
3 (83.220.63.5) 2.813 ms 2.823 ms 2.900 ms
4 (62.140.239.81) 1.861 ms 1.868 ms 1.870 ms
5 (62.140.245.49) 2.544 ms 2.615 ms 2.960 ms
6 (62.140.245.81) 56.934 ms 56.698 ms 56.605 ms
7 (213.242.110.217) 50.186 ms 50.005 ms 50.183 ms
8 (4.68.70.10) 58.485 ms 63.608 ms 63.486 ms
9 (67.17.74.41) 63.464 ms 63.457 ms 63.525 ms
10 (67.17.105.2) 191.497 ms 191.114 ms 191.204 ms
11 (64.210.28.142) 182.979 ms 181.979 ms 181.966 ms
12 (66.151.144.29) 180.588 ms 180.550 ms 180.499 ms
13 (66.151.157.250) 182.051 ms 181.039 ms 180.905 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
admin@PA-500> telnet port 443 host updates.paloaltonetworks.com
Trying 199.167.52.13…

Connected to updates.paloaltonetworks.com.
Escape character is ‘^]’.
^^]
^C^H
^^]
Connection closed by foreign host.
admin@PA-500> request anti-virus upgrade download latest

Server error : No update information available

I have network connectivity but the servers are down!!1 How on earth are the update servers for a firewall down ???

Palo Alto Team….do sth!

 

====================EDITED UPDATE============

So after all the ranting, I visited the Device->Software webpage, clicked on Check Now and a list of the software updates came up 🙂

But the IP address was still unreachable. So guys, if you ever get the connectivity error… first try checking for the updates instead of wasting time ranting 🙂

Factory reset process on Palo Alto



1) Connect to the console and power off the firewall. When it starts to boot up, wait for the autoboot prompt and enter maint

Autoboot to default partition in 5 seconds.
Enter ‘maint’ to boot to maint partition.

INIT: version 2.86 booting

Welcome to PanOS
Setting clock (utc): Fri Jul 12 00:40:17 PDT 2013 [ OK ]
Starting udev: [ OK ]
Setting hostname PA-500: [ OK ]
Checking filesystems:
Running filesystem check on pancfg: [ OK ]
Running filesystem check on panrepo: [ OK ]
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
mount: can’t find / in /etc/fstab or /etc/mtab
Enabling /etc/fstab swaps: [ OK ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Starting Networking: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Starting portmap: [ OK ]
Starting NFS statd: [ OK ]
Starting panhttpd: [ OK ]
Starting sshd: [ OK ]
Starting ha-sshd: [ OK ]
Starting xinetd: [ OK ]
Starting ntpd: [ OK ]
Starting NFS services: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
Starting PAN Software: [ OK ]

2) Select Factory Reset option

Welcome to the Maintenance Recovery Tool
Welcome to maintenance mode. For support please contact Palo Alto
Networks.

866-898-9087 or support@paloaltonetworks.com

Welcome to the Maintenance Recovery Tool

Factory Reset

WARNING: Performing a factory reset will remove all logs and configuration.

Using Image:
(X) panos-4.1.6

< Factory Reset >

< Advanced >

3) Factory reset starts

(X) panos-4.1.6

Percent Complete

0 %

Factory Reset Status

Factory Reset Status: Success

4) Reboot and log in using admin / admin

Bootstrapping [panos ] into partition “sysroot0”
Installing packages into /mnt/swm/sysroot0/…
Installing: glibc-2.9-4.pan
Installing: zlib-1.2.3-3.pan
Installing: libgcc-4.3.3-4.pan
Installing: libstdc++-4.3.3-5.pan
Installing: popt-1.12-1.pan
Installing: chkconfig-1.3.30.1-2.pan
Installing: mktemp-1.5-23.2.2
Installing: bzip2-libs-1.0.3-3.pan
Installing: sed-4.1.5-5.pan
INIT: Sending processes the TERM signal
Stopping PAN Software: [ OK ]
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: nfsd: last server has exited, flushing export cache
[ OK ]
Shutting down NFS services: [ OK ]
Stopping ha-sshd: [ OK ]
Stopping sshd: [ OK ]
Stopping xinetd: [ OK ]
Shutting down ntpd: [ OK ]
Stopping NFS statd: [ OK ]
Stopping portmap: [ OK ]
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Stopping Networking: SIOCGIFFLAGS: No such device
[ OK ]
Starting killall: [ OK ]
Sending all processes the TERM signal…
Sending all processes the KILL signal…
Saving random seed:
Syncing hardware clock to system time
Unmounting pipe file systems:
Unmounting file systems:
Please stand by while rebooting the system…
sd 0:0:0:0: [sda] Synchronizing SCSI cache
Restarting system.
Welcome to the PanOS Bootloader.

U-Boot 4.1.6.0-7 (Build time: Apr 18 2012 – 22:20:45)
BIST check passed.
PEREGRINE board revision major:2, minor:1, serial #: 0006C112377
OCTEON CN5220-CP pass 2.0, Core clock: 500 MHz, DDR clock: 265 MHz (530 Mhz data rate)
DRAM: 1024 MB
Clearing DRAM…….. done
Using default environment

Flash: 32 MB
PCIe: Port 0 link active, 1 lanes
Net: octeth0, octeth1, octeth2, octeth3
Bus 0 (CF Card): not available

ata0: SATA max UDMA/133: lba 48 mode
Model: WDC WD2503ABYX-01WERA1 Firm: 01.01S02 Ser#: WD-WMAYP4400518
Type: Hard Disk
Supports 48-bit addressing
Capacity: 239429.0 MB = 233.8 GB (490350672 x 512)

USB: (port 1) No USB devices found.

Autoboot to default partition in 5 seconds.
Enter ‘maint’ to boot to maint partition.

Allocating memory for ELF segment: addr: 0xffffffff81100000 (adjusted to: 0x1100000), size 0x984d80
## Loading Linux kernel with entry point: 0xffffffff81105cd0 …
Bootloader: Done loading app on coremask: 0x3
Linux version 2.6.32.13-mp-4.1.6.0.7 (build@cobalt.paloaltonetworks.local) (gcc version 4.3.3 (Cavium Networks Version: 2_0_0 build 99) ) #2 SMP Wed Apr 18 23:09:37 PDT 2012
CVMSEG size: 2 cache lines (256 bytes)
Cavium Networks SDK-2.0
bootconsole [early0] enabled
CPU revision is: 000d0708 (Cavium Octeon+)
Checking for the multiply/shift bug… no.
Checking for the daddiu bug… no.
Determined physical RAM map:
memory: 0000000000046000 @ 00000000019da000 (usable after init)
memory: 0000000006400000 @ 0000000001b00000 (usable)
memory: 0000000007c00000 @ 0000000008200000 (usable)
memory: 0000000020000000 @ 0000000020000000 (usable)
memory: 000000000fc00000 @ 0000000410000000 (usable)
INIT: version 2.86 booting

Welcome to PanOS
Setting clock (utc): Fri Jul 12 00:47:25 PDT 2013 [ OK ]
Starting udev: [ OK ]
Setting hostname 500: [ OK ]
Checking filesystems:
Running filesystem check on sysroot0: [ OK ]
Running filesystem check on pancfg: [ OK ]
Running filesystem check on panrepo: [ OK ]
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
Enabling /etc/fstab swaps: [ OK ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Starting Networking: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Starting portmap: [ OK ]
Starting NFS statd: [ OK ]
Starting sshd: [ OK ]
Starting ha-sshd: [ OK ]
Starting xinetd: [ OK ]
Starting ntpd: [ OK ]
Starting NFS services: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
Starting PAN Software: [ OK ]

500 login: admin

6) I couldn't get the default password correct several times – don't know why… but finally it worked

Login incorrect

login: admin
Password:
Login incorrect

login: Login timed out after 60 seconds

PA-HDF login: admin
Password:
Login incorrect

login: Login timed out after 60 seconds

PA-HDF login: admin
Password:
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.

7) Enter configuration mode

admin@PA-500> configure
Entering configuration mode
[edit]

8) Set the device's management IP address

admin@PA-500# set deviceconfig system ip-address 10.2.232.3 netmask 255.255.255.0 default-gateway 10.2.232.1 dns-setting servers primary 10.1.200.3 secondary 10.1.200.5

[edit]
admin@PA-500# commit

………….55%…75%…98%……….100%
Configuration committed successfully

[edit]

9) Confirm connectivity

admin@PA-500> ping host 10.2.232.1
PING 10.2.232.1 (10.2.232.1) 56(84) bytes of data.
64 bytes from 10.2.232.1: icmp_seq=1 ttl=255 time=0.505 ms
64 bytes from 10.2.232.1: icmp_seq=2 ttl=255 time=0.465 ms
64 bytes from 10.2.232.1: icmp_seq=3 ttl=255 time=0.475 ms
64 bytes from 10.2.232.1: icmp_seq=4 ttl=255 time=0.472 ms
64 bytes from 10.2.232.1: icmp_seq=5 ttl=255 time=0.470 ms
64 bytes from 10.2.232.1: icmp_seq=6 ttl=255 time=0.477 ms
64 bytes from 10.2.232.1: icmp_seq=7 ttl=255 time=0.518 ms
64 bytes from 10.2.232.1: icmp_seq=8 ttl=255 time=0.458 ms
^C
--- 10.2.232.1 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 6995ms
rtt min/avg/max/mdev = 0.458/0.480/0.518/0.019 ms

Boot Brocade switch as a Layer 3 device from Secondary flash



Confirm that the router image is installed.

ICX6610-24 Switch#show flash
Stack unit 1:
Compressed Pri Code size = 5320842, Version:07.3.00aT7f1 (/foundry/FGS/os/FCXS07300a.bin)
Compressed Sec Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
Compressed Boot-Monitor Image size = 369491, Version:07.3.01T7f5
Code Flash Free Space = 52822016

Configure the switch to reboot from the secondary image.
ICX6610-24 Switch#boot system flash sec
secondary From Secondary image flash
ICX6610-24 Switch#boot system flash secondary
Are you sure? (enter ‘y’ or ‘n’): y
Halt and reboot
Rebooting(2)…
*
$
ICX Boot Code Version 7.3.01 (grz07301)
Enter ‘a’ to stop at memory test
Enter ‘b’ to stop at boot monitor
BOOT INFO: load monitor from boot flash, cksum = b4d2
BOOT INFO: verify flash files………
BOOT INFO: load image from secondary copy…

platform type = 8
PCIE-1 LTSSM status: 22
PCIE Switch status: 0
…………………
…..
Starting Main Task …CPSS DxCh Version: cpss3.4 release
Pre Parsing Config Data …

Parsing Config Data …

Copyright (c) 1996-2011 Brocade Communications Systems, Inc.
UNIT 1: compiled on Dec 02 2011 at 11:46:03 labeled as FCXR07300a
(6803305 bytes) from Secondary /foundry/FGS/os/FCXR07300a.bin
SW: Version 07.3.00aT7f3
Boot-Monitor Image size = 369491, Version:07.3.01T7f5 (grz07301)
HW: Stackable ICX6610-24
==========================================================================
UNIT 1: SL 1: ICX6610-24 24-port Management Module
Serial #: BXP2551H0BX
License: ICX6610_BASE_ROUTER_SOFT_PACKAGE (LID: dzrHKKGjFdz)
P-ENGINE 0: type E02B, rev 01
==========================================================================
UNIT 1: SL 2: ICX6610-QSFP 10-port 160G Module
==========================================================================
UNIT 1: SL 3: ICX6610-8-port Dual Mode(SFP/SFP+) Module
==========================================================================
800 MHz Power PC processor 8544E (version 0021/0023) 400 MHz bus
65536 KB flash memory
512 MB DRAM
STACKID 1 system uptime is 9 seconds
The system : started=warm start reloaded=by “reload”

……………………
ICX6610-24 Router>
Power supply 2 detected.
Power supply 2 is up.

ICX6610-24 Router>en
No password has been assigned yet…
ICX6610-24 Router#

 

Note that the hostname has now changed to ICX6610-24 Router

How to Check SFP connected to Brocade ICX 6610 switch



I have 2 10Gb SFPs connected to the switch. Needed to confirm that the switch recognises them.

ICX6610-24 Switch#show media
1/1/1:C 1/1/2:C 1/1/3:C 1/1/4:C 1/1/5:C 1/1/6:C 1/1/7:C 1/1/8:C 1/1/9:C 1/1/10:C 1/1/11:C 1/1/12:C 1/1/13:C 1/1/14:C 1/1/15:C 1/1/16:C 1/1/17:C 1/1/18:C 1/1/19:C 1/1/20:C 1/1/21:C 1/1/22:C 1/1/23:C 1/1/24:C
1/2/1:– 1/2/2:– 1/2/3:– 1/2/4:– 1/2/5:– 1/2/6:– 1/2/7:– 1/2/8:– 1/2/9:– 1/2/10:–
1/3/1:XG-SR 1/3/2:XG-SR 1/3/3:– 1/3/4:– 1/3/5:– 1/3/6:– 1/3/7:– 1/3/8:–

 

ICX6610-24 Switch#show media ethernet 1/3/1
Port 1/3/1: Type : 10G XG-SR(SFP +)
Vendor: FINISAR CORP. Version: A
Part# : FTLX8571D3BCL Serial#: ANF0KN3
ICX6610-24 Switch#show media ethernet 1/3/2
Port 1/3/2: Type : 10G XG-SR(SFP +)
Vendor: FINISAR CORP. Version: A
Part# : FTLX8571D3BCL Serial#: ANG04LP