
Wednesday, 16 March 2022

pscp file to cisco router

I was trying to copy files to a Cisco ASR 1001x router.

I was having issues due to internal FW rules etc. I could SSH so probably SCP would work.


I needed to enable the following command on the ASR router

ip scp server enable

However it still wasn't working.

I needed to run the pscp command on my server with the files with the -scp switch to force the old protocol

pscp -scp filename.bin username@x.x.x.x:filename.bin


I had to fill in the second filename.bin for the destination otherwise it would not work


Thursday, 29 November 2018

upgrade 3850 from 3.x.x to 16.x.x

Prep work

Create a USB drive and copy the files to it; create a folder for old files
Create a test plan to use post upgrade
Take backup of running config
Take backup of current software
Download the new software to be installed

Doco from Cisco:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-8/release_notes/ol-16-8-3850.html#id_67699

Important note

Create some local users and check the AAA config. There is a bug with users coming over, and you get locked out of the switch.

username admin algorithm-type scrypt secret cisco
(this is type 9, the best at time of writing) 



Upgrade

  • Make space in flash if needed (most of the time there will be lots of space)
software clean
request platform software package clean


  • Copy the new software to the switch (usb or tftp/ftp etc)
dir usbflash:
copy usbflash:/filename.bin flash:
Usually format the USB drive as FAT32.
Watch out for network cable boots below the USB port pushing the USB drive up. I've had that cause IO errors in the past.


  • Regenerate SSH keys; this is needed going from 3.x.x to 16.x.x
conf t
crypto key generate rsa general-keys modulus 2048
exit

  • Start putty or other console program with logging
sudo minicom -C switch-upgrade.txt

  • Install software onto all switches in the stack (out of hours).
software install file flash:/filename.bin switch 1-2 verbose new force
stack reload now, yes
save config, yes
reboot will take 10-20 minutes


  • Post installation checks
Once reloaded, check show ver
Test the switch: is everything working as expected?

Set boot variable
boot system switch all flash:packages.conf
sh boot


After some testing clean up other files
request platform software package clean switch all file flash:
yes to delete old files
yes to save config

Monday, 18 April 2016

Upgrading the RAM in a Cisco ASA

1 - Backup config
2 - Take picture of cables
3 - Label cables
4 - power off ASA and un-cable
5 - Unscrew and open case
6 - Install the new DIMM
7 - re-cable and power on
8 - confirm upgrade with sh ver | i RAM

Thursday, 28 January 2016

update/upgrade cisco router image


*** Download image from Cisco website (you need a valid contract)

*** Backup
Your config
Your current image file
Your vlan.dat file

*** Make sure we have enough free space (Flash and RAM)
show flash
sh mem
dir

*** Connect to the inside interface or configure a free interface
Make sure your laptop has an IP on the same network; you may need to assign one statically

conf t
interface fa 0/0
ip address 172.17.19.219 255.255.255.0
wr

*** Copy the image file onto the router

copy tftp flash

IP of TFTP server (you can use serva or tftpd)

Source file name: the full filename as it appears on the TFTP server

Destination file name: what it will be saved as on the router (leave the same)

Erase flash before copying? N (if you have free space)

sh flash (verify your new image has been uploaded)

*** Set the boot variable
conf t

boot system flash file-name-of-ios-image.bin
eg
boot system disk0:c7200p-adventerprisek9-mz.152-4.M9.bin

sh run | i boot

If there are two, remove the old one

no boot system flash old-ios-image.bin

copy run start

*** Reload the router
Before rebooting it's a good idea to connect via console cable with logging turned on
This way if there is an issue you have a log file to upload to Cisco TAC
You can also watch the upgrade/boot progress and not panic while you are waiting ;)
reload

*** Verify
Once booted back up do

sh ver (to verify)

sh ver | i System image

Wednesday, 15 May 2013

update/upgrade the Cisco ASA image

Backup your config and current images (ASA software, ASDM, anyconnect, orig.json)
Also check for certs and licenses

Check what IPS modules are running on the active ASA
show modules
You may need to shutdown/uninstall the old unused IPS 
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload
ciscoasa# show modules


Download the new images from the Cisco website
Grab the latest asdm/anyconnect while you are there

Check ASA and ASDM compatibility
https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#reference_upj_nkl_x4b


Connect to the device with the console cable and putty logging enabled

Copy images to the device
TFTP the images to the Cisco device, you can use a laptop and the tftpd server

Alternatively if you have ssh access to the ASA you can run the command
On the ASA run "ssh scopy enable"
From your PC run pscp.exe asa931-smp-k8.bin username@100.100.100.100:asa931-smp-k8.bin

It's also possible to put the images on a FAT (MS-DOS) formatted USB drive, plug it into the ASA and copy from there.

Verify the IOS image
On the ASA run verify disk0:/asa825-k8.bin
Take a screen shot of output

Check and update boot settings

sh boot

BOOT variable = disk0:/asa861-2-smp-k8.bin
Current BOOT variable = disk0:/asa861-2-smp-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =

You can see what image is set to boot. You can copy this image off for safe keeping if you want

The following command will copy the new ASA image from flash to disk
boot system flash:/filename-of-new-ASA-image.bin
eg
boot system disk0:/asa914-smp-k8.bin
Remove old boot value
no boot system disk0:/asa910-smp-k8.bin

The following command will copy the new ASDM image from flash to disk
asdm image flash:/filename-of-new-ASDM-image.bin
eg
asdm image disk0:/asdm-731-101.bin

Save the config
wr mem

Reload the device to apply the new image
reload

You can watch the console for any error/warning messages. The ASA should boot up with the new image without issue. If there are issues you can roll back to the old image and call cisco support with your log files.

Don't forget to upload images to the secondary device and reload that too



The first thing we need to confirm is the model number and the software version currently running on the ASA. If it's 8.2 or lower that complicates things. A RAM upgrade might be required depending on the model. If it's 8.2 we will most likely have to re-write the config by hand, but it depends on what is configured. This is because Cisco made major changes to how NAT works on the ASA from 8.2 -> 8.3. See here. If the ASA is running 8.3 or later we should be good to go. Below is an outline of steps.

Preparation
Ensure we have support with Cisco and access to an account that can log a call if required. Record the serial number from the device.
Ask all users to log out of anyconnect before the maintenance window
Identify a system test plan. How do you use your ASA? Internet access, VPNs with third parties, remote access VPNs (anyconnect), web server NATs to public IPs etc.
Connect to the ASA via the console cable with putty logging enabled. Ensure console logging is enabled on the ASA.
Save the running config. Backup the running config, IOS/ASDM and anyconnect images.
Failover the ASA to ensure the secondary ASA is working as is and running the same software version as primary.
Download the latest IOS/ASDM and anyconnect images from Cisco and upload to both ASA’s primary and secondary.
Verify the IOS image.
Just before starting the upgrade, take a basic base line:
  • log your session
  • terminal pager 0
  • sh conn count
  • sh xlate count
  • sh vpn-sessiondb summary
  • sh crypto isakmp sa
  • sh ver
  • sh inv
  • sh interface ip br
  • sh run | i image
for use after the upgrade is complete. 
If you have a monitoring solution, check for any existing alerts. Take a screenshot of your dashboard for comparison after upgrade is complete.


Steps

Save the config.
Reload the ASA to apply the new image (your ASA will failover)
Watch the console output as it boots up and make a note of any errors.
Once the image is applied, make sure the updated ASA is active, failover to it.
Ensure everything is working as expected on the new software version. You will need to run your systems test plan here, internet access, VPNs, anyconnect etc.
Once confirmed apply the new image on the other ASA and reload that.
Failover and repeat tests to ensure both ASA are functioning as expected on the new software version.
Ensure you have saved the config “wr”.

Post upgrade tasks
Compare your base line, you will want to see active connections/xlates happening. The numbers won’t be as high outside business hours. We will want to see VPNs up. You might need to generate some traffic on the LAN to get VPNs to come up.
Check your monitoring and ensure everything is working as expected.
Check show ver for licenses applied
Check the anyconnect interface for cert applied
Optionally delete old image files from the ASA. There is usually plenty of space on them but for some older models it can be an issue.
Normally the new software will be consuming more RAM, your monitoring solution might report this. It can be ignored. The upgrade may also change some SNMP values so you might find some checks in your monitoring solution are no longer working and will need to be resolved.
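
An added example (not from the original post) of the baseline comparison described above: it splits two logged console sessions into per-command output and flags regressions for a subset of the baseline commands. The log text is constructed sample data, and the output formats assumed for sh conn count, sh xlate count, sh ver and sh interface ip br should be checked against what your own device prints.

```python
import re

PROMPT = re.compile(r"^[\w./-]+[#>]\s*(.*)$")  # "ciscoasa# " followed by the command typed

def split_commands(log_text):
    """Map each command in a logged session to the output lines that followed it."""
    blocks, current = {}, None
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = PROMPT.match(line)
        if m:
            current = " ".join(m.group(1).split())
            blocks[current] = []
        elif current:
            blocks[current].append(line)
    return blocks

def baseline(log_text):
    """Pull the comparable values out of one logged baseline session."""
    out = {cmd: "\n".join(lines) for cmd, lines in split_commands(log_text).items()}
    def first(cmd, pattern):
        m = re.search(pattern, out.get(cmd, ""))
        return m.group(1) if m else None
    return {
        "version": first("sh ver", r"Software Version (\S+)"),
        "conns": int(first("sh conn count", r"(\d+) in use") or 0),
        "xlates": int(first("sh xlate count", r"(\d+) in use") or 0),
        "up": set(re.findall(r"^(\S+)[ \t].*\bup[ \t]+up$",
                             out.get("sh interface ip br", ""), re.M)),
    }

def compare(before, after):
    """Return the differences that should hold up sign-off on the upgrade."""
    findings = []
    if after["version"] in (None, before["version"]):
        findings.append(f"still on {after['version']}: new image did not boot")
    for key in ("conns", "xlates"):
        if before[key] > 0 and after[key] == 0:
            findings.append(f"{key}: {before[key]} before, 0 after")
    findings += [f"{n}: up/up before, not after" for n in sorted(before["up"] - after["up"])]
    return findings

# Constructed sample sessions (not real device output); addresses are documentation ranges.
SAMPLE = """ciscoasa# sh conn count
{conns} in use, 4312 most used
ciscoasa# sh xlate count
{xlates} in use, 240 most used
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version {ver}
ciscoasa# sh interface ip br
GigabitEthernet0/0 203.0.113.2 YES CONFIG up up
GigabitEthernet0/1 10.0.0.1 YES CONFIG {inside}"""
BEFORE = SAMPLE.format(conns=1520, xlates=87, ver="9.8(4)", inside="up up")
AFTER = SAMPLE.format(conns=35, xlates=0, ver="9.12(3)12", inside="down down")
```

Feed it the text of the putty or minicom log from before and after the reload; an empty list from compare() means none of these checks regressed.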

Sample CLI
*** Before changes take screenshots
sh conn count
sh xlate count
sh crypto isakmp sa


*** Confirm secondary is standby ready
sh failover state

*** Fail over onto secondary
no failover active

*** Set the boot variable
sh boot
boot system disk0:/asa9-12-3-12-smp-k8.bin

*** Set the ASDM variable
sh run | i asdm image
asdm image disk0:/asdm-7122.bin

*** If upgrading anyconnect
Log off all anyconnect users (may need to disable anyconnect too)
vpn-sessiondb logoff anyconnect
webvpn
no enable OUTSIDE
no anyconnect enable
vpn-sessiondb logoff anyconnect

no anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
no anyconnect image disk0:/anyconnect-linux64-4.7.01076-webdeploy-k9.pkg 2
no anyconnect image disk0:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 3

sh vpn-sessiondb anyconnect

anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-linux64-4.9.04043-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.9.04043-webdeploy-k9.pkg 3

anyconnect enable

You can delete the old anyconnect file off the ASA if you get strange issues with sessions held open
show webvpn anyconnect

*** Save config and Reload the secondary
wr
reload

*** Wait 10 minutes

*** Check for the secondary to reboot
sh standby
Wait for it to show as standby ready

*** Fail back over to secondary (new software)
no failover active

*** basic tests
ping 8.8.8.8
sh dns (if any set up)
sh conn count
sh xlate count
sh crypto isakmp sa
anyconnect portal login and check version

*** Customer tests
If all is good, fail back to primary and complete the same steps to install the new software on primary
no failover active (check if boot var is set)
connect to vpn.domain.com etc check for any cert issues