FWSM 4.1

jack samuel

Hello,

I have got a replacement for my faulty FWSM. Does anybody know which IOS the newly shipped FWSM contains by default? And do we require a license (activation key) to upgrade from 3.2 to 4.1, or will the existing activation of 3.2 work for 4.1?

FWSM# sh version
FWSM Firewall Version 3.2(5)
Device Manager Version 5.2(1)F
FWSM up 1 days 0 hours
failover cluster up 1 days 0 hours
Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash STI Flash 8.0.0 @ 0xc321, 20MB
0: Int: Not licensed        : irq 5
1: Int: Not licensed        : irq 7
2: Int: Not licensed        : irq 11
The Running Activation Key is not set, using default settings:
Licensed features for this platform:
Maximum Interfaces          : 256
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Cut-through Proxy           : Enabled
Guards                      : Enabled
URL Filtering               : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
BGP Stub                    : Disabled
VPN Peers                   : Unlimited
Serial Number:
Running Activation Key:

Thanks

jack samuel

Hello Experts,

Can anybody shed some light on the query above?

Hello Jack,

I have got a replacement for my faulty FWSM. Does anybody know which IOS the newly shipped FWSM contains by default?

There is no default in this scenario. In your case the IOS version you got is 3.2(5), as you can see in the show version.

And do we require a license (activation key) to upgrade from 3.2 to 4.1?

Nope. Please read the following link; it will help you with this query:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html#wp215348

And for your information:

Note: If you do not have an activation key entered (0x000) before upgrading, then when you enter the show version command after upgrading, you see the following message:

The running activation key is not valid

This cosmetic issue can be ignored; the FWSM is not affected.

Regards,

Do rate helpful posts!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your reply, Julio.

  • The show version I posted before is for the existing active (live) FWSM. The RMA part is still in the box, so only once I insert it in the chassis will I come to know which IOS it has.
  • At present the Running Activation Key is 0x00000000, which means it doesn't have any activation key and is using the default key it came with from the factory. At present this pair is working in Active/Standby with the above key.
  • Are there any major command changes I should be cautious of before upgrading, as my FWSM is running without multiple contexts?
  • The release notes don't provide a clear view of the license (activation key), i.e. that we can upgrade from 3.2 to 4.1 without fear. Below are the only lines seen in the release notes.

The FWSM supports the following licensed features:

  • Multiple security contexts. The FWSM supports two virtual contexts plus one admin context for a total of three security contexts without a license. For more than three contexts, obtain one of the following licenses: 20, 50, 100, 250.
  • BGP stub support.
  • GTP/GPRS support.

Thanks, please reply.

Hello Jack,

That is correct, you will need to get into the CLI to get the IOS version with the show version command.

Now regarding the license, you need to have the same license on both devices in order for failover to work:

The two units in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process. For example, you can upgrade one unit from Version 3.1(1) to Version 3.1(2) and have failover remain active. Cisco recommends to upgrade both units to the same version to ensure long-term compatibility.

You might receive this syslog because of an incompatible license:

FWSM-1-105045: (Primary) Mate license (number contexts) is not compatible 
with my license (number contexts).
FWSM-1-105001: (Primary) Disabling failover.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
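
A pre-insertion check for the failover requirements described in the reply above, as an added example that is not part of the original thread: it parses `show version` text from both units and reports a major/minor version mismatch or differing licensed features. The function names and sample outputs are constructed, and treating Security Contexts, GTP/GPRS and BGP Stub as the fields that make up the license is an assumption based on the release-note excerpt quoted earlier.

```python
import re

VERSION_RE = re.compile(r"FWSM Firewall Version (\d+)\.(\d+)\((\d+)\)")
# Licensed features named in the release-note excerpt quoted in this thread
# (assumed here to be the fields that must match between failover peers).
LICENSED = ("Security Contexts", "GTP/GPRS", "BGP Stub")

def parse_show_version(text):
    """Extract the software version and licensed-feature values from show version text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'FWSM Firewall Version' line found")
    features = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in LICENSED:
            features[key.strip()] = value.strip()
    return {"version": tuple(map(int, m.groups())), "features": features}

def failover_precheck(unit_a, unit_b):
    """Return a list of mismatches that would keep the two units from pairing."""
    a, b = parse_show_version(unit_a), parse_show_version(unit_b)
    problems = []
    # Major and minor must match; a differing maintenance number is tolerated.
    if a["version"][:2] != b["version"][:2]:
        problems.append("version: %d.%d vs %d.%d" % (a["version"][:2] + b["version"][:2]))
    for feat in LICENSED:
        va, vb = a["features"].get(feat), b["features"].get(feat)
        if va is None or vb is None:
            problems.append("license: %s not found in output" % feat)
        elif va != vb:
            problems.append("license: %s %s vs %s" % (feat, va, vb))
    return problems

# Constructed sample outputs (not captured from real devices).
ACTIVE_UNIT = """FWSM Firewall Version 3.2(5)
Failover                    : Active/Active
Security Contexts           : 20
GTP/GPRS                    : Disabled
BGP Stub                    : Disabled
"""
RMA_UNIT = """FWSM Firewall Version 3.1(2)
Failover                    : Active/Active
Security Contexts           : 2
GTP/GPRS                    : Disabled
BGP Stub                    : Disabled
"""

if __name__ == "__main__":
    for problem in failover_precheck(ACTIVE_UNIT, RMA_UNIT):
        print("MISMATCH", problem)
```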

Dear Julio,

  • My main concern is: if I am upgrading to 4.1, will it require a new activation key, or will the old activation key work? There is no information in the release notes about this.
  • Are there any major command changes in 4.1 that I should be cautious of before upgrading, as my FWSM is running without multiple contexts?

Hello Jack,

You do not need the activation key to do the upgrade; you need the activation key for failover to work.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Julio,

I am still in doubt; it is not clear to me, Julio.

  • My FWSMs on 3.2 are already in failover, so if I upgrade to 4.1, will I again require an upgrade license?
  • How is the current failover working with default settings? You can see the show version above.

Thanks

Hello Jack,

lol I think we are not communicating properly!

Here is the thing: you do not need an activation key to run an upgrade on the FWSM.

Now you have a failover cluster on your network and you want to introduce this new FWSM into that cluster. For that to work you will need to have the same license as before, so you DO need to upgrade the license to make it work.

Without it you will have a license mismatch and failover will not work.

Hope this time this can help!

Regards,

Do rate all the helpful posts!!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Yes, we are not communicating properly.

Here is the thing, you do not need an activation key to run an upgrade on the FWSM???

This means that after upgrading from 3.2 to 4.1 you don't have to get a new activation key for failover to work? The existing activation key of 3.2 will work?

Thanks

Hello jack,

That is correct. If you have an activation key installed on your device and you do an upgrade, the activation key will remain activated. It will not disappear.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Julio,

The conclusion I have reached is:

  • The new FWSM which came from RMA has to be upgraded to match the IOS of the secondary active FWSM for failover.

  • I have to ask Cisco for the activation key for the new FWSM to work in failover with the existing secondary.

  • Once the two versions are the same and both FWSMs are in active/standby, I can move on to upgrading to 4.1. After upgrading to 4.1 I do not need an activation key again, as the same key will work for 4.1.

Thanks Julio

Hello guys,

Does somebody know how I can read the compact flash partitions (cf:4 and cf:5) of the Firewall Service Module? I would like to check the content of the compact flash partitions before making the upgrade to a new release.

Thanks!

Hello Jack,

Yep, finally we are on the same page lol

That is all you need!

Please mark the question as answered so future users can learn from here.

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Julio,

Thanks for your help and for being patient in explaining this to me. I have given you a rating on each reply.
