FWSM: tftp-problem

Hi

We update fwsm acl's by editing textfiles (partially automatically) (with 'clear configure access-list' at the top and 'access-list commit' at the bottom) and then ssh to the fwsm and tftp the ACL's.

However, scripting this process with expect has caused the active fwsm to partially freeze on the management access (normal traffic ok) ("Configuration update in progress by another process....") with no recovery except forced failover and reload. The problem has not occurred when doing it manually: copy tftp run, tftp-server, filename, wr

...which is what the expect script also does... only quicker, of course, which may be the problem.

The problem does not occur every time and seems (but not always) to be worst if the ACLs are 200kb+. The ssh tftp session is scripted with perl-expect ver. 1.15-5 on a debian etch with a standard openssh. The FWSMs are running ver. 3.1.12 - older versions cause other management problems, and since this is a production setup we try to avoid using the newest available OSes unless we know there is a fix for this problem. There are about 25k lines of ACL and 300 servers directly connected behind the firewall.

Has anyone seen anything similar? Any ideas for a workaround? And what is best practice for acl updates (~55 same security level interfaces in single mode)? No one has been able to tell us a way to do this in ADSM/security manager.

Thanks, Tommy, Denmark
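A pre-push sanity check for the ACL text file described in the post, added here as an example and not part of the original post or any vendor tool. It assumes only the file convention the post states ('clear configure access-list' as the first command, 'access-list commit' as the last, access-list statements in between) and treats the 200 KB figure from the post as a reporting threshold, not a documented FWSM limit. The sample file at the bottom is constructed for illustration. Running this before the expect script fires the TFTP copy catches a file that was partially generated or missing its commit line, which is a cheaper failure than a management plane that needs a forced failover.

```python
"""Sanity-check an FWSM ACL update file before it is pushed over TFTP.

Added example, not from the original post. Assumptions: the file follows
the convention in the post (clear configure access-list ... access-list
commit), and SIZE_WARN_BYTES reflects the rough size at which the post
reports trouble; it is a heuristic for reporting, not a device limit.
"""

SIZE_WARN_BYTES = 200 * 1024  # ~200 KB, taken from the post; heuristic only


def _commands(text):
    """Yield (line_no, command) pairs, skipping blank lines and '!' comments."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("!"):
            yield n, line


def check_acl_update(text):
    """Return a list of problems found; an empty list means the file looks sane."""
    cmds = list(_commands(text))
    if not cmds:
        return ["file contains no commands"]

    issues = []
    first_no, first = cmds[0]
    last_no, last = cmds[-1]
    if first != "clear configure access-list":
        issues.append(f"line {first_no}: first command must be "
                      f"'clear configure access-list', got {first!r}")
    if last != "access-list commit":
        issues.append(f"line {last_no}: last command must be "
                      f"'access-list commit', got {last!r}")

    # Everything between the clear and the commit must be an access-list
    # statement; duplicates are harmless on the box but hint at a generator bug.
    seen = set()
    for n, cmd in cmds[1:-1]:
        if not cmd.startswith("access-list "):
            issues.append(f"line {n}: not an access-list statement: {cmd!r}")
        elif cmd in seen:
            issues.append(f"line {n}: duplicate entry: {cmd!r}")
        seen.add(cmd)

    size = len(text.encode("utf-8"))
    if size > SIZE_WARN_BYTES:
        issues.append(f"file is {size} bytes, above the {SIZE_WARN_BYTES}-byte "
                      f"size at which the post reports trouble")
    return issues


def acl_stats(text):
    """Command count, access-list entry count and byte size, for the change log."""
    cmds = list(_commands(text))
    entries = [c for _, c in cmds
               if c.startswith("access-list ") and c != "access-list commit"]
    return {"commands": len(cmds), "entries": len(entries),
            "bytes": len(text.encode("utf-8"))}


# Constructed sample file, in the layout the post describes.
SAMPLE_OK = (
    "clear configure access-list\n"
    "! generated by the acl build script (constructed sample)\n"
    "access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq 443\n"
    "access-list inside extended deny ip any any\n"
    "access-list commit\n"
)

# Same file with the commit line lost, as a truncated generator run would leave it.
SAMPLE_TRUNCATED = SAMPLE_OK.rsplit("access-list commit\n", 1)[0]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED)):
        print(name, acl_stats(sample))
        for issue in check_acl_update(sample):
            print("  -", issue)
```

The check runs against the generated text before any SSH or TFTP step, so a failed check simply aborts the push; the generator's output and the checker's findings are what get recorded in the change ticket.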
