CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I'm currently running Nokia IPSO 3.9 on 2 firewalls using VRRP and R55. Management is SPLAT, also on R55. We have decided to make the move to NGX, so I attempted the management upgrade first (using new hardware). Basically this is what I did: Upgrade_Export the original box. Build the new box from scratch to R55 with the same hostname and IP address and apply the same HFA as the original. Upgrade_Import my exported config. Connect to the new box and everything worked great. On the new box do a patch add cd using the original R62 disc, and everything completed successfully. Attach NGX licences using SmartUpdate. Connect to Dashboard and push policy. This is where I had my 2 problems:

1) Nothing was being logged.
2) None of my site-to-site VPNs would connect (a mixture of Edge devices and Cisco interoperable devices).

I have been through every SK for the logging issue I could find. I have even re-established SIC. Just wondered if I'm missing something here. Any help or ideas would be most welcome! TIA
Well, the first step would be to try to identify why the log functionality isn't working. Can you verify that logs are being sent to the management server with fw monitor or tcpdump? If the logs are being received but not recorded, then there could be issues with files (or directories) in $FWDIR/log. Did you do any of the procedures in the SKs that referred to cleaning out that directory?

If the logs are not being sent: Does the new management server use the same IP as the old server? If it's not using the same IP, have you tried updating each object's log master and log server? If it's using the same IP, are you able to route to it from other hosts, and do the switch's ARP tables only have the "new" MAC address? Can you give the output of this SPLAT command on the management server: "fw unloadlocal"?
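As an added example (not part of this thread), a small Python helper that classifies `tcpdump -nn` output captured on the management server by the state of each gateway's TCP/257 (FW1_log) connection and maps the result onto the checks suggested above; the addresses and capture lines are constructed, and the line layout assumed is tcpdump's default `-nn` format.

```python
"""Classify TCP/257 (FW1_log) traffic captured on the management server with
`tcpdump -nn`: separates 'gateway cannot reach the server' from 'logs arrive'."""
import re

# Simplified `tcpdump -nn` line: "HH:MM:SS.ffffff IP src.port > dst.port: Flags [X], ..."
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
FW1_LOG_PORT = 257  # Check Point log-forwarding port (FW1_log)

# Where to look next for each outcome, following the order suggested in the answer.
NEXT_STEP = {
    "syn-unanswered": "SYN but no SYN/ACK: check routing/ARP for the reused IP, implied rules, fwd listening",
    "handshake-only": "accepted but no log data pushed: check the gateway object's log master / log server",
    "established": "log data reaches the server: check $FWDIR/log files and directories on the SmartCenter",
}

def classify_log_traffic(capture: str, mgmt_ip: str) -> dict:
    """Return {gateway_ip: status} for each gateway seen talking to mgmt_ip:257;
    a gateway absent from the result is not sending logs at all."""
    syn, synack, data = set(), set(), set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == mgmt_ip and int(dport) == FW1_LOG_PORT:
            if flags == "S":
                syn.add(src)       # gateway opening a log connection
            elif "P" in flags:
                data.add(src)      # gateway pushing log records
        elif src == mgmt_ip and int(sport) == FW1_LOG_PORT and flags == "S.":
            synack.add(dst)        # management answered the handshake
    result = {}
    for gw in syn | synack | data:
        if gw in data:
            result[gw] = "established"
        elif gw in synack:
            result[gw] = "handshake-only"
        else:
            result[gw] = "syn-unanswered"
    return result

# Constructed sample (RFC 5737 addresses): 192.0.2.5 is the new management
# server; 192.0.2.11's SYN goes unanswered, 192.0.2.12 connects and pushes data.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 192.0.2.11.40001 > 192.0.2.5.257: Flags [S], seq 1, length 0
10:00:02.000001 IP 192.0.2.12.40002 > 192.0.2.5.257: Flags [S], seq 7, length 0
10:00:02.000002 IP 192.0.2.5.257 > 192.0.2.12.40002: Flags [S.], seq 9, ack 8, length 0
10:00:02.000003 IP 192.0.2.12.40002 > 192.0.2.5.257: Flags [P.], seq 8:300, ack 10, length 292
"""
```

Run `tcpdump -nn port 257` on the management server, feed the text to `classify_log_traffic`, and look up each status in `NEXT_STEP`.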
Thanks for the reply. I did clean out the /log directory as the SK suggested, but it didn't work. I will attempt your questions this coming weekend, as I have to do any work out of business hours. One thing I did try was a telnet on port 257 from the firewall to the management and I was getting no response. I understood this should have been opened by implied rules? Anyway, I added the rule manually but still no response. The IP address is exactly the same, but obviously the MAC address will be different. Could that really be an issue?
I was more concerned for the short term, as I've seen Cisco retain MAC ARP data for longer than necessary. I don't think it's an issue if the old server is no longer running, especially if you can route to the new server from internal / connect with SmartCenter etc.