| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi all,

I've come across a strange install problem whereby I'm unable to get an ipso.tgz file onto a Nokia IP1260 firewall to build it. Hopefully somebody will have seen this before.

I’ve been trying to install IPSO 3.7 on a Nokia IP1260 that is currently running IPSO 3.8. The IP1260 currently has IPSO 3.8.x loaded (I believe, as I don’t have the password and cannot log into it). This is now a lab firewall and needs to be rebuilt with IPSO 3.7.

I’ve set up an FTP server and loaded ipso.tgz into the root of the FTP server. I’ve broken into the boot manager and initiated an FTP download of the IPSO image from the FTP server (using the “install” menu selection). The firewall connects to the FTP server and issues the port and nlst commands successfully. The FTP server attempts to connect to the firewall on a port >1023 and eventually times out with a connection socket error 10060. A network trace shows the FTP server initiating a data connection to the requested port with the SYN flag set. No return is forthcoming from the Nokia.

I’ve tried differing FTP servers (3Com doesn’t work as it doesn’t support the nlst command) and am currently using the Fastream http/ftp server, and this is configured for active FTP sessions (not passive). I know that this server works with Nokias as I used it to install a previous IP1260. I’m also using a switch to connect the Nokia and FTP server as I believe there is a known issue with cross-over cables and Nokia firewalls.

I’ve also tried various combinations of Anonymous and User account FTP connection, different cables, and different duplex/speed settings, both hardwired and auto-detect on the FTP server. All variations have resulted in the same error. I suspect it could be a BootManager issue as I’m all out of other options at this time. I can’t check the version number on a previous successfully built firewall as it’s now operational.

The only thing I haven't tried is setting the FTP server for passive operation; however, this was not done previously and I successfully built another 1260 using a similar process.

Any help would be most useful.

Thanks |
| |||
| Hi,

I think I may have solved this. The Nokia is using a broadcast MAC address as its source for FTP packets. The FTP server is trying to send an active FTP data connection to the firewall with a MAC broadcast as the destination MAC. This is apparently down to the revision of the BootManager, whereby it’s unable to determine the correct MAC address for its local interface.

Please find the fix below.

Enter the boot manager.
Boot the debug kernel:

    BOOTMGR[1]> boot kernel.debug

Log on to unit.

    # Checking the revision number
    Nokia[admin]# ipsctl hw:eeprom:revision
    hw:eeprom:revision = 6

    # Change the Revision
    Nokia[admin]# ipsctl -w hw:eeprom:revision 5

Description

Customers have reported seeing this problem on newer Nokia IP12XX platforms after performing a Nokia IPSO downgrade. Customers who previously ran the same version of Nokia IPSO on other IP12XX units are finding they cannot do so with the newer units.

Note: This will also cause telnet and ssh inaccessibility so if downgrade was done through these protocols, customer may lose access to the unit.

Resolution

Nokia recently changed the EEPROM Revision on the IP12XX platform from Revision 5 to Revision 6. Support for this Revision can only be found in the following Nokia IPSO releases:

- 3.8 from the release date
- 3.7.1 Build016 and above
- 3.7 Build043 and above
- 3.7.89 Build008 and above

Customers with the newer units will either have to migrate to the newer builds / versions or change the EEPROM Revision on their units.

The change in EEPROM Revision was necessary to support DC power supplies beginning in Nokia IPSO 3.8. Support for Revision 6 was made available in older versions, but only starting in the builds noted above.

The EEPROM is used mostly in manufacturing to store information about the system. Some of the stored variables are used by Nokia IPSO for identification purposes. A change in the variable count or information requires a Revision change. |
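A diagnostic sketch for the symptom described in this thread, added here as an example and not part of the original posts: it decodes an active-mode FTP `PORT` argument to the address the server will dial back, and flags captured Ethernet frames whose source MAC is broadcast or multicast. The frames, MAC addresses and function names are constructed for illustration.

```python
BROADCAST = b"\xff" * 6

def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port) for the data connection."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify_source_mac(frame):
    """Classify the source address of a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12]
    if src == BROADCAST:
        return "broadcast"
    if src[0] & 0x01:          # group (I/G) bit set: never valid as a source
        return "multicast"
    return "unicast"

def audit(frames):
    """Return (index, source MAC, verdict) for every frame with a non-unicast source."""
    findings = []
    for i, frame in enumerate(frames):
        verdict = classify_source_mac(frame)
        if verdict != "unicast":
            findings.append((i, fmt_mac(frame[6:12]), verdict))
    return findings

def _frame(dst, src, payload=b"\x00" * 46):
    """Build a constructed IPv4 Ethernet II frame (header + padding only)."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return to_bytes(dst) + to_bytes(src) + b"\x08\x00" + payload

# Constructed capture: frame 0 is the client sending from a broadcast source,
# frame 1 is an ordinary reply from the FTP server.
SAMPLE_FRAMES = [
    _frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
    _frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    print(parse_port_command("PORT 192,168,1,10,4,1"))
    for finding in audit(SAMPLE_FRAMES):
        print("suspect frame:", finding)
```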