w6hr

asked on

PIX Upgrade Errors

I have a Cisco PIX 515E which has been running well for months.  It has the two built-in interfaces (0 = outside; 1 = inside).  In anticipation of reconfiguring my network to add a DMZ, today I installed a third network interface (2 = dmz).  On reboot, the new network interface is recognized, however it shows up as IRQ 11 which is also used by the inside interface.  Is this a problem or is this normal?  Also, on reboot I get the following messages on the console which did not appear prior to adding the third interface.
"Cannot select private key."  
    and
"Cannot remove route entry because it does not exist."
Otherwise the PIX seems to work normally except that when I first boot the PIX and then attempt to access the PIX from an ssh session, I get:
"ssh_exchange_identification: Connection closed by remote host"
However, only if I start the PDM tool, ssh will once again work. Running PDM seems to generate a new key.
I have not yet done any work to configure the DMZ and currently the new (third) interface is shutdown.  So my questions are whether all of this is normal expected behavior after installing an extra interface, or have I introduced a problem by adding the new interface?  What are the boot messages telling me?  Did it matter which of the two available slots I installed the new interface card in?  Why do I have to start PDM in order to get ssh to work?
Les Moore

This does not sound like expected behavior. Where did you get the new NIC card? Is it the proper Cisco part number? With the 515E there should only be one slot available even though there are two physical slot covers. One slot is taken up by the vpn accelerator board.
w6hr

ASKER

I got the NIC card off of eBay.  I actually have 3 PIXs.  One is a 515E the other two are 515s.  Adding the NICs to the 515s (which have the Restricted license) seemed to work as expected.  My original questions all concerned the 515E (which has the Unrestricted license and is my main production firewall).  I suspect the NICs may not be original Cisco manufacture but will need to pull the units and check.

My 515E does not have a VPN accelerator card installed so both slots were open.  I installed the NICs in the bottom slots in all 3 PIXs.  
w6hr

ASKER

Just to clarify, I got 3 NICs off of eBay at the same time and installed one in my 515E and one in each of my two 515s.  Also do you know the Cisco part number I could look for when I pull the unit out of service and look at the NICs?
This document shows how to identify the PIX-1FE card that you have
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a0080094509.shtml

Notice there were some issues with some models of this card.
w6hr

ASKER

Thanks, I checked and all three of the network interfaces are type i82559.  That means the two built-in interfaces and the new Ethernet card I installed are all the same hardware type.
Did you resolve this on your own? What was your solution?
ASKER CERTIFIED SOLUTION
w6hr

So, your PIX now has a "personality" but it works just fine. I could live with it, too, for a good while.
w6hr

ASKER

Well put!!
Closed, 500 points refunded.
modus_operandi
EE Moderator