Friday 9 September 2016

The last big jobs

I had two big jobs to do today, plus a visit to my eye doctor (everything is fine).

The first was this: I have a RAID of three 3TB drives on one of the servers. Silly, really, I know perfectly well that the Seagate 3TB drives were a disaster. But I'm such an optimist.

They haven't actually failed, but they've been moaning about lost interrupts and suchlike, so I decided to replace them with a pair of Seagate 4TB drives, which I've found to be pretty good. Loading the data onto those took a *long* time, even though they were partly loaded before I began. So I switched the load to a backup server, took the main server out of action, and the data update took five hours! And that's even using gigabit Ethernet (which has proved to be *such* a good idea).

Then off to have my eyes gazed at.

Then back to the other big job; one I've been worrying about for ages. Switching from the Pix 525 to the Pix 515. I'll explain why this was necessary.

The Pix 525 is big and lovely, and can handle 330 mbits of data. Best of all, the one I have has ASDM, which is a very user-friendly way of setting the configuration. The Pix 515 that I have doesn't have this.

The reason I'm using Pixes instead of the more modern ASA series is that even a mighty 525 can be had for £45 on eBay (the 515E is £25), whereas the ASA5505 handles less throughput than the 525 and is £160 on eBay. To get the performance of a 525, you'd need a 5510, costing £260 on eBay. So the 525 is the firewall of choice, with the 515E a good alternative.

So I did all the complicated setup work (which computer has what sort of access to where) using the ASDM on the 525. Then I saved it to a text file, and fed the text file into the 515, saving me a lot of hard work in composing that text file by hand. But why not just use the 525? Because the 525 that I have has a "failover" licence. It's supposed to be the secondary firewall of a pair, and if the primary fails, the secondary takes over. But Cisco don't want me to use the failover unit as a primary, so every 24 hours it reboots, and there's an interruption in service for a few minutes. Which is going to get annoying. So I'm using the 515E, which isn't as powerful, but can still push through 190 mbits, and since I only (only!) have a 100 mbit line, 190 is more than enough.

I thought it would just be a matter of moving the Ethernet cables from the 525 to the 515. But it's never that simple.

The first problem was that although the 515 knew that the lines were up, it said that they were "administratively down". I still don't know what that means, but the cure is:

interface ethernet0
no shutdown

The other problem I had (and I don't know if it really is a problem) is lots of messages saying "packet length 941 bytes exceeds configured limit of 512 bytes". DNS requests are supposed to be shorter than 512 bytes, but apparently, according to my logs, many aren't. You fix this with "fixup protocol dns maximum-length 768", which I also don't understand; it's just a magic spell.
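As an added example (not from the original post), here is a short Python script that reads those drop messages out of the firewall log and checks which of the observed DNS packet lengths a given maximum-length setting would let through, since a limit of 768 can still drop the larger replies that EDNS0 permits. The syslog prefix and message ID in the constructed sample lines are assumptions; only the "packet length ... exceeds configured limit" wording comes from the post.

```python
import re

# Keyed on the message text quoted in the post. The syslog prefix
# (timestamp, %PIX-4-410001, addresses) is assumed and may differ
# between PIX/ASA software versions.
DROP_RE = re.compile(
    r"packet length (?P<seen>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)

# Constructed sample log lines, not captured from the author's firewall.
SAMPLE_LOG = """\
Sep  9 18:02:11 pix %PIX-4-410001: Dropped UDP DNS reply from outside:198.51.100.5/53 to inside:192.0.2.10/51324; packet length 941 bytes exceeds configured limit of 512 bytes
Sep  9 18:02:13 pix %PIX-4-410001: Dropped UDP DNS reply from outside:198.51.100.5/53 to inside:192.0.2.10/51330; packet length 601 bytes exceeds configured limit of 512 bytes
Sep  9 18:02:15 pix %PIX-6-302015: Built outbound UDP connection 12345 for outside:198.51.100.5/53 to inside:192.0.2.10/51331
Sep  9 18:02:20 pix %PIX-4-410001: Dropped UDP DNS reply from outside:203.0.113.9/53 to inside:192.0.2.11/40011; packet length 1220 bytes exceeds configured limit of 512 bytes
"""


def dropped_dns_lengths(log_text):
    """Return the packet lengths reported in every DNS drop message, in log order."""
    return [int(m.group("seen")) for m in DROP_RE.finditer(log_text)]


def evaluate_limit(lengths, new_limit):
    """Split observed lengths into those a new maximum-length would pass and those it would still drop.

    Assumes the firewall drops only packets strictly larger than the limit,
    which matches the wording "exceeds configured limit".
    """
    passed = [n for n in lengths if n <= new_limit]
    still_dropped = [n for n in lengths if n > new_limit]
    return {
        "limit": new_limit,
        "passed": len(passed),
        "still_dropped": len(still_dropped),
        "largest_seen": max(lengths) if lengths else 0,
    }


if __name__ == "__main__":
    seen = dropped_dns_lengths(SAMPLE_LOG)
    # Compare the default, the post's setting, and the common EDNS0 buffer size.
    for limit in (512, 768, 4096):
        print(evaluate_limit(seen, limit))
```

Run it against a real log export to see whether 768 covers the replies the firewall is actually dropping, or whether a larger value is needed.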
