|
|
This document describes the procedure for downgrading from firmware version 3.1.0 to version 3.0.6 for Cisco 11000 Series Secure Content Accelerator. This document contains the following sections:
The following file is used to downgrade the firmware image. This file, located in the /306/fw directory, is used only for the purpose stated previously. This file is referred to as the "firmware image" throughout the remainder of this document.
When the firmware is downgraded, some configuration is lost. You can save the configuration, edit the file, and reload it following the downgrade procedure. Be aware that configurations for features not supported in 3.0.6 firmware cannot be used after the device has been downgraded. Additionally, keys might need to be loaded and any remote management shared-secret must be set before the saved configuration can be reloaded. Instructions are presented within each management session-specific section in this document. After the configuration file has been exported, use the steps presented immediately below to alter information that might cause device conflicts. Comment out a line by inserting "# " (POUND SIGN and SPACE) at the beginning of it.
 |
Note By commenting out lines instead of deleting them, you might be able to reuse the configuration file with another firmware version at a later date. |
1. Open the saved configuration file using any text editor.
2. Find the ### Password ### section. Comment out these lines if found:
sntp-server <IP address>
no sntp-server
3. Find the ### Telnet ### section. Comment out this line if found:
telnet port <portID>
4. Find the ### Web Management ### section. Comment out this line if found:
web-mgmt port <portID>
5. Find the ### SNMP Subsystem ### section. Comment out these lines if found:
snmp trap-type enterprise ssl-cert-expire
snmp trap-type enterprise ssl-cert-invalid
snmp trap-type enterprise ssl-certify-fail
snmp trap-type enterprise ssl-neg-failure
6. Find the ### SSL Subsystem ### section. Comment out the lines pertaining to any backend-server name and configuration and reverse-proxy-server name and configuration. For servers, comment out these lines if found:
session-cache size <cacheSize>
session-cache timeout <timeoutSecs>
session-cache enable
no clientauth enable
clientauth enable
certgroup clientauth
clientauth verifydepth <depth>
clientauth error cert-other-error fail
clientauth error cert-other-error failhtml
clientauth error cert-other-error ignore
clientauth error cert-other-error redirect <URL>
clientauth error cert-not-provided fail
clientauth error cert-not-provided failhtml
clientauth error cert-not-provided ignore
clientauth error cert-not-provided redirect <URL>
clientauth error cert-has-expired fail
clientauth error cert-has-expired failhtml
clientauth error cert-has-expired ignore
clientauth error cert-has-expired redirect <URL>
clientauth error cert-not-yet-valid fail
clientauth error cert-not-yet-valid failhtml
clientauth error cert-not-yet-valid ignore
clientauth error cert-not-yet-valid redirect <URL>
clientauth error cert-has-invalid-ca fail
clientauth error cert-has-invalid-ca failhtml
clientauth error cert-has-invalid-ca ignore
clientauth error cert-has-invalid-ca redirect <URL>
clientauth error cert-has-signature-failure fail
clientauth error cert-has-signature-failure failhtml
clientauth error cert-has-signature-failure ignore
clientauth error cert-has-signature-failure redirect <URL>
clientauth error cert-revoked fail
clientauth error cert-revoked failhtml
clientauth error cert-revoked ignore
clientauth error cert-revoked redirect <URL>
no httpheader client-cert
httpheader client-cert
no httpheader server-cert
httpheader server-cert
no httpheader session
httpheader session
no httpheader pre-filter
httpheader pre-filter
httpheader prefix <"prefix">
ephrsa
redirect
7. Replace any secpolicy noexport56 reference with a reference to another security policy.
8. Continue with the configuration restoration procedures within the session-specific section.
We recommend using the serial console for downgrading the Secure Content Accelerator. Follow these instructions for downgrading using a serial management session.
1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator. An FTP URL is preferable. An HTTP URL can only be used with a server that accepts PUT commands.
2. Connect to the Secure Content Accelerator via a serial management session at 9,600 baud.
3. If desired, save the running configuration for reloading following the downgrade using the copy running-configuration command. Enter the URL, including the protocol, for the configuration file when prompted. An FTP URL is preferable. An HTTP URL can only be used with a server that accept posts (PUT).
4. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.1.0".
5. Enter these commands to load the firmware image, where protocol is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.
enable
copy to flash protocol://serverip/path/css-sca-2fe-k9.v3.1.0-to-3.0.6.phr
reload
6. Wait for several minutes for the device to reload and reboot.
7. Change the terminal baud to 115,200, and reconnect to the Secure Content Accelerator.
8. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.0.6".
9. If you wish to reload the saved configuration, follow these steps:
a. Refer to the section "Maintaining Device Configuration" above for configuration file editing directions.
b. Enter the copy to startup-configuration command to reload the saved configuration. Enter the URL for the saved configuration file when prompted.
c. Reboot the device using the reload command.Wait for several minutes for the device to reload and reboot. Depending upon the content of the configuration, one or more syntax error messages might be displayed during the restore operation and can be ignored. After the Secure Content Accelerator has been rebooted, management port assignments changed by the configuration file become active.
10. Continue with configuration as desired.
Follow these instructions for downgrading using a telnet management session.
1. Copy the firmware image to an HTTP, FTP, or TFTP server on the same LAN as the Secure Content Accelerator.
2. Connect to the Secure Content Accelerator using the IP address previously assigned to it.
3. If desired, save the running configuration for reloading following the downgrade using the copy running-configuration command. Enter the URL, including the protocol, for the configuration file when prompted. An FTP URL is preferable. An HTTP URL can only be used with a server that accept posts (PUT).
4. Check the existing firmware version using the show device command. The returned text should contain "MaxOS 3.1.0".
5. Enter these commands to load the firmware image, where prot is HTTP, FTP, or TFTP; serverip is the IP address of the server; and path is the path to the firmware image file.
enable
copy to flash prot://serverip/path/css-sca-2fe-k9.v3.1.0-to-3.0.6.phr
reload
6. You will see a status message stating the connection to the device was lost. Wait for several minutes for the device to reload and reboot. The telnet connection to the device is lost.
7. Connect to the device via a serial management session at 115,200 baud.
8. Enter Privileged and Configuration modes, and assign an IP address to the device with these commands:
enable
configure
ip address <IPaddress>
9. Continue configuration using a serial management session, or reconnect to the device using telnet and the IP address assigned to it.
|
Note If the device had been set to one-port mode prior to the downgrade, you must reset the device to one-port mode using a serial configuration session prior to reconnecting with telnet. |
10. Check the firmware version by using the show device command. The returned text should contain "MaxOS 3.0.6'.
11. If you wish to reload the saved configuration, follow these steps:
a. Refer to section "Maintaining Device Configuration"above for configuration file editing directions.
b. Enter the copy to startup-configuration command to reload the saved configuration. Enter the URL for the saved configuration file when prompted.
c. Reboot the device using the reload command. Depending upon the content of the configuration, one or more syntax error messages might be displayed during the restore operation and can be ignored. After the Secure Content Accelerator has been rebooted, management port assignments changed by the configuration file become active. The telnet connection is closed, and you must reconnect to the device.
12. Continue with configuration using a serial management session or reconnect to the device using telnet.
Follow these instructions for downgrading using a remote CLI management session.
1. Copy the firmware image to the computer from which you configure the Secure Content Accelerator.
2. Open the existing configuration manager application (cscacfg) using the desktop shortcut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.
3. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.
4. The following commands assume only one device has been discovered by the configuration manager. If more than one Secure Content Accelerator is listed, use the on form of the command to specify the desired device.
|
Note You can set the on-prefix to direct commands to a single device. |
attach
enable
5. If only one Secure Content Accelerator is listed, use the show device command. If more than one device is listed, use the command on devname show device, where devname is the name of the device. The returned text should contain "MaxOS 3.1.0".
6. If desired, save the running configuration for reloading following the downgrade using the write file command. Enter the path and file name for the configuration file when prompted.
7. Enter these commands to load the firmware image, where path is the path to the firmware image file.
copy to flash path/css-sca-2fe-k9.v3.1.0-to-3.0.6.phr
reload
8. Quit the configuration manager. If you wish to continue with configuration via the remote configuration manager, you must remove the 3.1 version and install the 3.0.6 version as described in "Remote Configuration Manager Replacement" below. Make sure you downgrade all 3.1.0 devices before removing the 3.1 version of the configuration manager.
|
Note If the device had been set to one-port mode prior to the downgrade, you must reset the device to one-port mode using a serial configuration session prior to reconnecting with the remote configuration manager. |
9. To continue configuring the device with the 3.0.6 remote configuration manager, open the application (cscacfg) using the desktop short cut or the Start button (Windows) or entering cscacfg at a Unix or Linux prompt.
10. Display all Secure Content Accelerators found by the configuration manager by entering the show device list command. If the device is not listed, use the discover command.
11. Attach to the device and check the firmware version using the show device command. The returned text should contain "MaxOS version 3.0.6".
12. If you wish to reload the saved configuration, follow these steps:
a. Refer to the section "Maintaining Device Configuration" above for configuration file editing directions.
b. Reload the individual keys using the same name for the key entities as used prior to downgrade.
c. If a remote management shared-secret were set previously, reset it using a serial console management session at 115,200 baud.
d. With the remote configuration manager, enter the copy to running-configuration command to reload the saved configuration. Enter the URL for the saved configuration file when prompted. Depending upon the content of the configuration, one or more syntax error messages might be displayed during the restore operation.
e. Copy the reloaded configuration to the startup-configuration and reboot the device using these commands:
write flash
reload
|
Note Make sure you downgrade all 3.1.0 devices before removing the 3.1.0 version of the remote configuration manager. |
Use these instructions for installing the 3.0.6 remote configuration manager in Linux. Installing the 3.0.6 remote configuration manager will replace the 3.1.0 installation. If the 3.1.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.0.6 distribution directory has been downloaded onto the local file system. Enter the following commands at a Linux prompt:
mount -o map=off /mnt/cdrom
cd /mnt/cdrom/306/Linux/i386
./install_cscacfg
Use these instructions for removing the 3.1.0 remote configuration manager and installing the 3.0.6 remote configuration manager in Solaris. If the 3.1.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate path and file names if the 3.0.6 distribution directory has been downloaded onto the local file system.
1. Remove the previous installation with pkgrm.
2. Enter this command:
pkgadd -d /cdrom/cdrom0/306/Solaris/Sparc
3. When the package is presented for installation, press Enter to install it.
4. Type q after installation to exit.
Use these instructions for removing the 3.1.0 remote configuration manager and installing the 3.0.6 remote configuration manager in Windows NT or Windows 2000.
1. Remove the 3.1.0 Configuration manager using Add/Remove Programs in the Control Panel.When the Install Shield Wizard opens, select the Remove option button and click Next. Follow the screen prompts as they are displayed.
2. If the 3.1.0 distribution CD is not in the CD drive, insert it now. Alternatively, use the appropriate icon, path, and file names if the 3.0.6 distribution directory has been downloaded onto the local file system.
3. Double-click the CD icon.
4. Double-click the 306 icon.
5. Double-click the MSWin icon.
6. Double-click the WinNT icon (Windows NT) or Win2K icon. (Windows 2000).
7. Double-click the setup.exe application icon.
8. Follow the displayed Install Shield instructions.
Follow these instructions for downgrading using a GUI management session.
1. Open a Web browser and connect to the Secure Content Accelerator.
2. Ensure that the General>Status page is displayed.
3. The Release panel should contain "3.1.0.N", where N is any number.
4. If desired, save the running configuration for reloading following the downgrade using this procedure:
a. Click Tools to activate the Tools tabs.
b. Click the Preferences tab.
c. Right-click Download in the Running Configuration panel. Select either Save Target As... (Internet Explorer) or Save Link As... (Netscape) to save the configuration file.
5. Click Tools to activate the Tools tabs.
6. Click the Firmware tab.
7. Type the path and firmware image file name or URL in the Upload Firmware text box, or click Browse and navigate to and select the firmware image file from the local file system.
8. Click Upload to load the firmware image into the GUI.
9. Click Install Image next to the file information in the Installable Firmware Images panel.
10. After the new firmware has uploaded, click the Restart tab.
11. Click Reboot to reload the device. Wait several minutes for the device to reboot.
12. Connect to the device via a serial management session at 115,200 baud.
13. Enter Privileged and Configuration modes, and assign an IP address to the device with these commands:
enable
configure
ip address <IPaddress>
14. Continue configuration using a serial management session, or reconnect to the device using the GUI and the IP address assigned to it.
|
Note If the device had been set to one-port mode prior to the downgrade, you must reset the device to one-port mode using a serial configuration session prior to reconnecting with the GUI. |
15. Click General to activate the General tabs.
16. The Release panel should contain "3.0.6".
17. If you wish to reload the saved configuration, follow these steps:
a. Refer to the section "Maintaining Device Configuration" above for configuration file editing directions.
b. Click Tools to ensure the Tools tabs are active.
c. Click the Preferences tab.
d. Type the configuration file path and file name in the Configuration File Upload text box, or click Browse... to navigate to and select the file.
e. Click Upload to load the configuration file into the GUI.
f. Click Copy to Startup next to the appropriate entry in the Configuration Files Uploaded panel.
g. Click the Restart tab.
h. Click Reboot to reload the device. After the Secure Content Accelerator has been rebooted, management port assignments changed by the configuration file become active. The connection to the device is lost.
18. Continue with configuration as desired.
CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That's Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R)
Copyright © 2002, Cisco Systems, Inc.
All rights reserved.
Posted: Mon Aug 19 22:10:51 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.