We update FWSM ACLs by editing text files (partially automatically)
(with 'clear configure access-list <>' at the top and 'access-list
commit' at the bottom) and then ssh-ing to the FWSM and tftp'ing the ACLs.
However, scripting this process with expect has caused the active FWSM
to partially freeze on the management access (normal traffic OK)
(Configuration update in progress by another process....) with no
recovery except forced failover and reload. The problem has not occurred
when doing it manually:
copy tftp run
....which is what the expect-script also does...only quicker of course,
which may be the problem.
The problem does not occur every time and seems (but not always) to be
worst if the ACLs are 200 KB+. The ssh tftp session is scripted with
perl-expect ver. 1.15-5 on a Debian etch with a standard OpenSSH. The
FWSMs are running ver. 3.1.12 - older versions cause other management
problems, and since this is a production setup we try to avoid using
the newest available OSes unless we know there is a fix for this
problem. There are about 25k lines of ACL and 300 servers directly
connected behind the firewall.
Has anyone seen anything similar? Any ideas for a workaround? And what
is best practice for ACL updates (~55 same-security-level interfaces
in single mode)? No one has been able to tell us a way to do this in