Has anyone running a GSM or FSM series L3 managed switch tried firmware 7.3.1.7?I'm really curious about stability of this new release. 7.1.1.7 and 7.2.1.6 were not very stable (IP routing, VLAN, spanning tree). We had first hand experience with 7.1.1.7 and others reported bad experiences with 7.2.1.6.We're currently running 6.2.0.14 for stability reasons, but I wish we could make use of some of the new features found in the 7.x.x.x releases such as MAC based VLANs and LAG hash algorithm selection.None of the release notes mention fixes related to IP routing, VLAN, or spanning tree stability problems, though, so I'm hesitant to actually use that version in production.If I absolutely have to, I can break our stack apart to get a switch for testing because one of our GSM7352S doesn't have many ports in use and they can be moved to a different switch temporarily. It's a bit of a hassle after that, though, because you then have a switch that's not the same as the others and various split stack configuration issues.

We did go ahead and split our stack and did a test install of 7.3.1.7. All seems ok at first glance except for one thing.The config directive 'ip http secure-server' seems to be no longer implemented. All config directives beginning with 'ip http' seem to be missing. The manual for this version of firmware indicates I should be able to use that config directive.That section of the manual states that the web server is on by default. Well, the insecure port 80 server is indeed running and works, but the port 443 (SSL) server is disabled upon upgrade.When I find a way to re-enable the SSL web GUI, I'll report back.

Well, I don't know why SSL was disabled on upgrade, but I did figure out how to get it enabled again.Apparently 'ip http secure-server' is a global mode command that isn't entered in config mode. In other words, you don't have to type 'conf t' before entering it. Go figure.I'm hoping to get some time Sunday to put this through its paces.

Well, I didn't have a chance to put it through its paces yet, but I thought I'd report my experiences so far.The switch is linked back to the rest of our network with a single 1Gbps link. It is otherwise disconnected from the stack. It has no hosts or other ports in use for anything. It has its own IP address, different than the stack it was separated from. All IP addresses on the switch were removed or changed after disconnecting from the stack and before reconnecting it to the rest of the network.It is running MSTP, a routed VLAN, and several unused layer 2 VLANs.It reloaded yesterday without any apparent reason. Nothing was logged. Not a good sign. That's one of the problems we'd had with previous 7.x.x.x firmwares.I'm going to try increasing the logging level to see if I can catch why it reloads if it reloads again.

It reloaded again a couple of days ago.I suspect that someone is trying various ssh vulnerability attacks against the switch and one of those causes a reload.I'm going to investigate the possibility of using an ACL to block all access to the switch from all locations accept our management workstations. Of course, I'll be watching for the absence of future reloads. It's hard to definitively determine the absence of something.With prior 7.x.x.x versions, I couldn't get ACLs to do that, but maybe this version will or I'll discover what I missed before ;) .

I got ACLs working to restrict access to the switch IP. I applied:conf taccess-list 110 permit ip 0.0.0.0 0.0.0.0access-list 110 permit ip 0.0.0.0 0.0.0.0access-list 110 deny ip any 0.0.0.0access-list 110 permit everyaccess-list 110 deny everyip access-group 110 inexitsaveWe'll see if the reloads go away. If so, something at the IP layer on the network was tickling the switch into reloading. If not, then it might be something at layer 2 or a cause internal to the switch.

Firmware 7.3.1.7 | NETGEAR Communities

25 Replies

advantagecom
Novice
Jul 13, 2010
We left our test switch with v8.0.1.2 exposed to the Internet for about 45 days. We never experienced any reloads or hangs. Given that we have about 6000 *new* malicious IP addresses attack or probe our network every day and there are thousands of attacks across our network every hour, I'd say that's a good result.

Our test switch is no longer connected to the Internet because we're using it in some internal server testing, but we're happy enough with the results that we will likely push this firmware out to production in the near future.

alex74

Aspirant

Jul 14, 2010

advantagecom wrote:
We left our test switch with v8.0.1.2 exposed to the Internet for about 45 days. We never experienced any reloads or hangs. Given that we have about 6000 *new* malicious IP addresses attack or probe our network every day and there are thousands of attacks across our network every hour, I'd say that's a good result.

Our test switch is no longer connected to the Internet because we're using it in some internal server testing, but we're happy enough with the results that we will likely push this firmware out to production in the near future.

advantagecom wrote:
We left our test switch with v8.0.1.2 exposed to the Internet for about 45 days. We never experienced any reloads or hangs. Given that we have about 6000 new malicious IP addresses attack or probe our network every day and there are thousands of attacks across our network every hour, I'd say that's a good result. Our test switch is no longer connected to the Internet because we're using it in some internal server testing, but we're happy enough with the results that we will likely push this firmware out to production in the near future.

Hi,

Is it worth upgrading to 8.* version from 7.1.1.7 ? Is it much more stable than 7.1 ?

Thanks,

advantagecom
Novice
Jul 14, 2010
alex74 wrote:
Hi,

Is it worth upgrading to 8.* version from 7.1.1.7 ? Is it much more stable than 7.1 ?

Thanks,

In our experience, the entire 7.x.x.x line of firmwares is buggy and unstable. 7.1.1.7 is even worse than 7.3.1.7. We had massive problems with STP and L3 routing with the 7.x.x.x firmwares. Furthermore, the 7.x.x.x firmwares are vulnerable to multiple remote DOS attacks that leave you with a hard-locked switch that requires a power cycle to get it going again.

Yes, it is definitely worth the upgrade. Just make sure you follow the instructions Netgear supplies.

alex74 wrote:
Hi, Is it worth upgrading to 8.* version from 7.1.1.7 ? Is it much more stable than 7.1 ? Thanks,

alex74

Aspirant

Jul 15, 2010

advantagecom wrote:
In our experience, the entire 7.x.x.x line of firmwares is buggy and unstable. 7.1.1.7 is even worse than 7.3.1.7. We had massive problems with STP and L3 routing with the 7.x.x.x firmwares. Furthermore, the 7.x.x.x firmwares are vulnerable to multiple remote DOS attacks that leave you with a hard-locked switch that requires a power cycle to get it going again.

Yes, it is definitely worth the upgrade. Just make sure you follow the instructions Netgear supplies.

advantagecom wrote:
In our experience, the entire 7.x.x.x line of firmwares is buggy and unstable. 7.1.1.7 is even worse than 7.3.1.7. We had massive problems with STP and L3 routing with the 7.x.x.x firmwares. Furthermore, the 7.x.x.x firmwares are vulnerable to multiple remote DOS attacks that leave you with a hard-locked switch that requires a power cycle to get it going again. Yes, it is definitely worth the upgrade. Just make sure you follow the instructions Netgear supplies.

Upgraded to 8.*, had a big issue with switches as they didn't take older config and decided to go into infinite rebooting loop. I manually removed config - that worked so I just copy-pasted everything back in and that was it... There was no problem upgrading switch from 7.1->7.2->7.3 though.

vsu
Tutor
Mar 13, 2012
Just a note which might be useful for FSM73xx switch users who are stuck with the 7.3.1.7 firmware (because there was no 8.x version released for these models, and now they are EOL).

Any attempt to connect to the switch using recent OpenSSH versions will crash and reboot the switch (this happens before the authentication, when the SSH2_MSG_KEXDH_INIT message is sent). The workaround which will allow SSH management connection is to put this in ~/.ssh/config:
Host
HostKeyAlgorithms ssh-rsa,ssh-dss

The default HostKeyAlgorithms value is now a long string which probably overflows some buffer in the “FreSSH.0.8” server implementation used on this switch.

Forum Discussion

Firmware 7.3.1.7

25 Replies

Related Content

New - RS700S Firmware Version 1.0.9.16 Released

Rbr50 firmware

New - RBE970 / RBE971 Firmware Version 9.13.2.1 Released

New - RS700 Firmware Version 1.0.10.8 Released

New - RBE770 / RBE771 Firmware Version 10.5.20.7 Released

NETGEAR Academy

ProSupport for Business