PIX/ASA Failover conditions

I have an ASA cluster in active/standby mode with a LAN cable connected for stateful failover. I want to know about the conditions under which the box fails over to the other. One parameter should be the hello timers going between the failover interfaces.
Does this failover happen when the inside or outside interface of the primary asa goes down.

What type of Firewall is it? What version.
For PIX 7.2 for example I would look at the configuration guide
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html
In particular look at the section entitled "Failover Actions" for active/standby. There is a nice table of failover conditions there.
Similar for other PIX/FWSM/ASA.

Similar Messages

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end-of-sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • Using ACS with PIX/ASA

    Hi there,
    We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
    We have successfully deployed this on our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stumbled across issues.
    Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
    aaa-server XXXXX protocol tacacs+
    accounting-mode simultaneous
    reactivation-mode depletion deadtime 1
    max-failed-attempts 1
    aaa-server XXXXX inside host <SERVER>
    key <SECRET>
    timeout 5
    aaa authentication telnet console XXXXX LOCAL
    aaa authentication enable console XXXXX LOCAL
    aaa authentication ssh console XXXXX LOCAL
    aaa authentication http console XXXXX LOCAL
    aaa authentication serial console XXXXX LOCAL
    aaa accounting command XXXXX
    aaa accounting telnet console XXXXX
    aaa accounting ssh console XXXXX
    aaa accounting enable console XXXXX
    aaa accounting serial console XXXXX
    aaa authorization command XXXXX LOCAL
    Problems:
    Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
    Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
    PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attempt….e.g.
    1st Attempt = Server 1
    2nd Attempt = Server 2
    3rd Attempt = Server 3
    4th Attempt = Server 4
    This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
    With “depletion timed” configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
    “WARNING: Fallback authentication is configured, but reactivation mode is set to
    timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
    mechanism.”
    The next issue is that of accounting.....AAA Accounting does not record “SHOW” commands or session accounting records (start/stop) or “ENABLE".
    The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
    As RSA SecurID token can only be used once this fails and locks the account.
    Any ideas on how to make two of Ciscos leading security products work together better?

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the
    AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?

  • What happened to PDF document 22040 – "PIX/ASA: Monitor and Troubleshoot Performance Issues"?

    Hi, does anyone know what happened to the following PDF notes in Cisco? The PDF file only contains 1 page compared to the original notes in HTML format, which are about a few pages.
    If there is alternative link for this document, please let me know. Thanks.
    Document ID: 22040
    PIX/ASA: Monitor and Troubleshoot Performance Issues
    http://www.cisco.com/image/gif/paws/22040/pixperformance.pdf <PDF Notes, but 1 page only?>
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml  < HTML Notes>

    Hi experts / marcin
    can anyone of you let me know about my question related to vpn ?
    Jayesh

  • "authorization exec" on PIX/ASA

    I'm seeing posts that hit all around my questions, and based on my interpretation of the documentation it appears that there is no "shell exec" authorization available to the PIX when configured to use a TACACS+ server for authentication. Is this true? The problem I have is that whenever I create a new username in SecureACS that user (w/default settings) is immediately able to login and get a shell prompt on our PIX and ASA devices. I see no means (other than a NAR) that will restrict the user from getting a shell. Am I missing something?
    I know I can do command authorization, but exec authorization seems to be a glaringly missing feature.
    For example, how do I allow a user to be authenticated for a WebVPN session (via TACACS), but not be allowed to login via SSH for administration?

    Hi,
    Yes, you are correct, currently there is no shell exec on PIX/ASA that we have on all routers and switches. In case you are using TACACS+ for WebVPN, and don't want to allow them to login via SSH for administration, probably you can try the same login that is used in Access Points.
    Actually what happens is, if you have ever come across MAC authentication on APs: on the local database of the AP, user accounts are created using the MAC address as username/password. But the interesting thing is, they have *autocommand* in the end, i.e.
    username xxxx password xxxx
    username xxxx autocommand exit
    So what actually happens here is, though the user is authenticated, if that user tried to use their MAC address to log into the AP [if they think they are clever enough], then they will log in and will be kicked out automatically.
    Haven't tried this yet, probably we can use the same logic with PIX/ASA, making use of "auto command" under "TACACS+ Settings" for a group/user.
    Probably, I'll do a small re-create of it and will let you know, you try at your end.
    Regards,
    Prem

  • Automatic jump to privilege level 15 in PIX/ASA

    Hi, with IOS router and switch I'm able to authorize the user to jump automatically to the correct privilege level in login phase, as configured in authorization privilege field in ACS.
    With PIX/ASA the jump does not run: why ?
    thank you in advance
    RS

    I have to disagree here.
    It's not a security feature. The privilege level feature was never properly implemented in the PIX/ASA. You may call it a bug
    It would have been a security feature if it were implemented on all privilege levels besides level 15, so that users were prevented from going directly to priv. exec mode. But on the ASA/PIX, it does not work for any level (as the feature was not implemented).
    Regards
    Farrukh

  • Pix/Asa OSPF passive interface

    Hi.
    I am going to have an OSPF process for two internal interfaces. But I also have one external interface where I do not want any OSPF traffic going out. I have not so far found any OSPF PASSIVE INTERFACE type of command on PIX/ASA. Is there anyone out there who knows if there is a command like that, or how one can stop OSPF packets from going out? I presume that an outgoing access-list will not stop this traffic.
    Regards Bjorn

    Hi,
    Don't define the external interface as participating in the OSPF process.
    That is, you have to define only the two interfaces participating in the OSPF process:
    view "Enabling OSPF". Here is the link: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ip.html#wp1041629.
    I hope this helps.
    Best regards.
    Massimiliano.

  • ASA Failover messages

    I'm having trouble finding definitions for
    "show failover history" responses.  Phrases like the following:
    Just Active
    and
    Active Drain
    Any ideas?

    Hi Jim,
    Thanks for your post trying to find the documentation that shows definitions of ASA failover messages.
    The responses can be found in Table 26-4 of the Cisco Security Appliance Command Reference, Version 7.2.
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s3_72.html#wp1285887
    Thanks,
    Janel Kratky

  • CiscoWorks LMS cannot add PIX/ASA in software repository

    Hi,
    I can see that LMS in RME Software Management cannot add PIX/ASA software saying not supported.
    Any configuration issues.
    I have got another problem. CiscoWorks LMS needs to download IOS on a Cisco router, and the process fails in RME Software Mgt. The LMS is NATed when it goes through the router.
    I guess the script does not know the NATed IP when running it on the router. Is there a way that I can specify the NATed IP of the LMS? Fortunately, it is a static NATed IP.
    Thanks,
    Ashley

    Hi Joseph,
    It is working fine. My mistake, issue with TFTP source interface.
    However, I had got a small issue.
    I have got a Cisco router which RME accesses via a NATed IP, as you indicated, and it is working fine with RME. RME can manage the router perfectly.
    However, DFM is leaving this router in questioned mode. So, the SNMP credentials must be OK since it is good with RME.
    Do I have to specify the NATed DFM IP as well for this router? Or must something else be done?

  • Converting PIX/ASA logs into CSV

    I work as a network forensics analyst for a gov't agency. We are getting large amounts of PIX and ASA logs being pushed to our Syslog server. I'm trying to create a script to parse/convert the standard PIX/ASA logs into CSV files in order to assist with integration to other products. Has anyone had success with this, or have a perl / shell script(awk grep, etc) written for this task?  I would like to capture as much data as possible.

    What syslog server are you using? The free kiwi syslog has an option to spin a new file based on the time or day to a text file automatically which can be archived later. Seems like kiwi can export in .csv format. http://www.kiwisyslog.com/help/syslogwebaccess/index.html?export_to_csv.htm
    -KS
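    As an added example (not part of the original thread, and not a Cisco or Kiwi tool), here is a small Python converter of the kind the question asks for. It splits the generic PIX/ASA/FWSM syslog header (`%ASA-<severity>-<message id>:`) from the message text and then pulls structured fields out of three common connection events (302013 Built, 302014 Teardown, 106023 Deny). The sample lines are constructed, and the per-message regexes follow the message formats as I know them from the Cisco syslog message guide; unknown message IDs are still written out with their raw text so nothing is dropped.

```python
import csv
import io
import re

# Constructed sample lines (not from the original post), in the shape a syslog
# server typically stores PIX/ASA messages: "<timestamp> <host> : %ASA-<sev>-<id>: <text>"
SAMPLE_LOG = """\
Aug 15 2011 07:57:34 fw-site1 : %ASA-6-302013: Built inbound TCP connection 884213 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.1.1.10/443 (192.0.2.10/443)
Aug 15 2011 07:57:39 fw-site1 : %ASA-6-302014: Teardown TCP connection 884213 for outside:203.0.113.5/51234 to inside:10.1.1.10/443 duration 0:00:05 bytes 1832 TCP FINs
Aug 15 2011 07:58:01 fw-site1 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.1.1.10/22 by access-group "outside_access_in" [0x0, 0x0]
Aug 15 2011 07:58:02 pix-old : %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.20/33000 to outside:192.0.2.1/1025
this line is not a firewall message
"""

# Generic header shared by PIX, ASA and FWSM syslog: optional timestamp and host,
# then %<platform>-<severity>-<six digit message id>: <message text>
HEADER_RE = re.compile(
    r"^(?:(?P<timestamp>\w{3} +\d{1,2} +\d{4} +\d{2}:\d{2}:\d{2})\s+)?"
    r"(?:(?P<host>\S+)\s*:\s+)?"
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<severity>\d)-(?P<msg_id>\d{6}):\s+(?P<text>.*)$"
)

# "<interface>:<ip>/<port>" endpoint, with a prefix so src and dst get distinct group names
ENDPOINT = r"(?P<{p}_if>[\w-]+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"

# Per-message-ID field extractors (assumed formats, see the lead-in)
BODY_RE = {
    "302013": re.compile(
        r"Built (?P<direction>inbound|outbound) (?P<protocol>TCP) connection (?P<conn_id>\d+) for "
        + ENDPOINT.format(p="src") + r" \([\d.]+/\d+\) to "
        + ENDPOINT.format(p="dst") + r" \([\d.]+/\d+\)"
    ),
    "302014": re.compile(
        r"Teardown (?P<protocol>TCP) connection (?P<conn_id>\d+) for "
        + ENDPOINT.format(p="src") + r" to " + ENDPOINT.format(p="dst")
        + r" duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) ?(?P<reason>.*)"
    ),
    "106023": re.compile(
        r"Deny (?P<protocol>\w+) src " + ENDPOINT.format(p="src")
        + r" dst " + ENDPOINT.format(p="dst")
        + r' by access-group "(?P<acl>[^"]+)"'
    ),
}

# Fixed CSV column order so every row has the same shape regardless of message ID
COLUMNS = ["timestamp", "host", "platform", "severity", "msg_id", "direction",
           "protocol", "conn_id", "src_if", "src_ip", "src_port", "dst_if",
           "dst_ip", "dst_port", "duration", "bytes", "reason", "acl", "text"]


def parse_line(line):
    """Return a dict keyed by COLUMNS for one syslog line, or None if it is not a
    PIX/ASA/FWSM message. Unknown message IDs keep only the header fields and raw text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    row = dict.fromkeys(COLUMNS, "")
    row.update({k: v or "" for k, v in m.groupdict().items()})
    body_re = BODY_RE.get(row["msg_id"])
    if body_re:
        b = body_re.match(row["text"])
        if b:
            row.update(b.groupdict())
    return row


def to_csv(lines):
    """Convert an iterable of syslog lines to CSV text with a fixed header row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    for line in lines:
        row = parse_line(line)
        if row:
            writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE_LOG.splitlines()), end="")
```

    Adding further message IDs is a matter of another entry in BODY_RE whose group names are in COLUMNS; for a real feed, read the file line by line rather than splitting a string so memory stays flat on multi-gigabyte logs.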

  • AAA problems PIX/ASA

    Hello
    I have a problem with authentication on my network. Here I have support level 2 and level 3.
    Level 2 support, has restricted access to some switches and routers, the firewalls they could only give "Show ", the problem is that this is not happening.
    I configured on the ACS command shell Authorization for the commands on switches and routers, for these users of level 2. and PIX / ASA shell commands, I set only the command Enable and Show.
    My problem is that even when the support level 2 tries to access PIX and ASA on my network, they use the authorization of routers and switches, they do not use the parameters that I set up the PIX and ASA for Shell.
    the only firewalls on my line is this Authorization below
    Authorization TACACS + aaa command LOCAL
    I have to configure anything else?
    I can not create command line only for Firewalls.
    I'm missing something? something missing?
    my firewall and IOS versions:
    Pix: 6.3
    ASA 6x, 7x, 8x
    thanks for help

    My problem is that my ACS v4.2 is not able to distinguish the PIX / ASA shell commands from the others. The same shell commands used in the switches are being applied in firewalls.
    There is a way to create separate privileges between switches and firewalls?
    output of routers and firewalls. Switches and routera are the same
    switches
    aaa authentication login ACS-AUTH group ACS-TACACS local
    aaa authorization config-commands
    aaa authorization exec ACS-AUTH group ACS-TACACS local
    aaa authorization commands 15 default group ACS-TACACS local
    aaa accounting exec default start-stop group ACS-TACACS
    aaa accounting commands 15 default start-stop group ACS-TACACS
    firewalls
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (transit) host x.x.x.x
    aaa-server RADIUS protocol radius
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+

  • ASA Failover when Firewalls are at different sites - help

    I am implementing a solution for a customer whereby they have two Cisco ASA 5520X firewalls. They wish for the firewalls to be in an Active-Standby state.
    This not only means that if one firewall dies, the other will take over. It also means that any configuration changes made on the primary are copied to the backup.
    The only catch is, both firewalls are at different sites. There is no layer 2 WAN link running between the sites. They are separated by both the internet cloud on one side and their internal company MPLS cloud on the other.
    The diagram, that I have taken from my GNS3 simulation and modified slightly, shows the setup. All of the IP addresses (and AS numbers) are made up. Any reflection on real world IPs is unintentional and just a coincidence.
    The diagram is probably too overcrowded with IP information than is needed in this question - but the basic idea is the following:
    1. Under normal conditions traffic will flow to the internet from the remote MPLS site and leave via the firewall (PAT) at Site-1 - however note the public range of 23.23.23.0/24 is configured at both Site-1 and Site-2 - so at the moment the internet cloud is preferring Site-1 to reach that range.
    2. If the internet link from INT-PRI at Site-1 fails, remote MPLS traffic destined for the internet will be forwarded out to the internet at Site-2.
    3. If the two MPLS links to Site-1 fail, INT-PRI will stop advertising the public range to the internet PE routers and traffic from the remote MPLS router destined for the internet will go out via Site-2.
    I have the tracking and dynamic routing failover setup between the sites all configured and worked out (I can provide the details of how INT-PRI tracks a sponge address in the MPLS cloud to determine whether or not it advertises the public range to the internet etc etc if you want, but on this question I want to focus on the firewalls).
    Currently the customer has resigned to having to do manual copying between the firewalls every time a change is made (i.e. there is no dynamic failover configured and the Site-2 firewall is just a clone that is kept up to date by their change management team).
    Is there a smart way to set up an Active-Standby configuration between these distant sites? Or at the very least dynamically copy the configuration to the backup every time a change is made? My first thought would be some kind of EEM or TCL script but I'm not that experienced with either. Alternatively, if there is a smart way to get the two firewalls talking over Layer 2 it might be a better way forward.
    Thanks in advance. Apologies for this question being too wordy.

    You could use Ethernet over MPLS (EoMPLS) or Virtual Private LAN Service (VPLS), though if I remember correctly this is limited to certain platforms and IOS versions.
    Here is a design guide you could have a read through on the options
    http://www.cisco.com/c/en/us/products/collateral/data-center-virtualization/data-center-interconnect/white_paper_c11_493718.html#wp9000079
    EoMPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/config_guide/eompls.html
    VPLS configuration guide:
    http://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_5/configuration/guide/cpt95_configuration/cpt95_configuration_chapter_011000.html
    Please remember to rate and select a correct answer

  • MS Windows Media Server and PIX/ASA upgrade

    I've just replaced a PIX 515 with an ASA5510 and have lost connectivity between a remote host running MS Windows Media Player trying to stream video back to a Windows Media Server behind the firewall.
    I've opened all TCP/UDP ports inbound to the server from any source IP, to no avail. When I put the PIX 515 back, the problem goes away. Port blocking is not the issue, since all inbound ports are open from any IP.
    Is there an 'inspect' statement or some other configuration in the new ASA that needs to be added, so it will pass the video stream as it works in the PIX 515?
    Will Cisco TAC assist in an issue that may or may not be application related?
    Thanks for any tips or direction,
    Marc

    I fixed it:
    CSCsd82714 Bug: RTSP fails with Windows media player
    Symptom:
    RTSP stream setup is failing with "inspect rtsp" enabled for clients to a
    statically translated server behind the firewall
    Conditions:
    Client on the outside is connecting to a server behind the PIX. The server
    has a static configured and access-lists allowing this traffic:
    static (DMZ,outside) 172.16.1.1 10.1.1.1 netmask 255.255.255.255
    access-list outside_access_in permit ip any host 172.16.1.1
    access-group outside_access_i in interface outside
    Setting up a connection, the client information is passed to the server.
    The server information is passed back to the host. The host then sends a
    reset before the SETUP message is passed
    Workaround:
    Disable "inspect rtsp" within the configuration

  • CSM error message on ASA Failover interface

    Hello
    We use CSM 4.4 to manage our ASA firewalls.                   
    One of them is a failover pair. CSM now always creates a warning message when approving an activity, stating:
    FWSVC Access Rules Warnings ->  The following interfaces GigabitEthernet0/3,management, are not bound to any Access Rules and remain wide open for traffic to lower security level interfaces
    Is there a way to suppress those messages?
    Or is it required to configure an access-list to the lan-based failover interface?
    Thanks
    Patrick

    Hi Bro
    Yes, there is a way to suppress these error messages by issuing the command "no logging message " in that particular context but I wouldn't advise to do so.
    Perhaps this could indicate a legitimate error on your part. If you could paste the show run output here, that would be great. We could advise you accordingly.
    Regards,
    Ram

  • ASA failover: secondary ASA disabled failover on its own

    Hi all
    I have a failover pair of ASA 5520 (Software Version 8.2(4)4)
    located in two different data centers.
    Because of a network issue the layer 2 connection between both locations has been interrupted for a couple of seconds and the ASAs went into split-brain as one would expect them to do.
    The thing is that after approx. 1 minute the secondary ASA switched off its failover configuration (i.e. "show run" gives "no failover") without anybody telling it to do so. Here is the "show failover history" of the device:
    07:57:34 MESZ Aug 15 2011
    Standby Ready              Just Active                HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Just Active                Active Drain               HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Drain               Active Applying Config     HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Applying Config     Active Config Applied      HELLO not heard from mate
    07:57:34 MESZ Aug 15 2011
    Active Config Applied      Active                     HELLO not heard from mate
    07:58:03 MESZ Aug 15 2011
    Active                     Cold Standby               Failover state check
    07:58:18 MESZ Aug 15 2011
    Cold Standby               Disabled                   HA state progression failed
    At this point failover was switched off completely and the split-brain remained even after the layer-2-connection has been reestablished.
    This is no good.:( I have searched for "HA state progression failed" without any useful result/explanation.
    Why did the device switch off failover on its own and how can we assure that it won't do this again?
    Best regards,
    Grischa

    Yes, only thing I needed to do was issuing "failover" on the secondary. It detected its active mate and went properly into standby:
    09:16:18 MESZ Aug 15 2011
    Disabled                   Negotiation                Set by the config command
    09:16:19 MESZ Aug 15 2011
    Negotiation                Cold Standby               Detected an Active mate
    09:16:21 MESZ Aug 15 2011
    Cold Standby               Sync Config                Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync Config                Sync File System           Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Sync File System           Bulk Sync                  Detected an Active mate
    09:16:31 MESZ Aug 15 2011
    Bulk Sync                  Standby Ready              Detected an Active mate
    I guess we will go the TAC way if we encounter this situation a second time. This time we will be warned and know where to look.
    Is there really no documentation available of the "HA state progression failed" message? What does it mean and how is it triggered usually?
    Regards,
    Grischa
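    Because "show failover history" only shows the state machine after the fact, it is worth having a script that reads that output and flags the one transition an operator did not ask for. The following Python is an added example, not code from the thread or from Cisco; the two samples are copied from the histories posted above (the unexpected shutdown and the later recovery). The check treats a transition into "Disabled" as expected only when its reason is "Set by the config command", the reason string the recovery history shows for an operator-entered "failover"; that the same string is recorded for "no failover" is an assumption.

```python
import re
from datetime import datetime

# Copied from the "show failover history" output in the thread above:
# the secondary becoming active on lost hellos and then disabling failover.
HISTORY_DISABLE = """\
07:57:34 MESZ Aug 15 2011
Standby Ready              Just Active                HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Just Active                Active Drain               HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Drain               Active Applying Config     HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Applying Config     Active Config Applied      HELLO not heard from mate
07:57:34 MESZ Aug 15 2011
Active Config Applied      Active                     HELLO not heard from mate
07:58:03 MESZ Aug 15 2011
Active                     Cold Standby               Failover state check
07:58:18 MESZ Aug 15 2011
Cold Standby               Disabled                   HA state progression failed
"""

# Also from the thread: the recovery after "failover" was re-entered on the secondary.
HISTORY_RECOVERY = """\
09:16:18 MESZ Aug 15 2011
Disabled                   Negotiation                Set by the config command
09:16:19 MESZ Aug 15 2011
Negotiation                Cold Standby               Detected an Active mate
09:16:21 MESZ Aug 15 2011
Cold Standby               Sync Config                Detected an Active mate
09:16:31 MESZ Aug 15 2011
Sync Config                Sync File System           Detected an Active mate
09:16:31 MESZ Aug 15 2011
Sync File System           Bulk Sync                  Detected an Active mate
09:16:31 MESZ Aug 15 2011
Bulk Sync                  Standby Ready              Detected an Active mate
"""

# Reason the history records for an operator-entered failover command (assumed to
# be the same for "no failover", see the lead-in)
OPERATOR_REASON = "Set by the config command"

# "<hh:mm:ss> <tz> <Mon> <day> <year>"
TIMESTAMP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (\w{3} \d{1,2} \d{4})$")


def parse_failover_history(text):
    """Turn the two-line records of 'show failover history' into dicts with keys
    time, tz, from_state, to_state, reason. The state/reason line is split on runs
    of two or more spaces because state names contain single spaces
    ("Standby Ready", "Active Applying Config")."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    events = []
    i = 0
    while i + 1 < len(lines):
        ts = TIMESTAMP_RE.match(lines[i])
        if not ts:
            i += 1  # tolerate prompt or banner lines between records
            continue
        fields = re.split(r"\s{2,}", lines[i + 1].strip(), maxsplit=2)
        if len(fields) == 3:
            events.append({
                "time": datetime.strptime(f"{ts.group(1)} {ts.group(3)}", "%H:%M:%S %b %d %Y"),
                "tz": ts.group(2),
                "from_state": fields[0],
                "to_state": fields[1],
                "reason": fields[2],
            })
        i += 2
    return events


def unexpected_disables(events):
    """Transitions into 'Disabled' that no operator asked for: the case in the thread."""
    return [e for e in events
            if e["to_state"] == "Disabled" and e["reason"] != OPERATOR_REASON]


def unsolicited_active(events):
    """Transitions into 'Just Active' because the mate's hellos stopped. When the
    failover link (not the mate) is what failed, this is the split-brain signature."""
    return [e for e in events
            if e["to_state"] == "Just Active" and e["reason"] == "HELLO not heard from mate"]


def seconds_between(events, to_state_a, to_state_b):
    """Seconds from the first transition into to_state_a to the first into to_state_b."""
    a = next(e["time"] for e in events if e["to_state"] == to_state_a)
    b = next(e["time"] for e in events if e["to_state"] == to_state_b)
    return int((b - a).total_seconds())


if __name__ == "__main__":
    ev = parse_failover_history(HISTORY_DISABLE)
    for e in unexpected_disables(ev):
        print(f"ALERT {e['time']} {e['tz']}: failover disabled ({e['reason']})")
    print("split-brain indicators:", len(unsolicited_active(ev)))
    print("seconds Active -> Disabled:", seconds_between(ev, "Active", "Disabled"))
```

    Run against the first history it raises one alert (the 07:58:18 "HA state progression failed" transition) and shows the unit was active for 44 seconds before disabling itself; run against the recovery history it stays quiet, which is the behaviour you want from a monitoring check fed by a periodic "show failover history" capture.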
