Write erase on ASA 5540
Hi,
I have a 5540 ASA 8.2. I'm thinking of erasing the configs and upgrading the IOS to the latest version; would that have any impact on the existing licenses?
Mainly the AnyConnect one.
Thanks,
You can erase your config without losing the licenses. They are not stored in the config.
Do you have 2GB of RAM? That is the requirement for the actual software.
Similar Messages
-
How do I get an ASA-5540 back to default config?
Is there an easy way to re-apply the default config that comes with a new ASA-5540? I'd like to have our ASA-5540 be back to its default with 192.168.1.1 on the inside interface and act as a DHCP server so I can connect a PC to it to begin initial configuration using the ASDM.
The ASA-5540 is running on asa723-k8.bin.
configure factory-default
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c4_72.html#wp2039866
a simple "write erase/reload" would also do the trick. -
ASA 5505 + ASA 5540 static VPN, ssh and rdp problems
Greetings!
I've recently set up a VPN between Cisco ASA 5540 (8.4) and 5505 (8.3).
Everything works fine, but there is a small problem that is really annoying me.
From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
Then I minimize the ssh and rdp windows and don't use them for ten minutes. But I still use the VPN for downloading some files.
Then I open ssh window - the session is inactive, open rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP)
There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
What can I do to get rid of this problem?
Thanks in advance.
Dear Fedor,
You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
access-list rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
access-list rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
class-map TCP_TIMEOUT
  match access-list rdp_ssh
policy-map global_policy
  class TCP_TIMEOUT
    set connection timeout idle 0:30:00
    set connection timeout half 0:30:00
* Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
Let me know.
Portu.
Please rate any post you find useful. -
ASA 5540 _ I want to ping across inside to outside for testing
ASA 5540 8.2 (5)
I have tried many combinations of command line syntax suggested in this forum but none are providing success so far.
I want to ping from the Inside Interface across to the Outside Interface and vice versa.
I have tried various ACLs as well as "inspect icmp" in the config, etc still no go.
I can ping each interface from the console command line but cannot ping across each interface.
Is this even possible ?
I am open to suggestions.
thanks
Troy
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.10.10.10 255.255.255.0
ASA-5540-LAB#
ASA-5540-LAB# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-5540-LAB# ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-5540-LAB# ping inside 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
ASA-5540-LAB# ping outside 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Success rate is 0 percent (0/5)
ASA-5540-LAB#
Hi Troy,
Remember that the ASA is a security device, so by design it doesn't support what you are trying to accomplish.
"For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network."
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059645
Even if you are trying to ping from the ASA, since I see you are trying to do a "source" ping, the source of the packet will be an internal IP address going to the outside IP.
Luis Silva -
CiscoWorks LMS 4.0.1 and ASA 5540
I've added an ASA-5540 to the group of systems I back up each night. When the admin logs into the ASA in the morning, he sees the "save configuration" flag has been set. This started the same day CiscoWorks saved the configuration. What is CiscoWorks doing to set this flag, and how do I stop it? It should only be reading the configuration. Thanks.
Ideally LMS should not save configuration only when LMS is taking the backup of configuration. This can be easily tested, if you try to run an instant job for Configuration Archive under Configuration > Sync Archive and see it on the ASA if it shows "save configuration" flag set.
It should be something else on either LMS or somewhere outside. In LMS it could be something like a NetConfig Job which may save configuration or other options like deploy configuration, which is very unlikely.
Before we stop it, we need to test and confirm it is actually LMS. You can also try to suspend the device once from LMS to see if the next day you still see a similar flag set.
Once we confirm it is LMS, we can test which action of LMS is doing it and how to prevent.
-Thanks
Vinod
** Encourage Contributors. RATE them** -
High CPU due to dispatch unit in cisco ASA 5540
Hi Any suggestion help
High CPU due to dispatch unit in cisco ASA 5540
ciscoasa# sh processes cpu-usage
PC Thread 5Sec 1Min 5Min Process
0805520c ad5afdf8 0.0% 0.0% 0.0% block_diag
081a8d34 ad5afa08 82.6% 82.1% 82.3% Dispatch Unit
083b6c05 ad5af618 0.0% 0.0% 0.0% CF OIR
08a60aa0 ad5af420 0.0% 0.0% 0.0% lina_int
08069f06 ad5aee38 0.0% 0.0% 0.0% Reload Control Thread
08072196 ad5aec40 0.0% 0.0% 0.0% aaa
08c76f3d ad5aea48 0.0% 0.0% 0.0% UserFromCert Thread
080a6f36 ad5ae658 0.0% 0.0% 0.0% CMGR Server Process
080a7445 ad5ae460 0.0% 0.0% 0.0% CMGR Timer Process
081a815c ad5ada88 0.0% 0.0% 0.0% dbgtrace
0844d75c ad5ad2a8 0.0% 0.0% 0.0% 557mcfix
0844d57e ad5ad0b0 0.0% 0.0% 0.0% 557statspoll
08c76f3d ad5abef8 0.0% 0.0% 0.0% netfs_thread_init
09319755 ad5ab520 0.0% 0.0% 0.0% Chunk Manager
088e3f0e ad5ab328 0.0% 0.0% 0.0% PIX Garbage Collector
088d72d4 ad5ab130 0.0% 0.0% 0.0% IP Address Assign
08ab1cd6 ad5aaf38 0.0% 0.0% 0.0% QoS Support Module
08953cbf ad5aad40 0.0% 0.0% 0.0% Client Update Task
093698fa ad5aab48 0.0% 0.0% 0.0% Checkheaps
08ab6205 ad5aa560 0.0% 0.0% 0.0% Quack process
08b0dd52 ad5aa368 0.0% 0.0% 0.0% Session Manager
08c227d5 ad5a9f78 0.0% 0.0% 0.0% uauth
08bbf615 ad5a9d80 0.0% 0.0% 0.0% Uauth_Proxy
08bf5cbe ad5a9798 0.0% 0.0% 0.0% SSL
08c20766 ad5a95a0 0.0% 0.0% 0.0% SMTP
081c0b4a ad5a93a8 0.0% 0.0% 0.0% Logger
08c19908 ad5a91b0 0.0% 0.0% 0.0% Syslog Retry Thread
08c1346e ad5a8fb8 0.0% 0.0% 0.0% Thread Logger
08e47c82 ad5a81f0 0.0% 0.0% 0.0% vpnlb_thread
08f0f055 ad5a7a10 0.0% 0.0% 0.0% pci_nt_bridge
0827a43d ad5a7620 0.0% 0.0% 0.0% TLS Proxy Inspector
08b279f3 ad5a7428 0.0% 0.0% 0.0% emweb/cifs_timer
086a0217 ad5a7230 0.0% 0.0% 0.0% netfs_mount_handler
08535408 ad5a7038 0.0% 0.0% 0.0% arp_timer
0853d18c ad5a6e40 0.0% 0.0% 0.0% arp_forward_thread
085ad295 ad5a6c48 0.0% 0.0% 0.0% Lic TMR
08c257b1 ad5a6a50 0.0% 0.0% 0.0% tcp_fast
08c28910 ad5a6858 0.0% 0.0% 0.0% tcp_slow
08c53f79 ad5a6660 0.0% 0.0% 0.0% udp_timer
080fe008 ad5a6468 0.0% 0.0% 0.0% CTCP Timer process
08df6853 ad5a6270 0.0% 0.0% 0.0% L2TP data daemon
08df7623 ad5a6078 0.0% 0.0% 0.0% L2TP mgmt daemon
08de39b8 ad5a5e80 0.0% 0.0% 0.0% ppp_timer_thread
08e48157 ad5a5c88 0.0% 0.0% 0.0% vpnlb_timer_thread
081153ff ad5a5a90 0.0% 0.0% 0.0% IPsec message handler
081296cc ad5a5898 0.0% 0.0% 0.0% CTM message handler
089b2bd9 ad5a56a0 0.0% 0.0% 0.0% NAT security-level reconfiguration
08ae1ba8 ad5a54a8 0.0% 0.0% 0.0% ICMP event handler
I want exact troubleshooting.
(1) Steps to follow.
(2) Required configuration
(3) Any good suggestions
(4) Any Tool to troubleshoot.
Suggestions are welcome.
Hello,
NMS is probably not the right community to t/s this. You probably want to move this to the Security group (Security > Firewalling).
In the meanwhile, I have some details to share for you to check, though I am not a security/ASA expert.
The Dispatch Unit is a process that continually runs on single-core ASAs (models 5505, 5510, 5520, 5540, 5550). The Dispatch Unit takes packets off of the interface driver and passes them to the ASA SoftNP for further processing; it also performs the reverse process.
To determine if the Dispatch Unit process is utilizing the majority of the CPU time, use the commands "show cpu usage" and "show process cpu-usage sorted non-zero".
show cpu usage (and show cpu usage detail) will show the usage of the ASA CPU cores:
ASA# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 1%; 5 minutes: 0%
show process cpu-usage sorted non-zero will display a sorted list of the processes that are consuming CPU.
In the example below, the Dispatch Unit process has used 50 percent of the CPU for the last 5 seconds:
ASA# show process cpu-usage sorted non-zero
0x0827e731 0xc85c5bf4 50.5% 50.4% 50.3% Dispatch Unit
0x0888d0dc 0xc85b76b4 2.3% 5.3% 5.5% esw_stats
0x090b0155 0xc859ae40 1.5% 0.4% 0.1% ssh
0x0878d2de 0xc85b22c8 0.1% 0.1% 0.1% ARP Thread
0x088c8ad5 0xc85b1268 0.1% 0.1% 0.1% MFIB
0x08cdd5cc 0xc85b4fd0 0.1% 0.1% 0.1% update_cpu_usage
If Dispatch Unit is listed as a top consumer of CPU usage, then use this document to narrow down what might be causing the Dispatch Unit process to be so active.
Most cases of high CPU utilization occur because the Dispatch Unit process is high. Common causes of high utilization include:
Oversubscription
Routing loops
Host with a high number of connections
Excessive system logs
Unequal traffic distribution
More t/s details can be shared by the ASA members from the community.
HTH
-Thanks
Vinod -
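The process listings in the Dispatch Unit thread above are what "show process cpu-usage sorted non-zero" boils down to: drop the idle rows and rank the rest by CPU share, then check whether Dispatch Unit is the top consumer. As an added example (not code from the thread, from Cisco, or from the ASA), here is a Python parser that does that ranking offline over the two listings quoted in the thread and flags a sustained Dispatch Unit share. The sample text is copied from the thread, and the 80% alert threshold is a constructed value for the example, not a Cisco figure.

```python
import re
from dataclasses import dataclass

# Sample input: rows copied from the two listings in the thread above
# (a 5540 with Dispatch Unit at ~82%, and the Cisco doc excerpt at ~50%).
SAMPLE_5540 = """\
ciscoasa# sh processes cpu-usage
PC Thread 5Sec 1Min 5Min Process
0805520c ad5afdf8 0.0% 0.0% 0.0% block_diag
081a8d34 ad5afa08 82.6% 82.1% 82.3% Dispatch Unit
083b6c05 ad5af618 0.0% 0.0% 0.0% CF OIR
081c0b4a ad5a93a8 0.0% 0.0% 0.0% Logger
08bf5cbe ad5a9798 0.0% 0.0% 0.0% SSL
"""

SAMPLE_DOC = """\
ASA# show process cpu-usage sorted non-zero
0x0827e731 0xc85c5bf4 50.5% 50.4% 50.3% Dispatch Unit
0x0888d0dc 0xc85b76b4 2.3% 5.3% 5.5% esw_stats
0x090b0155 0xc859ae40 1.5% 0.4% 0.1% ssh
0x0878d2de 0xc85b22c8 0.1% 0.1% 0.1% ARP Thread
"""

# One row of the table: PC, thread id, three percentages, then the process
# name, which may contain spaces ("Dispatch Unit", "ARP Thread").
_ROW = re.compile(
    r"""^\s*
        (?:0x)?[0-9a-fA-F]+\s+          # PC, with or without 0x prefix
        (?:0x)?[0-9a-fA-F]+\s+          # thread id
        (?P<s5>\d+(?:\.\d+)?)%\s+       # 5-second share
        (?P<m1>\d+(?:\.\d+)?)%\s+       # 1-minute share
        (?P<m5>\d+(?:\.\d+)?)%\s+       # 5-minute share
        (?P<name>\S.*?)\s*$             # process name
    """,
    re.VERBOSE,
)


@dataclass
class ProcCpu:
    name: str
    pct_5s: float
    pct_1m: float
    pct_5m: float


def parse_cpu_usage(text):
    """Parse 'show processes cpu-usage' output; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        rows.append(ProcCpu(m["name"], float(m["s5"]), float(m["m1"]), float(m["m5"])))
    return rows


def sorted_non_zero(text):
    """Offline equivalent of 'sorted non-zero': drop idle rows, highest 5-second share first."""
    rows = [r for r in parse_cpu_usage(text) if r.pct_5s > 0 or r.pct_1m > 0 or r.pct_5m > 0]
    return sorted(rows, key=lambda r: r.pct_5s, reverse=True)


def dispatch_unit_share(text):
    """Dispatch Unit's 5-minute average, or 0.0 if the process is not listed."""
    for r in parse_cpu_usage(text):
        if r.name == "Dispatch Unit":
            return r.pct_5m
    return 0.0


def dispatch_unit_hot(text, threshold=80.0):
    """True when Dispatch Unit's sustained (5-minute) share is at or above the threshold.
    The 80% default is a constructed value for this example, not a Cisco recommendation."""
    return dispatch_unit_share(text) >= threshold


if __name__ == "__main__":
    for label, sample in (("5540 from thread", SAMPLE_5540), ("Cisco doc excerpt", SAMPLE_DOC)):
        print(f"== {label}: Dispatch Unit hot = {dispatch_unit_hot(sample)}")
        for r in sorted_non_zero(sample):
            print(f"{r.pct_5s:5.1f}% {r.pct_1m:5.1f}% {r.pct_5m:5.1f}%  {r.name}")
```

The parser accepts both PC/thread formats seen in the thread (bare hex on the 5540, 0x-prefixed in the Cisco excerpt), so the same script can be run over pasted output from either source; the 5-minute column is used for the alert because a single 5-second spike is not what the causes listed above (oversubscription, routing loops, a chatty host) look like.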
Hi Expert.
How I can allow dmz zone server to resolve only dns query through nslookup on ASA 5540 ?
What is the configuration required on ASA 5540 ?
Thanks
Hi Samir,
By IP address it will be very simple; depending on the security level that it has (higher than 0 for DMZ and 0 for the outside) it will be allowed by default.
If there is an access-list already applied denying all the http traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest.
access-list DMZ permit tcp host host eq 80
access-list DMZ deny ip any any
access-group DMZ in interface DMZ
Then you can add a host entry on the hostfile for the server on the DMZ to translate the IP address to a hostname and you will be able to access it using the web browser (not really scalable, but it works)
WARNING: This will only allow traffic from the DMZ server going to specific host on the internet on port 80, any other traffic going to any other interface will be dropped.
Mike -
Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth
Hello all,
I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
Their authentication process is two steps. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. In step 2, it binds to the directory with the DN it found when searching, and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
We opened a TAC case with Cisco, and this is their response:
The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config, but that doesn't seem to make any difference to the ASA. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?
My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either. -
Seeing ASA 5540 with High CPU Utilization
I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. Please help us troubleshoot the root cause of the CPU high utilization on Cisco ASA 5540.
This doc is a good starting point:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml -
Hi,
I have an ASA 5400.
Can I make an NTP server on the ASA 5540?
The ASA cannot work as an NTP server; it can only use an NTP server to set its time using the "ntp server" command.
I hope it helps.
PK -
I do 'write erase' on AP, but configuration remains
On my Cisco Access Point Aironet 1200, I do 'write erase', 'reload'. I noticed that some configuration remains(such as BVI IP address).
What am I missing? Why does this configuration remain in spite of 'write erase', and how can I make sure that the whole configuration is wiped out from the AP 1200?
ap#wri erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Hi, I don't see any setting on DHCP. I pasted the running config below; however, it makes no difference after what happened.
I think I messed up.
I did 'delete flash:env_vars', reload.
Then upon power cycling the device it now appears only with a prompt "ap:". I will need to read more to understand this, but it seems I deleted the entire image, right?
I guess I would need to load an image through tftp at this point, correct?
Building configuration...
Current configuration : 1534 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret xxx.
username Cisco password xxx
ip subnet-zero
no aaa new-model
bridge irb
interface Dot11Radio0
 no ip address
no ip route-cache
ssid myyoursours
authentication open
guest-mode
short-slot-time
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
 bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.43.545.20 255.255.252.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
bridge 1 route ip
line con 0
transport preferred all -
BR1310 with 12.3(4)JA write erase
After a write erase and a reload my Bridge boots up as an AP with the DOT11 radio shut down and no ssid?
Is this normal?
regards Bernhard
Yes, that's right. I saw it in the release notes. But when I upgrade the bridge and set it back to default, the antenna alignment doesn't work anymore because there is no ssid and the interface is shut. So that's not really a good "security feature".
Can somebody from Cisco answer that? -
How to recover after "write erase"
I have a 9505, After running the write erase command, I can no longer log into the switch via telnet with the default admin password or the last configured password. Also I no longer get any activity over the serial connection to log in through serial. How can I reset this director back to factory defaults?
Yes I did reset the switch after the write erase. I do not think it reverted back to factory defaults though. I still get a login response when I telnet to the configured IP address, but no passwords seem to work. I have tried admin/admin as per the documentation defaults and the configured password, both reply with login incorrect. I have also tried no password.
I am using the supplied Cisco serial cable which I know works because I was connected serially when I sent the write erase command.
Since the command and system reset I have not seen any activity through the serial connection. I have tried both the top and bottom supervisor and neither show any activity when the switch boots up. I am using a windows laptop using hyperterm with 8/1/N settings as per the documentation.
Is there any other way to set factory defaults? I am out of ideas on how to recover this switch. -
Write Erase - will I lose license info?
Hi,
I have a requirement to move 2 x MDS9513 switches from one site to another and add them into an existing fabric.
The configuration will need to be erased once moved in order to re-configure IP addresses, switch name etc.
The plan is to perform a "write erase"
My question is : Will a "write erase" delete any license information held on the switch?
Regards
Rich
Hello,
Please be sure to have backup licenses before doing a "write erase" on the MDS switch.
Please see here from Obtaining and Installing Licenses:
http://www.cisco.com/en/US/customer/products/ps5989/products_configuration_guide_chapter09186a0080664c67.html
Tip: We recommend backing up your license files immediately after installing them and just before issuing a write erase command.
I hope this helps.
Regards,
Carlos -
High CPU Utilization on ASA 5540
I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. Any ideas on how I can find the root cause of the CPU high utilization?
Hi rlortiz,
I ran into this issue as well on an ASA 5540 with only about 150 users. In the case that you are using large modulus operations, including large key size certificates and a higher Diffie-Hellman group, it will cause high processing load.
Since the default method of processing these operations is software-based, it will cause higher CPU usage and also slower SSL/IPsec connection establishment.
If this is the scenario for you, use hardware-based processing by using the following configuration:
"crypto engine large-mod-accel"