AnyConnect Essentials lincensing on ASA5510 in HA
Hi guys,
Can someone help me with info regarding licensing.
Got 2 pairs of HA ASAs and didn't manage to find the answer - 2(per pair) or 4(for each one) licenses are needed.
The ASAs are in Active/Standby mode.
Just don't want to be in position if one of the ASAs fail the Anyconnect clients to lose functionality.
Also is reboot required after entering the licenses?
Thank you very much in advance.
Regards,
Nikolay
Starting with ASA v8.3 the ASAs in HA don't need the same licenses. So you only need one AnyConnect Essentials per Cluster. But if you are running v8.2 or lower, you need one license per ASA.
For the activation of AnyConnect Essentials, no reboot is required.
Sent from Cisco Technical Support iPad App
Similar Messages
-
ASA5510 Security Plus + Anyconnect Essentials = BASE?
Recently upgraded a 5510 to Anyconnect Essentials and Anyconnect Mobile, the device was Security Plus and is now Base. Is it supposed to work this way? I lost my Gigabit interfaces. Is it possible to have Security Plus + Anyconnect Essentials?
I'm sure this should be OK.
I had a similar problem with an ASA 5505 that had been upgraded to Sec Plus and subsequently Anyconnect Mobile. TAC were able to sort it out very rapidly and issue the correct license file. -
Sorry if this question has been asked, i couldnt find an answer anywhere.
I have an ASA5520 with Anyconnect Essentials enabled, I want to replace this FW with an ASA5540 can I migrate the Anyconnect Essentials license?
ThanksIn general the license of an ASA is tied to the serial number of the ASA. This means that there is not an easy way to migrate a license from one ASA to another. In the case of an RMA there is a way that TAC can move the license.
It might be worth asking whoever is providing the ASA5540 if they can work out anything about the license. In the case of a purchase there might be some possible concession on license provisioning. But in general when you get a new ASA you need to get a new license.
HTH
Rick -
Cisco Anyconnect Essentials License - what does this
Hello Communtiy.
I have successfully installed an ASA with Anyconnect. The Anyconnect client on my laptop works great.
But why should i now buy an Cisco Anyconnect Essentials License, for what exact is that license ?
Anyconnect works great without that license.
But i cant connnect with my IPhone with the Cisco Anyconnect for Iphone app. Should i buy the Anyconnect for Mobile license, and is this license just for one device or for all devices. Because that license is really cheap. Normaly Cisco licenses are expensiv.
Thanks and kind regards patrickIf you don't have any AnyConnect Premium licenses, then you are restricted to two simultanious connections if you don't have the anyConnect Essentials license. And you are right, for i-devices (and Android and ...) you need the AnyConnect Mobile license.
Both AnyConnect Essentials and AnyConnect Mobile are licensed per ASA and not per concurrent user/connection. And AnyConnect Mobile needs an AnyConnect Essential or an AnyConnect Preimium License to be activated.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Strange Behavior for web deployment of Anyconnect essentials
We've got a weird problem that has popped up and we've been unable to figure out what's going on.
We have instructed our user community to start their VPN sessions by connecting to our ASA 5520 with a browser to download (if necessary) and initiate the Anyconnect essentials VPN client. Everything was working fine until a few days ago.
We have had several people report the same problem. They connect with the browser, enter their login information and are greeted with our "authorized use only" message by the ASA. Then, instead of downloading (if necessary) and starting the VPN client software, the web page just goes back to the login prompt without displaying any error message. The client software is never downloaded or started.
We've been able to work around this by installing the client software manually (where necessary) and starting the VPN client from the start menu. However, this isn't our preferred solution because this method won't have them automatically picking up updated versions of the VPN client.
We have seen this behavior before when there was a pending Java update that had not been applied. However, that doesn't seem to be the case this time. Clients have recently updated to IE9, but I have personnally been running the Anyconnect client and launching through IE9 for months.
Any ideas about what's wrong or how to debug this?
Thanks
PatrickHi Patrick,
Ideally, when you have Anyconnect Essentials enabled on the ASA, you cannot get access to the Clientless VPN (Web Portal access to the internal resources) however the Web Launch of the Anyconnect client does work with it.
I see that you have implemented this a different way (workaround) by manually installing the Anyconnect VPN clients on the machines and then trying to connect it to the ASA, which works and this means that configuration on the ASA for allowing the Anyconnect connection is correct. Now it is not allowing you to launch it from the web portal on machines which means the download access has been restricted somewhere on the ASA.
Could you please follow these two steps and let me know if you see something different.
1. Get access to the ASDM and follow this: Configuration>>Remote Access>>Anyconnect>>Edit the tunnel-group on which you connection is landing>>Login setting. Please check if it says go to the clientless portal or launch Anyconnect. It has to be Download Anyconnect automatically.
2. If you are not getting the prompt for the username and password on the webportal then go to Configuration>>Remote Access>>Clientless (not sure if it is under Anyconnect or clientless, please check both) where you get option: shut down portal login on the main page. Please make sure that it is unchecked.
In your case I see that the users are getting prompt for the username and password however when you authenticate yourself you are getting error message: authorized use only then it could be something to do with the DAP Policies (dynamic access policy).
Go to the dynamic access policies and you will get an option named as Anyconnect (please check if the correct option is checked under the same). If multiple dap policies are configured then please check the dap policy which gets pushed when the user logs in and make changes to that specific dap policy.
Please let me know if this help else I would request you to open a TAC request and we will look into this issue. If you find something different then please share here.
Thanks,
Vishnu Sharma -
5505 Anyconnect essentials license clarification please
Have a "base" 5505 with the upgrade to 50 inside hosts.
I just added the ASA-AC-E-5505 25 Anyconnecr Essentials license key to that unit.
The show version now shows Anyconnect Essentials enabled, but the "total VPN Peers" is still at 10.
Do I have the ability to have 25 Anyconnect clients connect to my network? or am I limited to 10?
I have read many threads, but just get more and more confused.
Thanks
DWNewmanHi Dennis,
Just to add to what Naresh said, the other VPN is for IPsec VPN (Site to Site or Remote Access).
After adding the key if you check the show version you would see something like this:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect Essentials : Enabled
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 100 perpetual
Total UC Proxy Sessions : 100 perpetual
YOu can also check the same by show vpn-sessiondb summary
Thanks
Jeet Kumar -
AnyConnect 3.0 with ASA5510 no Internal Access
We have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network, but I am having problems figuring that out and looking for a little guidance.
Thank you in advance.
-NickYou have to create a access list.
e.g access-list NO-NAT extended permit object-group VPN-DHCP-POOL any ( feel free to restrict access here) log
Then create no NAT rule
e.g Nat (interface) 0 access-list NO-NAT
Sent from Cisco Technical Support iPad App -
ASA5510 VPN not working after upgrade from 8.2 to 8.3
Hi,
I have recently upgraded a customer ASA5510 to version 8.3.
After upgrade web access etc is working fine however VPN is down.
The config looks very different after the upgrade plus what looks to be duplicate entries.
I suspect its an access list issue but I'm not sure.
If anyone has any ideas based on the config below it would be greatly appreciated as I'm at a loss....?!
hostname ciscoasa
domain-name default.domain.invalid
enable password NvZgxFP5WhDo0hQl encrypted
passwd FNeDAwBbhVaOtVAu encrypted
names
dns-guard
interface Ethernet0/0
nameif Outside
security-level 0
ip address 217.75.8.203 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name default.domain.invalid
object network obj-192.168.1.2-04
host 192.168.1.2
object network obj-192.168.1.7-04
host 192.168.1.7
object network obj-192.168.1.0-02
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0-02
subnet 192.168.2.0 255.255.255.0
object network obj-10.1.2.0-02
subnet 10.1.2.0 255.255.255.0
object network obj-192.168.1.224-02
subnet 192.168.1.224 255.255.255.240
object network obj-192.168.1.9-02
host 192.168.1.9
object network obj-192.168.1.2-05
host 192.168.1.2
object network obj-192.168.1.103-02
host 192.168.1.103
object network obj-192.168.1.7-05
host 192.168.1.7
object network NETWORK_OBJ_10.1.2.0_24
subnet 10.1.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network obj-192.168.1.2-02
object-group network obj-192.168.1.7-02
object-group network obj-192.168.1.0-01
object-group network obj-192.168.2.0-01
object-group network obj-10.1.2.0-01
object-group network obj-192.168.1.224-01
object-group network obj-192.168.1.9-01
object-group network obj-192.168.1.2-03
object-group network obj-192.168.1.103-01
object-group network obj-192.168.1.7-03
object-group network obj-192.168.1.2
object-group network obj-192.168.1.7
object-group network obj-192.168.1.0
object-group network obj-192.168.2.0
object-group network obj-10.1.2.0
object-group network obj-192.168.1.224
object-group network obj-192.168.1.9
object-group network obj-192.168.1.2-01
object-group network obj-192.168.1.103
object-group network obj-192.168.1.7-01
object-group network obj_any
object-group network obj-0.0.0.0
object-group network obj_any-01
object-group service MonitcomUDP udp
port-object range 3924 3924
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
access-list Outside_access_in remark Monitcom
access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
access-list Outside_access_in extended permit udp any any eq 4500 inactive
access-list Outside_access_in extended permit udp any any eq isakmp inactive
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list RemoteVPN_splitTunnelAcl standard permit any
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm location 192.168.1.208 255.255.255.252 Inside
asdm location 192.168.1.103 255.255.255.255 Inside
asdm location 192.168.1.6 255.255.255.255 Inside
asdm location 192.168.1.7 255.255.255.255 Inside
asdm location 192.168.1.9 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02 unidirectional
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional
nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
object network obj-192.168.1.2-04
nat (Outside,Inside) static 217.75.8.204
object network obj-192.168.1.7-04
nat (Outside,Inside) static 217.75.8.206
object network obj-192.168.1.0-02
nat (Inside,Outside) dynamic interface
object network obj-192.168.1.9-02
nat (Inside,Outside) static 217.75.8.201
object network obj-192.168.1.2-05
nat (Inside,Outside) static 217.75.8.204
object network obj-192.168.1.103-02
nat (Inside,Outside) static 217.75.8.205
object network obj-192.168.1.7-05
nat (Inside,Outside) static 217.75.8.206
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DellServerAAA protocol radius
aaa-server DellServerAAA (Inside) host 192.168.1.4
key test
http server enable
http 62.17.29.2 255.255.255.255 Outside
http 82.141.224.155 255.255.255.255 Outside
http 63.218.54.8 255.255.255.252 Outside
http 213.79.44.213 255.255.255.255 Outside
http 192.168.1.0 255.255.255.0 Inside
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto ipsec df-bit clear-df Inside
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 89.127.172.29
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer 89.105.114.98
crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity key-id nattingreallymatters
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 82.141.224.155 255.255.255.255 Outside
ssh 62.17.29.2 255.255.255.255 Outside
ssh 213.79.44.213 255.255.255.255 Outside
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
wins-server value 192.168.1.31
dns-server value 192.168.1.31
default-domain value freefoam.ie
username freefoam password JLYaVf7FqRM2LH0e encrypted
username cork password qbK2Hqt1H5ttJzPD encrypted
tunnel-group 193.114.70.130 type ipsec-l2l
tunnel-group 193.114.70.130 ipsec-attributes
pre-shared-key ******
tunnel-group 89.127.172.29 type ipsec-l2l
tunnel-group 89.127.172.29 ipsec-attributes
pre-shared-key ******
tunnel-group 89.105.114.98 type ipsec-l2l
tunnel-group 89.105.114.98 ipsec-attributes
pre-shared-key *****
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool VPNPool
authentication-server-group DellServerAAA
default-group-policy RemoteVPN
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0dc16fe893bd4bba6fdf6b7eed93e553Hi,
Many thanks for your reply.
Finally got access to implement your suggestions.
Initially none of the VPN's were up.
After making the change the two VPN's came up.
However only data via the first VPN is possible.
Accessing resources on the 10.1.2.0 network is still not possible.
Attached is the latest config, any input is greatly appreciated;
hostname ciscoasa
domain-name default.domain.invalid
enable password NvZgxFP5WhDo0hQl encrypted
passwd FNeDAwBbhVaOtVAu encrypted
names
dns-guard
interface Ethernet0/0
nameif Outside
security-level 0
ip address 217.75.8.203 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name default.domain.invalid
object network obj-192.168.1.2-04
host 192.168.1.2
object network obj-192.168.1.7-04
host 192.168.1.7
object network obj-192.168.1.0-02
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0-02
subnet 192.168.2.0 255.255.255.0
object network obj-10.1.2.0-02
subnet 10.1.2.0 255.255.255.0
object network obj-192.168.1.224-02
subnet 192.168.1.224 255.255.255.240
object network obj-192.168.1.9-02
host 192.168.1.9
object network obj-192.168.1.2-05
host 192.168.1.2
object network obj-192.168.1.103-02
host 192.168.1.103
object network obj-192.168.1.7-05
host 192.168.1.7
object network NETWORK_OBJ_10.1.2.0_24
subnet 10.1.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network obj-192.168.1.2-02
object-group network obj-192.168.1.7-02
object-group network obj-192.168.1.0-01
object-group network obj-192.168.2.0-01
object-group network obj-10.1.2.0-01
object-group network obj-192.168.1.224-01
object-group network obj-192.168.1.9-01
object-group network obj-192.168.1.2-03
object-group network obj-192.168.1.103-01
object-group network obj-192.168.1.7-03
object-group network obj-192.168.1.2
object-group network obj-192.168.1.7
object-group network obj-192.168.1.0
object-group network obj-192.168.2.0
object-group network obj-10.1.2.0
object-group network obj-192.168.1.224
object-group network obj-192.168.1.9
object-group network obj-192.168.1.2-01
object-group network obj-192.168.1.103
object-group network obj-192.168.1.7-01
object-group network obj_any
object-group network obj-0.0.0.0
object-group network obj_any-01
object-group service MonitcomUDP udp
port-object range 3924 3924
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
access-list Outside_access_in remark Monitcom
access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
access-list Outside_access_in remark ESS Access
access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
access-list Outside_access_in extended permit udp any any eq 4500 inactive
access-list Outside_access_in extended permit udp any any eq isakmp inactive
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Outside_access_in remark Allow webmail access
access-list Outside_access_in remark Allow Hansa Live access
access-list Outside_access_in remark Monitcom
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark ESS Access
access-list Outside_access_in remark Allow TMS Web Access
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list RemoteVPN_splitTunnelAcl standard permit any
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
access-list global_access extended permit ip any any
access-list Outside_cryptomap_80_3 extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Split-tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm image disk0:/asdm-647.bin
asdm location 192.168.1.208 255.255.255.252 Inside
asdm location 192.168.1.103 255.255.255.255 Inside
asdm location 192.168.1.6 255.255.255.255 Inside
asdm location 192.168.1.7 255.255.255.255 Inside
asdm location 192.168.1.9 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02
nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
object network obj-192.168.1.2-04
nat (Outside,Inside) static 217.75.8.204
object network obj-192.168.1.7-04
nat (Outside,Inside) static 217.75.8.206
object network obj-192.168.1.0-02
nat (Inside,Outside) dynamic interface
object network obj-192.168.1.9-02
nat (Inside,Outside) static 217.75.8.201
object network obj-192.168.1.2-05
nat (Inside,Outside) static 217.75.8.204
object network obj-192.168.1.103-02
nat (Inside,Outside) static 217.75.8.205
object network obj-192.168.1.7-05
nat (Inside,Outside) static 217.75.8.206
nat (Inside,Outside) after-auto source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DellServerAAA protocol radius
aaa-server DellServerAAA (Inside) host 192.168.1.4
key test
http server enable
http 62.17.29.2 255.255.255.255 Outside
http 82.141.224.155 255.255.255.255 Outside
http 63.218.54.8 255.255.255.252 Outside
http 213.79.44.213 255.255.255.255 Outside
http 192.168.1.0 255.255.255.0 Inside
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto ipsec df-bit clear-df Inside
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 89.127.172.29
crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-MD5
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer 89.105.114.98
crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity key-id nattingreallymatters
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 82.141.224.155 255.255.255.255 Outside
ssh 62.17.29.2 255.255.255.255 Outside
ssh 213.79.44.213 255.255.255.255 Outside
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
anyconnect-essentials
svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
wins-server value 192.168.1.31
dns-server value 192.168.1.31
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-tunnel
default-domain value freefoam.ie
username freefoam password JLYaVf7FqRM2LH0e encrypted
username cisco password DfO7NBd5PZ1b0kZ1 encrypted privilege 15
username cork password qbK2Hqt1H5ttJzPD encrypted
tunnel-group 193.114.70.130 type ipsec-l2l
tunnel-group 193.114.70.130 ipsec-attributes
pre-shared-key ************
tunnel-group 89.127.172.29 type ipsec-l2l
tunnel-group 89.127.172.29 ipsec-attributes
pre-shared-key ************
tunnel-group 89.105.114.98 type ipsec-l2l
tunnel-group 89.105.114.98 ipsec-attributes
pre-shared-key ************
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool VPNPool
authentication-server-group DellServerAAA
default-group-policy RemoteVPN
tunnel-group RemoteVPN webvpn-attributes
group-alias Anyconnect enable
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key c0nnect10nParameter$
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fae6b7bc25fcf39daffbcdc6b91c9d8e -
ASA5510 sla monitor does not fail back
I've been down this path before and never got a resolution to this issue.
ASA5510 Security Plus
Primary ISP conn is Comcast cable
Secondary ISP conn is fract T1
I duplicated the SLA code from http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
When I pull the conn from primary ISP the default route to the secondary comes up
When I reconnect the primary the default route to the secondary does not go away.
I must either reload the ASA or remove/readd the two default outside routes.
Anyone have this same experience and could lend a hand?
Are there any commands I might have in my config that break SLA?
If so I would have hoped either the Configuration Guide or Command Reference for 8.2 would say so, but I don't see any mentioned.
I'm working remotely with my customer so I can't play with this except on off-hours.
ASA running 8.2(2) so as to use AnyConnect Essentials.
Thx,
PhilPls. read and try the workaround.
CSCtc16148 SLA monitor fails to fail back when ip verify reverse is applied
Symptom:
Route Tracking may fail to fail back to the primary link/route when restored.
Conditions:
SLA monitor must configured along with ip verify reverse path on the tracked interface.
Workaround:
1. Remove ip verify reverse path off of the tracked interface
or
2. add a static route to the SLA target out the primary tracked interface.
[Wrap text] [Edit this enclosure]
Release-note: Added 09/23/2009 20:28:24 by kusankar
[Unwrap text] [Edit this enclosure]
Release-note: Added 09/23/2009 20:28:24 by kusankar
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1.1_interim-by-cl104097&ext=&type=FILE
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-8.3.1.1_interim-by-cl104097: Added 03/23/2010 11:54:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850&ext=&type=FILE
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-8.3.1_fcs_throttle-by-cl103850: Added 03/22/2010 15:48:05 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-bennu-by-cl101314&ext=&type=FILE
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-bennu-by-cl101314: Added 02/18/2010 19:06:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-idfw-by-cl101317&ext=&type=FILE
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-idfw-by-cl101317: Added 02/18/2010 19:09:07 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-logging-ng-by-cl101311&ext=&type=FILE
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-logging-ng-by-cl101311: Added 02/18/2010 19:03:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-broadview-main-by-cl101300&ext=&type=FILE
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-broadview-main-by-cl101300: Added 02/18/2010 18:27:07 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-64bit-by-cl101362&ext=&type=FILE
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-sedona-64bit-by-cl101362: Added 02/19/2010 04:52:24 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-bv64-by-cl101426&ext=&type=FILE
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-sedona-bv64-by-cl101426: Added 02/19/2010 11:42:41 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-sedona-main-by-cl101297&ext=&type=FILE
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-sedona-main-by-cl101297: Added 02/18/2010 18:24:15 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-8.2.2_fcs_throttle-by-cl101307&ext=&type=FILE
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-titan-8.2.2_fcs_throttle-by-cl101307: Added 02/18/2010 18:57:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-bennu-by-cl101294&ext=&type=FILE
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-titan-bennu-by-cl101294: Added 02/18/2010 18:24:08 by perforce
[Uwrap text] [Edit this enclosure]
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=fixed-in-titan-main-by-cl101282&ext=&type=FILE
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
[Wrap Text] [Edit this enclosure]
fixed-in-titan-main-by-cl101282: Added 02/18/2010 16:48:04 by perforce
[Uwrap text] [Edit this enclosure]
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankarCan not view this .log file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=sla-mon-sh-tech&ext=log&type=FILE
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankarCan not view this .log file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
[Wrap Text] [Edit this enclosure]
sla-mon-sh-tech: Added 09/23/2009 20:43:52 by kusankar
[Uwrap text] [Edit this enclosure]
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://cdetsweb-prd.cisco.com/apps/dumpcr_att?identifier=CSCtc16148&title=static-analysis-titan-main&ext=&type=FILE
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforceCan not view this . file attachment inline, please click on the following link to view the attachment.
http://
[UnWrap text] [Edit this enclosure]
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
[Wrap Text] [Edit this enclosure]
static-analysis-titan-main: Added 02/18/2010 16:48:07 by perforce
-KS -
Anyconnect/Webvpn different ip
Hi,
We have an ASA5510 with the Anyconnect Essentials license. I'm in the process of setting up Anyconnect and immediately run into a question. We have a /29 subnet setup and AFAIK i must use the outside interface address for Anyconnect. However i already have an https service PAT forward on this address. So, can i setup Anyconnect to listen on eg. the second ip in my public subnet?
Thanks,
Dennes
Sent from Cisco Technical Support iPhone AppYou have to use the outside IP address for the WebVPN and anyconnect VPN. However, if you are using port 443 for another pat you can specify the webvpn to use something like 8443 instead for the webvpn using the same outside IP address for both connections. Here is an example of how to change the webvpn port.
config t
webvpn
enable outside
port 8443
Sent from Cisco Technical Support iPad App -
AnyConnect won't download to client PC
I have an ASA5510 ver 8.2(1)1
I have configured two anyconnect VPNS. I have enabled both clientless and svc mode on both. The clientless works. They can conenct to the webpage and access plugins and access hosts on the internal network.
however the software wont download. and if I install the anyconnect client manually I can't even connect then. Depending on the version fo client I get either "Anyconnect is not enabled" or Can't start secure Desktop.
Any work aorund for this?
Config:
group-policy mypol_vpn_policy internal
group-policy mypol_vpn_policy attributes
dns-server value 10.x.x.x
vpn-filter value mypol_VPN_ACCESS_ACL
vpn-tunnel-protocol svc webvpn
split-tunnel-network-list value mypol_Split_Tunnel
address-pools value mypool_Pool
webvpn
http-proxy disable
svc keep-installer installed
svc ask enable default svc
customization value mypol
tunnel-group mypol_vpn_policy type remote-access
tunnel-group mypol_vpn_policy general-attributes
default-group-policy mypol_vpn_policy
tunnel-group mypol_vpn_policy webvpn-attributes
group-alias mypol enable
group-url https://xxx.com/mypol enable
files in flash:
csd_3.6.3002-k9.pkg
anyconnect-dart-win-2.4.1012-k9.pkg
any ideas please?Unfortunately i tired that, but the ocmmand is nto available:
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect enable
^
ERROR: % Invalid input detected at '^' marker.
ASA(config-webvpn)# ?
WebVPN commands:
anyconnect-essentials Enable/Disable AnyConnect Essentials
apcf Load Aplication Profile Customization Framework (APCF)
profile
auto-signon Configure auto-sign to allow login to certain
applications using the WebVPN session credentials
cache Configure WebVPN cache
certificate-group-map Associate a tunnel-group with a certificate map rule
character-encoding Configures the character encoding for WebVPN portal
pages
csd This specifies whether Cisco Secure Desktop is enabled
and the package file name to be used.
default-idle-timeout This is the default idle timeout in seconds
default-language Default language to use
dtls Configure DTLS for WebVPN
enable Enable WebVPN on the specified interface
error-recovery Contact TAC before using this command
exit Exit from WebVPN configuration mode
file-encoding Configures the file encoding for a file sharing server
help Help for WebVPN commands
http-proxy This is the proxy server to use for HTTP requests
https-proxy This is the proxy server to use for HTTPS requests
internal-password Adds an option to input a different password for
accessing internal servers
java-trustpoint Configure WebVPN java trustpoint
keepout Shows Web page when the login is disabled
memory-size Configure WebVPN memory size. CHECK MEMORY USAGE
BEFORE APPLYING THIS COMMAND. USE ONLY IF ADVISED BY
CISCO
no Remove a WebVPN command or set to its default
onscreen-keyboard Adds WebVPN onscreen keyboard for typing password on
the WebVPN logon page and internal pages requiring
authentication
port WebVPN should listen for connections on the specified
port
port-forward Configure the port-forward list for WebVPN
proxy-bypass Configure proxy bypass
rewrite Configure content rewriting rule
smart-tunnel Configure a list of programs to use smart tunnel
sso-server Configure an SSO Server
svc This specifies whether the SSL VPN Client is enabled
and the package file name to be used.
tunnel-group-list Configure WebVPN group list dropdown in login page -
License with anyconnect on asa 5520
Dear All,
We have a single ASA 5510 with version 7.2 (3) in our network and configured many IPSEC site to site, IPSEC - remote access vpn and webvpn with SSL. Everything is working well.
ASA-5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(2)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ASA-5510-1 up 86 days 11 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0027.0d38.034e, irq 9
1: Ext: Ethernet0/1 : address is 0027.0d38.034f, irq 9
2: Ext: Ethernet0/2 : address is 0027.0d38.0350, irq 9
3: Ext: Ethernet0/3 : address is 0027.0d38.0351, irq 9
4: Ext: Management0/0 : address is 0027.0d38.0352, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 25
This platform has an ASA 5510 Security Plus license.
===============================================================================================
As business improves we are now planning to upgrade our ASA 5510 to ASA 5520 ( 02 nos ver 8.2(5). With the new ASA 5520 we would be planning to buy Any connect vpn license as well.
Finally we will need on the ASA 5520 IPSEC site to site vpn, IPSEC - remote access vpn , clientless vpn with SSL & Any connect vpn license. What are the licences should i purchase inorder to have all the above services on the box with version 8.2(5) ?
suppose if i need to have cisco desktop software which is the license i should have along with other services?
Thanks in advanceI am just away from office .. Will provide same tomorrow...
Meanwhile "L-ASA-SSL-50=ASA 5500 SSL VPN 50 Premium User License" this is the licence i have procured from cisco. I would need
both Anyconnect vpn & SSL clientless should be working on the system. Hope i would acheive with the above license.
Below is the output i got when generated the Licence key. please clarrify. thanks in advance
Failover : Enabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
AnyConnect Premium Peers : 50
Other VPN Peers : 750
Advanced Endpoint Assessment : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Shared License : Disabled
UC Phone Proxy Sessions : Default
Total UC Proxy Sessions : Default
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
Intercompany Media Engine : Disabled -
Replacement of primary unit failed! (ASA5510 active/standby)
Hi all,
I have an issue bringing up my RMA'd primary ASA unit.
So what happened so far:
1. primary unit failed
2. secondary took over and is now secondary - active (as per sh fail)
2. requested RMA at Cisco
3. got ASA and checked that Lic (SSL), OS (8.2.2) and ASDM are at the same level as the secondary
4. issued wr erase and reloaded
5. copied the following commands to the new (RMA) primary unit:
failover lan unit primary
failover lan interface Failover Ethernet3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
int eth3
no shut
failover
wr mem
6. installed primary unit into rack
7. plugged-in all cables (network, failover, console and power)
8. fired up the primary unit
9. expected that the unit shows:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
10. but nothing happened on primary unit
So can anyone give me assistance on what is a valid and viable approach in replacing a failed primary unit? Is there a missing step that hinders me to successfully replicate the secondary - active config to the primary - standby unit.
I was looking for help on the net but unfortunately I was not able to find anything related to ASA55xx primary unit replacement with a clear guideline or step by step instructions.
Any comments or suggestions are appreciated, and might help others who are in the same situation.
Thanks,
NicoHi Varun,
Thanks for catching-up this thread.
Here you go:
sh run fail on secondary - active:
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.x.x.9 255.255.255.248 standby 172.x.x.10
sh fail hist on secondary - active:
asa1# sh fail hist
==========================================================================
From State To State Reason
==========================================================================
23:47:15 CEST Feb 19 2011
Not Detected Negotiation No Error
23:47:19 CEST Feb 19 2011
Negotiation Cold Standby Detected an Active mate
23:47:21 CEST Feb 19 2011
Cold Standby Sync Config Detected an Active mate
23:47:36 CEST Feb 19 2011
Sync Config Sync File System Detected an Active mate
23:47:36 CEST Feb 19 2011
Sync File System Bulk Sync Detected an Active mate
23:47:50 CEST Feb 19 2011
Bulk Sync Standby Ready Detected an Active mate
10:34:09 CEDT Sep 3 2011
Standby Ready Just Active HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Just Active Active Drain HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Drain Active Applying Config HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Applying Config Active Config Applied HELLO not heard from mate
10:34:09 CEDT Sep 3 2011
Active Config Applied Active HELLO not heard from mate
==========================================================================
sh fail on secondary - active
asa1# show fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(2), Mate 8.2(2)
Last Failover at: 10:34:09 CEDT Sep 3 2011
This host: Secondary - Active
Active time: 441832 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface Outside (x.x.x.14): Normal (Waiting)
Interface Inside (x.x.x.11): Normal (Waiting)
slot 1: empty
Other host: Primary - Failed
Active time: 40497504 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.2(2)) status (Unknown/Unknown)
Interface Outside (x.x.x.15): Unknown
Interface Inside (x.x.x.12): Unknown
slot 1: empty
Stateful Failover Logical Update Statistics
Link : Failover Ethernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 2250212 0 64800624 309
sys cmd 2250212 0 2249932 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 46402635 309
UDP conn 0 0 21248 0
ARP tbl 0 0 15921639 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKE upd 0 0 96977 0
VPN IPSEC upd 0 0 108174 0
VPN CTCP upd 0 0 19 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 17 203259096
Xmit Q: 0 1 2250212
show ver on secondary - active
asa1# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
asa1 up 200 days 12 hours
failover cluster up 1 year 108 days
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0022.55cf.7420, irq 9
1: Ext: Ethernet0/1 : address is 0022.55cf.7421, irq 9
2: Ext: Ethernet0/2 : address is 0022.55cf.7422, irq 9
3: Ext: Ethernet0/3 : address is 0022.55cf.7423, irq 9
4: Ext: Management0/0 : address is 0022.55cf.741f, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 10
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: xxx
Running Activation Key:xxxx
Configuration register is 0x1
Configuration last modified by enable_1 at 10:05:32.149 CEDT Fri Jul 15 2011 -
When upgrading failover pairLast week I had to upgrade ASA5510
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is f0f7.55f3.25be, irq 9
1: Ext: Ethernet0/1 : address is f0f7.55f3.25bf, irq 9
2: Ext: Ethernet0/2 : address is f0f7.55f3.25c0, irq 9
3: Ext: Ethernet0/3 : address is f0f7.55f3.25c1, irq 9
4: Ext: Management0/0 : address is f0f7.55f3.25bd, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1619X0C7
Running Permanent Activation Key: 0xe309e24d 0x50896012 0x98b3ad80 0x98445458 0x0615368e
Configuration register is 0x1
Configuration has not been modified since last system restart.
ciscoasa# ac
ciscoasa# activati
ciscoasa# activation-key e309e24d 50896012 98b3ad80 98445458 0615368e
Validating activation key. This may take a few minutes...
The requested key is the SAME as the flash permanent activation-key.
The flash activation key will not be modified.
ciscoasa#
I would like to the ASA5510 Base license upgrade to Security Plus license. But after the upgrade is still the license of the Base
I think I was wrong option selected in the process of upgrading, how should I do to be successful upgradeHi Desh,
The key which you have used for activation is the same key that is exist in the ASA. So ASA will not have any changes when you give the same key which is already installed. You should have the different key which should be an licensed key for sec plus bundle.
Serial Number: JMX1619X0C7
Running Permanent Activation Key: 0xe309e24d 0x50896012 0x98b3ad80 0x98445458 0x0615368e
Configuration register is 0x1
Configuration has not been modified since last system restart.
ciscoasa# ac
ciscoasa# activati
ciscoasa# activation-key e309e24d 50896012 98b3ad80 98445458 0615368e
Validating activation key. This may take a few minutes...
The requested key is the SAME as the flash permanent activation-key.
The flash activation key will not be modified.
ciscoasa#
Please do rate if the given information helps.
By
Karthik -
Software license of ASA5510 to enable Failover
I have two ASA5510. I want to make failover between the two firewalls. However, when I use the command "show version", the display shows that the Failover is disabled. Anyone can help me?
Here is the output of "show version":
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.Hello Liwei,
Security Plus license is required on both units in order to enable failover,
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
Maybe you are looking for
-
Sync failed to start w/ iTunes 10.7, iPod Touch 3rd gen
Since upgrading to iTunes 10.7 on Windows 7x64, I have had trouble getting my iPod Touch (3rd gen, 5.1.1) to sync. I am getting the message "sync failed to start". This happens with either WiFi or USB connection to the device. I know the iPod WiFi is
-
Upgraded to ios8 on ipod last night and now it won't play any music I didn't purchase via itunes.
Upgraded to ios 8 on my ipod touch last night. Today when I've tried to play songs I've had loaded that were not iTunes purchases, the songs will not play. The screen scrolls through all tracks on the albums quickly and returns to the album screen.
-
Deficit of BA Stck.in qual.insp 6,800.000 CS : 1611 DW0
Hi gurus, We are encountering problems in writing off WM DIFF because we have in the list QI stocks on hold. When we tried to write off one batch (we are batch managed), the error said - you have to clear QI stocks separately with or without inspect
-
My iPhone 5 with 6.1.2 is draining the battery in 4 hours with little use. It has just started. Any suggestions? Any apps that are known to cause a problem? I recently loaded Fantastical and Cobook (since deleted).
-
Move-corresponding in table type Field-Symbols
Hi, I have to use one statement in field-symbol similar to "move-corresponding" in normal internal table.Is it possible to use statement similar to "Move-corresponding in field-symbols". For Eg: Field-symbols <FA_IT> type standard table. data:beg