ASA 5520 VERSION 8.2 UPGRADE TO 9.0
Hello friends,
I am considering to perform an upgrade of my ASA 5520 with versión 8.2 to 9.0, so I will enjoy the benefits of anyconnect for mobile devices. I clearly understand that I must pay special attention to:
NAT Rules.
RAM Memory: 2 GB.
Adding the part numbers to power on the newest versions of anyconnect and for mobile devices
L-ASA-AC-E-5520= ASA-AC-M-5520=
am I missing any other thing? Flash requirement? Or to pay attention to some other configurations?
Any comment or documentation will be appreciated.
Regards!
You can run the latest AnyConnect client - including mobile clients - with those licenses even on an ASA with the current 8.2 code - 8.2(5) as of now. While it's a bit old and lacking some of the newer features, it's a solid and stable release.
That would save you the trouble of migrating your NAT configuration (and other bits) and upgrading memory.
Since the ASA 5500 series (5510, 5520 etc.) is past End of Sales you have a limited future on those platforms. For instance, ASA 9.1(x) is the last set of code releases that will be available for them. (The current software on the 5500-X is 9.3(1).)
Similar Messages
-
ASA 5520 Version 8.2(1) Split tunnel enable Process
Hi,
We have configured a cisco ASA 5520 firewall as a remote VPN. Remote VPN user connected properly but VPN user disconnected form internet. So we need to configure split tunnel. Please help us how to configure split tunnel and require parameters/field. Thanks...Hi,
The setup is usually pretty easy
First you should create a Standard ACL that defines the networks which are found behind the VPN connection from the users perspective. In other words the networks that need to be tunneled.
For example if your LAN networks was 10.0.0.0/24
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
Then you would need to configure some additional things in your VPN client connections "group-policy"
For example
group-policy CLIENT attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
The above would essentially handle the Split Tunnel portion of the configurations. The "split-tunnel-policy" command specifies how the network selection for the VPN is handled. It might aswell be configured to specify Full Tunnel or to simply Exclude some networks. The "split-tunnel-network-list value" command tells the ASA the networks used in the Split Tunnel (the ACL we created)
Hope this helps
- Jouni -
ASA 5520 auto-update polling error
Hi,
the polling service for auto-update on my ASA 5520 is not working properly. Does anyone have ideas which could be the reason for this?
Platform: ASA 5520
Version: 8.4(2)
Config:
auto-update device-id hostname
auto-update poll-at thursday 5:00 randomize 3 3
auto-update server https://*@X.X.X.X/autoupdate/AutoUpdateServlet
Output of sh auto-update:
Server: https://X.X.X.X/autoupdate/AutoUpdateServlet
Poll thursday randomly between 5:00 and 5:03, retry count: 3, retry period: 5 minutes
Timeout: none
Device ID: host name [dontletthemin]
Under normal circumstances i would expect additional lines from the sh auto-update command like:
Next poll in 4.93 minutes
Last poll: 11:36:46 PST Tue Nov 13 2012
But this output does not appear. I've searced the bug-Toolkit but did not found a entry which could explain this behaviour.Hi
Many thanks for the respose.
Sorry I have not made any progress with this as yet: the only thing I have done is us the packet tracer, which passed I am just going to check the route of the packet once it has left the interface as it has got to be that or the URL is wrong.
Regards MJ -
ASA 5520 Upgrade From 8.2 to 9.1
To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
I appreciate all the help in advance.Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
Divide NAT configurations based on type
Dynamic NAT/PAT
Static NAT
Static PAT
NAT0
All Policy Dynamic/Static NAT/PAT
Learn the basic configuration format for each type of NAT configuration
Start by converting the easiest NAT configurations
Dynamic NAT/PAT
Static NAT/PAT
Next convert the NAT0 configurations
And finally go through the Policy NAT/PAT configurations
Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
So to summarize
Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
Learn the new NAT configuration format
Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
Convert the configurations manually
Lab/test the configurations on an test ASA
During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind as its getting quite late here
Hope this helps
- Jouni -
ASA 5520 upgrade from 8.4.6 to 9.1.2
Dear All,
I am having ASA 5520 in Active Standby failover configuration . I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on cisco site .
Below is the process :
Upgrade an Active/Standby Failover Configuration
Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
Download the new software to both units, and specify the new image to load with the boot system command.
Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
active#failover reload-standby
When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
active#no failover active
Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
Reload the former active unit (now the new standby unit) by entering the reload command:
newstandby#reload
When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
newstandby#failover active
This completes the process of upgrading an Active/Standby Failover pair.
Also after upgrade are there any changes required after IOS migration ( i.e are there any changes in the command line of 8.4.6 and 9.1.2 )
It is mentioned on cisco site that
Major Release
—You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.Hi Tushar,
The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions, it's just that in access-rule from 9.1 you have to any4 instead of any for ipv4 and any6 for ipv6. During conversion it will get convert automatically.
Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
- Prateek Verma -
ASA 5520 Software & Firmware Upgrades
Is there a way to update the firmware / microcode on the ASA or SSM? I am planning on upgrading the ASA version from 7.2(2) to 8.0(4) and was wondering how, if at all, the firmware was ever upgraded too. The output from 'sh module' is below.
ASA# sh module
Mod Card Type Model Serial No.
0 ASA 5520 Adaptive Security Appliance ASA5520-K8 JMX1044K1S9
1 ASA 5500 Series Security Services Module-10 ASA-SSM-10 JAF10370340
Mod MAC Address Range Hw Version Fw Version Sw Version
0 0018.19eb.ba7d to 0018.19eb.ba81 1.1 1.0(11)2 7.2(2)
1 000a.b89c.d12c to 000a.b89c.d12c 1.0 1.0(11)2 6.0(1)E1
Mod SSM Application Name Status SSM Application Version
1 IPS Up 6.0(1)E1
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
1 Up Up
ASA#
Thanks,
TimothyI would not recommend upgrading - search the posts for 8.0(4) - you will find alot of people have had issues.
If there is no specific reason for the upgrade i.e feature enhancments, I suggest you stay on 7.2(2) -
Just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I have copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it's not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.
Try this,
To upgrade/install the ASDM follow the example procedure,
ASA(config)# copy tftp flash
Address or name of remote host [x.x.x.x]?
Source filename [pix704.bin]? asdm-504.bin
Destination filename [asdm-504.bin]?
Accessing tftp://x.x.x.x/asdm-504.bin...!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/asdm-504.bin...
5958324 bytes copied in 165.460 secs (36111 bytes/sec)
ASA(config)#
ASA(config)# sh flash
Directory of flash:/
7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
// asdm-504.bin is now copied in the flash. Now we need to set PIX to use
// this image for loading ASDM.
ASA(config)# asdm image flash:/asdm-504.bin
// Last steps involve saving the running configuration to memory as we have
// made changes to boot files and reloading the PIX.
ASA(config)# write memory
Building configuration...
Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
4807 bytes copied in 3.20 secs (1602 bytes/sec)
[OK]
ASA(config)# reload
// Once PIX comes back up, we can verify that upgradation has been successfull
// by using "show version" command.
Refer to the link ASDM Upgrade Procedure
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8
hope this helps.. all the best.. rate replies if found useful..
Raj -
Older version of openssl in cisco asa 5520
Hi,
Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have to check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
Thanks,
SridharSridhar,
W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
Marcin -
Asa 5520 "loosing" code after code has been put in and operating
Sorry to ask this if it has all ready been covered. We have an asa 5520 running 8.3.2(1) code. Three times now I have entered code and rules in our asa and had things working, only to have the code "dissapear" and thus things stop working. We upgraded to 8.3.2(1) back in January of 2011, and have not had this problem until the last month. I was wondering if there is a bug with 8.3.2(1) code that has decided to show itself for whatever reason now. We have also had some other things relating to the VPN that were "working" and at some point just stopped working. We do have a second asa 5520 that is the failover/standby. We also have two 6509 with firewall services modules, one primary and the other standby. Just wondering how to troubleshoot something like this. I have putty logs of me putting the code in and doing a write mem saving the changes, yet on three occations those things stopped working, and I had to put the code in again.
**update** as I was typing this, we realised there was a problem with the two ASA's. For some reason, failover had stopped working, and both ASA's were trying to be the primary and causing issues. After several reboots, we wound up turning failover back on on the second ASA, and things seem to be normal now. No idea what would have caused the failover to break. Not sure how long this had been going on, it may have had to do with my code seeming to dissapear?Here is the output of the show ver. I removed the serial number.
ACH-2nd-EXT-ASA01#sh ver
Cisco Adaptive Security Appliance Software Version 8.3(2)1
Device Manager Version 6.4(7)
Compiled on Wed 04-Aug-10 21:41 by builders
System image file is "disk0:/asa832-1-k8.bin"
Config file at boot was "startup-config"
ACH-2nd-EXT-ASA01 up 4 days 22 hours
failover cluster up 4 days 22 hours
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Ext: GigabitEthernet0/0 : address is 001d.a298.c41c, irq 9
1: Ext: GigabitEthernet0/1 : address is 001d.a298.c41d, irq 9
2: Ext: GigabitEthernet0/2 : address is 001d.a298.c41e, irq 9
3: Ext: GigabitEthernet0/3 : address is 001d.a298.c41f, irq 9
4: Ext: Management0/0 : address is 001d.a298.c420, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 10 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Enabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 20 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Enabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: xxxxxxxxxxx
Running Permanent Activation Key: 0xf730cf7a 0x0449cabf 0xc922e5d4 0xc7bc5cb0 0x851ed6bb
Configuration register is 0x1
Configuration has not been modified since last system restart.
ACH-2nd-EXT-ASA01# -
I have asa 5520 k8 model presently i am running with IOS version 8.0(4) i am upgrading to 8.2(5) is ? any license required from cisco to upgrade to this IOS, and also let me know how many site to site vpn can be configure on this device.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1051K2S5Hi,
There is no license needed for the software upgrade
To my understanding the device should support the mentioned 750 IPsec peers. Totally other thing is how this is in practice. Depends on other things also.
The command "show vpn-sessiondb detail" gives a nice information on the VPN connections and limits also
- Jouni -
Hi All,
we recently installed a activaiton key for the Anyconnect License on our ASA 5520. We have a pair runnning, in Active/Standby mode, on IOS 8.0. The Activation/License was installed on the Primary ASA. Once installed the all failover configuration was removed, and we were left with 2 ASAs running in Active/Active mode. This cause haoc across the network. I would like to go back and recover and reinstall the old activation key. Is this possible?? If so how would I be able to achieve this. Or do I need to ontain a new license key. Ultimately I would like to get back to the stage before instlaling the Anyconnect License, where we had a 2 ASAs running in Active/Standby mode.
Thank you for your help and suggestions.
Cheers
Deena
oput put from sh activation-key detail and sh version
CH-ASA# sh act det
Serial Number: JMX1101K2SU
Permanent Flash Activation Key: 0x370fc559 0x2476a024 0xccc355a4 0xacd81440 0x4110329d
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
Temporary Flash Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This is a time-based license that will expire in 27 day(s).
Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
This is a time-based license that will expire in 27 day(s).
The flash activation key is the SAME as the running key.
CH-ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(5)
Device Manager Version 6.2(5)53
Compiled on Mon 02-Nov-09 21:22 by builders
System image file is "disk0:/asa805-k8.bin"
Config file at boot was "startup-config"
CH-ASA up 18 hours 30 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0019.0665.6dfc, irq 9
1: Ext: GigabitEthernet0/1 : address is 0019.0665.6dfd, irq 9
2: Ext: GigabitEthernet0/2 : address is 0019.0665.6dfe, irq 9
3: Ext: GigabitEthernet0/3 : address is 0019.0665.6dff, irq 9
4: Ext: Management0/0 : address is 0019.0665.6dfb, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
This is a time-based license that will expire in 27 day(s).
Serial Number: JMX1101K2SU
Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
Configuration register is 0x1
Configuration has not been modified since last system restart.
CH-ASA#If you upgrade your ASA software to a bit more recent image first you can share the AnyConnect license (activation key) across both devices. Otherwise you would need to install a separate activation key on the second unit.
Sent from Cisco Technical Support iPad App -
ASA 5520 - LU allocate xlate failed - Failover unit reloads
We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed, errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS.Two units in failover.
Cisco Adaptive Security Appliance Software Version 8.0(5)9
Device Manager Version 6.0(2)
Compiled on Mon 01-Feb-10 10:36 by builders
System image file is "disk0:/asa805-9-k8.bin"
Config file at boot was "startup-config"
CP-ASA up 17 days 21 hours
failover cluster up 17 days 22 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0025.45d7.6e62, irq 9
1: Ext: GigabitEthernet0/1 : address is 0025.45d7.6e63, irq 9
2: Ext: GigabitEthernet0/2 : address is 0025.45d7.6e64, irq 9
3: Ext: GigabitEthernet0/3 : address is 0025.45d7.6e65, irq 9
4: Ext: Management0/0 : address is 0025.45d7.6e66, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
I noted a report on errors with verison 7 and a conflict between nat(0) and static commands. I don't show nat(0) being used on these units.
nat (public) 0 access-list NO_NAT
nat (public) 1 10.190.16.64 255.255.255.192
nat (public) 1 172.16.22.0 255.255.255.0
nat (dmz) 0 access-list NO_NAT
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (csacelb) 0 access-list NO_NAT
nat (csacelb) 1 0.0.0.0 0.0.0.0
nat (app) 0 access-list NO_NAT
nat (app) 1 0.0.0.0 0.0.0.0
nat (db) 0 access-list NO_NAT
nat (db) 1 0.0.0.0 0.0.0.0
nat (internal) 0 access-list NO_NAT
nat (internal) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list NO_NAT
nat (management) 1 0.0.0.0 0.0.0.0
no crypto isakmp nat-traversal
static (app,dmz) 10.190.15.0 10.190.15.0 netmask 255.255.255.192
static (csacelb,public) 999.999.999.999 10.190.14.70 netmask 255.255.255.255 (The external address was replaced with 999.999.999.999 intentionally for this forum)
static (db,app) 10.190.16.0 10.190.16.0 netmask 255.255.255.192Do you have any solution ? we have the same problem.
Thanks . -
License with anyconnect on asa 5520
Dear All,
We have a single ASA 5510 with version 7.2 (3) in our network and configured many IPSEC site to site, IPSEC - remote access vpn and webvpn with SSL. Everything is working well.
ASA-5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(2)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ASA-5510-1 up 86 days 11 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0027.0d38.034e, irq 9
1: Ext: Ethernet0/1 : address is 0027.0d38.034f, irq 9
2: Ext: Ethernet0/2 : address is 0027.0d38.0350, irq 9
3: Ext: Ethernet0/3 : address is 0027.0d38.0351, irq 9
4: Ext: Management0/0 : address is 0027.0d38.0352, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 25
This platform has an ASA 5510 Security Plus license.
===============================================================================================
As business improves we are now planning to upgrade our ASA 5510 to ASA 5520 ( 02 nos ver 8.2(5). With the new ASA 5520 we would be planning to buy Any connect vpn license as well.
Finally we will need on the ASA 5520 IPSEC site to site vpn, IPSEC - remote access vpn , clientless vpn with SSL & Any connect vpn license. What are the licences should i purchase inorder to have all the above services on the box with version 8.2(5) ?
suppose if i need to have cisco desktop software which is the license i should have along with other services?
Thanks in advanceI am just away from office .. Will provide same tomorrow...
Meanwhile "L-ASA-SSL-50=ASA 5500 SSL VPN 50 Premium User License" this is the licence i have procured from cisco. I would need
both Anyconnect vpn & SSL clientless should be working on the system. Hope i would acheive with the above license.
Below is the output i got when generated the Licence key. please clarrify. thanks in advance
Failover : Enabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
AnyConnect Premium Peers : 50
Other VPN Peers : 750
Advanced Endpoint Assessment : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Shared License : Disabled
UC Phone Proxy Sessions : Default
Total UC Proxy Sessions : Default
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
Intercompany Media Engine : Disabled -
ASA 5520 intervlan routing at low speed
I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
ASA Version 8.4(2)
hostname ***
domain-name ***
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
dns-guard
interface GigabitEthernet0/0
nameif DMZ
security-level 50
ip address 10.2.5.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
interface GigabitEthernet0/1.100
vlan 100
nameif Devices
security-level 100
ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/1.101
vlan 101
nameif Common
security-level 100
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/1.102
vlan 102
nameif Design
security-level 100
ip address 10.2.2.1 255.255.255.0
interface GigabitEthernet0/1.103
vlan 103
nameif Ruhlamat
security-level 90
ip address 10.2.3.1 255.255.255.0
interface GigabitEthernet0/2
no nameif
security-level 100
no ip address
interface GigabitEthernet0/2.10
vlan 10
nameif HOLOGR
security-level 40
ip address 10.1.2.4 255.255.0.0
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address ***
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WWW
host 10.2.1.6
object network MAIL
host 10.2.5.5
object network TEST
host 10.2.1.85
object-group network DM_INLINE_NETWORK_1
network-object host 10.1.0.88
network-object host 10.1.6.1
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object 10.2.0.0 255.255.255.0
network-object host 10.1.6.4
network-object host 10.1.1.57
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2080
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_6
network-object host 10.1.4.42
network-object host 10.1.4.234
network-object host 10.1.4.175
network-object host 10.1.4.217
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.14
network-object host 10.2.1.91
object-group network DM_INLINE_NETWORK_4
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
object-group service DM_INLINE_TCP_2 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_5
network-object host 10.2.1.14
network-object host 10.2.1.39
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.6
network-object host 10.2.1.85
network-object host 10.2.1.31
network-object host 10.2.1.32
network-object host 10.2.1.40
network-object host 10.2.1.55
network-object host 10.2.1.35
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_3 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_7
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_9
network-object host 10.2.1.4
network-object host 10.2.1.3
object-group network DM_INLINE_NETWORK_2
network-object host 10.1.1.101
network-object host 10.1.6.1
network-object host 10.1.6.4
network-object host 10.1.6.5
network-object host 10.1.0.57
network-object host 10.1.1.57
object-group network DM_INLINE_NETWORK_10
network-object host 10.2.1.4
network-object host 10.2.1.5
network-object host 10.2.1.3
network-object host 10.2.1.2
object-group service DM_INLINE_TCP_4 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_12
network-object host 10.2.0.11
network-object host 10.2.0.14
object-group service DM_INLINE_TCP_5 tcp
port-object eq pop3
port-object eq smtp
object-group network DM_INLINE_NETWORK_13
network-object host 10.2.1.4
network-object host 10.2.1.5
object-group network DM_INLINE_NETWORK_14
network-object host 8.8.4.4
network-object host 8.8.8.8
network-object host 10.1.1.1
object-group network DM_INLINE_NETWORK_15
network-object host 10.2.1.39
network-object host 10.2.1.57
object-group network DM_INLINE_NETWORK_16
network-object host 10.2.1.14
network-object host 10.2.1.6
access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
access-list Common_access_in extended permit icmp any any
access-list Common_access_in extended permit ip host 10.2.1.76 host ***
access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_1 6 host 10.2.5.5
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
access-list HOLOGR_access_in extended permit icmp any any log disable
access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
access-list test extended permit tcp any host 10.2.5.1 eq telnet
access-list test extended permit tcp any host 10.2.5.1 eq https
access-list test extended permit tcp host 10.2.5.1 any eq https
access-list test extended permit tcp host 10.2.5.1 any eq telnet
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered critical
logging trap warnings
logging asdm informational
logging from-address ***
logging recipient-address *** level critical
logging host Common 10.2.1.2
logging flash-bufferwrap
logging flash-maximum-allocation 8192
logging permit-hostdown
no logging message 106014
no logging message 313005
no logging message 313001
no logging message 106023
no logging message 305006
no logging message 733101
no logging message 733100
no logging message 304001
logging message 313001 level critical
logging message 106023 level errors
mtu DMZ 1500
mtu inside 1500
mtu Devices 1500
mtu Common 1500
mtu Design 1500
mtu Ruhlamat 1500
mtu HOLOGR 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ
icmp permit any Common
icmp permit any HOLOGR
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
object network WWW
nat (Common,outside) static interface service tcp *** ***
object network MAIL
nat (DMZ,outside) static interface service tcp smtp smtp
nat (DMZ,outside) after-auto source dynamic any interface
nat (Common,outside) after-auto source dynamic any interface
nat (Devices,outside) after-auto source dynamic any interface
access-group Common_access_in in interface Common
access-group Design_access_in in interface Design
access-group Ruhlamat_access_in in interface Ruhlamat
access-group HOLOGR_access_in in interface HOLOGR
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 10.2.1.6 255.255.255.255 Common
snmp-server host Common 10.2.1.6 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp DMZ
sysopt noproxyarp inside
sysopt noproxyarp Devices
sysopt noproxyarp Common
sysopt noproxyarp Design
sysopt noproxyarp Ruhlamat
sysopt noproxyarp HOLOGR
sysopt noproxyarp outside
sysopt noproxyarp management
service resetoutside
telnet 10.2.1.0 255.255.255.0 Common
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Common
dhcprelay setroute Common
threat-detection basic-threat
threat-detection scanning-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.1.4 source Common prefer
webvpn
smtp-server 10.2.5.5
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
: endHi Philip,
I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
https://supportforums.cisco.com/docs/DOC-1222
-Mike -
Command to View LDAP Password on Cisco ASA 5520
Hello
I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
Thanks!
MattThankyou Jennifer for the responds.
Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
[454095] sAMAccountName: value = testvendor
[454095] sAMAccountType: value = 805306368
[454095] userPrincipalName: value = [email protected]
[454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
[454095] msNPAllowDialin: value = TRUE
[454095] dSCorePropagationData: value = 20111026081253.0Z
[454095] dSCorePropagationData: value = 20111026080938.0Z
[454095] dSCorePropagationData: value = 16010101000417.0Z
Is their any other settings that i need to do it on AD ?
Kindly advice
Regards
Shiji
Maybe you are looking for
-
DHCP broken after software update 10.6.8
After doing software update for 10.6.8, my Mac Mini Server is no longer accepting an IP address from external DHCP server. Our configuration is supposed to use DHCP to receive its (static) IP address, and has happily done so for quite some time. But
-
i just jupdated to IOs5 on my ipod touch when i go to my unlock screen the camera option is not always there any ideas?
-
Adding attachment to SharePoint Document Library- Is it possible?
I would like to know if it possible to attach a file to a document library items like one would to a List item. I have read some postings on this very issue but most are a couple years old. Would like to know if updated technology has possibly solve
-
I have a database server that supports a number of seperate applications, each application having its own schema and tablespace(s). to refresh the test database from live (or dev from test) we currently use transportable tablespaces to copy the data,
-
I want Adobe to send me $5 every time Illustrator CS3 crashes
I have the super master suite for CS3 - Illustrator (and Photoshop) crash CONSTANTLY. I have dual core machine w/ 3 gigs of RAM. That should be plenty for creating vector art. But no. Illustrator misbehaves constantly. It costs me money to be constan