ASA 5550 IPv6 Compatibility

Hi All,
I need to understand if ASA 5550 ver 8.2(1) is compatible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
Thanks in Advance
Sujit

I need to understand if ASA 5550 ver 8.2(1) is compatible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
Here are some useful facts for you
IPv6 address command appeared on 7.0.1
IPv6 support on transparent mode appeared on 8.2.1
IPv6 address support for a standby interface (failover) appeared on 8.2.2
In the latest 8.3 code, support for L2L VPN for IPv6 scenarios has been added.
9.0(1) Features
OSPFv3 support.
DNS inspection.
NAT supported on IPv6 traffic and also from IPv4 to IPv6 (from IPv4 to IPv6 NAT is not supported on Transparent Mode).
DHCP for IPv6 (DHCPv6) relay.
IPv6 VPN connections to its outside interface using SSL and IKEv2/IPsec protocols.
Remember to rate all of the helpful posts
Julio Carvajal

Similar Messages

  • ASA 5550 RESET

    I have an ASA 5550 and the console port suddenly stopped allowing me to console and the management port no longer allows me to console in. So that there is no question, the network cables and console cables work fine on other ASAs and network devices. I tried to reset the device by pushing the reset button but it doesn't appear to do anything, even after I reboot. Any help would be appreciated.

    Hello Marco,
    At this point it looks more like a hardware failure. Do you see the ASA lights green?
    If you don’t have console access you may need to get a replacement unit via TAC or your reseller.
    Regards,
    Juan Lombana
    Please rate helpful posts.

  • ASA 5550 Console (Serial) TACACS

    I have an ASA 5550 running multiple contexts, but having the AAA authentication serial console (TACACS Server Name) LOCAL allows a tacacs challenge on connecting to the console but I am then unable to issue any commands i.e. enable or Show Run - message command authorization failed
    Has anyone setup console (serial) TACACS and got it working?
    Thanks

    Hi Simon,
    The below are the commands which requires with respect to the console access.
    aaa-server TACACS+ protocol tacacs+
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    So you should have both serial console and enable console for your settings. If you have these settings in your firewall. Also please check in the tacacs server end if privilege level is set properly for the same.
    Please do rate if the given information helps.
    By
    Karthik

  • ASA 5550 - Two different syslogs servers

    Hi to all.
    In my Cisco ASA 5550, I need to set two different syslog servers, and I need to send the system logs to the first one (only admins login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if it is possible or not and, if yes, how to configure it? All suggestions will be really appreciated. Thanks.

    Hello,
    While there is a limitation in the syslog server configurations, you could
    use other logging methods to collect specific information. While it is not
    very efficient method, if you are just concerned about login/logout messages
    for security audit purposes, you could use email logging. You can create a
    logging list and then send those messages to your email.
    Example:
    logging list mail message 111008
    logging list mail message 111004
    logging from-address
    You can do similar things by sending specific log events to SNMP server as
    well.
    Hope this helps.
    Regards,
    NT

  • ASA 5550 failover configuration

    I have two identical ASA 5550 firewalls that I need to set up for Active/Standby failover so I can then upgrade them with zero downtime. I am running them in single, routed mode so I would have to configure failover for Active/Standby. Can I do a cable-based configuration? The documentation states that is only available on the PIX 500 Security Appliance. Going through the Support Community forums it appears I can. Who is right? If I can do cable-based configuration do I have to turn off the secondary ASA to do the initial configuration? Thanks much.

    Hello James,
    Yes, you can do cable-based (if you mean connect the devices via a cable without a switch.. That will not be a problem)
    Cisco recommends use a switch between the units for troubleshooting purposes but it's not a MUST.
    Configuration wise, same procedure, nothing different, so just follow the regular process.
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • NAC Appliance IPv6 Compatibility

    I read in the book "Cisco NAC Appliance: Enforcing Host Security with Clean Access" (published 2008) that the Real IP Gateway mode is only IPv4 compatible but that IPv6 compatibility will be provided in a future software update.
    Having searched around, I can't find any reference to the NAC Appliance being IPv6 compatible. Does anyone know what modes (if any) are IPv6 compatible?

    Hi,
    Even though IPv6 has been on the road map, currently it is not supported and there is no ETA for IPv6 support by NAC devices.
    HTH,
    Tiago
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • ASA 5550 V05 Active/passive one stop work

    Hello,
    I have a client, that got 2x ASA 5550 V05 and they were configured to act as active/passive but some months ago they had problems with them, so they remove them from the network.
    Recently, I went there, and saw that one of the firewall (the one that was as passive) is not working, when I connect via console and reboot it I don't even see nothing, the boot starts, but suddenly, nothing shows up.
    The things is that the client wants to get back to use the ASAs, so is there any way to fix that?
    As an alternative we were thinking in acquire another ASA, to configure the two as active/passive again, the ASA that its working is:
    ASA 5550 V05 ; Cisco Adaptive Security Appliance Software Version 7.2(4) ; Device Manager Version 5.2(4) ; 8 Ports GB ( 4+4) ; asa724-k8.bin
    My question is, I need an exactly the same model ASA?
    I was thinking in put one ASA5555-2SSD120-K9. That would work?
    Or should I try anything else? I don't have many skills with ASA specially troubleshooting it.
    Thanks in advance

    Hi Diogo,
    The issue related to failed firewall could be related to a hardware issue, you may get some outputs from console session when the ASA is booting up. Try to boot up the firewall again, if this doesn't work then you should open a TAC case so they can help you replacing the firewall (the ASA needs to be under an active contract).
    Regarding ASA model and failover, both firewalls must be the same model (hardware).
    See the below requirements for failover to work:
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77809-pixfailover.html#req
    Regards,
    Harvey.
    Please rate if this is correct answer.

  • ASA 5550 Transparent Active/Standby Configuration

    Hello guys!
    I am in the process of adding a new ASA 5550 as a standby box to an existing ASA 5550 running on transparent mode. Both are on version ASA 8.0(4) and ASDM 6.2(1). I have set the new ASA 5550 to transparent mode. The configurations are the following for the HA:
    Primary ASA:
    interface GigabitEthernet1/3
    description LAN Failover Interface
    media-type sfp
    failover
    failover lan unit primary
    failover lan interface failover GigabitEthernet1/3
    failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
    Secondary ASA:
    interface GigabitEthernet1/3
    description LAN Failover Interface
    failover
    failover lan unit secondary
    failover lan interface failover GigabitEthernet1/3
    failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
    My questions are the following:
    1. The management ip address is different than the ip used for the failover link. Since the firewalls are on transparent mode, does the failover ip need to be the same as the management ip address?
    2. Is any other additional config needed for HA to work for basic active/stand-by failover?
    3. Which is the best method to add the second box without disrupting the active box?
    Thanks in advance guys!

    Hi Nephtali,
    1. The answer is no, it can be different.
    2. You can optionally add stateful failover config.
    3. Issue the failover command on the primary device first, and then issue it on the secondary device. After you issue the failover command on the secondary device, the secondary device immediately pulls the configuration from the primary device and sets itself as standby. The primary ASA stays up and passes traffic normally and marks itself as the active device. From that point on, whenever a failure occurs on the active device, the standby device comes up as active.
    Link to a config example:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#Reg
    Regards
    Mariusz

  • ASA 5550 High Availability Situation

    We have a couple of 5550's setup as an active/passive HA pair.  Recently one of the firewalls (standby) had a hardware issue and needed to be replaced.  Would it be easier/better to just restore the backup config from the defective appliance or should we just use the HA wizard in ASDM or cli to configure the new standby firewall?
    Thanks,
    PTH

    Just replace the firewall and put in the failover commands then plug in the failover interface on each ASA and you will be good to go. The standby will download the active configuration.

  • Site to site VPN between cisco asa 5550 and checkpoint r75

    Hi all ,
    below is cisco asa config for our customer end:
    crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp policy 10
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400
    What should i configure on checkpoint for first phase and second phase ?
    Regards,
    Suhail

    In checkpoint VPN community, default setting for phase 1 is 86400 seconds so you're good there. Phase II default is 28,800 so you need to edit the parameter and change it to 3600. The rest is the same as cisco with the exception of the lifetime in kilobytes, which CP does not have.
    Easy right?

  • ASA 5550 - Continuous rebooting loop

    We have a Cisco ASA5550 that is stuck in a continuous rebooting loop. It shows an error: assertion "_vf_mode_init" failed: file "vf_api.c", line 99
    Earlier it had a 4GE SSM module; for some reason we want to utilize the 4GE SSM module and we unplugged it, and after that we face this issue. Could someone advise in the right direction?
    The error message file is attached.
    Much appreciated.

    Seems like the ASA is crashing, it is better to open a case with TAC to decode the crash file, most likely you will need an upgrade, if it is failing to boot, you will need to pull the file from rommon mode.
    Regards,
    Felipe.

  • ASA 5550 Log out code?

    I have one of our ASA connection profiles going to a custom home page that does a post:// command.  Is there a way to add code to our custom web intranet web page that when a user clicks the logout link on the intranet page it logs them out of the ASA?

    Not sure if this is what you mean, but try:
    log out
    Note that this is not "officially supported" so e.g. it may break if you upgrade...
    hth
    Herbert

  • ASA 5550 Open Connections Increase

    We have seen a dramatic rise in open connections on the ASA in the past couple days. From about 20,000 to close to 40,000 now. My first question is how to efficiently monitor these connections. We graph the total number via SNMP, but in this case, I need to narrow down the problematic host(s). Currently, I am issuing a "sh conn", displaying all connections and then copying and pasting to a text file which I then load into a spreadsheet to sort. There has got to be a better way.
    I am also not quite sure what to do about this situation. Using the method above, I can see that there are 15,000+ connections open to our mail servers (which is abnormal), but there is no abnormal usage or open tcp connections on the mail servers themselves. So what are these connections exactly? What should be done to minimize them?
    Here is an example:
    TCP out 86.195.154.184:3633 in 66.245.177.215:25 idle 0:08:36 bytes 15615 flags UfIOB
    TCP out 86.195.154.184:4852 in 66.245.177.215:25 idle 0:38:58 bytes 15852 flags UfIOB
    TCP out 83.20.185.182:5140 in 66.245.177.215:25 idle 0:00:55 bytes 2799 flags UfFRIOB
    TCP out 69.40.127.71:60260 in 66.245.177.215:25 idle 0:00:15 bytes 1135 flags UfIOB
    TCP out 24.132.222.168:62983 in 66.245.177.215:25 idle 0:00:04 bytes 483 flags UfOB
    TCP out 24.132.222.168:63729 in 66.245.177.215:25 idle 0:04:12 bytes 759 flags UfIOB
    I should also mention that approximately 11,000 of these 15,000 connections have the UfIOB flags.

    These are half-open connections, which may be left after the client closes the connection while it is still active on the ASA. This may happen because the TCP timeout value is set very high. If you need the connection timeout value for TCP to be set high for a certain IP flow, then it is recommended to use a policy map.
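
Added example (not part of the original thread): one way to replace the copy-into-a-spreadsheet step described in the question is to parse a saved "sh conn" capture and rank inside services, outside hosts, flag strings and long-idle entries. The regular expression assumes the IPv4 line layout shown in the post; the function names and the 300-second idle threshold are illustrative choices.

```python
import re
from collections import Counter

# Sample lines copied from the post above; in practice, read a saved
# capture of the "sh conn" output instead.
SAMPLE = """\
TCP out 86.195.154.184:3633 in 66.245.177.215:25 idle 0:08:36 bytes 15615 flags UfIOB
TCP out 86.195.154.184:4852 in 66.245.177.215:25 idle 0:38:58 bytes 15852 flags UfIOB
TCP out 83.20.185.182:5140 in 66.245.177.215:25 idle 0:00:55 bytes 2799 flags UfFRIOB
TCP out 69.40.127.71:60260 in 66.245.177.215:25 idle 0:00:15 bytes 1135 flags UfIOB
TCP out 24.132.222.168:62983 in 66.245.177.215:25 idle 0:00:04 bytes 483 flags UfOB
TCP out 24.132.222.168:63729 in 66.245.177.215:25 idle 0:04:12 bytes 759 flags UfIOB
"""

# Assumption: IPv4 lines in the layout shown in the post.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)"
    r"\s+bytes\s+(?P<bytes>\d+)(?:\s+flags\s+(?P<flags>\S+))?"
)

def parse_conns(text):
    """Return one dict per connection line; non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # headers, summary lines, blank lines
        idle = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        conns.append({
            "proto": m["proto"],
            "outside": m["out_ip"],
            "inside": f'{m["in_ip"]}:{m["in_port"]}',
            "idle_s": idle,
            "bytes": int(m["bytes"]),
            "flags": m["flags"] or "",
        })
    return conns

def summarize(conns, idle_threshold_s=300, top=10):
    """Rank inside services, outside hosts and flag strings; list long-idle entries."""
    return {
        "by_inside": Counter(c["inside"] for c in conns).most_common(top),
        "by_outside": Counter(c["outside"] for c in conns).most_common(top),
        "by_flags": Counter(c["flags"] for c in conns).most_common(top),
        "long_idle": [c for c in conns if c["idle_s"] >= idle_threshold_s],
    }

if __name__ == "__main__":
    for key, value in summarize(parse_conns(SAMPLE)).items():
        print(key, value)
```

Run against a full capture, the `by_outside` and `by_flags` rankings show whether the growth comes from a few remote hosts or from many hosts whose entries share one flag pattern.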

  • ASA 5550 Health Check report..

    hi,
    I am a beginner with Network Security,
    please let me know what information is required to make a Health Check report for ASA and IPS,
    thanks,
    Anvar

    hi,
    This link will help to answer my question above; I got it only today.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080b8e100.shtml

  • Does the ASA 5550 firewall support BGP

    Hi All,
    Please help me out regarding my question.
    Thank you all in advance.
    Regards,
    Sayak

    Hello Sayak,
    The ASA does not support BGP. Border Gateway Protocol. BGP performs interdomain routing in TCP/IP networks. BGP is an Exterior Gateway Protocol, which means that it performs routing between multiple autonomous systems or domains and exchanges routing and access information with other BGP systems.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/glossary.html
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/glossary.html
    ASA allows passing of BGP sessions through it but just only that. It’s being discussed that it will be supported in the future but there’s no definite date yet.
    "niLz"
    Nilo Noguera Jr.
    | Specialist, Virtual Engineering - Partner Helpline Organization
    together we are the human network
