ASA 5585X Clustering

I have two ASA 5585X-SSP20s that need to be configured as a cluster. I am a little confused about the ASA to Core Switch and Server Farm Switch connectivity. In cluster mode, if we configure two 10G ports on the master ASA as an EtherChannel, then the same ports on the other cluster member are configured as the same EtherChannel, so four ports on two ASAs work in a single EtherChannel. If this is right, is my diagram correct or wrong? Please help me.

Hi,
Yes, technically you could run two SSP20s with all 4 10G ports in the same spanned EtherChannel as a "firewall on a stick".
If you look in the cluster configuration guide you'll see that the CCL (Cluster Control Link) needs to be sized the same as the data links, so if you don't add any extra modules to your SSP20 firewalls you'll end up with 1x 10G for data and 1x 10G for CCL on each physical firewall.
We currently have this setup in our environment; each SSP20 firewall is connected to a Nexus 7K switch, where one 10G port is used for the CCL and one 10G port is set up as a trunk for all inbound/outbound traffic to/from the firewall.
Hope this helps!
-Michel
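An ASA-side configuration matching the layout Michel describes (one 10G port per unit for the CCL, one 10G port per unit in a trunked spanned EtherChannel), added here as an illustration; it is not from the thread or from Cisco's guide. The interface numbers, cluster and unit names, VLAN IDs, addresses and the shared key are assumed placeholders, and the switch-side port-channel (vPC on the Nexus 7K) is assumed to exist already.

```text
! Added example, not from the original thread. Shown for the first unit; the
! second unit gets the same interface configuration but its own local-unit
! name and its own CCL address. All names and addresses are hypothetical.

! --- Cluster control link: 1 x 10G per unit, bundled into Port-channel1 ---
! The CCL carries redirected flows and state sync, so it is sized equal to
! the data link (1 x 10G each), as the cluster configuration guide requires.
interface TenGigabitEthernet0/8
 description CCL to Nexus 7K
 channel-group 1 mode on
 no shutdown
!
interface Port-channel1
 description Cluster Control Link
!
! --- Data link: 1 x 10G per unit, one spanned EtherChannel across both units ---
! Both units' Te0/9 ports join Port-channel2, which the upstream vPC sees as a
! single four-member bundle; the switch's port-channel hashing spreads flows
! across the units.
interface TenGigabitEthernet0/9
 description Data trunk to Nexus 7K vPC
 channel-group 2 mode active
 no shutdown
!
interface Port-channel2
 port-channel span-cluster
 no shutdown
!
! "Firewall on a stick": one subinterface per VLAN on the spanned port-channel.
! In spanned EtherChannel mode each data interface has a single IP address
! shared by all units (no cluster-pool is used).
interface Port-channel2.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Port-channel2.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
! --- Cluster membership (run on each unit with its own local-unit / CCL IP) ---
cluster group ASA-CLUSTER
 local-unit unit-1
 cluster-interface Port-channel1 ip 10.255.255.1 255.255.255.0
 priority 1
 key PLACEHOLDER-SHARED-KEY
 enable
```

Verify after both units join with "show cluster info" and "show port-channel summary" on each unit, and confirm the Nexus side shows both units' ports bundled in the same vPC port-channel.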

Similar Messages

  • Mount ASA 5585x on 2-post rack?

    Is it possible to mount the ASA 5585x on a 2-post rack?

    It is POSSIBLE but not recommended.
    It's designed for a 4-post installation, using either the slide or fixed rail kit and mounting to all four posts. That's what's shown in the installation guide.
    If it were my ASA at US$100,000+ per unit, I'd want it to be securely mounted.

  • Redundant etherchannels for ASA 5585X

    Hi there, we have procured 2 ASA 5585X units for an Active/Standby setup. In the interim we will go with EtherChanneling 1 Gig links to upstream 6513 switches (non-VSS). Can I have this configuration for resiliency?
    Etherchannel from ASA Primary - Switch 1 & Switch 2
    Etherchannel from ASA Standby - Switch 1 & Switch 2
    or
    Etherchannel from ASA Primary - Switch 1
    Etherchannel from ASA Standby - Switch 2
    ( Failover links between the Firewalls are already configured )
    Currently I am reviewing which would be the best way to configure redundancy to the upstream switches. I appreciate any suggestions.
    Thanks

    The delay is not in the failover. The delay is in the traffic flowing through the 6513s now taking a different path. I assume you are trunking your 6513s together, and that's how you're dual-homing devices to your 6500s and connecting them to the same VLANs?
    I've run into this issue many times. Are there active SVIs on the switches, or are the active SVIs on the firewalls themselves (meaning, are you trunking the VLANs to the firewalls)?
    One way of handling this is to put your VLAN SVIs in HSRP between the 6513s, and then create routed links to your firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered in both directions.

  • Etherchannel support for ASA 5585X

    Hi there, just trying to find out which versions of the ASA 5585X can support EtherChannel features.
    Thanks
    Prabs

    Hi,
    To my understanding any ASA (except the ASA 5505) from 8.4(1) onwards can use EtherChannel.
    Quote from the Cisco document:
    Interface Features
    EtherChannel support (ASA 5510 and higher)
    You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
    Note: You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
    We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
    We introduced or modified the following screens:
    Configuration > Device Setup > Interfaces
    Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
    Configuration > Device Setup > Interfaces > Add/Edit Interface
    Configuration > Device Setup > EtherChannel
    Source:
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
    Here is also a link to the "interface" command for Etherchannel
    http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
    Hope this helps
    - Jouni

  • ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

    Hello Community,
    It seems there are problems with dropped fragmented IPv4 UDP multicast traffic on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
    MC src and rcv
    (XChariot)
    |
    -----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
    |
    MC src and rcv
    (XChariot)
    Test 1: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
    (Trace "WAN-IF_capture_225.1.2.154_no-frag" and
    output "L2FW-not_fragmented")
    The traffic passes through the Transparent mode ASA without any problems.
    Test 2: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441, resulting in fragmentation.
    This traffic, and unfortunately it is the same for the real application, is dropped by the ASA. The two ASP drop counters for
    "Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a relation of 3 (DstMAC) : 1 (invalid udp).
    The file "L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition, the three traces are in pcap format.
    Any idea?
    Thank you in advance for your contribution.

    Hello Community,
    The following combination solved our problem for now: an upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
    http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322
    Perhaps further tests will be made using lower interim versions.

  • ASA 5585x IPS Service Contract CON

    Dear all
    Actually I'm looking for the IPS contract support for the ASA5585 (SSP IPS). I found two types of this on the internet, with details below:
    CON-SNT-AS82S10K  -  SMARTNET 8X5XNBD ASA5580-20-10K-K9
    CON-SUO1-A8S2P2S9  - IPS SVC, ONSITE NBD ASA 5585-X w/SSP20,,IPS SSP-20,16GE,10K
    Could someone please tell me the difference between these two?

    Hello,
    You can always check with the Cisco Sales representative to get more information. Normally those guys are the ones that can provide you more details in regards to entitlement information.
    Mike

  • ASA 5585x reload by self

    Dear,
    I have a Cisco ASA 5585-X. It had been working normally for two years, but two months ago something strange started happening: it reloaded suddenly, and after a week it happened again, and it continues at different times.
    What are the causes that make a FW reload by itself?

    A spontaneous firewall reload is most often related to a software bug in my experience. There is usually a crashinfo file generated which can be analyzed by the Cisco TAC.
    You need to open a Service Request with the TAC to have them analyze the issue.

  • C65K ASA module - syn cookie & ASAx clustering (9.x)

    Hi,
    A couple of questions:
    I want to move SYN cookie protection from the ACE modules to the ASA modules in a data center setup. And I want to set a max embryonic conns per server/IP behind the firewall, e.g. 512/server.
    According to the ASA conf. guide 8.5 you can make and apply a service-policy, e.g. to the outside interface, with the following variables (among others):
    - conn-max (0-2000000). I suppose this is an overall 'conns through the box' value?
    - embryonic-conn-max n. Is n the overall embryonic 'conns through the box' value?
    - per-client-embryonic-max. If clients are outside hosts accessing an inside server, it will not mitigate DDoS SYN attacks very well, will it?
    Apparently none of the above settings limit embryonic conns per inside server?
    On the other hand the configuration guide says:
    When you use TCP SYN cookie protection to protect servers from SYN attacks, you must set the embryonic connection limit lower than the TCP SYN backlog queue on the server that you want to protect. Otherwise, valid clients can no longer access the server during a SYN attack.
    And to something completely different:
    In ASA software 9, clustering of the 5585-X is an option. Does it apply to the ASA modules as well (which are based on the 5585-X)?
    Thanks
    Regards Jesper Joensen

    Iyer
    Agree - but you still have a problem with heavy DDoS attacks with thousands of spoofed IPs.
    I ended up with this config (going into production very soon) - the embryonic-conn-max 512 is intended to trigger SYN cookies during SYN attacks:
    class-map EMBRYONIC-CONNS
      match any
    policy-map EMBRYONIC-CONNS
      class EMBRYONIC-CONNS
        set connection embryonic-conn-max 512 per-client-embryonic-max 5
    service-policy EMBRYONIC-CONNS interface msfc
    Thanks
    Jesper

  • Clustering options for FirePOWER SSP-40

    What are the options for clustering the FirePOWER SSP-40?
    ASA 5585X with a 2-node cluster: is it possible to have a single cluster for the IPS service also?
    Concerns are: how is the IPS module handling the asymmetric situation...?
    Cisco ASA 5585-X with FirePOWER SSP-40..

    What Cisco was missing imo was the NG Firewall features that everyone has had for years.  I recently upgraded my 5585 SSP60 based firewalls with the SSP-SFR60 modules.  So far I'm fairly impressed, the package does what everyone else does, currently still testing a number of items however what I could do with a Palo or something from SonicWall I can now do with my ASAs.
    First Accessible from Same GUI: Not on the 5585s, if I open ASDM for the 5585s, there are no configurations that I can see available, essentially under my admin context I see three tabs, one of which is ASA Firepower Status, there is a link I can click on and it takes me to DC URL.  I do hear you can configure for the smaller firewalls though.  Possibly because I use MC and A/A I might be missing it. Honestly though DC seems to be a very powerful tool so I'm fine with two management systems as they both serve a different purpose, ASA controls ports allowed to pass, and the traffic that passes gets filtered.
    Logging and Events: DC has an immense amount of information, urls being visited, ips, responding countries, pretty much everything is here.
    Am I satisfied?  Yes. Items that bothered me were built-in URL filtering, file analysis, Geo Location Filtering and numerous other bells and whistles that I noticed $1000 SonicWalls had; the CX platform never caught my eye for some reason, and I'm glad I never bit the bullet, EOL10154, so if I had implemented CX I'd be in a situation where I would need to replace it.  Sourcefire was a fairly successful company that Cisco bought, and I don't see Cisco throwing away 2.7 billion dollars, so I can see this being around for a while.
    I'm still exploring but so far what everyone else has had for years, I finally have with my ASA and I'm happy.  It does work, and it works well.

  • ASA 5585-X pim-ssm support

    Hi
    Is there a way to configure PIM-SSM on the ASA 5585X-SSM20?
    thanks

    Unfortunately PIM-SSM is not supported on any of the ASA platforms.

  • Nexus 6004 EIGRP Relationship between the two switches

    Hi All,
    I will try to explain this as best as I can. In our current TEST LAB we have a Pair of Cisco ASA5585x running in Active/Passive mode. We use a VRF transit to connect the 10 GB interface to a Pair of Cisco Nexus 6004 (L3) switches running vPC between them. Downstream we also have a pair of Cisco 9372 switches (L2) also running vPC between the two.
    As of right now we have EIGRP neighbor relationship formed between the two N6K's and the ASA.
    ASA
    ciscoasa# sh eigrp neighbors
    EIGRP-IPv4 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    1   172.16.230.9            Te0/8.451        12  01:30:25 1    200   0   52
    0   172.16.230.10           Te0/8.451        12  01:30:25 1    200   0   48
    The ASA formed relationship with both N6K's
    SWITCH1
    Nexus6-1# sh ip eigrp neighbors vrf inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   172.16.8.3              Vlan680          11  01:28:28 1    50    0   45
    1   172.16.230.10           Vlan451          13  01:28:28 1    50    0   46
    2   172.16.230.11           Vlan451          10  01:28:00 4    50    0   13
    Nexus6-1#
    SWITCH2
    Nexus6-2# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    2   172.16.8.2              Vlan680          14  01:30:11 23   138   0   48
    0   172.16.230.9            Vlan451          13  01:30:11 480  2880  0   50
    1   172.16.230.11           Vlan451          13  01:29:48 1598 5000  0   13
    Nexus6-2#
    Both Nexus switches formed EIGRP neighbors using the vPC Peer-Link. There is enough documentation out there that strongly suggests not using vPC Peer-Links for anything EIGRP.
    We do have additional interfaces available on the 6Ks that we can use as a cross connect for EIGRP. What we are having trouble understanding is how we can force EIGRP traffic over those ports.
    Here is a complete Switch config:
    Switch1
    Nexus6-1# sh run
    feature telnet
    cfs eth distribute
    feature eigrp
    feature interface-vlan
    feature lacp
    feature vpc
    feature lldp
    vlan 1
    vlan 451
      name P2P_VRF_SVI
    vlan 652
      name Management
    vlan 680
      name Inside
    vrf context Inside
    vrf context management
      ip route 0.0.0.0/0 172.16.52.1
    vrf context peer-keepalive
    vpc domain 99
      role priority 1
      peer-keepalive destination 10.200.50.2 source 10.200.50.1 vrf peer-keepalive
      delay restore 120
    interface Vlan1
    interface Vlan451
      description Inside p2p to ASA
      no shutdown
      vrf member Inside
      ip address 172.16.230.9/29
      ip router eigrp 100
      no ip passive-interface eigrp 100
    interface Vlan651
    interface Vlan680
      description Inside Network
      no shutdown
      vrf member Inside
      ip address 172.16.8.2/22
      ip router eigrp 100
    interface port-channel99
      switchport mode trunk
      spanning-tree port type network
      vpc peer-link
    interface port-channel102
      switchport mode trunk
      vpc 102
    interface Ethernet1/1
      description vPC Peer Link 1.1
      switchport mode trunk
      speed auto
      channel-group 99
    interface Ethernet1/6
    interface Ethernet1/7
      description vPC Peer Link 1.7 to Nexus 9372 PRI
      switchport mode trunk
      speed auto
      channel-group 102 mode active
    interface Ethernet1/8
    interface Ethernet1/9
    interface Ethernet2/1
      description vPC Peer Link 2.1
      switchport mode trunk
      speed auto
      channel-group 99
    interface Ethernet2/2
    interface Ethernet2/7
      description vPC Peer Link 2.1 to Nexus SEC
      switchport mode trunk
      speed auto
      channel-group 102 mode active
    interface Ethernet2/8
    interface Ethernet8/1
      description keep-alive peer-link to ALNSWI02
      no switchport
      vrf member peer-keepalive
      ip address 10.200.50.1/30
    interface Ethernet8/2
      description Uplink to ASA
      switchport mode trunk
    interface Ethernet8/3
    interface mgmt0
      vrf member management
      ip address 172.16.52.3/23
    line console
    line vty
    boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
    boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
    router eigrp 100
      passive-interface default
      default-information originate
      vrf Inside
        autonomous-system 100
        default-information originate
    poap transit
    Nexus6-1#
    Nexus6-1# sh ip eigrp neighbors vrf inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   172.16.8.3              Vlan680          11  01:28:28 1    50    0   45
    1   172.16.230.10           Vlan451          13  01:28:28 1    50    0   46
    2   172.16.230.11           Vlan451          10  01:28:00 4    50    0   13
    Nexus6-1#
    Nexus6-1# sh ip eigrp topology vrf Inside
    IP-EIGRP Topology Table for AS(100)/ID(172.16.8.2) VRF Inside
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
    r - reply Status, s - sia Status
    P 172.16.8.0/22, 1 successors, FD is 2816
    via Connected, Vlan680
    P 172.16.230.8/29, 1 successors, FD is 2816
    via Connected, Vlan451
    Nexus6-1# sh vpc
    Legend:
    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id : 99
    Peer status : peer adjacency formed ok
    vPC keep-alive status : peer is alive
    Configuration consistency status : success
    Per-vlan consistency status : success
    Type-2 consistency status : success
    vPC role : primary
    Number of vPCs configured : 1
    Peer Gateway : Disabled
    Dual-active excluded VLANs : -
    Graceful Consistency Check : Enabled
    Auto-recovery status : Disabled
    vPC Peer-link status
    id   Port   Status  Active vlans
    1    Po99   up      1,451,652,680
    vPC status
    id   Port   Status  Consistency  Reason   Active vlans
    102  Po102  up      success      success  1,451,652,680
    Nexus6-1# sh spanning-tree
    VLAN0001
    Spanning tree enabled protocol rstp
    Root ID Priority 32769
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Eth8/3 Desg FWD 2 128.1027 P2p
    VLAN0451
    Spanning tree enabled protocol rstp
    Root ID Priority 33219
    Address 8c60.4f2d.2ffc
    This bridge is the root
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33219 (priority 32768 sys-id-ext 451)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Desg FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    VLAN0652
    Spanning tree enabled protocol rstp
    Root ID Priority 33420
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33420 (priority 32768 sys-id-ext 652)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    VLAN0680
    Spanning tree enabled protocol rstp
    Root ID Priority 33448
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33448 (priority 32768 sys-id-ext 680)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Nexus6-1#
    Switch2
    Nexus6-2# sh run
    !Command: show running-config
    !Time: Sat Feb 12 19:02:44 2011
    version 7.0(1)N1(1)
    hostname Nexus6-2
    feature telnet
    cfs eth distribute
    feature eigrp
    feature interface-vlan
    feature lacp
    feature vpc
    feature lldp
    vlan 1
    vlan 451
      name P2P_VRF_SVI
    vlan 652
      name Management
    vlan 680
      name Inside
    vrf context Inside
    vrf context P2P_Inside_VRF
    vrf context management
      ip route 0.0.0.0/0 172.16.52.1
    vrf context peer-keepalive
    vpc domain 99
      role priority 2
      peer-keepalive destination 10.200.50.1 source 10.200.50.2 vrf peer-keepalive
      delay restore 120
    interface Vlan1
    interface Vlan451
      description Inside p2p to ASA
      no shutdown
      vrf member Inside
      ip address 172.16.230.10/29
      ip router eigrp 100
      no ip passive-interface eigrp 100
    interface Vlan680
      description Inside Network
      no shutdown
      vrf member Inside
      ip address 172.16.8.3/22
      ip router eigrp 100
    interface port-channel99
      switchport mode trunk
      spanning-tree port type network
      vpc peer-link
    interface port-channel102
      switchport mode trunk
      vpc 102
    interface Ethernet1/1
      description vPC Peer Link 1.1
      switchport mode trunk
      speed auto
      channel-group 99
    interface Ethernet1/2
    interface Ethernet1/6
    interface Ethernet1/7
      description vPC Link 1.7 to Nexus 9372 SEC
      switchport mode trunk
      speed auto
      channel-group 102 mode active
    interface Ethernet1/8
    interface Ethernet1/12
    interface Ethernet2/1
      description vPC Peer Link 2.1
      switchport mode trunk
      speed auto
      channel-group 99
    interface Ethernet2/2
    interface Ethernet2/6
    interface Ethernet2/7
      description vPC Link 2.1 to Nexus PRI
      switchport mode trunk
      speed auto
      channel-group 102 mode active
    interface Ethernet2/8
    interface Ethernet2/12
    interface Ethernet8/1
      description keep-alive peer-link to ALNSWI01
      no switchport
      vrf member peer-keepalive
      ip address 10.200.50.2/30
    interface Ethernet8/2
      description Uplink to ASA
      switchport mode trunk
      switchport trunk allowed vlan 1,451,652,680
    interface Ethernet8/3
    interface Ethernet8/20
    interface mgmt0
      vrf member management
      ip address 172.16.52.4/23
    line console
    line vty
    boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
    boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
    router eigrp 100
      vrf Inside
        autonomous-system 100
        default-information originate
    poap transit
    logging logfile messages 6
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    2   172.16.8.2              Vlan680          14  01:30:11 23   138   0   48
    0   172.16.230.9            Vlan451          13  01:30:11 480  2880  0   50
    1   172.16.230.11           Vlan451          13  01:29:48 1598 5000  0   13
    Nexus6-2#
    Nexus6-2# sh ip eigrp topology vrf Inside
    IP-EIGRP Topology Table for AS(100)/ID(172.16.8.3) VRF Inside
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
    r - reply Status, s - sia Status
    P 172.16.8.0/22, 1 successors, FD is 2816
    via Connected, Vlan680
    P 172.16.230.8/29, 1 successors, FD is 2816
    via Connected, Vlan451
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh vpc
    Legend:
    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id : 99
    Peer status : peer adjacency formed ok
    vPC keep-alive status : peer is alive
    Configuration consistency status : success
    Per-vlan consistency status : success
    Type-2 consistency status : success
    vPC role : secondary
    Number of vPCs configured : 1
    Peer Gateway : Disabled
    Dual-active excluded VLANs : -
    Graceful Consistency Check : Enabled
    Auto-recovery status : Disabled
    vPC Peer-link status
    id   Port   Status  Active vlans
    1    Po99   up      1,451,652,680
    vPC status
    id   Port   Status  Consistency  Reason   Active vlans
    102  Po102  up      success      success  1,451,652,680
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh spanning-tree
    VLAN0001
    Spanning tree enabled protocol rstp
    Root ID Priority 32769
    Address 1005.caf5.88ff
    Cost 3
    Port 4194 (port-channel99)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
    Address 8c60.4f2d.777c
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Eth8/3 Desg FWD 2 128.1027 P2p
    VLAN0451
    Spanning tree enabled protocol rstp
    Root ID Priority 33219
    Address 8c

    Jon,
    Are you ready for the mass confusion?
    when Looking at the ASA EIGRP neighbors output here is what I see.
    ASA# sh eigrp neighbors
    EIGRP-IPv4 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    3   172.16.230.1            Te0/8.450        13  16:45:14 1    200   0   64
    2   172.16.230.2            Te0/8.450        11  16:45:14 1    200   0   84
    1   172.16.230.10           Te0/8.451        11  16:45:20 1    200   0   178
    0   172.16.230.9            Te0/8.451        13  16:45:20 1    200   0   148
    For simplicity's sake let's just concentrate on interface TenGigabit0/8.451, which maps to the SVI on the Nexus switch that is VLAN451.
    From the Nexus Switch 6004 that is directly connected to the ASA here is what I see
    SWI01# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   172.16.8.3              Vlan680         10   17:04:30  54   324   0   177
    1   172.16.230.10           Vlan451         11   16:59:10  819  4914  0   178
    2   172.16.230.11           Vlan451         14   16:53:48  24   144   0   20
    The Inside VRF that is tied to both SVI's on the Switch vlans 451 and 680 is in EIGRP 100 on the switch
    SWI01# sh run int vlan 451
    interface Vlan451
      description Inside p2p to ASA
      no shutdown
      vrf member Inside
      ip address 172.16.230.9/29
      ip router eigrp 100
      no ip passive-interface eigrp 100
    SWI01# sh run int vlan 680
    interface Vlan680
      description Inside Network
      no shutdown
      vrf member Inside
      ip address 172.16.8.2/22
      ip router eigrp 100
      hsrp 1
        authentication text test
        preempt
        priority 250
        ip 172.16.8.1
    So, are you with me so far?
    If you are, you will have noticed that in the ASA neighbors the ASA sees 172.16.230.11 as a neighbor, which is the Secondary Nexus SW. That is because they all share the same subnet.
    172.16.230.8/29
    Breakdown:
    PRI Nexus 6004 - 172.16.230.9
    SEC NEXUS 6004 - 172.16.230.10
    PRI ASA 5585x  - 172.16.230.11
    SEC ASA 5585x  - 172.16.230.12
    Because the ASA EIGRP network is a /29 it learns the Secondary Nexus via the Primary Nexus.
    I am not sure that the link we created between the two Nexus Switches is doing anything but consuming ports right now.
    SWI01# sh run int ethernet 8/9
    interface Ethernet8/9
      description EIGRP PORT to Secondary Nexus
      switchport mode trunk
      switchport trunk allowed vlan 450-451
    SWI02# sh run int ethernet 8/9
    interface Ethernet8/9
      description EIGRP PORT to Primary Nexus
      switchport mode trunk
      switchport trunk allowed vlan 450-451
    So the SVI's that go up to the ASA for inspection are 450 and 451. The network SVI's are 600 and 680 all of them live on the switch, and 680, and 600 are extended over the peer links down to the 9372's.
    I think that we are breaking the golden rule of vPC BUT.. I am not 100% sure. Some of the documents read that we should not be allowing network vlans over peer links, but then how do you extend the vlans down to the leaf switch?
    This is giving me nightmares at the moment…
    does this make sense? 

  • FWSM move from Active/Standby to Active/active

    Hi there,
    We have some FWSMs installed in 6500s with many contexts in them.  They are at the moment configured as Active/Standby and in production.  But we have noticed that whenever a backup is run which goes through some of the contexts, the FWSMs start counting errors, which was already determined to be an oversubscription issue.  So, while we wait for the new ASA 5585X to arrive and finally replace them, we want to mitigate the issue by configuring the FWSMs as Active/Active and moving the contexts for backup traffic to the other box (keeping the production contexts in the other one).
    My question is, can this be done without impacting the production traffic?  Or as soon as we enable the active/active by the configuration of the groups and assignments of the contexts, the traffic will be impacted and we will produce an outage to the network?
    Thanks in advance for your help.
    Regards,
    Paula

    So no answers?

  • Active-Active firewall Admin context

    Hi all,
    My problem statement was:
    My box is an ASA 5585X; since this model has G0/0 - 0/7, sufficient interfaces, I don't need to do sub-interfaces for the contexts.
    My question:
    a. Is it compulsory to have the admin context in an A-A deployment?
    Somehow I read on http://www.techrepublic.com/blog/networking/understand-the-pros-and-cons-of-using-cisco-asa-multiple-context-mode/1413
    that "The Admin Context is not restricted and can be used as any other security context."
    Can I just exclude this admin context?
    b. Referring to my config snippet, can I just allocate the management interface to the admin context, instead of allocating any inside/outside interface to it?
    c. Is it good practice not to use the same interface for LAN failover and stateful failover? I am facing the problem of a "ghost image" when I enable multiple mode and both LAN/stateful failover on the same interface.
    thanks
    Noel
    P.S: Config snipet
    admin-context admin
    context admin
      allocate-interface Management0/0
      config-url disk0:/admin.cfg
      join-failover-group 1
    context public-internet
      allocate-interface GigabitEthernet0/0
      allocate-interface GigabitEthernet0/1
      config-url disk0:/public-intenet.cfg
      join-failover-group 2
    context secure-voice
      allocate-interface GigabitEthernet0/2
      allocate-interface GigabitEthernet0/3
      allocate-interface GigabitEthernet0/4
      config-url disk0:/secure-voice.cfg
      join-failover-group 1

    Hi Varun,
    Thanks for reply.
    Apparently my ASA 5585X box is facing a "ghost image" on the home screen, where it cannot display the real-time traffic in the panel.
    My concern now is to split my previous LAN/State failover interface into separate interfaces; I just hope it can solve the problem.
    I am now using ASDM 6.47; according to the Cisco statement this issue has been solved, but it seems to still happen in my case.
    Is there any command that can let me troubleshoot this?
    Thanks
    Noel

  • Applying ACL globally

    I have a question that I hope someone can clarify... I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of as an access group that is applied to a specific interface as in or out... below are the interfaces and ACL.
    interface GigabitEthernet0/1
     nameif internet-outside
     security-level 0
     ip address X.X.X.X 255.255.255.0 standby X.X.X.X
    !
    interface GigabitEthernet0/2
     nameif internet-dmz
     security-level 10
     ip address 10.69.201.X 255.255.255.0 standby 10.69.201.X
    !
    interface TenGigabitEthernet0/8.129
     nameif core-inside
     security-level 100
     ip address 10.69.129.X 255.255.255.0 standby 10.69.129.X
    !
    interface TenGigabitEthernet0/9.130
     nameif VLAN130
     security-level 50
     ip address 10.69.130.X 255.255.255.0 standby 10.69.130.X
    !
    interface TenGigabitEthernet0/9.134
     nameif VLAN134
     security-level 50
     ip address 10.69.134.X 255.255.255.0 standby 10.69.134.X
    !
    interface TenGigabitEthernet0/9.136
     nameif VLAN136
     security-level 50
     ip address 10.69.136.X 255.255.255.0 standby 10.69.136.X
    !
    interface TenGigabitEthernet0/9.140
     nameif VLAN140
     security-level 50
     ip address 10.69.140.X 255.255.255.0 standby 10.69.140.X
    ACL
    access-list wwy-legacy remark Citrix Communications
    access-list wwy-legacy extended permit ip object-group All-Citrix object-group All-Citrix
    access-list wwy-legacy remark Check Point Firewall MGMT
    access-list wwy-legacy extended permit tcp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-tcp
    access-list wwy-legacy extended permit udp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-udp
    access-list wwy-legacy remark QUALYS Scanner Access
    access-list wwy-legacy extended permit ip object-group qualys-scanners any
    access-list wwy-legacy extended permit tcp object-group CN_HQ_NET host 10.69.130.12 eq 8080
    access-list wwy-legacy remark ISX-Solorwinds
    access-list wwy-legacy extended permit udp host 10.121.137.92 any object-group SNMP-mgmt-udp
    access-list wwy-legacy extended permit icmp host 10.121.137.92 any
    access-list wwy-legacy extended permit icmp any host 10.121.137.92
    access-list wwy-legacy extended permit udp any host 10.121.137.92 object-group SNMP-mgmt-udp
    access-list wwy-legacy remark citrix access to QA Leo systems
    access-list wwy-legacy extended permit tcp object-group vmww-grp-2 object-group vmww-grp-1 eq www
    access-list wwy-legacy remark EDI-Outbound
    access-list wwy-legacy extended permit tcp host 10.69.130.68 host 198.65.112.233 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.66 host 198.65.112.233 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.68 host 38.96.217.8 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.69 host 38.96.217.8 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.68 host 184.106.46.199 eq ssh
    access-list wwy-legacy extended permit tcp host 10.69.130.69 host 184.106.46.199 eq ssh
    access-list wwy-legacy remark Security
    access-list wwy-legacy extended permit tcp object-group CP-Firewalls object-group External-ACS object-group security-svc-tcp
    access-list wwy-legacy extended permit udp object-group CP-Firewalls object-group External-ACS object-group security-svc-udp
    access-list wwy-legacy extended permit udp object-group Private_Addresses object-group External-ACS object-group security-svc-udp
    access-list wwy-legacy extended permit tcp object-group Private_Addresses object-group External-ACS object-group security-svc-tcp
    access-list wwy-legacy extended permit tcp object-group Private-Addresses object-group External-ACS object-group security-svc-tcp
    access-list wwy-legacy extended permit udp object-group Private-Addresses object-group External-ACS object-group security-svc-udp
    access-list wwy-legacy remark EDI
    access-list wwy-legacy extended permit ip object-group Primary_EDI_Servers object-group Primary_EDI_Servers
    access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals object-group Primary_EDI_Servers object-group EDI-Common_Inbound_tcp
    access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals host 10.69.201.88 object-group EDI-Common_Inbound_tcp
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_tcp
    access-list wwy-legacy extended permit udp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_udp
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq ssh
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 10022
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2223
    access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2224
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq ssh
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 10022
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2223
    access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2224
    access-list outside-acl-01 extended deny ip any any
    access-group outside-acl-01 in interface internet-outside

    Hi,
    Beginning from 8.3(1) you should be able to use a single access-list to control traffic/connections.
    It still uses the "access-group" command to "attach" the access-list as a global access-list.
    The command format is:
    access-group global
    Just out of interest, are you moving to ASA from some other product, or why would you want to use one global access-list? Personally I could never think of changing to global access-lists. I guess that's probably due to the fact that I have used access-lists attached to a certain interface and direction for so long.
    - Jouni
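
    An added example (not part of either post) showing the global form next to the interface form, using the "wwy-legacy" and "outside-acl-01" ACL names from the question; the show commands and the ordering notes are the editor's, not Jouni's.

```text
! Added example. Requires ASA 8.3(1) or later.
!
! Interface form (as in the question): inbound on one named interface only.
access-group outside-acl-01 in interface internet-outside
!
! Global form: applies to inbound traffic on ALL interfaces. Evaluation order
! for a packet is interface ACL first, then the global ACL, then implicit deny.
access-group wwy-legacy global
!
! Verify what is attached where, and watch hit counts per ACE while testing.
show running-config access-group
show access-list wwy-legacy
```

    Two points worth checking before converting an interface ACL such as wwy-legacy to a global one: a global ACL is inbound only, so any "out" interface rules have to stay as interface rules; and every permit in it now matches on every interface, so an entry written with the outside interface in mind (for example "permit ip object-group qualys-scanners any") also permits that traffic arriving on core-inside and the VLAN sub-interfaces. Reviewing the hit counts from show access-list after the change is the quickest way to see which entries are matching traffic on interfaces they were never meant for.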

  • Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

    Environment:
    2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
    Both ASAs are at version 8.4(5)6
    IPSec VPN Client version: 5.0.07.440 (64-bit)
    Jabber for Windows v9.7.0 build 18474
    Issue:
       If I am an IPSec VPN user:
       - I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
       - I can't use Jabber to another IPSec VPN user that is connected to a different ASA appliance than the one I am connected to.
    In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

    Portu,
    Thanks for your quick reply.
    Unfortunately, I do not have access to the ASA logs, nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take a while, and I suspect they wouldn't be helpful as this ASA supports thousands of clients; therefore, separating out my connection attempts from other clients would be difficult.
    I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
    As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a wireshark and/or tcpdump.)
    Thanks again.
