ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

Similar Messages

• ASA 5585X Clustering

  I have two ASA 5585X-SSP20 need to Cluster config. I am little confused about ASA to Core Switch and Server Firm Switch Connectivity. In cluster mode if we config master asa two 10G port as an ether-channel then others cluster member same port config as a same ether-channel.So four port in two asa work in single ether-channel. If this right then my diagram is correct or wrong. Plz  help me.  

  Hi,
  yes,technically you could run two SSP20's with all 4 10g ports in the same spanned etherchannel as a "firewall on a stick". 
  If you look in the cluster configuration guide you'll see that the CCL (Cluster Control Link) needs to be sized the same as the data links so if you don't add any extra modules to your SSP20 firewalls you'll end up with 1x 10g for data and 1x 10g for CCL on each physical firewall.
  We currently have this setup in our environment; each SSP20 firewall is connected to a Nexus 7K switch where one 10G port is used for CCL and one 10G port is setup as a trunk for all inbound/outbound traffic to/from the firewall.
  Hope this helps!
  -Michel

• Mount ASA 5585x on 2-post rack?

  Is it possible to mount the ASA 5585x on a 2-post rack?

  It is POSSIBLE but not recommended.
  It's designed for a 4-post installation, using either the slide or fixed rail kit and mounting to all four posts.That's what's shown in the installation guide.
  If it were my ASA at US$100,000+per unit, I'd want it to be securely mounted.

• Redundant etherchannels for ASA 5585X

  Hi there ,  We have procured 2 ASA 5585X units for Active / Standby setup . In the interim we will go with etherchannelling 1 Gig links to upstream 6513 swtiches (non VSS).  Can I have this configuration for resiliency. 
  Etherchannel from ASA Primary - Switch 1 & Switch 2
  Etherchannel from ASA Standby - Switch 1 & Switch 2
  or
  Etherchannel from ASA Primary - Switch 1
  Etherchannel from ASA Standby - Switch 2
  ( Failover links between the Firewalls are already configured )
  Currently I am reviewing which would be the best way to configure redundancies to upstream switches. Appreciate any suggestions
  Thanks

  The delay is not in the failover. The delay is in the traffic flowing through the 6513's now take a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to same VLAN's?
  I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?
  One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions.

• ASA supports NAT in bridge mode??

  any one know if an ASA supports NAT in bridge mode? especially the 5580 series x??

  Hi Hans,
  Yes it does, from version 8.0 and higher.
  Unsupported Features
  These features are not supported in transparent mode:
  NAT /PAT
  NAT is performed on the upstream router.
  Note: Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.
  Here is the document:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#visits
  Mike

• Etherchannel support for ASA 5585X

  Hi there , Just trying to find out which all versions of ASA 5585X can support etherchannel features .
  Thanks
  Prabs

  Hi,
  To my understanding any ASA (except ASA5505) from 8.4(1) onwards can use EthernetChannel
  Quote from Cisco document
  Interface FeaturesEtherChannel support (ASA 5510 and higher)You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.We introduced or modified the following screens:Configuration > Device Setup > InterfacesConfiguration > Device Setup > Interfaces > Add/Edit EtherChannel InterfaceConfiguration > Device Setup > Interfaces > Add/Edit InterfaceConfiguration > Device Setup > EtherChannel
  Source:
  http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
  Here is also a link to the "interface" command for Etherchannel
  http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
  Hope this helps
  - Jouni

• ASA 5505 Site-to-Site VPN dropping at end of lifetime

  I have 4 ASA 5505's with Site-to-Site IPSEC VPN tunnels built between them.  One of the tunnels stays up just fine but the other 2 drop at the end of the SA lifetime for a period of time equal to 10% of the SA lifetime.
  Orignially, I had the the lifetime set to 1 hour and the tunnels would drop for 6 minutes.  I changed the lifetime to 8 hours (480 minutes) and they dropped for 48 minutes.  I've gone over the configurations and the only differences I can find is that the sites where the tunnel drops have the outside interface forwarded to an VOIP server and all ports but SIP blocked.

  Can you post the configs?

• Has Photoshop CS5 Extended added a "Behind" and "Clear" in MODE drop down box?

  Hi Guys,
  I am not sure what just happened with my PS. Was downloading and installing some custom patterns and brushes from the net last night. And when I went to try them out I noticed the drop down box had 2 new added effects ( Behind and Clear ) which I was not able to even access because they were not live. It is the drop down box which has the normal, dissolve, darken, multiply etc. etc. up on the top left hand bar. I was going to upload a picture but I keep getting a message saying this file is forbidden, even after I scaled the image down to the required fields. I was wondering if some one can help. I hope it wasn't a virus from the internet files I downloaded.
  Many thanks, Grace.

  They are brush blend modes.  To use you need to have the brush tool selected.  Open a new layer and paint with any colour.  Chose another colour and make the blend mode Behind.  I bet you know what will happen now? ;-)
  Clear works pretty much the same as the Eraser tool as far as I can tell.  Might need to actually read the manual to get more info on that.

• Why doesn't the Mode drop down tab include 64bit channel option?

  Although I have a the Mac Lion OS installled Photoshop CS 6 does not include a 64 bit channel in the mode menu drop done.

  But I want my 6,277,101,735,870,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 colors!

• Can ASA (8.03) Single Context Mode support limit-resource?

  I have dual ASA with v8.03 and I want to limit resource for SSH, telnet and ASDM sessions.
  By checking Cisoco document, I can manage to test to limit resource with below commands. But it can only perform after enabling multiple context mode.
  class default
    limit-resource All 0
    limit-resource SSH 2
    limit-resource ASDM 2
    limit-resource Telnet 2
  Can anyone help to reply whether we can use "limit-resource" in single context (without enabling multi context mode)? Or any other way to limit resource?

  Hi.
  In single mode, the limit is 5 maximum sessions. it's not possible to change it.
  Regards,
  Fadi.
  Does this answer your question? if yes please mark it answered.

• ASA 5585x IPS Service Contract CON

  Dear all
  actually i'm looking for the IPS contract support for ASA5585 (SSP IPS), i found two type of this from internet with details below:
  CON-SNT-AS82S10K  -  SMARTNET 8X5XNBD ASA5580-20-10K-K9
  CON-SUO1-A8S2P2S9  - IPS SVC, ONSITE NBD ASA 5585-X w/SSP20,,IPS SSP-20,16GE,10K
  could please someone tell me about different between this two

  Hello,
  You can always check with the Cisco Sales representative to get more information. Normally those guys are the ones that can provide you more details in regards of Entitlement informaiton.
  Mike

• ASA 5585x reload by self

  Dear,
  I have Cisco ASA 5585 x, its working normally from two years ago, but before two month something strange start happened, its reloaded suddenly, and after week again happened and continue but in different times.
  what its the causes of make FW reload by himself ?

  A spontaneous firewall reload is most often related to a software bug in my experience. There is usually a crashinfo file generated which can be analyzed by the Cisco TAC.
  You need to open a Service Request with the TAC to have them analyze the issue.

• CSCur57143 - ASA/SFR data plane connection may drop under heavy load

  Does anyone know if 9.2.3 for the ASA fixes this issue?

  Does anyone know if 9.2.3 for the ASA fixes this issue?

• Filtering/Dropping IPv6 on IPv4-only Devices?

  Hi All -
  Got an interesting requirement that (for something seemingly simple) has been remarkably challenging to locate a solution for...
  Having a problem with random IPv6 traffic showing up on the enterprise LAN from time to time and freaking out certain network-connected devices that don't know how to process it (CPU 100%, etc.). So I'm looking for a way to filter/drop that IPv6 traffic at the network edge. I can certainly set the core 6500's not route (or even ignore) IPv6, but that still doesn't stop it from running around WITHIN a VLAN.
  Is there a way that a IPv4-only device can identify IPv6 traffic (by a protocol type code or something along that line) so that it can be filtered/dropped before it even makes it onto the backbone?
  Thanks in advance!
  Mike

  Mike-
  Good question! The first thing I thought of was VACL's, but VACLs w/IPv6 are not supported on the 6000 series switch.
  http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808122ac.shtml#vacl
  Are the 6500's your access layer? Are they your L3 gateway? Is it possible for you to find the device(s) running IPv6 and correct them?

• ASA 5505 as hw vpn client to PIX501 or ASA5505 w network extension mode

  Hi!
  We have been using a PIX 501 for a couple of years now to access a
  local network with Cisco VPN software client. However we now need
  access from another site with multiple users so I decided to buy two
  ASA 5505 UL bundle to do the job. First i tried to just hook up the
  new ASA at the remote site and connect to the PIX 501 with easy vpn.
  In went fine. I configured the new ASA right from the box with the old
  vpn profile settings and it worked right away. But as we also need the
  remote site to be accessed from the main site (PIX side) i tried to
  enable "network extension mode" but then the tunnel didnt work
  anymore. it connects but no traffic is coming through. I set it back
  to normal mode (only client) and it worked again.
  Is there anything else I need to do to be able to use network
  extension mode than just enabling it in ASDM ?
  The samt thing happens when using two ASA 5505 the same way.
  Software versions are:
  PIX: 6.3
  ASA 5505: 7.2.1 (used to be 7.2.2 but I had to downgrade because of a bug in 7.2.2 - vpnclient fails after reboot)
  I also did try the latest 8.2 with very little success. Seemed a bit buggy.
  Thanks,
  Bjorn

  Hi!
  Thought I could add some info. Our Head unit is 192.168.1.1 and the connecting ASA 5505 is 192.168.10.1. When I try to ping a machine (192.168.1.201) from the remote site I get this in the ASA log:
  With network extension mode
  302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.10.2/512 laddr 192.168.10.2/512
  With only client mode
  302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.1.9/1 laddr 192.168.10.2/512
  It seemes to me (quite the newbie here on ASA) that the unit does not handle the gateway address correctly when using network extension mode. The PC i use to ping from is 192.168.10.2.
  Any ideas from the experts ?
  Regards,
  B