ASA 5585x reload by self
Dear,
I have a Cisco ASA 5585-X; it has been working normally for two years, but two months ago something strange started happening: it reloaded suddenly, and after a week it happened again, and it continues at different times.
What causes the FW to reload by itself?
A spontaneous firewall reload is most often related to a software bug in my experience. There is usually a crashinfo file generated which can be analyzed by the Cisco TAC.
You need to open a Service Request with the TAC to have them analyze the issue.
Similar Messages
-
Mount ASA 5585x on 2-post rack?
Is it possible to mount the ASA 5585x on a 2-post rack?
It is POSSIBLE but not recommended.
It's designed for a 4-post installation, using either the slide or fixed rail kit and mounting to all four posts. That's what's shown in the installation guide.
If it were my ASA at US$100,000+per unit, I'd want it to be securely mounted. -
Redundant etherchannels for ASA 5585X
Hi there, we have procured 2 ASA 5585X units for an Active/Standby setup. In the interim we will go with etherchannelling 1 Gig links to upstream 6513 switches (non VSS). Can I have this configuration for resiliency?
Etherchannel from ASA Primary - Switch 1 & Switch 2
Etherchannel from ASA Standby - Switch 1 & Switch 2
or
Etherchannel from ASA Primary - Switch 1
Etherchannel from ASA Standby - Switch 2
( Failover links between the Firewalls are already configured )
Currently I am reviewing which would be the best way to configure redundancy to the upstream switches. Appreciate any suggestions.
Thanks
The delay is not in the failover. The delay is in the traffic flowing through the 6513's now taking a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to the same VLAN's?
I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?
One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions. -
Etherchannel support for ASA 5585X
Hi there, just trying to find out which versions of the ASA 5585X can support EtherChannel features.
Thanks
Prabs
Hi,
To my understanding any ASA (except the ASA5505) from 8.4(1) onwards can use EtherChannel.
Quote from Cisco document
Interface Features
EtherChannel support (ASA 5510 and higher)
You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
Note: You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
We introduced or modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
Configuration > Device Setup > EtherChannel
Source:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
Here is also a link to the "interface" command for EtherChannel:
http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
Hope this helps
- Jouni -
I have two ASA 5585X-SSP20 that need cluster config. I am a little confused about ASA to Core Switch and Server Farm Switch connectivity. In cluster mode, if we configure two 10G ports on the master ASA as an ether-channel, then the same ports on the other cluster member are configured as the same ether-channel. So four ports in two ASAs work in a single ether-channel. If this is right, then is my diagram correct or wrong? Please help me.
Hi,
Yes, technically you could run two SSP20s with all 4 10G ports in the same spanned EtherChannel as a "firewall on a stick".
If you look in the cluster configuration guide you'll see that the CCL (Cluster Control Link) needs to be sized the same as the data links so if you don't add any extra modules to your SSP20 firewalls you'll end up with 1x 10g for data and 1x 10g for CCL on each physical firewall.
We currently have this setup in our environment; each SSP20 firewall is connected to a Nexus 7K switch where one 10G port is used for CCL and one 10G port is setup as a trunk for all inbound/outbound traffic to/from the firewall.
Hope this helps!
-Michel -
ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast
Hello Community,
it seems there are problems with dropped fragmented IPv4 UDP multicast traffic on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
MC src and rcv
(XChariot)
|
-----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
|
MC src and rcv
(XChariot)
Test 1: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
(Trace "WAN-IF_capture_225.1.2.154_no-frag" and output "L2FW-not_fragmented")
The traffic passes through the Transparent mode ASA without any problems.
Test 2: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441, resulting in fragmentation.
This traffic (and unfortunately it is the same for the real application) is dropped by the ASA. The two ASP drop counters for "Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a relation of 3 (DstMAC) : 1 (invalid udp).
The file "L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures of the ASP drops. In addition, the three traces are in pcap format.
Any idea?
Thank you in advance for your contribution.
Hello Community,
the following combination solved our problem for now: upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322
Perhaps further tests will be made using lower interim versions. -
Every time I open a window in Firefox it constantly reloads itself, and when I finally get it to stop and open another tab and try to go back to the previous tab it reloads itself.... Please help
== This happened ==
Every time Firefox opened
== About 4 months ago
Do you have that problem when running in the Firefox SafeMode?
[http://support.mozilla.com/en-US/kb/Safe+Mode]
''Don't select anything right now, just use "Continue in SafeMode."''
If not, see this:
[http://support.mozilla.com/en-US/kb/troubleshooting+extensions+and+themes] -
ASA 5585x IPS Service Contract CON
Dear all
actually I'm looking for the IPS support contract for the ASA5585 (SSP IPS); I found two types of this on the internet, with details below:
CON-SNT-AS82S10K - SMARTNET 8X5XNBD ASA5580-20-10K-K9
CON-SUO1-A8S2P2S9 - IPS SVC, ONSITE NBD ASA 5585-X w/SSP20,,IPS SSP-20,16GE,10K
Could someone please tell me the difference between these two?
Hello,
You can always check with the Cisco Sales representative to get more information. Normally those guys are the ones that can provide you more details regarding entitlement information.
Mike -
ASA 5505 9.1 and NAT issues to single dynamic IP
Good afternoon everybody,
a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (HTTPS and SMTP ports) in my inside LAN.
Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP).
As soon as the outside address changes, the NAT rules are deleted and these 2 lines pop up in the syslog:
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
At the same time, the console connection shows these two messages:
Asa5505# ERROR: NAT unable to reserve ports.
ERROR: NAT unable to reserve ports.
I have moved both the AnyConnect VPN Essentials and HTTP ports to 10443 and 8080 respectively, so port 443 should be free for NAT.
This is the configuration file; I have marked the lines related to the network objects and their NAT statements. I hope it helps to find out where the problem is.
Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
ASA Version 9.1(5)
hostname Asa5505
domain-name home
enable password XXXXXX encrypted
names
interface Ethernet0/0
 description ADSLPPoE
 switchport access vlan 2
interface Ethernet0/1
 description Internal_LAN
interface Ethernet0/2
 description Management_Net
 switchport access vlan 3
interface Ethernet0/3
 shutdown
interface Ethernet0/4
 shutdown
interface Ethernet0/5
 description Uplink
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
interface Ethernet0/6
 description Wireless-POE
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
interface Ethernet0/7
 description Webcam-POE
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.250 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group AliceADSL
 ip address pppoe setroute
interface Vlan3
 no forward interface Vlan1
 nameif management
 security-level 100
 ip address 10.5.1.250 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.4
 domain-name home
object network Exchange-HTTPS
 host 192.168.1.150
object network Exchange-SMTP
 host 192.168.1.150
object network Network_Inside
 subnet 192.168.1.0 255.255.255.0
object network Network_Management
 subnet 10.5.1.0 255.255.255.0
access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https
access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1492
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Exchange-HTTPS
 nat (inside,outside) static interface service tcp https https
object network Exchange-SMTP
 nat (inside,outside) static interface service tcp smtp smtp
object network Network_Inside
 nat (inside,outside) dynamic interface
object network Network_Management
 nat (management,outside) dynamic interface
access-group Outside_ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 8080
http 10.5.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access management
vpdn group AliceADSL request dialout pppoe
vpdn group AliceADSL localname aliceadsl
vpdn group AliceADSL ppp authentication pap
vpdn username aliceadsl password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.4 192.168.1.150 interface inside
dhcpd wins 192.168.1.4 interface inside
dhcpd enable inside
dhcpd address 10.5.1.30-10.5.1.40 management
dhcpd dns 208.67.222.222 208.67.220.220 interface management
dhcpd enable management
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 10443
 anyconnect-essentials
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXX
: end
Thanks in advance for your precious help !
C.
Update 29th of June:
Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both NAT rules are restored. In 9.1(5) the NAT statements were removed from the running configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
I tried using show xlate before, during, and after the connection drop. As expected, before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During the disconnection, the whole xlate table is completely empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If I reload the ASA using reload noconfirm every rule is restored and everything works again.
Two brief questions:
1) In my NAT statements for PAT, does it change anything if I modify them (for example) from
nat (inside,outside) static interface service tcp https https
to
nat (inside,outside) dynamic interface service tcp https https
? Since it seems like the dynamic PAT is restored after a connection drop, I was asking myself what happens if I change the rules this way.
2) If there's no other way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing"? I can't predict how many times a day the line drops and I can't be there 24/7 with my console cable connected in order to restore the NAT statements ^^
Thank you for your precious help and patience !
C. -
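As an added example (not from the thread or from Cisco), here is a small Go program that parses the %ASA-6-305012 teardown lines quoted above and reports when a published static PAT has been torn down, so the condition can be alerted on from syslog instead of being discovered at the console. The dynamic sample line and the list of published host/port pairs (the Exchange 443/25 entries from the configuration) are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Xlate is one translation as described by an ASA %ASA-6-305012 teardown message.
type Xlate struct {
	Kind, Proto    string // "static" or "dynamic"; "TCP", "UDP", ...
	InIf, InAddr   string
	InPort         int
	OutIf, OutAddr string
	OutPort        int
	Duration       string
}

// 305012 is the ASA message id for "Teardown ... translation"; the pattern
// follows the two syslog lines quoted in the post above.
var teardownRe = regexp.MustCompile(
	`%ASA-\d-305012: Teardown (static|dynamic) (\w+) translation from ` +
		`(\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+) duration ([\d:]+)`)

// ParseTeardown extracts the translation from one syslog line; ok is false
// when the line is not a 305012 teardown message.
func ParseTeardown(line string) (x Xlate, ok bool) {
	m := teardownRe.FindStringSubmatch(line)
	if m == nil {
		return Xlate{}, false
	}
	x.Kind, x.Proto, x.InIf, x.InAddr = m[1], m[2], m[3], m[4]
	x.OutIf, x.OutAddr, x.Duration = m[6], m[7], m[9]
	x.InPort, _ = strconv.Atoi(m[5]) // \d+ in the pattern guarantees integers
	x.OutPort, _ = strconv.Atoi(m[8])
	return x, true
}

// Published is one static PAT the firewall is expected to keep: inside host and port.
type Published struct{ Addr string; Port int }

// LostPublishedServices returns the published static PATs that were torn down, in
// order of first appearance. Dynamic PAT teardowns are normal churn and are ignored.
func LostPublishedServices(lines []string, published []Published) []Published {
	var lost []Published
	seen := map[Published]bool{}
	for _, line := range lines {
		x, ok := ParseTeardown(line)
		if !ok || x.Kind != "static" {
			continue
		}
		for _, p := range published {
			if x.InAddr == p.Addr && x.InPort == p.Port && !seen[p] {
				seen[p] = true
				lost = append(lost, p)
			}
		}
	}
	return lost
}

func main() {
	// Constructed sample: ordinary dynamic PAT churn (must not alert) followed by
	// the two static teardown lines quoted in the post.
	sample := []string{
		"<166>%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.101/51234 to outside:79.6.105.13/51234 duration 0:00:31.",
		"<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.",
		"<166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.",
	}
	published := []Published{{"192.168.1.150", 443}, {"192.168.1.150", 25}} // from the config above
	for _, p := range LostPublishedServices(sample, published) {
		fmt.Printf("ALERT: static PAT for %s:%d torn down; check 'show xlate' and the outside address\n", p.Addr, p.Port)
	}
}
```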
IP Phone VPN connection to ASA using Anyconnect
Hello,
I will be configuring my first Anyconnect VPN to allow an IP Phone to connect over the internet. I wanted to know what the best practice is in generating a certificate on the ASA...is self generating ok or get one from a CA? What are the cons of using a self generating certificate? Also, I would appreciate any links to configure Anyconnect and installing/generating certificates.
Thanks
The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
http://www.cisco.com/en/US/netsol/ns1246/index.html
PS- Jason could have found out details in advance since DiData has partner NDA status.
Please remember to rate helpful responses and identify helpful or correct answers. -
Accessing websites running on non-standard ports or with self-signed ssl certs?
I've got some sites running with self-signed SSL certs that also run on non-standard ports. Firefox Home doesn't seem to open these pages; it just sits there with the spinner loading and a blank screen...
Anyone else noticed this? -
Hi
Is there a way to configure PIM-SSM on the ASA 5585X-SSP20?
thanks
Unfortunately PIM-SSM is not supported on any of the ASA platforms.
-
Just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I have copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it's not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.
Try this,
To upgrade/install the ASDM follow the example procedure,
ASA(config)# copy tftp flash
Address or name of remote host [x.x.x.x]?
Source filename [pix704.bin]? asdm-504.bin
Destination filename [asdm-504.bin]?
Accessing tftp://x.x.x.x/asdm-504.bin...!!!!!!!!!!!!!!!!!!!!!
Writing file flash:/asdm-504.bin...
5958324 bytes copied in 165.460 secs (36111 bytes/sec)
ASA(config)#
ASA(config)# sh flash
Directory of flash:/
7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
// asdm-504.bin is now copied in the flash. Now we need to set PIX to use
// this image for loading ASDM.
ASA(config)# asdm image flash:/asdm-504.bin
// Last steps involve saving the running configuration to memory as we have
// made changes to boot files and reloading the PIX.
ASA(config)# write memory
Building configuration...
Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
4807 bytes copied in 3.20 secs (1602 bytes/sec)
[OK]
ASA(config)# reload
// Once the PIX comes back up, we can verify that the upgrade has been successful
// by using the "show version" command.
Refer to the link ASDM Upgrade Procedure
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8
hope this helps.. all the best.. rate replies if found useful..
Raj -
ASA5505 IPSEC only with Self-Signed certs
Hello all,
I have limited Cisco training and have been tasked with a pilot project. We have scavenged the ASA from another department, but I have no access to support. It's running ASA v9.1 and ASDM 7.1. If all goes well I'll be sent on training and we will be purchasing a nice 5520.
So I've scoured the internet for an easy guide to do as my title says, but am having major difficulties. I can find lots of support for SSL VPN with self-signed or IPSEC VPN with externally signed certs, but I can't get ASA self-signed IPSEC IKEv2 only with certificate authentication. Also, to make it even worse, I need to provide the user with the software, profile and certificate by hand. No web-access portal or download.
If you know where I can get a good setup guide for this type of use, please by all means save me here. If this isn't even possible I'm cool with that, just let me know.
Thanks for any help you can provide
Jay
If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
That's why it's generally recommended to go the route of using a well-known public CA, as they are already included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate, or self-signing certificates on the ASA, then you need to take additional steps at the client.
In the first case, you would import the root CA certificate into the trusted root CA store of the client. After that, any certificates it has issued (i.e. the ASA's identity certificate) would automatically be trusted by the client.
In the second case, the ASA's identity certificate itself would have to be installed on the client, since it (the ASA) is essentially acting as its own root CA. I usually install them in my client's Trusted Root CA store, but I guess that's technically not required, as long as the client knows to trust that certificate. -
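The two cases in the answer above, played out in code as an added example (not from the thread or from Cisco): a CA-issued identity certificate is accepted once the CA root is in the client's trust store, while a self-signed identity is accepted only when that certificate itself is installed there. The CA name, serial numbers and the host name asa-vpn.example.net are constructed; Go's standard x509 verifier stands in for the client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn. With parent == nil it is self-signed (the
// ASA "enrollment self" case); otherwise it is signed by parent with parentKey.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // identity certificate: carries the server name, usable for server auth
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// ClientTrusts reports whether a client whose trusted root store holds exactly
// roots accepts identity as the certificate for the server name host.
func ClientTrusts(identity *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // explicit (possibly empty) pool: the OS store is not consulted
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := identity.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// Scenarios plays out the answer's two cases for the ASA name host: a CA-issued
// identity with/without the CA root installed, and a self-signed identity
// with/without that certificate itself installed on the client.
func Scenarios(host string) (caTrusted, caMissing, selfInstalled, selfMissing bool) {
	ca, caKey := issue("Private Root CA", true, 1, nil, nil) // constructed CA name
	fromCA, _ := issue(host, false, 2, ca, caKey)
	self, _ := issue(host, false, 3, nil, nil)
	caTrusted = ClientTrusts(fromCA, []*x509.Certificate{ca}, host)
	caMissing = ClientTrusts(fromCA, nil, host)
	selfInstalled = ClientTrusts(self, []*x509.Certificate{self}, host)
	selfMissing = ClientTrusts(self, nil, host)
	return
}

func main() {
	a, b, c, d := Scenarios("asa-vpn.example.net") // constructed host name
	fmt.Printf("CA-issued: root installed %v, root missing %v\n", a, b)
	fmt.Printf("self-signed: cert installed %v, nothing installed %v\n", c, d)
}
```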
Where are certificates used on this ASA (8.4)?
I have access to an ASA running 8.4 and I need to copy the config to another one, to have it as a spare.
All configuration has copied fine except for this part in the config:
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GS2-NT-FIR-01
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate c4999f4f
30820248 308201b1 a0030201 020204c4 999f4f30 0d06092a 864886f7 0d010105
05003036 31163014 06035504 03130d47 53322d4e 542d4649 522d3031 311c301a
.......lots of HEX
quit
So firstly, I assume this certificate is for the SSL VPN that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self-signed cert, so instead I probably need to generate a new one on this spare ASA. How do I do that?
Many thanks,
J.
The cert is self-signed, so you can enroll a new one on the second ASA.
Depending on your config it still could be that you are missing relevant parts as many things with VPNs are not in the config any more. Instead they are stored in flash.
To have a complete backup you can use the ASDM where you have a Backup- and restore functionality included.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni