ASA 5585x reload by self

Dear,
I have Cisco ASA 5585 x, its working normally from two years ago, but before two month something strange start happened, its reloaded suddenly, and after week again happened and continue but in different times.
what its the causes of make FW reload by himself ?

A spontaneous firewall reload is most often related to a software bug in my experience. There is usually a crashinfo file generated which can be analyzed by the Cisco TAC.
You need to open a Service Request with the TAC to have them analyze the issue.

Similar Messages

  • Mount ASA 5585x on 2-post rack?

    Is it possible to mount the ASA 5585x on a 2-post rack?

    It is POSSIBLE but not recommended.
    It's designed for a 4-post installation, using either the slide or fixed rail kit and mounting to all four posts.That's what's shown in the installation guide.
    If it were my ASA at US$100,000+per unit, I'd want it to be securely mounted.

  • Redundant etherchannels for ASA 5585X

    Hi there ,  We have procured 2 ASA 5585X units for Active / Standby setup . In the interim we will go with etherchannelling 1 Gig links to upstream 6513 swtiches (non VSS).  Can I have this configuration for resiliency. 
    Etherchannel from ASA Primary - Switch 1 & Switch 2
    Etherchannel from ASA Standby - Switch 1 & Switch 2
    or
    Etherchannel from ASA Primary - Switch 1
    Etherchannel from ASA Standby - Switch 2
    ( Failover links between the Firewalls are already configured )
    Currently I am reviewing which would be the best way to configure redundancies to upstream switches. Appreciate any suggestions
    Thanks

    The delay is not in the failover. The delay is in the traffic flowing through the 6513's now take a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to same VLAN's?
    I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?
    One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions.

  • Etherchannel support for ASA 5585X

    Hi there , Just trying to find out which all versions of ASA 5585X can support etherchannel features .
    Thanks
    Prabs

    Hi,
    To my understanding any ASA (except ASA5505) from 8.4(1) onwards can use EthernetChannel
    Quote from Cisco document
    Interface FeaturesEtherChannel support (ASA 5510 and higher)You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.We introduced or modified the following screens:Configuration > Device Setup > InterfacesConfiguration > Device Setup > Interfaces > Add/Edit EtherChannel InterfaceConfiguration > Device Setup > Interfaces > Add/Edit InterfaceConfiguration > Device Setup > EtherChannel
    Source:
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
    Here is also a link to the "interface" command for Etherchannel
    http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
    Hope this helps
    - Jouni

  • ASA 5585X Clustering

    I have two ASA 5585X-SSP20 need to Cluster config. I am little confused about ASA to Core Switch and Server Firm Switch Connectivity. In cluster mode if we config master asa two 10G port as an ether-channel then others cluster member same port config as a same ether-channel.So four port in two asa work in single ether-channel. If this right then my diagram is correct or wrong. Plz  help me.  

    Hi,
    yes,technically you could run two SSP20's with all 4 10g ports in the same spanned etherchannel as a "firewall on a stick". 
    If you look in the cluster configuration guide you'll see that the CCL (Cluster Control Link) needs to be sized the same as the data links so if you don't add any extra modules to your SSP20 firewalls you'll end up with 1x 10g for data and 1x 10g for CCL on each physical firewall.
    We currently have this setup in our environment; each SSP20 firewall is connected to a Nexus 7K switch where one 10G port is used for CCL and one 10G port is setup as a trunk for all inbound/outbound traffic to/from the firewall.
    Hope this helps!
    -Michel

  • ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

    Hello Community,
    it seems there are problems with dropped fragmented IPv4 UDP Multicast traffice on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
    MC src and rcv
    (XChariot)
    |
    -----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
    |
    MC src and rcv
    (XChariot)
    Test 1  (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
    (Trace "WAN-IF_capture_225.1.2.154_no-frag" and
    output "L2FW-not_fragmented"
    The traffic passes through the Transparent mode ASA without any problems.
    Test2 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441 resulting in fragmentation.
    This traffic and unfortunately it is the same for the real application is drop by the ASA. The two ASP drops counters for "
    Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a realtion of  3(DstMAC):1(invalid udp).
    The file"L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition the three traces in pcap format.
    Any idea?
    Thank you in advance for you contribution.

    Hello Community,
    the following combination solved our problem for now, upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
    http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322
    Perhaps further test will be made with using lower interim versions.

  • Everytime I open the window it keeps on reloading it self over and over again and when it's not doing that and I open another tab and try to go back to the previous tab it reloads itself....Please Help

    Every time I open a window in firefox it constantly reload itself and when I finally get it to stop and open another tab and try to go back to the previous tab it reload itself....Please Help
    == This happened ==
    Every time Firefox opened
    == About 4 months ago

    Do you have that problem when running in the Firefox SafeMode?
    [http://support.mozilla.com/en-US/kb/Safe+Mode]
    ''Don't select anything right now, just use "Continue in SafeMode."''
    If not, see this:
    [http://support.mozilla.com/en-US/kb/troubleshooting+extensions+and+themes]

  • ASA 5585x IPS Service Contract CON

    Dear all
    actually i'm looking for the IPS contract support for ASA5585 (SSP IPS), i found two type of this from internet with details below:
    CON-SNT-AS82S10K  -  SMARTNET 8X5XNBD ASA5580-20-10K-K9
    CON-SUO1-A8S2P2S9  - IPS SVC, ONSITE NBD ASA 5585-X w/SSP20,,IPS SSP-20,16GE,10K
    could please someone tell me about different between this two

    Hello,
    You can always check with the Cisco Sales representative to get more information. Normally those guys are the ones that can provide you more details in regards of Entitlement informaiton.
    Mike

  • ASA 5505 9.1 and NAT issues to single dynamic IP

    Good afternoon everybody, 
    a few days ago I tried setting up my ASA 5505 to allow access from the outside network to an Exchange server (ports HTTPS and SMTP) in my inside LAN.
    Everything seems to be working... until my outside IP address changes (for example due to a router reset or a disconnection caused by the ISP). 
    As soon as the outside address changes the NAT rules are deleted and these 2 lines pop up in the syslog :
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/25 to outside:79.6.105.13/25 duration 0:01:17.
    <166>%ASA-6-305012: Teardown static TCP translation from inside:192.168.1.150/443 to outside:79.6.105.13/443 duration 0:01:17.
    In the same time, the consolle connection shows these two messages :
    Asa5505# ERROR: NAT unable to reserve ports.
    ERROR: NAT unable to reserve ports.
    I have moved both Anyconnect VPN essentials and http ports to 10443 and 8080 respectively so port 443 should be free for nat.
    This is the configuration file, I  have marked the lines related to network objects and relative nat statements, I hope it helps to find out where's the problem.
    Obviously the lines in red are the ones disappearing... I'm quite desperate, actually.
    ASA Version 9.1(5) 
    hostname Asa5505
    domain-name home
    enable password XXXXXX encrypted
    names
    interface Ethernet0/0
     description ADSLPPoE
     switchport access vlan 2
    interface Ethernet0/1
     description Internal_LAN
    interface Ethernet0/2
     description Management_Net 
     switchport access vlan 3
    interface Ethernet0/3
     shutdown
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     description Uplink
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/6
     description Wireless-POE
     switchport trunk allowed vlan 1,3
     switchport trunk native vlan 1
     switchport mode trunk
    interface Ethernet0/7
     description Webcam-POE 
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.250 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group AliceADSL
     ip address pppoe setroute 
    interface Vlan3
     no forward interface Vlan1
     nameif management
     security-level 100
     ip address 10.5.1.250 255.255.255.0 
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 192.168.1.4
     domain-name home
    object network Exchange-HTTPS
     host 192.168.1.150
    object network Exchange-SMTP
     host 192.168.1.150
    object network Network_Inside
     subnet 192.168.1.0 255.255.255.0
    object network Network_Management
     subnet 10.5.1.0 255.255.255.0
    access-list Outside_ACL extended permit tcp any object Exchange-HTTPS eq https 
    access-list Outside_ACL extended permit tcp any object Exchange-SMTP eq smtp 
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1492
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network Exchange-HTTPS
     nat (inside,outside) static interface service tcp https https 
    object network Exchange-SMTP
     nat (inside,outside) static interface service tcp smtp smtp 
    object network Network_Inside
     nat (inside,outside) dynamic interface
    object network Network_Management
     nat (management,outside) dynamic interface
    access-group Outside_ACL in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 8080
    http 10.5.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access management
    vpdn group AliceADSL request dialout pppoe
    vpdn group AliceADSL localname aliceadsl
    vpdn group AliceADSL ppp authentication pap
    vpdn username aliceadsl password ***** store-local
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd dns 192.168.1.4 192.168.1.150 interface inside
    dhcpd wins 192.168.1.4 interface inside
    dhcpd enable inside
    dhcpd address 10.5.1.30-10.5.1.40 management
    dhcpd dns 208.67.222.222 208.67.220.220 interface management
    dhcpd enable management
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     port 10443
     anyconnect-essentials
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect skinny  
      inspect esmtp 
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect sip  
      inspect xdmcp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXX
    : end
    no asdm history enable
    Thanks in advance for your precious help !
    C.

    Update 29th of June :
    Tried both suggestions: flashing to 9.22 didn't fix the problem. The only significant change between 9.1(5) and 9.2(2) is that as soon as I reload the configuration after a connection drop both nat rules are restored. In 9.1(5) the nat statements were removed from the runnning configuration when the PPPoE connection was lost, and the config was updated (or maybe saved?), so after a reload those statements were gone and I had to copy-paste them back in conf-t in order to restore them.
    I tried using show xlate both before, during, and after the connection drop. As expected before the disconnection of PPPoE the static PAT rules are there, and the dynamic ones as well. During disconnection, all the xlate table is clean empty and the aforementioned error "Asa5505# ERROR: NAT unable to reserve ports. ERROR: NAT unable to reserve ports." pops up in the terminal. After a few minutes (needed by the DSL modem to perform its reset and bring up the DSL line again) the connection is established once more, but the only rules appearing in xlate are the ones created by the dynamic statements for management and LAN. If i reload the ASA using reload noconfirm every rule is restored and everything works again.
    Two brief questions :
    1) in my NAT statements for PAT, does it change anything if I modify them (for example) from 
    nat (inside,outside) static interface service tcp https https
    to
    nat (inside,outside) dynamic interface service tcp https https 
    ? Since it seems like the dynamic PAT is restored after a connection drop I was asking myself what happens if I change the rules this way.
    2) if there's not any ohter way to fix this, is it possible to schedule a reload of the ASA as soon as the PPPoE connection drops in order to make this problem "self fixing" ? I can't predict how many times a day the line drops and I can't be there 24/7 with my consolle cable connected in order to restore the nat statements ^^
    Thank you for your precious help and patience !
    C.

  • IP Phone VPN connection to ASA using Anyconnect

    Hello,
    I will be configuring my first Anyconnect VPN to allow an IP Phone to connect over the internet.  I wanted to know what the best practice is in generating a certificate on the ASA...is self generating ok or get one from a CA?  What are the cons of using a self generating certificate?  Also, I would appreciate any links to configure Anyconnect and installing/generating certificates.
    Thanks 

    The embargo/NDA is being lifted. The ASA is not involved. Here's the jump page with info:
    http://www.cisco.com/en/US/netsol/ns1246/index.html
    PS- Jason could have found out details in advance since DiData has partner NDA status.
    Please remember to rate helpful responses and identify helpful or correct answers.

  • Accessing websites running on non-standard ports or with self-signed ssl certs?

    I've got some sites running using self-signed ssl's that also run on non-standard ports. Firefox home doesn't seem to open these pages it just sits there with the spinner loading and a blank screen...
    Anyone else noticed this?

    If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
    That's why it's generally recommend to go the route of using a well-know public CA as they are alreay included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
    If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.
    In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e the ASA's identity certificate) would automatically be trusted by the client.
    In the second case, the ASA's identity certificate itself would have be installed on the client since it (the ASA) is essentially acting as it's own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate.

  • ASA 5585-X pim-ssm support

    Hi
    ?if there is a way to configure pim-ssm on asa 5585x-ssm20
    thanks

    Unfortunately PIM-SSM is not supported on any of the ASA platform.

  • Upgrading ASA 5520

    Just received a new ASA 5520 and I'm trying to update the ASA s/w to 7.2 and the ASDM to 5.2. I have copied the files to flash, but when I run "asdm image flash:/asdm521.bin" I get an error that it's not an image file, and I don't know where to start with the ASA. Any help would be appreciated. I can't find any info in my documentation.

    Try this,
    To upgrade/install the ASDM follow the example procedure,
    ASA(config)# copy tftp flash
    Address or name of remote host [x.x.x.x]?
    Source filename [pix704.bin]? asdm-504.bin
    Destination filename [asdm-504.bin]?
    Accessing tftp://x.x.x.x/asdm-504.bin...!!!!!!!!!!!!!!!!!!!!!
    Writing file flash:/asdm-504.bin...
    5958324 bytes copied in 165.460 secs (36111 bytes/sec)
    ASA(config)#
    ASA(config)# sh flash
    Directory of flash:/
    7 -rw- 5437440 21:12:42 Nov 24 2005 pix704.bin
    11 -rw- 5919340 20:59:06 Nov 24 2005 asdm-504.bin
    13 -rw- 7017 14:00:58 Jul 22 2005 admin.cfg
    // asdm-504.bin is now copied in the flash. Now we need to set PIX to use
    // this image for loading ASDM.
    ASA(config)# asdm image flash:/asdm-504.bin
    // Last steps involve saving the running configuration to memory as we have
    // made changes to boot files and reloading the PIX.
    ASA(config)# write memory
    Building configuration...
    Cryptochecksum: d4f498de e877e418 2f9effa7 62ca0d6b
    4807 bytes copied in 3.20 secs (1602 bytes/sec)
    [OK]
    ASA(config)# reload
    // Once PIX comes back up, we can verify that upgradation has been successfull
    // by using "show version" command.
    Refer to the link ASDM Upgrade Procedure
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml#t8
    hope this helps.. all the best.. rate replies if found useful..
    Raj

  • ASA5505 IPSEC only with Self-Signed certs

    Hello all,
    I have limited Cisco training and have been tasked with a pilot project. We have scavenged the ASA from another department, but I have no access to support. It's running ASA v9.1 and ASDM 7.1 . If all goes well I'll be sent on training and we will be purchasing a nice 5520.
    So I've scoured the internet for an easy guide to do as my tittle says, but am having major difficulties. I can find lots of support for SSL VPN with Self-signed or IPSEC VPN with externally signed certs but I can't get ASA self-signed IPSEC IKEv2 only with certificate authentication. Also, to make it even worse, I need to provide the user with the software, profile and certificate by hand. No web-access portal or download.
    If you know where I can get good setup guide for this type of use please by all means save me here . If this isn't even possible I'm cool with that, just let me know.
    Thanks fo any help you can provide
    Jay

    If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.
    That's why it's generally recommend to go the route of using a well-know public CA as they are alreay included in most modern browsers and thus the client doesn't need to know how to import certificates etc.
    If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.
    In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e the ASA's identity certificate) would automatically be trusted by the client.
    In the second case, the ASA's identity certificate itself would have be installed on the client since it (the ASA) is essentially acting as it's own root CA. I usually install them in my client's Trusted Root CA store but I guess that's technically not required, as long as the client knows to trust that certificate.

  • Where are certificates used on this ASA (8.4)?

    I have access to an ASA running 8.4 and I need to copy the config to another one, to have it has as a spare.
    All configuration has coppied fine except for this part in the config;
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=GS2-NT-FIR-01
    proxy-ldc-issuer
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate c4999f4f
        30820248 308201b1 a0030201 020204c4 999f4f30 0d06092a 864886f7 0d010105
        05003036 31163014 06035504 03130d47 53322d4e 542d4649 522d3031 311c301a
    .......lots of HEX
    quit
    So firstly, I assume this certificate is for the SSL vpn that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self signed cert so instead I probably ned to generate a new one on this spare ASA, so how do I do that?
    Many thanks,
    J.

    The cert is self-signed, so you can enroll a new one on the second ASA.
    Depending on your config it still could be that you are missing relevant parts as many things with VPNs are not in the config any more. Instead they are stored in flash.
    To have a complete backup you can use the ASDM where you have a Backup- and restore functionality included.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

Maybe you are looking for

  • PL/SQL: Executing a procedure from within another procedure

    Hello, I'm a newbie and I need help on how to execute procedures from within another procedure. The procedure that I call from within the procedure have return values that I want to check. I tried: EXECUTE(user_get_forum_info(p_forumid, var_forum_exi

  • Path Selection tool crashes in Photoshop CS6

    I want to change my Path Selection tool options but everytime I select the Path Selection tool in the tool bar, Photoshop CS6 crashes. I would like to select the Constrain Path Dragging option which I believe is in the options bar? Any help much appr

  • ITunes match turned off on iPhone4s but still showing a "cloud" icon

    I have signed up to iTunes Match and uploaded my entire music collection to the service. I have turned this functionality off in my iPhone 4s so that all music that appears on this device, should be music that is physically stored on the device. Howe

  • How to share Sessions between 2 Weblogic ?

    Hello, I've some problems in setting on Weblogic. Suppose there are 2 Weblogic Servers, WebA and WebB. A New Session will be created if user go to the page in WebB from WebA. Is there any methods to share the Session between them ? I turned on the fo

  • Resolution with LCD tv

    I have my MBP hooked up to my LCD tv via VGA port I have found the best resolution is 1024x768 at 60hz however the tv is capable of 1366x768 but in displays it does not give this as an option it gives you alot of options even ones that a beyond the l