ASA Service Module on 6500 montoring console session

Similar Messages

• Migrating from FWSM to ASA Service Module (ASASM)

  I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
  With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
  In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
  Thanks in advance.

  So long as the chassis has enough power to power these modules you are good.
  Upto 4 FWSMs can be installed in a chassis.
  Upto 4 ASA-SM modules can be installed in a chassis.
  FWSM:
  http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
  • Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
  ASA-SM
  http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
  Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
  A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
  -Kureli
  Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
  BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA 
  Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

• ASA Service module shut down and on automatically

  hello,
  i have a asa service module which is inserted on 6509 chassis.
  This morning when i came to the office i have noticed my asa service module was restarted at last night but 6509 was up.
  one more thing we dont have failover.only have single asa service module.
  ASA SM version is 8.5
  below is the failover history and details
  ciscoasa up 17 hours 11 mins
  ------------------ show crashinfo ------------------
  No crash file found.
  ------------------ show failover history ------------------
  ==========================================================================
  <--- More --->
  From State                 To State                   Reason
  ==========================================================================
  14:28:40 UTC Apr 7 2013
  Not Detected               Disabled                   No Error
  can any one tell me why this happend.
  thanks in advanced
  Khem

  Hi,
  Would seem to me that it would be best to check this through Cisco TAC to determine the cause.
  It would seem though that no Crashinfo file was generated so thats kinda strange.
  You should be able to confirm if the ASASM is set to save a crashinfo file with the command "show crashinfo save"
  - Jouni

• Does ASA Service Module on 6509-E support Remote Access VPN ?

  I'm having a problem configuring Remote Access VPN (SSL, Anyconnect ect.) on ASA Service Module on 6509-E. Is this even supported  or am i wasting my time trying to make something work which will not work in a first place :) ? Site-to-Site works without any problems.
  Tech Info:
  6509-E running SUP 2T 15.1(2)SY
  ASA Module - WS-SVC-ASA-SM1 running image - asa912-smp-k8 & asdm-712
  Licenses on ASA:
  Encryption-DES - Enabled
  Encryption-3DES-AES  -Enabled
  Thanks in Advance for support.

  Are you running multiple context mode?
  If you are, remote access VPN is not supported in that case:
  "Note Multiple context mode only applies to IKEv2 and IKEv1 site to site and does not apply to AnyConnect, clientless SSL VPN, the legacy Cisco VPN client, the Apple native VPN client, the Microsoft native VPN client, or cTCP for IKEv1 IPsec."
  Reference.

• Service Modules in 6500s, IPS/IDS and Stand-alone options.

  Hi,
  My first post here and it's a question regarding knowledge that I can't seem to find via CCW and through people I know.
  Does the Service Module in the 6500 i.e. WS-SVC-ASASM1B-K9 come with or support an IPS/IDS option?
  Does a stand-alone ASA5500 come with an installed IPS/IDS option.
  Thanks.

  > Does the Service Module in the 6500 i.e. WS-SVC-ASASM1B-K9 come with or support an IPS/IDS option?
  On the Cat6k5 is the IDSM2. Thats a completely outdated module with 500 MBit/s of throuput. For the Datacenter designs Cisco recommends the standalone IPS 4500 instead a module if you need good IPS throughput.
  > Does a stand-alone ASA5500 come with an installed IPS/IDS option.
  The ASA has build-in IPS with a fixed signature-set that is not such rerlevant. The better way of doing IPS on the ASa is to have an optional IPS-module. These modules are didicated hardware on the legacy ASAs (the ones without -X) and pure software-modules on the new ASAs. The 5585 is an exception where IPS is also a dedicated hardware-module.
  Sent from Cisco Technical Support iPad App

• Cisco SSL Services Module (on 6500)

  Hi all,
  A customer has asked me a few questions on an SSL Services Module they have (that we haven't sold and have little experience with). I've been reading the documents, but I have some questions and things to verify...
  As I can understand, they already have services and trustpoints configured on the module, but with certificates created with a previously-existing internal AD-integrated CA. Now, they want to switch their services to run a certificate they've obtained from a legitimate CA.
  1) They are trying to import the new certificate with copy-paste method, through the terminal. As far as I can see, both the server certificate and the CA certificate issuing the server cert. should be in base64 encoded for this to work, right? Or, can we import somehow PKCS or PEM certs thorough the terminal?
  2) They would like to use a wildcard certificate for a few of their servers/services they publish. (Like, instead of getting 3 different certificates for service1.domain.com, service2.domain.com and service3.domain.com, they'd like a certificate for *.domain.com which would work for all of the 3 services.) Is this possible? Should they need to change their configuration? (Now I understand that they have different trustpoints, certificates and service configurations for each of the servers...)
  I'd really like if some good soul with experience could shed a little light on this...
  Or, any leads on documentation (that I may have missed) would also be appreciated.
  Thanks in advance,
  Emre

  Good day Emre-
    For question 1 - You can import PEM base64 certificates via the terminal only, all other types need to be loaded over tftp/sftp/ftp. 
    For question 2 - There is nothing special about how the SSLM handles the Issed To field in a certificate, it doesn't matter if it is specifc or wildcard.  Multi domain certificates are also ok (using a Subject Alternative Name field.)  The only thing I can think of here in terms of a difference is you might have less trustpoints and configuration on you SSLM since you no longer require multiple server certificates.
  Outiside of your direct questions, make sure you upload the root and intermediate(s) into the SSLM.  It has to be able to complete the SSL chain from server to root in order to operate.
  Regards,
  Chris Higgins

• Is the ASA Service Module consider a Next Generation Firewall?

  Thank you!

  The term does not have a standard meaning. However, as Cisco uses it, it refers to a platform capable of running their NGFW services (AVC, WSE and IPS running on a CX module).
  In that usage the answer is no. The ASA SM is not capable of running the CX module and associated software. Reference 1. Reference 2. 

• ASA Service Module with Packeer

  I have a customer about to install an ASASM in a 6800 switch. Their previous setup was an ASA 5520 connected to 4500 core switch with a Blue Coat Packet Shaper sitting between the inside interface of the ASA 5520 and 4500.
  With the ASASM backplane connected to 6800, it seems impossible to direct the inside traffic to a physical port on the switch, then through the packet shaper, and then back into switch.
  I do know that the packet shaper can monitor the traffic from the inside interface using port mirroring, but the customer would loose the ability to actually shape Internet traffic.
  I have a TAC case open, and they currently trying to figure out if this is possible. I am asking here to see if anyone has already attempted a scenario like this.
  Thanks.

  Hi Nick,
  Take a Look here.
  http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.1SY/config_guide/sup2T/virtual_switching_systems.html#wp1053927
  Gereinigt
  Michael
  Sent from Cisco Technical Support iPad App

• Firewall service module vs ASA

  Hi
  Someone told me that the cisco firewall service module of 6500 has poor performances compared to ASA
  What do you recommend as a core firewall (to protect internal servers): ASA or firewall service module ?
  thanks

  Hi,
  We are using 5 FWSMs at the moment but are moving away from them to ASA5585-X models.
  I wouldnt suggest going to FWSMs anymore at this point if you have any plan on having support for new features.
  End Of Life and End of Sale Notice
  http://www.cisco.com/en/US/prod/collateral/modules/ps2706/eol_c51-699134.html
  The follower for the FWSM is the ASA Service Module which supports the newer softwares (while the FWSM doesnt). Heres a link to a document about the ASASM
  http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/data_sheet_c78-672507.html
  Also you could always consider a separate ASA models. Here are links to both the orignal ASA 5500 series and new ASA 5500-X series
  ASA 5500 Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
  ASA 5500-X Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
  I guess the question for you is what are the requirements for the device regarding performance. All of the above documentation should give you a clue about which model might be the best for you.
  - Jouni

• Service-module g2/0 session access fails

  I did not add a vty/telnet password when I initially configured my NME-X-23ES-1G switch in my 3825 router. Now, of course I can not telnet to the switch, but the session access fails as well. How do I recover this?
  Config in 3825:
  interface GigabitEthernet2/0
  ip address 106.40.x.x.255.255.0
  Attempt to access switch module:
  3825_Router2#service-module g2/0 sess
  Trying 106.40.77.254, 2130 ...
  % Connection refused by remote host

  The default configuration for Cisco EtherSwitch service modules allows an end user to recover from a lost password. The password recovery disable feature allows the system administrator to protect access to the switch password by disabling part of this functionality and allowing the user to interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, the user can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.
  The following document shows how to recover from a lost or forgotten password.
  http://www.cisco.com/en/US/products/hw/modules/ps2797/products_feature_guide09186a0080415bae.html#wp1776357

• After upgrading ios Cisco Catalyst 6500 Series Supervisor Engine 2T to the latest release the ASA-SM module is not recognized

  after upgrading ios Cisco Catalyst 6500 Series Supervisor Engine 2T to the latest release the ASA-SM module is not recognized it is disabled. the FPD
  is not recognized any more. reverted back to previous ios with no luck

  Duplicate post.
  Being discussed actively in this thread.

• Service Module is failed

  when i show service-module ids-sensor 1/0 status
  i have the following output
  Service Module is Cisco IDS-Sensor1/0
  Service Module supports session via TTY
  Service Module is failed
  Service Module status is not available
  what is the problem and how can i recover it?
  note i make restart for the service module by the command
  service-module ids-snsor 1/0 reset
  but it remain failed
  please help me as soon as possible

  You've powered off and re-seated the card and this was working at one point?  Beyond that, if there is no output from the CUE console (while connected to the module via "service-module service-engine 0/1 session"), then the module is likely defective.

• CUE "Service Module is failed"

                     Dears , i am getting this error on CUE .I reload the router but result is same .what should i do now?? ..
  #service-module service-engine 0/1 status
  Service Module is Cisco Service-Engine0/1
  Service Module supports session via TTY line 258
  Service Module is failed
  Service Module status is not available
  Regards,
  Shib

  You've powered off and re-seated the card and this was working at one point?  Beyond that, if there is no output from the CUE console (while connected to the module via "service-module service-engine 0/1 session"), then the module is likely defective.

• How to configure link between 2921 and SM-D-ES3G-48-P EtherSwitch Service Module

  hi,
  I can't do that like the procedure given by Cisco.
  http://www.cisco.com/en/US/partner/docs/routers/access/interfaces/software/feature/guide/eesm_sw.html#wp1942894
  Cisco Procedure :
  interface gi10/0
  ip address x.x.x.x x.x.x.x
  service-module gigabitethernet 1/0 session
  My result :
  R2921-8CPITR-1(config)#int gi 1/1
  R2921-8CPITR-1(config-if)#ip address 2.2.2.2 255.255.255.192
  % IP addresses may not be configured on L2 links.
  R2921-8CPITR-1(config-if)
  R2921-8CPITR-1(config)#interface gigabitEthernet 1/1.1 ?
  % Unrecognized command
  R2921-8CPITR-1(config)#interface gigabitEthernet 1/1 ?
    <cr>
  R2921-8CPITR-1(config)#
  the session is not possible also ?
  R2921-8CPITR-1#service-module gigabitEthernet 1/1 sess
                                                    ^
  % Invalid input detected at '^' marker.
  R2921-8CPITR-1#
  The routeur said that it's not a L3 port, so how to configure it to allow communication between the 2921 and the card ?
  Is there a bug with that version I'm in 15.1(4)M4 ????
  R2921-8CPITR-1#sh ver
  Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 20-Mar-12 18:57 by prod_rel_team
  ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
  R2921-8CPITR-1 uptime is 19 hours, 21 minutes
  System returned to ROM by power-on
  System restarted at 16:00:45 GAB Fri Sep 14 2012
  System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin"
  Last reload type: Normal Reload
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco CISCO2921/K9 (revision 1.0) with 479232K/45056K bytes of memory.
  Processor board ID FGL1618119E
  6 Gigabit Ethernet interfaces
  2 terminal lines
  DRAM configuration is 64 bits wide with parity enabled.
  255K bytes of non-volatile configuration memory.
  250880K bytes of ATA System CompactFlash 0 (Read/Write)
  License Info:
  License UDI:
  Device#   PID                   SN
  *0        CISCO2921/K9          FGL1618119E
  Technology Package License Information for Module:'c2900'
  Technology    Technology-package           Technology-package
                Current       Type           Next reboot
  ipbase        ipbasek9      Permanent      ipbasek9
  security      None          None           None
  uc            None          None           None
  data          None          None           None
  Configuration register is 0x2102
  R2921-8CPITR-1#

  Same issue here.
  I just waited a few minutes and the interface went down and back up, this time it was a L3 interface.
  My guess is that it was booting the switch module IOS, and it detected it until it was fully booted:
  Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
  Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
  Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
  Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
  Apr 11 05:26:52.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
  Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
  Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
  Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
  Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
  Apr 11 05:27:46.895: %LINK-5-CHANGED: Interface Embedded-Service-Engine0/0, changed state to administratively down
  Apr 11 05:27:46.895: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
  Apr 11 05:27:46.947: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
  Apr 11 05:27:47.031: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
  Apr 11 05:27:47.083: %LINK-5-CHANGED: Interface GigabitEthernet1/0, changed state to administratively down
  Apr 11 05:27:47.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
  Apr 11 05:27:48.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to down
  Apr 11 05:27:49.283: %IP-5-WEBINST_KILL: Terminating DNS process
  Apr 11 05:27:52.499: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
  Apr 11 05:27:53.087: %SYS-5-RESTART: System restarted --
  Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 04-Sep-12 16:50 by prod_rel_team
  Apr 11 05:27:53.255: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
  Apr 11 05:27:53.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up
  Apr 11 05:28:21.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
  Apr 11 05:29:22.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
  Apr 11 05:29:22.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
  Router>en
  Router#sh ip int brief
  Interface                  IP-Address      OK? Method Status                Protocol
  Embedded-Service-Engine0/0 unassigned      YES unset  administratively down down
  GigabitEthernet0/0         unassigned      YES unset  administratively down down
  GigabitEthernet0/1         unassigned      YES unset  administratively down down
  GigabitEthernet0/2         unassigned      YES unset  administratively down down
  GigabitEthernet1/0         unassigned      YES unset  administratively down down
  GigabitEthernet1/1         unassigned      YES unset  up                    down
  Vlan1                      unassigned      YES unset  down                  down
  Router#
  Apr 11 05:29:46.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to upconf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router(config)#int g1/0
  Router(config-if)#ip add 1.1.1.1 255.255.255.0
  Router(config-if)#no shut
  Router(config-if)#
  Apr 11 05:30:09.046: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
  Apr 11 05:30:10.046: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
  Router(config-if)#end

• Service module placement and the L2 adjacency problem

  I'd be very interested to hear others opinions on this. You have a datacenter environment with L2 boundaries at end of row aggregators, then L3 back to the core and edge. You have 6500 service module switches hanging off the core housing ACE and FWSM modules. You want to offer firewalling and load-balancing services to servers around the datacenter.
  What is the current best practice ways of resolving the L2 adjacency requirement that the firewalling and load-balancing services impose? L2TPv3? EoMPLS? Any relevant advice, deployment examples, whitepapers etc would be much appreciated!
  Thanks for any replies,
  George

  George
  You could i suppose look to use L2TPv3 if your switches support it or EoMPLS but to my mind this is actually using a band aid to fix a problem that shouldn't be there.
  We too struggled in our data centres with this setup but remember you only need L2 adjacency if you are running the FWSM in transparent mode or the ACE in bridged mode.
  If you are then the cleanest solutions are either
  1) redesign core connections to L2
  2) deploy 6500 switches in the distribution layer. I say distribution layer because it's not clear from your description what your topology actually is but i'm assuming L2 access to distro and then L3 distro to core and the core switches are the 6500 switches.
  Personally i always use the routed L3 approach where possible for fast failover and no STP and in the campus environment it works really well.
  However L3 from the access-layer to the distro in the data centre is very limiting and you often come across problems such as the one you are facing.
  Now again it does depend on your topology but assuming the issue is your core is L3 connected and you need L2 adjacency with your distro to offer servers i would look to deploy 6500 switches in the distro layer with the service modules in them.
  If i have misunderstood please come back with more details.
  Jon