ASA5540 in multiple-context mode: SNMP/ICMP doesn't work
Hi there,
I need some help in order to understand what's going on with an ASA 5540 configured in multiple-context mode.
I have a Cacti server on my LAN and now I'm trying to monitor the interfaces with SNMP. When I try to get this information, it returns the error message:
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping, it returns the same error:
CISCOASA/CONTEXTA#
JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Attached below is the configuration of my ASA.
My question is: why can't I ping or even use SNMP?
If anyone could help me with a tip or a document about it ...
My best regards
Adriano
CISCOASA/CONTEXT# packet-tracer input inside icmp 10.132.0.25 8 0 10.6.72.2
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.6.72.2 255.255.255.255 identity
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in IP_SRV_HSLCACTIP01 255.255.255.255 inside
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 453866627, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 0.0.0.0 using egress ifc identity
adjacency Active
next-hop mac address 0000.0000.0000 hits 22196
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Route information:
route inside 10.132.0.0 255.255.252.0 10.6.72.1 1
route inside IP_SRV_HSLCACTIP01 255.255.255.255 10.6.72.1 1
CISCOASA/CONTEXT# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 200.206.50.233 to network 0.0.0.0
C 200.206.50.232 255.255.255.248 is directly connected, outside
S 10.132.0.0 255.255.252.0 [1/0] via 10.6.72.1, inside
S IP_SRV_HSLCACTIP01 255.255.255.255 [1/0] via 10.6.72.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 200.206.50.233, outside
Regards,
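The "Deny ... reverse path check" messages in the post are the ASA's strict unicast reverse-path check (ip verify reverse-path): a packet is dropped when the best route back to its source address does not leave through the interface the packet arrived on. The following is an added example, not code from the original post or from Cisco; it models that check against the routing table transcribed from the 'sh route' output above. Two things on the page stand out when the table is applied: the packet-tracer was run with source 10.132.0.25, which is covered by the static route on inside and so passes, while the logged source 10.6.6.6 matches only the default route, which points out outside, and so is denied. The address behind the name IP_SRV_HSLCACTIP01 is not on the page, so a placeholder /32 stands in for it; the 10.6.6.0/24 remediation route and the sample log lines are constructed and are assumptions, as is the ingress interface having ip verify reverse-path configured (that part of the poster's configuration is not shown).

```python
"""Strict unicast reverse-path check (uRPF) as the ASA applies it to the
packets in this thread.  Added example; not code from the original post
or from Cisco.  The routing table is transcribed from the 'sh route'
output above; the address behind IP_SRV_HSLCACTIP01 is not on the page,
so a placeholder /32 stands in for it (assumption)."""
import ipaddress
import re

# (prefix, egress interface) pairs from the thread's 'sh route' output.
ROUTES = [
    ("200.206.50.232/29", "outside"),  # C  directly connected, outside
    ("10.132.0.0/22", "inside"),       # S  via 10.6.72.1, inside
    ("192.0.2.10/32", "inside"),       # S  IP_SRV_HSLCACTIP01 (placeholder address)
    ("0.0.0.0/0", "outside"),          # S* default via 200.206.50.233, outside
]

# Hypothetical remediation: a route covering the logged source 10.6.6.6 that
# points back out 'inside'.  The real prefix depends on the poster's LAN.
FIXED_ROUTES = ROUTES + [("10.6.6.0/24", "inside")]

# Constructed sample log lines, in the format shown in the post.
LOG_LINES = [
    "JUN 11 2013 01:52:00: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside",
    "JUN 11 2013 01:56:09: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside",
]
# 'rever\w+' also tolerates the 'reverve' misspelling seen in the post.
LOG_RE = re.compile(r"Deny (\S+) rever\w+ path check from (\S+) to (\S+) on interface (\S+)")


def best_route(table, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def reverse_path_check(table, src, ingress):
    """A packet passes strict uRPF only if the best route back to its source
    address leaves through the interface it arrived on.  Returns (allowed, reason)."""
    match = best_route(table, src)
    if match is None:
        return False, f"no route back to {src}"
    net, iface = match
    if iface != ingress:
        return False, f"best route to {src} is {net} via {iface}, but the packet arrived on {ingress}"
    return True, f"best route to {src} is {net} via {iface}, matching ingress"


def explain_log_line(table, line):
    """Parse a 'Deny ... reverse path check' line and report which route the
    check consulted.  Returns None for lines that are not uRPF denies."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, src, dst, ingress = m.groups()
    allowed, reason = reverse_path_check(table, src, ingress)
    return {"proto": proto, "src": src, "dst": dst, "ingress": ingress,
            "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    # The packet-tracer source, 10.132.0.25, is covered by the static route on
    # 'inside' and passes; the logged source, 10.6.6.6, falls through to the
    # default route on 'outside' and is denied.
    for src in ("10.132.0.25", "10.6.6.6"):
        print(src, reverse_path_check(ROUTES, src, "inside"))
    for line in LOG_LINES:
        print(explain_log_line(ROUTES, line))
    print("after adding a route for the source subnet:",
          reverse_path_check(FIXED_ROUTES, "10.6.6.6", "inside"))
```

The practical reading for this thread: rerun packet-tracer with the source address that actually appears in the deny message rather than a different host, and compare the route lookup phase against the ingress interface; the fix is a route for the source network pointing back via the inside next hop, not a change to the ACLs, which the trace already shows as ALLOW.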
Similar Messages
-
Multiple conditions in Query doesn't work
Hi all,
I've made a query pointing at a MultiProvider which is made of two main dimensions (multiple InfoProviders):
contract and pricing on one hand, and Sales and Revenues on the other.
In my query, one condition concerns a contract & pricing key figure (Number of pricing conditions > 0), and another one is about a minimum turnover Sales & Revenues key figure restriction (by a prompt).
This doesn't match: some rows are missing, and while one condition is active, the other one can't be.
Has anyone met this kind of problem before?
Thanks, and sorry for my bad English.
Hi,
I already tried to create another key figure which is made like this:
Number of condition * Turnover
and made a condition on this result.
But the main problem is that if the contract doesn't have Turnover, it will not show the rows with the condition (the condition is on the single value 'number of document'), and if I put another condition with number of conditions > 0, it still doesn't work.
thanks for help. -
Multiple rows in infopackage doesn't work
Hi all,
I have an infopackage and on the selection screen I want to enter 3 ranges for material:
for example:
from 1 -> 3000
from 3002 -> 4000
from 4002 -> 9999
when I execute the infopackage, only the materials from the first range are loaded.
When I delete my first interval, the materials from 3002 -> 4000 are loaded...
why doesn't it work?
Ciao
Joke
Hi,
This may be an issue with your DataSource.
You may get this issue if the DataSource is generic and the selection definition is not proper.
Ramesh -
Page navigation doesn't work after deploying ADF application to WebLogic
After deploying my ADF application (ear) to WebLogic Server, the page navigation doesn't work. When running the ear on WebLogic, I got the following warnings:
<2010-11-5 下午05时06分01秒 CST> <Warning> <J2EE> <BEA-160195> <The application version lifecycle event listener oracle.security.jps.wls.listeners.JpsAppVersionLifecycleListener is ignored because the application HwtOrder is not versioned.>
<2010-11-5 下午05时06分38秒 CST> <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is /console/console.portal?_nfpb=true&_pageLabel=AppApplicationOverviewPage&AppApplicationOverviewPortlethandle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DHwtOrder%2CType%3DAppDeployment%22%29.>
<2010-11-5 下午05时07分33秒 CST> <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is /console/console.portal?_nfpb=true&_pageLabel=DiagnosticsViewDomainLogTablePage&DiagnosticsViewDomainLogTablePortlethandle=com.bea.console.handles.LogDispatchHandle%28%22DefaultServer%3BDomainLog%22%29.>
I can run the application correctly in the JDeveloper 11g environment. I think there is something wrong with the deployment. Can anyone help me?
When you target a URL with .jspx, you are running the page itself, not in the task flow context, so navigation doesn't work.
In the task flow, your page has 'Activity ID' (which is, for example, 'mainPage' for mainPage.jspx) and the navigation is defined for activity IDs, not pages.
Pedja -
Botnet Filter with multiple Context Mode
We used the Botnet Filter in single context mode for a long time. Now we converted to multiple context mode and the database is no longer updated. In the system context I can see the update settings, but when I try to update, the result is always "no DNS server". Since the system context has no interfaces, there are no DNS settings etc.
How should the Botnet Filter be configured in multiple context mode?
Thanks for any response in advance.
sh run | grep dns
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
policy-map type inspect dns preset_dns_map
inspect dns preset_dns_map
ping update-manifests.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
ping updates.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
ASA Version 8.4(2)
hostname DE-VM-TER-FW-02
enable password 8Ry2Yj8765U24 encrypted
passwd 2KFQnb6IdI.2KY75 encrypted
names
interface GigabitEthernet0/0.3207
nameif TR_v207
security-level 50
ip address 10.28.6.60 255.255.255.248
interface GigabitEthernet0/0.3208
nameif TR_v208
security-level 70
ip address 10.28.6.68 255.255.255.248
interface GigabitEthernet0/0.3209
nameif TR_v209
security-level 80
ip address 10.28.6.76 255.255.255.248
interface GigabitEthernet0/0.3210
nameif TR_v210
security-level 90
ip address 10.28.6.84 255.255.255.248
interface GigabitEthernet0/1
nameif COLT
security-level 0
ip address 217.111.58.46 255.255.255.240
interface GigabitEthernet0/3
nameif T-COM
security-level 0
ip address 194.25.250.94 255.255.255.240
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
name-server 8.8.8.8
object network COLT_dynamic_NAT
subnet 0.0.0.0 0.0.0.0
object network T-COM_dynamiy_NAT
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
access-list COLT_access_in extended deny ip any any
access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
access-list T-COM_access_in extended deny ip any any
access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
access-list TR_3208_access_in extended permit ip any any
access-list TR_3208_access_in extended permit icmp any any
access-list TR_v207_access_in extended deny ip any any
access-list TR_v210_access_in extended deny ip any any
access-list TR_v209_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu TR_v208 1500
mtu T-COM 1500
mtu COLT 1500
mtu TR_v207 1500
mtu TR_v210 1500
mtu TR_v209 1500
ip verify reverse-path interface T-COM
ip verify reverse-path interface COLT
ipv6 access-list TR_v207_access_ipv6_in deny ip any any
ipv6 access-list TR_v208_access_ipv6_in deny ip any any
ipv6 access-list TR_v209_access_ipv6_in deny ip any any
ipv6 access-list TR_v210_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network COLT_dynamic_NAT
nat (any,COLT) dynamic interface
object network T-COM_dynamiy_NAT
nat (any,T-COM) dynamic interface
access-group TR_3208_access_in in interface TR_v208
access-group TR_v208_access_ipv6_in in interface TR_v208
access-group T-COM_access_in in interface T-COM
access-group COLT_access_in in interface COLT
access-group TR_v207_access_in in interface TR_v207
access-group TR_v207_access_ipv6_in in interface TR_v207
access-group TR_v210_access_in in interface TR_v210
access-group TR_v210_access_ipv6_in in interface TR_v210
access-group TR_v209_access_in in interface TR_v209
access-group TR_v209_access_ipv6_in in interface TR_v209
route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
dynamic-filter use-database
dynamic-filter enable interface T-COM
dynamic-filter enable interface COLT
dynamic-filter drop blacklist interface T-COM
dynamic-filter drop blacklist interface COLT
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map dynamic-filter-snoop
service-policy global_policy global
Cryptochecksum:7bbe975fb39e189e99d8878787a0037
: end
System Context
dynamic-filter updater-client enable
Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured -
I checked the box that says "warn me when closing multiple tabs" but it doesn't warn me at all
I checked the box under Options > Tabs that says "Warn me when closing multiple tabs", but whenever I accidentally close Firefox with multiple tabs open, it doesn't warn me at all! It just closes everything. I have tried to check and uncheck it a lot of times, but it is still not working.
You can reset the warn prefs on the about:config page via the right-click context menu.
browser.tabs.warnOnClose , see http://kb.mozillazine.org/About%3Aconfig_entries
browser.warnOnQuit , see http://kb.mozillazine.org/browser.warnOnQuit
browser.warnOnRestart , see http://kb.mozillazine.org/browser.warnOnRestart
In Firefox 3 you do not get the 'Save & Quit' pop-up dialog if you choose Tools > Options > General > Startup: "When Firefox Starts": "Show my windows and tabs from last time".<br />
If that option is selected then your pages will already be reopened the next time.<br />
To get that pop-up dialog you have to select one of the other choices (Show my home page, Show a blank page). -
Print to pdf often doesn't work with multiple pages?
When I try to print to pdf, it often doesn't work right.
I can select, for example, multiple Excel worksheets to print. It looks fine with 4 pages in Preview, but when I select save as .pdf, it only prints 2 of the 4 pages, and it prints those in 2 separate documents rather than a single .pdf document with multiple pages.
Is there a way to do this? Is this an Apple error or Microsoft error? Since it looks fine in Preview, my guess it is an Apple error?
Mark
It sounds like this is the problem with the way Apple handles multiple orientations in a PDF document. You can use Acrobat to print the files; it handles multiple orientations correctly. There was a previous thread on this:
http://discussions.apple.com/message.jspa?messageID=1983431#1983431 -
The privacy option in 5.0 doesn't work.
When exiting Firefox with multiple tabs open, no notification is given...
How can I go back to Firefox 4?
I had the Google toolbar when I had Firefox 4... I upgraded to 5.0 and it still works... My friend tried to load it and it doesn't work.
''The privacy option in 5.0 doesn't work.''
Do you mean that Privacy options can't be accessed in the Options dialog, or Private Browsing doesn't work??
Could you test with a new profile to see whether the update might have caused a settings problem, or you have an incompatible add-on?
First, I recommend backing up your Firefox settings in case something goes wrong. See [https://support.mozilla.com/en-US/kb/Backing+up+your+information Backing up your information]. (You can copy your entire Firefox profile folder somewhere outside of the Mozilla folder.)
Next, close Firefox and fire up the Profile Manager to create a new profile: [https://support.mozilla.com/kb/Managing+profiles Managing profiles].
If that works, you can migrate your bookmarks, saved passwords, and other key settings to the new profile; see: [https://support.mozilla.com/en-US/kb/Recovering+important+data+from+an+old+profile Recovering important data from an old profile].
Hope this helps. -
My 80GB iPod doesn't boot up this morning. Worked great last night. The Apple logo keeps coming up for a few seconds, then you hear it "wind down" and it goes blank. Tried resetting multiple times, doesn't work. Ideas?
-
The Game Center used to work with my Apple ID before I updated to iOS 7.4. I used to play multiplayer with the EA Real Racing 3 game, but it doesn't work at all, and every time I try to go to the Game Center it's just blank, even the settings, nothing!
Try:
- Reset the iOS device. Nothing will be lost
Reset iOS device: Hold down the On/Off button and the Home button at the same time for at
least ten seconds, until the Apple logo appears.
- Go to Settings>Game Center and sign out and sign back in
- Reset all settings
Go to Settings > General > Reset and tap Reset All Settings.
All your preferences and settings are reset. Information (such as contacts and calendars) and media (such as songs and videos) aren’t affected.
- Restore from backup. See:
iOS: How to back up
- Restore to factory settings/new iOS device. -
Remote Access VPN Support in Multiple Context Mode (9.1(2))?
Hi Guys,
I am currently running two Cisco ASA5520 (ASA Version: 9.1(2)) firewalls in Active/Standby failover and was contemplating the option of migrating my remote access VPN to these firewalls. However, seeing that the new software now supports mixed multiple context mode and dynamic routing, is it safe to ask whether or not Remote Access VPN is now supported in this upgrade?
Multiple Context Mode New Features:
Site-to-Site VPN in multiple context mode | Site-to-site VPN tunnels are now supported in multiple context mode.
New resource type for site-to-site VPN tunnels | New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
Dynamic routing in Security Contexts | EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
New resource type for routing table entries | A new resource class, routes, was created to set the maximum number of routing table entries in each context. We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation. We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
Mixed firewall mode support in multiple context mode | You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent. You cannot set the firewall mode in ASDM; you must use the command-line interface. Also available in Version 8.5(1).
Regards,
Leon
Hey Leon,
According to the ASA 9.1 Configuration Guide, Remote Access VPN is not yet supported with version 9.1(2). Only Site-to-Site VPN support in multiple context was introduced with release ASA 9.0(x). This was mentioned in the 9.0(x) release notes.
Regards,
Dennis -
Problem using multiple contexts in same thread
Hello,
I am having problem using multiple contexts in the same thread. Here is the scenario:
front-end is calling a ejb1 with a user1 and password. Ejb1 is then calling ejb2
using user2 and password. I am getting security exception when calling ejb2 with
the message user1 is not authorized. Looking at the documentation, context 2 should
be pushed on stack on top of context 1 and context 2 should then be used until
context.close() is called. It looks like this is not the case in this scenario?
Regards,
Jeba Bhaskaran
I have the GTX670. So pretty much the same.
When I go to Edit>Preferences>Playback I see:
When I select the monitor I am not currently using for Premiere Pro, the Program Monitor shows up full size at 1920X1080 in that monitor.
While that may not help you, at least you know a similar card can do the job and that it should work. What happens if you drop down to two monitors? Will it work then?
Also, have you performed the hack that allows Premiere Pro to use the card since that card is not in the file? I have no idea if that is relevant at all, by the way. It is just an attempt at getting our systems to work the same way. -
Explain about transparent mode, single mode, multiple context mode
Can you explain the differences between transparent mode, single mode, and multiple context mode on the ASA 5500? Thank you very much.
Great question. Hope the below helps:
Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewalls configured. Each context has its own configuration, separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
Hope this helps. Let me know if you have anymore questions!
-Mike
http://cs-mars.blogspot.com -
Support IPSec VPN Client in ASA Multiple Context Mode
I've looked at under "Cisco ASA Series CLI Configuration Guide, 9.0" on "Configuring Multiple Context Mode", it says
"IPsec sessions—5 sessions. (The maximum per context.)". Does it mean that ASA multiple context mode supports the IPsec VPN client? I just want to confirm it because I can't seem to find any doc that clearly spells it out. I'd appreciate anyone who can clarify it.
Thanks, Jason.
(Please direct me to the right group if I'm wrong, as this is the first time I have posted in the Cisco support forum.)
This is from the v9.3 config guide:
Unsupported Features
Multiple context mode does not support the following features:
Remote access VPN. (Site-to-site VPN is supported.) -
SSLVPN/webvpn in multiple context mode?
We already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into its own VRF in the back end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls using Cisco firewalls? Or am I missing something?
If you set up a pair of single-context ASAs for VPN termination, configure a group policy per customer and use the 'Restrict access to VLAN' feature, you could separate customers' traffic and still just use one FW pair for all customers. This pair would connect to the same switch infrastructure as your multi-context edge firewall and thus allow a consolidated solution.
Sent from Cisco Technical Support iPad App