Business Continuity features available in ASA-5585-x

Hi,
In a Data Center environment using only one ASA-5585-x, what kind of business continuity features does a single 5585-x offer, or what can be configured to keep the business running in case the firewall fails?
Thanks
Mike

Hi,
I am not sure if I understood the question completely.
I am not really sure how any configuration on the device can help you if the actual device fails completely.
With regards to the hardware, I think only the high-end model with SSP-60 comes by default with 2 PSUs while others come with 1 PSU, though you can install a second PSU in the units and in this way provide some redundancy in the event of power failure, though that naturally depends on other factors than the ASA alone.
To my understanding it is also possible to set up the single ASA 5585-X unit with dual SSPs. I have not had to set up such an environment so I am not sure how it exactly works. I am not sure how they handle together. I can't seem to find the document I was once reading about this. But I would imagine that this could provide redundancy to the firewall setup.
Then there is also Clustering ASA units (not the same as a Failover pair), but again this naturally requires additional hardware and is something I have not set up myself.
Then there is naturally configuring 2 identical ASA 5585-X units in a Failover pair (Active/Standby or Active/Active) to provide redundancy in case of hardware failure.
We have some less critical environments set up with single ASA5585-X units and we naturally don't guarantee the same availability for those services as with setups where we have 2x ASA5585-X units in Failover. We do have replacement units for these and can naturally get replacements otherwise also.
- Jouni

Similar Messages

  • How many default virtual context counts with ASA 5585 Series

    Hi All:
    I am preparing to replace an FWSM with the ASA 5585 Series, but I am confused about the default virtual context count on the ASA 5585.
    I used 3 virtual contexts on my old FWSM (1 admin context with 2 contexts). According to the ASA configuration guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188797
    It states the ASA 5585 has 2 contexts by default. Does it mean the ASA 5585 has just 2 contexts, or 1 admin context plus "2" contexts (3 contexts available)?
    Thanks for your reply

    Hi,
    To my understanding the ASA with the most default license lets you use 2 Security Contexts for your own purposes. The admin context will always be there on the ASA when running in multiple context mode. It's created when you change your ASA from its default mode (single) to "mode multiple".
    In my original post the latter part was just to mention that, to my understanding, if you use 2 ASAs (almost any model) in failover with software 8.3 and above, the ASAs will combine their licenses regarding some values. For example, connecting 2 ASAs in Failover which have a limit of 2 Security Contexts, they will get combined and the failover will have a 4 Security Context limit.
    At least that is what I see with the "show version" command and this is also what we have been told by a Cisco employee. I've also been told that if I, for example (running 8.3+ OS), buy a 5 Security Context license for the other unit, it will combine the other's base license (2 SC) with the other unit's new license (5 SC), resulting in the combined Security Context limit of 7.
    This is what Cisco documentation mentions about Active/Standby  and Active/Active Failover Licensing at version 8.3 and above:
    Or you have two ASA 5540 adaptive security  appliances, one with 20 contexts and the other with 10 contexts; the  combined license allows 30 contexts. For Active/Active failover, for example, one unit  can use 18 contexts and the other unit can use 12 contexts, for a total  of 30; the combined usage cannot exceed the failover cluster license.
    I have had 2 ASA5585-X ASAs combined in A/A Failover running 8.4(2) and they have at least shown that they have the combined Security Context limit of 4 Security Contexts.
    Here's a partial output of the "show version" command on the ASAs in question when they were just out of the box, combined in Failover with no other configurations other than running in multiple context mode and management configuration in admin context.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual

    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 4              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 4              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 4              perpetual
    Total UC Proxy Sessions           : 4              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual
    Though I still suggest confirming all these things with the people/company that you're acquiring the ASA(s) from so you get what you're asking for. Or someone from Cisco could confirm this on these forums.

  • Advance features available in sql server 2008 R2 compared with SQL 2008 SP2

    Hi,
    Can someone brief me on the advanced features available in SQL Server 2008 R2 compared with SQL Server 2008 SP2?
    I am planning to upgrade my existing SQL Server 2008 SP2 to SQL Server 2008 R2. Before that I need the advantages in order to proceed; if the advantages do not suit my requirements then I will drop this option.
    Please give me the detailed reply for my analysis
    hemadri

    Hi Hemadribabu,
    There are some new features in SQL Server 2008 Service Pack 2(SP2), including SQL Server utility, Data-tier Application (DAC), Reporting Services in SharePoint Integrated mode and partitioning improvement. Features are supported by the different editions of SQL Server 2008 R2. For example, the Report Builder 3.0, PowerPivot for excel are available on the SQL Server Datacenter and SQL Server 2008 R2 Parallel Data Warehouse, they can assist you creating business intelligence documents. Here are the Top new features in SQL Server 2008 R2, including Report Builder 3.0, SQL Server 2008 R2 Datacenter, SQL Server 2008 R2 Parallel Data Warehouse, StreamInsight, Master Data Services and so on.
    For more information about SQL Server 2008R2 and SQL Server 2008 SP2, you can review the following articles.
    http://msdn.microsoft.com/en-us/library/cc645993(v=sql.105).ASPX
    https://social.technet.microsoft.com/wiki/contents/articles/1486.microsoft-sql-server-2008-sp2-release-notes.aspx
    Regards,
    Sofiya Li
    TechNet Community Support

  • New Power BI features available for preview

    Today we are previewing new features for Power BI, our self-service business intelligence solution designed for everyone. Power BI reduces the barriers to deploying a business intelligence environment to share and collaborate on data and analytics from anywhere.
    Try what's coming next for Power BI
    We are introducing a number of new Power BI features available for preview including dashboards, new visualizations, support for popular software-as-a-service applications, a native iPad app and live “hybrid” connectivity to on-premise SQL Server Analysis Services tabular models.
    These preview features are available for customers with a United States address. We’ll incrementally add new country support as we extend the preview globally in the coming months. Existing customers will find a preview option in their current Power BI sites.
    For those not currently using Power BI, you can sign up for a Power BI preview which includes the new features here.
    Read more about the preview at our blog post:
    http://blogs.msdn.com/b/powerbi/archive/2014/12/18/new-power-bi-features-available-for-preview.aspx

    Hi,
    When will the upload function for dashboards created with the power BI Designer be available in Austria? It says there is no support for my region yet.
    BR

  • Business continuity 11i and dataguard

    Hi,
    Is there a white paper/best practice for business continuity on 11i with a single 10g instance and Dataguard solution? I've tried looking and cannot find anything.
    thanks
    M.

    Hi,
    Please refer to:
    Note: 403347.1 - MAA Roadmap for the E-Business Suite
    Note: 464167.1 - Is Logical Standby Feature Supported For Oracle Applications Release 11i
    Comparing Oracle Data Guard vs. Active Data Guard for EBS Environments
    http://blogs.oracle.com/stevenChan/2008/10/comparing_oracle_data_guard_vs_active_data_guard_f.html
    Regards,
    Hussein

  • Enhancement and new features available in AFS 6.0 in reference to AFS 5.0?

    Hi Experts,
    Please can you explain what are the Enhancement and new features available in AFS 6.0 in reference to AFS 5.0

    Hi Mithun,
    Following are the details you needed.
    Enhancement and new features available in AFS 6.0 wrt AFS 5.0
    AFS Interface
    AFS GTS Master Data Integration - IS-AFS-INT-GTS (New)
    As of SAP AFS 6.0, you can integrate the SAP Global Trade Services 7.1 (SAP GTS 7.1) master data to the AFS data.
    AFS Retail Integration (Change)
    As of SAP AFS 6.0, the integration of Apparel and Footwear Solution (AFS) with Retail has been enhanced by the following functions:
    •     One SAP Retail Logical system is mapped to multiple Customers in SAP AFS system, which ensures that each Customer can be mapped to a different purchase organization.
    •     You can maintain the retail merchandise category in the AFS material master for each retail logical system.
    •     The variant numbers created in the retail for the article (material in AFS) have the number with the category and grid combination. A new BADI method is used to allow the user to change the variant numbering as required.
    •     The material type of the generic article created is the same as the AFS material. A new BADI method is used to set the material type of the article as required.
    Quality Management (IS-AFS-QM)
    Enabling QM for Goods Receipt (GR) Process for AFS (New)
    As of SAP AFS 6.0, you can activate the inspection type at material level and control the inspection lot creation at stock keeping unit (SKU) level during the goods receipt process.
    Additionally, during posting of quality inspection stocks, you can directly post stock of one SKU to unrestricted stock of another SKU.
    Basic Data (IS-AFS-BD)
    Commodity Codes at the SKU Level (New)
    As of SAP AFS 6.0, you can maintain commodity codes at the SKU level in the material master. A new relevancy Global Trade Services (GTS) is allotted to the characteristics attached to the grid and categories. If this new relevancy is set then the commodity codes can be assigned at the SKU level. You can also assign commodity codes of different countries other than the country in which the plant is located.
    The AFS material master IDoc and BAPI have been enhanced to handle commodity codes at the SKU level.
    Material Master Enhancements (New)
    As of SAP AFS 6.0, the following enhancements have been made in the material master:
    •     You can maintain commodity codes at the stock keeping unit (SKU) level.
    •     You can maintain the retail data merchandise category and characteristic profile at the material master level. This is used to create article in retail.
    •     You can maintain quality management (QM) inspection type at SKU level.
    •     You can enable Seasons for inventory management (IM).
    Materials Management (IS-AFS-MM)
    Seasonality Roundoff - Inventory Management-(New)
    As of SAP AFS 6.0, season functionality is extended to Inventory Management (IM). This enables you to gain an overview of material movements during each season. You can maintain stocks for different seasons separately. To enable this functionality, you have to activate the Season Active in IM indicator for a material in the material master. This indicator can be set only for materials created in AFS 6.0. If the season is maintained for an SKU in the material master, you can obtain season information for the SKUs in batches, in material movement documents and in stock tables.
    Also, as of AFS 6.0, you cannot set the Season Fixed indicator for new materials. However, for old materials (materials created in AFS 5.0 with Season Fixed indicator) the behavior remains the same.
    Stock Selection Available in Transaction MIGO (New)
    As of SAP AFS 6.0, the goods movement transaction MIGO has been enhanced with Stock Selection for AFS materials. Goods movement here implies only goods issued/transfer postings without document reference.
    Consumption of PIRs by TPO, MTO and PTO (New)
    As of SAP AFS 6.0, the Consume PIR Customizing indicator at sales and distribution (SD) item category level enables special orders like TPO (third-party order), MTO (make-to order) and PTO (purchase-to order) to consume normal planned independent requirements (PIRs).
    IS-AFS-MM-PUR Purchasing
    Purchasing BAPIs (Change)
    The interface of the purchase order (PO) BAPIs mentioned below have been enhanced with optional parameters to handle the AFS data.
    Purchase order BAPIs
    •     AFSPurchaseOrder.GetDetail1 (BAPI_PO_GETDETAIL1)
    •     AFSPurchaseOrder.Change (BAPI_PO_CHANGE)
    •     AFSPurchaseOrder.CreateFromData1 (BAPI_PO_CREATE1)
    Purchase Requisition BAPIs
    •     PurchaseRequisition.CreateFromData (BAPI_REQUISITION_CREATE)
    •     PurchaseRequisition.Change (BAPI_REQUISITION_CHANGE)
    •     PurchaseRequisition.Delete (BAPI_REQUISITION_DELETE)
    Contract BAPIs
    •     PurchasingContract.Change (BAPI_CONTRACT_CHANGE)
    •     PurchasingContract.Create (BAPI_CONTRACT_CREATE)
    •     PurchasingContract.GetDetail (BAPI_CONTRACT_GETDETAIL)
    Production planning and control IS-AFS- PP
      Manufacturing (IS-AFS-PP-MAN)
    BAPI for Bill of Material (BOM) Maintenance (New)
    As of SAP AFS 6.0, you use this BAPI (AFSMaterialBOM.AFSMatBomMaintain) to maintain a material BOM. You can also use this BAPI for the following functionalities:
    •     Creating a standard or AFS BOM
    •     Changing a standard or AFS BOM
    •     Updating a quantity distribution profile for AFS BOM components
    •     Maintaining SKU deviation quantities or zero quantities (if relevant) for AFS BOM components
    •     Maintaining categories (if relevant) for AFS BOM components
    Transaction for Grouping PO using Combined Order Number (New)
    BAPIs for AFS Planned Orders - Create, Change and Get Details (Change)
    BAPI for Production Orders - Create, Change and Get Details (Change)
    Production Planning (IS-AFS-PP-PPL)
    Consumption of PIRs by TPO, MTO and PTO (New)
    As of SAP AFS 6.0, the Consume PIR Customizing indicator at sales and distribution (SD) item category level enables special orders like TPO (third-party order), MTO (make-to order) and PTO (purchase-to order) to consume normal planned independent requirements (PIRs).
    Sales and Distribution (IS-AFS-SD)
    BADI for Contract Selection (New)
    As of SAP AFS 6.0, you can use this BADI to filter contracts for display when a sales order is created without giving reference to the contract, and when there are open contracts for the material. This functionality is also available for the sales order created by IDocs.
    BAPI for AFS Material Availability (New)
    You can use this BAPI method MaterialAFS.AFSAvailabilityCheck (/AFS/BAPI_MAT_AVAILABILITY) to determine the available quantity for an AFS material in a certain plant according to ATP (available-to-promise) logic.
    Consumption of PIRs by TPO, MTO and PTO (New)
    As of SAP AFS 6.0, the Consume PIR Customizing indicator at sales and distribution (SD) item category level enables special orders like TPO (third-party order), MTO (make-to order) and PTO(purchase-to order) to consume normal planned independent requirements (PIRs).
    Display of Allocated Quantities (New)
    As of SAP AFS 6.0, you can find the allocated quantity information of the contract in the Contract Reference Overview screen.
    BAdIs in Mass Document Change MDC (New)
    The following NEW Business Add-Ins (BAdIs) are provided:
    •     BAdI for adding custom selection fields in MDC (/AFS/MDC_SELECT_CUSTOM_FIELDS) - You use this BAdI to implement your business process-specific logic in selecting data in mass Document Change transaction (/AFS/MDC).
    •     BAdI for adding custom change fields in MDC (/AFS/MDC_CHANGE_CUSTOM_FIELDS) - You use this BAdI for implementing your business process-specific logic in changing custom fields data in transaction /AFS/MDC.
    •     BAdI for adding custom fields to the Adjust Update tab in MDC (/AFS/MDC_ADJ_UPD_CUSTOM_FIELDS) - You use this BAdI to implement custom processes that are specific to your business scenario.
    Condition Table Display (Change)
    As of SAP AFS 6.0, in transaction J3A9 it is possible to display condition tables for value-added service(VAS) and multi-store order (MSO) condition types beyond the existing limit of 19 condition tables. The Conditions Info display in transactions J3A4 and J3AN can be viewed in an ALV list.
    AFS Sales and Distribution (SD) IDOCS
    As of SAP AFS 6.0, the function modules J_4A_IDOC_INPUT_ORDERS and J_4A_IDOC_INPUT_ORDCHG are not supported. The standard function module IDOC_INPUT_ORDERS is used instead of J_4A_IDOC_INPUT_ORDERS and the standard function module IDOC_INPUT_ORDCHG is used instead of J_4A_IDOC_INPUT_ORDCHG. There is no change in the IDOC type /AFS/ORDERS05 which is presently used to create/change sales orders. Accordingly, you must use inbound process code ORDE for message type ORDERS and inbound process code ORDC for message type ORDCHG.
    Supporting the Change of Single Characteristic (New)
    As of SAP AFS 6.0, you can use transaction /AFS/MDC, to select sales documents by specifying a single characteristic name and value range in the same ways as you select sales documents by specifying grid value.
    Partial Quantity Reductions in Sales Order (New)
    As of SAP AFS 6.0, you can find the quantity changes done for a schedule line from the sales order screen itself without navigating to the change logs. This is possible only when you reduce the quantity of a schedule line.
    Allocation Run (IS-AFS-ARUN)
    Seasonality Roundoff - Allocation Run (New)
    As of SAP AFS 6.0, season functionality is available in the allocation run (ARun) to ensure the season information is considered while creating assignments, and to cause deallocation as per the settings in the deallocation rule on change in season information in the future receipts, sales order or while performing goods receipt (GR). This functionality is available only with online ARun.
    BAPI for Individual Allocation and/or Deallocation
    As of SAP AFS 6.0, you can use the BAPI /AFS/BAPI_INDIVIDUAL_ARUN to handle allocation/deallocation of specified sales order quantities for single or multiple orders. This enables you to make:
    •     New allocations
    •     Allocations from a particular storage location/batch number
    •     Allocations for a quantity less than or equal to the requirement quantity
    •     Deallocations for a quantity less than or equal to the requirement quantity
    •     A total deallocation
    Hope it helps.
    Regards,
    Anirban Roy

  • Why can't I use the continuity feature on ipad 2?

    I personally think continuity feature should be available to each and everyone of apple products that are iOS 8.1 compatible.

    http://www.apple.com/feedback/
    Tell Apple. However given that there were parts of iOS7 that the iPad 2 couldn't get, I don't find it surprising that it doesn't get all of iOS8.

  • Business Continuity of Databases....

    I would welcome some Oracle DBA assistance to scope a piece of audit work for tender around business continuity of an Oracle database/environment (managed and supported by a 3rd party provider). We have had several “security” audits/assessments of this Oracle database, and its environment, i.e. the infrastructure on which the database is installed/operated, and the front end web application. But I just think that’s only half the coverage required when it comes down to risk; there are still operational issues, namely what we call “business continuity” practices and controls.
    Can anyone help provide a scope of the things to include in a business continuity type audit of an Oracle Database/DBA provider? Even if it's just top level bullet points that I can research further it will help. If you have ever done one before, do you have a scope of the work? If you have ever had such an assessment/audit done of your own business continuity practices for Oracle environments you manage and support, what was included in the review?

    It doesn't make a lot of sense to talk about business continuity at a database level - it needs to be addressed at a service level. Database failure is only one of many things that could affect the availability of the service.
    But in general you need to think about the following
    - What constitutes loss of service? I.e what is the trigger point for invoking your business continuity plans? You may have several levels of this, Full outage, loss of functionality, loss of access based on geographic area/user group/access channel, each with different plans
    - Who makes the decision to invoke the plan/bits of the plan i.e escalation routes?
    - Coming up with a plan for the various scenarios, Not just technical (That is often the easy bit) - things like
    - Communication - how do you let the team invoking the plan, and the users know? Bear in mind the problem may be with networks etc. Does everyone have access to the plan, even if computer systems are down?
    - Training
    - Physical considerations. Do you need a new server room? Somewhere to work?
    - Financial. What will the financial impact be? Can you get funds to pay for staff, kit, accommodation etc if necessary?
    - Testing. The plans need to be tested. Can be a hard sell to management to really take your systems out, but it's often the only way. And this time you know you can easily turn things back on!
    - Afterwards. Do you need to do any processing after the event? For example for one of my systems in the case of losing an area node, the plan is to revert to paper recording, and contact other offices for any urgent lookups etc. This requires backfilling the data onto the system once it is back available. You need to plan the amount of resource necessary for this.
    You can come up with hundreds of different scenarios if you get carried away. You will never be able to plan for them all, so pick the most likely. It should be a continuously evolving process anyway. For example we had to add policies around bird flu (Both for a genuine pandemic, and more likely scenario that offices are shut down) a year or 2 ago.
    Carl

  • TS4006 "Is the Find my Mac feature available for an OSX 10.7.4 MacBook?"

    Is the Find My Mac feature available for an OSX 10.7.4 MacBook?

    Here's the troubleshooting section you referred me to, and the response;
    The date on your device is incorrect. This can be set in Settings > General > Date & Time.
    I have verified the time and date
    Your device is not up to date. It needs to have iOS 5 or later.
    It's a MacBook using OSX 10.7.4
    Your iCloud account is not configured on your device. Enter your iCloud account information in Settings > Mail, Contacts, Calendars.
    When I try to do this, I get into the loop that I will try to describe more completely below:
    1. In System Preferences, I select iCloud, where I have only one option - "Move to iCloud" I click on that sole option.
    2. I'm taken to www.me.com/find page, where I Log In using my Apple ID and then I see a very large statement, "To use Find My iPhone, go to iCloud.com." - with only one button available - "Open iCloud.com" - I click on that sole option.
    3. I'm asked to enter my user name and password again, which I do
    4. The page that occurs next is a secure iCloud site - https://www.icloud.com/#find
    5. My iPhone and iMac are listed under "My Devices," but not the MacBook.
    I can see no opportunity to enable "Find my Mac" on the MacBook, because Preferences/iCloud leads me back into the loop described above.
    You have multiple iCloud accounts entered on your iPhone, iPad, or iPod touch. Only one account can have Find My iPhone turned on at a given time. Log in to Find My iPhone with your other iCloud accounts until your device is listed.
    I have viewed my Apple ID account and can find no sign of multiple iCloud accounts.
    You have already initiated a wipe of the iPhone, iPad, or iPod touch. The device will not appear on the page until it is reconfigured with your iCloud account information.
    I have not "wiped" the MacBook, and don't see how this could be the problem.
    There is scheduled maintenance or another issue affecting Find My iPhone. Check iCloud Support to see if this is the case.
    iCloud support indicates that the system is operating fully.
    Your device has lost network connectivity. If you have access to your device and it appears to have an active Internet connection, enable and then disable Airplane mode. If you continue to have issues, turn the device off and back on.
    It's a MacBook with a good WiFi connection to a known system. There is no Airplane mode on the MacBook.
    Find My Mac can only locate your Mac if it is connected to an internet via a known Wi-Fi network. If your Mac is connected to the internet only by an ethernet cable, Find My Mac will not be able to locate your Mac.
    Again, it is connected to a known WiFi system - my house. It's the same system that my iMac is connected to, and the iMac appears as a listed Device in iCloud "Find My Phone"
    To be sure, I ran Disk First Aid and restarted my MacBook, and also ran Repair Disk Permissions twice.
    Same symptoms have not been resolved.

  • Visio stencil for ASA 5585-X?

    Hello,
    Can anybody help by pointing me to where I can get a Visio stencil for an asa-5585-x?
    I really appreciate it.
    Thanks,
    John

    Hi John,
    The official Cisco Visio stencils can be found here:
    http://www.cisco.com/en/US/partner/products/hw/prod_cat_visios.html
    I don't see the 5585 there yet, but once it's available that set should be updated.
    -Mike

  • ASA 5585-X TACACS+/RADIUS Server

    All,
    Can the ASA 5585-Xs act as an AAA TACACS+ and/or RADIUS server for network infrastructure devices?
    I've used Cisco Secure ACS for TACACS and RADIUS AAA.
    My client has ordered a bunch of them.   They don't have an AAA solution and were just told they will need to implement AAA on network infrastructure devices.
    Thanks for any information.
    Stephanie

    Adding to Jan's correct answer.
    The current Cisco RADIUS offerings are either the ACS product (RADIUS and TACACS+) or Identity Services Engine (ISE - RADIUS only). Both are offered in both appliance and VM formats.
    Beside NPS on Windows server, there are also open source projects of both RADIUS and TACACS servers available.

  • Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem

    Hi,
    We have a firewall service environment where logging is handled with UDP at the moment.
    Recently we have noticed that some messages get lost on the way to the server (since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
    You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security Context and found out that all the connections through that firewall were now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
    The TCP syslog connection failing was caused by a mismatched TCP port on the server, which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
    "%ASA-3-201008: Disallowing new connections."
    Here start my questions:
    - New connections are supposed to be blocked when the TCP Syslog server isn't reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
    - I configured the "logging permit-hostdown" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
    - Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
    - After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
    - As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
    In the end I was forced to save the configuration on the ASA's Flash memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem.
    Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-hostdown" command didn't help, nor did changing back to UDP.
    It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on.
    Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-hostdown" which is supposed to avoid this situation altogether).
    - Jouni

    Hi,
    I FINALLY had the time to look at this issue as I was testing something else in our lab too.
    In short, here is what I did:
    - I configured the TCP logging in the same way as in the original post
    - I configured the TCP logging giving the commands in different order
    - Did some other tests related to the problem
    Device used: ASA 5585-X
    Software: 8.4(2)
    Original Device and software: ASA 5585-X running 8.4(1)9
    Here are the above scenarios and what actually happened:
    Original situation
    Before doing any changes the test firewall context in question is working normally and the log sent by UDP/514 is arriving to the Syslog server as usual.
    I now change the syslog to TCP by giving a command "logging host tcp/1471" (actual port being TCP/1470)
    The firewall immediately starts blocking all connections going through it.
    I change the configuration to the correct port TCP/1470 after which log starts appearing in my realtime view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections" even though the TCP port on the Syslog server is clearly reachable and the connection is active.
    After this I try to do the suggested "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries with its outside interface (related to another configuration).
    After this I try to start correcting the situation the same way as before. I add "logging permit-hostdown" command which has no effect on the situation. I remove all logging configurations and it doesn't have any effect on the situation.
    After this I activate UDP logging and can see the logs arriving on the syslog server but again I can only see "Disallowing new connections" message.
    In the end I have no other option (to my knowledge) other than to delete the Security Context and create it again with same interfaces and with the configuration saved to the Flash memory of the ASA.
    After this the connections work like usual. (UDP logging in the saved configuration)
    Giving the configurations in different order
    After I've created the firewall again and all is working I have another try in configuring the TCP Syslog while giving the commands in different order.
    First I add the "logging permit-hostdown" command
    Then I add the command "logging host tcp/1470"
    After this logs start arriving on the syslog server and connections work as usual. Seems giving the "logging permit-hostdown" first before any other configurations is the right way to go.
    Removing the "logging permit-hostdown" command
    After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
    Configuring wrong TCP port to "logging host" command
    I decide to try and change the TCP port used to a wrong one and see if anything happens. (logging permit-hostdown is active). Firewall works as usual. Naturally no logs can be viewed at the syslog server.
    Configuring the TCP Syslogging without "logging permit-hostdown" but with correct port
    Finally I tried to configure the TCP Syslogging on ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
    So in conclusion it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx" , you might run into problems IF you don't have matching settings on the ASA sending the log and the Syslog server receiving the log.
    There doesn't seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configurations. Seems your only option is to reconfigure the Security Context (which is easy) or if this problem exists in the same way in a single ASA you will have to reboot the device which means longer downtime than reconfiguring a context.
    There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
    - Jouni
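
An added example, not part of the original posts and not Cisco tooling: a pre-change lint that walks a planned command list in order and flags a TCP "logging host" entered before "logging permit-hostdown", or with a port that differs from the one the syslog server listens on, plus a filter for the %ASA-3-201008 message. The interface name `mgmt`, the 192.0.2.10 address, the sample log lines and all function names are constructed for illustration.

```python
import re

# "logging host <interface> <ip> tcp/<port>"; UDP hosts are not part of this check.
TCP_HOST = re.compile(r"^logging host \S+ \S+ tcp/(\d+)$", re.I)

def audit_change(commands, listener_port):
    """Return (line_no, finding) pairs for a planned command sequence.

    listener_port is the TCP port the syslog server really listens on,
    supplied by the operator (assumption: it is known before the change).
    """
    findings = []
    permit_hostdown = False
    for n, raw in enumerate(commands, 1):
        cmd = " ".join(raw.split())          # normalise whitespace
        low = cmd.lower()
        if low == "logging permit-hostdown":
            permit_hostdown = True
        elif low == "no logging permit-hostdown":
            permit_hostdown = False
        m = TCP_HOST.match(cmd)
        if not m:
            continue
        if not permit_hostdown:
            # The ordering the thread found could leave a context blocking traffic.
            findings.append((n, "tcp-host-before-permit-hostdown"))
        if int(m.group(1)) != listener_port:
            # With permit-hostdown active traffic keeps flowing, but logs are lost.
            findings.append((n, "port-mismatch"))
    return findings

def blocked_events(log_lines):
    """Return received syslog lines that carry %ASA-3-201008."""
    return [line for line in log_lines if "%ASA-3-201008" in line]

# Constructed sample inputs.
RISKY_CHANGE = ["logging enable",
                "logging host mgmt 192.0.2.10 tcp/1471",
                "logging permit-hostdown"]
SAFE_CHANGE = ["logging enable",
               "logging permit-hostdown",
               "logging host mgmt 192.0.2.10 tcp/1470"]
SAMPLE_LOG = ["Jan 01 00:00:01 192.0.2.1 %ASA-6-302013: Built outbound TCP connection",
              "Jan 01 00:00:02 192.0.2.1 %ASA-3-201008: Disallowing new connections."]

if __name__ == "__main__":
    print(audit_change(RISKY_CHANGE, 1470))
    print(audit_change(SAFE_CHANGE, 1470))
    print(blocked_events(SAMPLE_LOG))
```
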

  • What is the current status for Kerberos Constrained delegation feature on the ASA platform?

    What is the current status for Kerberos Constrained delegation feature on the ASA platform?

    Hi Oscar,
    This is not available yet in the current software. Now, we cannot give any official information on this forum about software that has not been released yet, but if you really want to know I would suggest that you contact your local Cisco sales office to confirm with your account team which new features will be in the upcoming ASA 8.4 software release.
    hth
    Herbert

  • I use QVC online a lot. When hovering over a category heading at the top of the page, a drop down menu shows a list of subcategories. Is this feature available in Firefox 4 & 5? If so, how do I turn it on?

    I use QVC online a lot. When hovering over a category heading in IE9 a drop down menu appears with detailed subheadings for that category. Is this feature available in Firefox versions 4 and 5? Is this something that can be turned on in Firefox 4 & 5? If so, how do I turn this feature on?

    Hey Dave,
    How did you get on with this?
    Have you tried CSS position:fixed?  I have been playing around with it on my own project  (and in fact am just about to post a related question)  and can confirm that it works with a plain old DIV.
    SVG I can't be sure though..
    Certainly give it a try.
    Cheers

  • ASA 5585 port-channels

    I want to create a port-channel with 2 10Gbs interfaces on 2 ASA 5585 firewalls, and set them up in a failover pair.
    In order to do this, do I simply put two 10Gbs interfaces into a channel and then configure the IP addressing and failover address on the logical port-channel interface? (aka interface po1).
    Any limitations with this?

    Yes, that is exactly what you do..
    Create portchannel on switch and ASA
    Trunk the vlan on switch side
    Create logical interfaces on ASA
