Cisco ASA 5500x with FirePower logging & syslog Format/reference
Hello everyone,
Can anyone explain how Cisco ASA 5500x Firepower logging works?
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/white_paper_c11-532091.html
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sbaSIEM_deployG.pdf
I referred to the above links and found the syslog for botnet filtering.
ASA-4-338002: Dynamic filter permitted black listed TCP traffic from inside: 10.1.1.45/6798 (209.165.201.1/7890) to outside: 209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
It is a Cisco ASA 5500 log. Is it the same for Firepower? If yes, does Firepower generate syslog for all events like this?
Please refer me to the syslog reference guide for Cisco ASA 5500x Firepower, if one exists.
Thanks & Regards
Revathi
Firepower logging is to a FireSIGHT Management Center (FMC) via HTTPS. It does not use SDEE.
Just like the old IPS, syslog messages are only about the module status, not about actual IPS events.
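As an added example (not from the post or from Cisco), a Python parser for the %ASA-4-338002 Botnet Traffic Filter message quoted above: it splits the generic %ASA header from the body and extracts the hosts, NAT-mapped addresses and resolved domain so a log pipeline can key on message ID. The syslog prefix and the second and third sample lines are constructed, and the extra action/list words in the pattern are an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Added example, not from the post or from Cisco. Parses the generic
# %ASA-<severity>-<message-id> header and, for the Botnet Traffic Filter
# message quoted in the question (%ASA-4-338002), the hosts, NAT-mapped
# addresses and resolved domain. The syslog prefix (timestamp, hostname) in
# the samples is constructed; the message bodies follow the format on the page.

HEADER_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")

# Whitespace after the interface colon is optional: the forum copy has it,
# Cisco's reference does not. The alternative action/list words are an
# assumption so the same pattern covers sibling messages in this family.
BOTNET_RE = re.compile(
    r"Dynamic filter (?P<action>permitted|dropped|monitored) "
    r"(?P<list>black|grey|gray|white) ?listed (?P<proto>\w+) traffic "
    r"from (?P<src_if>[^:\s]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_xlate_ip>[\d.]+)/(?P<src_xlate_port>\d+)\) "
    r"to (?P<dst_if>[^:\s]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_xlate_ip>[\d.]+)/(?P<dst_xlate_port>\d+)\)"
    r"(?:, destination (?P<resolved_ip>[\d.]+) resolved from "
    r"(?P<list_type>dynamic|static) list: (?P<domain>\S+))?"
)


def parse_asa_line(line: str) -> Optional[Dict[str, object]]:
    """Header fields of any %ASA message, plus botnet-filter fields when the
    body matches. Returns None for lines that carry no ASA message."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"severity": int(m.group("severity")),
                              "msg_id": m.group("msg_id")}
    body = m.group("body")
    b = BOTNET_RE.match(body)
    if b:
        rec.update({k: v for k, v in b.groupdict().items() if v is not None})
        rec["kind"] = "botnet_filter"
    else:
        rec["kind"] = "other"
        rec["body"] = body
    return rec


def review_lines(lines: List[str]) -> Dict[str, object]:
    """Count messages per ID and collect blacklist hits that were permitted
    rather than dropped (the filter running in monitor-only mode), which are
    the flows an analyst should follow up on."""
    by_id: Counter = Counter()
    permitted_blacklist: List[tuple] = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None:
            continue
        by_id[rec["msg_id"]] += 1
        if (rec["kind"] == "botnet_filter" and rec["action"] == "permitted"
                and rec["list"] == "black"):
            permitted_blacklist.append(
                (rec["src_ip"], rec["dst_ip"], rec.get("domain", "")))
    return {"by_id": dict(by_id), "permitted_blacklist": permitted_blacklist}


# Constructed sample input: the message from the post (with its spacing), a
# second hit on another host, and an ordinary connection-built message.
SAMPLE_LOGS = [
    "Jun 10 12:00:01 asa-edge %ASA-4-338002: Dynamic filter permitted black "
    "listed TCP traffic from inside: 10.1.1.45/6798 (209.165.201.1/7890) to "
    "outside: 209.165.202.129/80 (209.165.202.129/80), destination "
    "209.165.202.129 resolved from dynamic list: bad.example.com",
    "Jun 10 12:00:02 asa-edge %ASA-4-338002: Dynamic filter permitted black "
    "listed TCP traffic from inside:10.1.1.46/50210 (209.165.201.1/7891) to "
    "outside:198.51.100.20/443 (198.51.100.20/443), destination "
    "198.51.100.20 resolved from dynamic list: c2.example.net",
    "Jun 10 12:00:03 asa-edge %ASA-6-302013: Built inbound TCP connection 12345 "
    "for outside:198.51.100.7/40000 (198.51.100.7/40000) to "
    "inside:10.1.1.45/443 (203.0.113.5/443)",
]

if __name__ == "__main__":
    summary = review_lines(SAMPLE_LOGS)
    print("messages per ID:", summary["by_id"])
    for src, dst, domain in summary["permitted_blacklist"]:
        print(f"permitted blacklisted flow {src} -> {dst} ({domain})")
```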
Similar Messages
-
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second VLAN to route to the internet. I have a Cisco ASA 5505 connected to my ISP (OUTSIDE) and a Cisco 881w (INSIDE) router behind my firewall. My VLAN 10 with the network 192.168.5.1 255.255.255.0 works with PAT; however, VLAN 15, which is on my 881w router, does not route to the internet at all. I can only ping from the 192.168.15.15 network to 192.168.5.1. I would like some advice on how I can make this setup work. Attached to this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-server
The cable modem does not have any configuration. I can't add any to it. It's a Cisco DPC3008. From VLAN 10 I have no problem getting to the internet with the above configuration. My problem is just VLAN 15.
-
Correlating Cisco ASA-SSM-IPS Events/Logs
I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.
Hi Chris,
Good to have you on the case. I am yet to set up an IPS manager software. Presently, I use an ASDM 6 interface; with this interface, I am able to view events and alerts, and perform other administrative chores... Does the IPS Manager Express come bundled with our device purchase? Does it contain the necessary templates/docs for correlating events/logs? -
Creating a 20MB bandwidth using two cisco asa 5515x with a hub (10/100/1000)
Hi all,
I would like to simulate a bandwidth of 20MB for my DR project testing on my two Cisco ASA 5515x and with a Cisco hub (10/100/1000). I was thinking of making two connections on my "outside" VLAN, both at speed 10, and etherchannelling them, and doing the same again on the other ASA.
Do you think it will simulate 20MB bandwidth? Or any other suggestion? Please add any comment, thanks to all.
Hi Nicholas,
You have the HSRP running between your core devices. You can have your core A - ASA1 & Core-B - ASA2.
In your core switch you need to have a separate VLAN to connect the uplink to the firewall, and as usual in the ASA you can have the primary and standby address configured, and in the core also you can have the VLAN with the HSRP IP configured.
But make sure that in your firewall you mention the static routes for each subnet pointing to the core device HSRP.
The other scenario is you make your ASAs standalone firewalls, and in one firewall you need to have a route to core A as primary and core B as secondary, and in the other firewall vice versa, so that your traffic will get load balanced.
Please do rate if the given information helps.
By
Karthik -
Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?
I am having the hardest time getting a definitive answer to this; basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate users and assign them a group policy based on certain AD group memberships.
The problem I think I have is that due to how our AD forest is structured, I have spaces in the DN string, as shown below... I have tried enclosing the entire string in quotes, etc. - nothing seems to work. Basically, the string is not matched, and the users are assigned a non-matching default policy. Cisco TAC thinks it is due to the spaces (highlighted) but I am not so sure.
Can some one please advise?
CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL
We can troubleshoot this issue. Please provide me the following outputs:
show run aaa-server
show run ldap
Turn on "debug ldap 255" and reproduce the issue. Paste the output here.
Regards,
Jatin Katyal
*Do rate helpful posts* -
Cisco ASA 8.4 Command logging in ACS
Hello,
I have set up command authorisation on a ASA 8.4 firewall, and everything seems to work fine.
The only problem is that the commands executed on the device, such as SSH or ASDM access, do not show up in the TACACS+ Administration log on the ACS 4.2 server.
While on switches and routers the commands executed do show up in the log.
I googled the web, but did not find any similar item for this issue.
Please help....
You need to look at the latency between the initial connection after the pause and the beginning of when data is returned to the client. I will virtually guarantee the application is timing the user out before restarting the session.
Sent from Cisco Technical Support iPad App -
Cisco asa 5585 syslog options for ips?
We have a Cisco ASA 5585 with a separate module for IPS. I want to know what the options for configuring syslog are. It's nearly impossible to find, and there are some forums on the internet which say that Cisco IPS stores logs in a native/proprietary format and they cannot be exported.
Please elaborate
Thanks.
Some sensor-related events generate syslog messages. Those will be forwarded according to the parent ASA syslog settings.
Detailed IPS events (signature triggers actions etc.) are stored locally and must be retrieved using the SDEE protocol (tcp-based). That requires use of a management system like Cisco Security Manager (CSM), IPS Manager Express (IME) etc. There is a good document here that explains SDEE in more detail. -
Error Routing protocol - EIGRP between Cisco ASA with Switch 4506
Dear Cisco Team,
I have a problem when I configured EIGRP between a Cisco ASA 5510 and a core switch 4506. This is the error below:
*Nov 4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov 4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov 4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov 4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
*Nov 4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov 4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
the tech Spec
ASA, IOS : 8.0.2
4506, License IP Base; OS: Unisal 15 M.2
I checked between the ASA and a router: OK; but between the ASA and the 4506: error.
Can you help me?
Hello,
These logs mean that the hold time expired, so the hello packets are not being received; this usually means multicast packets (224.0.0.10) are being missed.
I would recommend you to try another cable because this usually is a physical or congestion issue.
Can you try that and let us know the result, also if that does not help can you send us the following outputs:
- show ip eigrp neighbors
- debug eigrp packets hello
Regards,
Julio -
Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices
Hello
I've been experimenting with moving certain on-premises servers to Azure; however, they would need a site-to-site VPN link to our many branch sites, e.g. for monitoring of nodes.
The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISRs. However, three of our key sites use Cisco ASA devices, which are listed as 'Not Compatible' with dynamic routing.
So I am stuck...
What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
I was hoping Azure's VPN solution would be very flexible.
Thanks
Hello RTF_Admin,
1. Which is the Series of CISCO ASA device you are using?
Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
Step-By-Step: Create a Site-to-Site VPN between your network and Azure
http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
You can refer to this article for Cisco ASA templates for Static routing:
http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device, as Multi-Site VPN requires dynamic routing and unfortunately there is no tweak or workaround due to the hardware compatibility issue.
I hope that this information is helpful
Thanks,
Syed Irfan Hussain -
Cisco ASA 5505 doesn't forward incoming connection to LAN
Hello everybody.
I just got a Cisco ASA 5505 with the following OS and ASDM info:
ASA 5505 OS 8.4(3) ASDM 6.47
I configured and entered all rules to allow incoming traffic to the LAN but it's not working. Also, I have one host inside that is configured on a second IP, and I created the rule to allow traffic to it, but it doesn't work either.
Problem 1
I have VNC running on port 5900 TCP and I want to connect from the Internet using port 6001, and this has to forward the connection to the real VNC port. In the configuration I have a few hosts with the same configuration, but I use a different outside port to get to each one.
Problem 2.
I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.
Facts:
SMTP.
Every time that I telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection go through, and the LOGGING screen doesn't show that connection.
PORT 6001 (outside)
This port is configured to work with the IP on the outside interface, and it was to send the incoming connection to a host inside on the real port 5900.
Can anyone check my configuration in case I'm missing anything? For sure I am, but I didn't find it. Below is the configuration; I masked the public IPs and just left the last number of each IP. I also left the LAN network so the configuration is easier to follow.
I will appreciate any help.
Thanks a lot..
CONFIGURATION.
: Saved
ASA Version 8.4(3)
hostname saturn1
domain-name mydominio.com
enable password SOMEPASS encrypted
passwd SOMEPASS encrypted
names
name 192.168.250.11 CAPITOLA-LAN
name 192.168.250.15 OBIi110-LAN
name 192.168.250.21 DRP1260-LAN
name 192.168.250.22 HPOJ8500-LAN
name 192.168.250.30 AP-W77-NG-LAN
name 192.168.250.97 AJ-DTOP-PC-LAN
name 192.168.250.96 SWEETHEART-PC-LAN
name 192.168.250.94 KIDS-PC-LAN
name XX.YY.ZZ.250 EXTERNALIP
name XX.YY.ZZ.251 EXTERNALIP2
name XX.YY.ZZ.1 GTWAY
dns-guard
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.250.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address EXTERNALIP 255.255.255.0
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name mydominio.com
object network CAPITOLA-LAN
host 192.168.250.11
object network EXTERNALIP
host XX.YY.ZZ.250
description Created during name migration
object network CAPITOLA-PUBLIC
host XX.YY.ZZ.251
object network capitola-int
host 192.168.250.11
object network capitola-int-vnc
host 192.168.250.11
object network aj-dtop-int-vnc
host 192.168.250.97
object network sweetheart-int-vnc
host 192.168.250.96
object network kids-int-vnc
host 192.168.250.94
object network VPNNetwork
subnet 10.10.20.0 255.255.255.0
object network InsideNetwork
subnet 192.168.250.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network capitola-int-smtp
host 192.168.250.11
object-group service capitola-int-smtp-service tcp
port-object eq smtp
object-group service capitola-int-services tcp
port-object eq smtp
port-object eq https
port-object eq www
port-object eq 444
object-group service capitola-int-vnc-service tcp
port-object eq 6001
object-group service aj-dtop-int-vnc-service tcp
port-object eq 6002
object-group service sweetheart-int-vnc-service tcp
port-object eq 6003
object-group service kids-int-vnc-service tcp
port-object eq 6004
access-list incoming extended permit icmp any any
access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object VPNNetwork
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
object network capitola-int
nat (any,any) static XX.YY.ZZ.251
object network capitola-int-vnc
nat (inside,outside) static interface service tcp 5900 6001
object network aj-dtop-int-vnc
nat (inside,outside) static interface service tcp 5900 6002
object network sweetheart-int-vnc
nat (inside,outside) static interface service tcp 5900 6003
object network kids-int-vnc
nat (inside,outside) static interface service tcp 5900 6004
object network obj_any
nat (inside,outside) dynamic interface
object network capitola-int-smtp
nat (any,outside) static interface service tcp smtp smtp
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 GTWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 2
http server session-timeout 1
http 192.168.1.0 255.255.255.0 inside
http CAPITOLA-LAN 255.255.255.255 inside
http AJ-DTOP-PC-LAN 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh CAPITOLA-LAN 255.255.255.255 inside
ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
ssh timeout 15
console timeout 0
vpn-addr-assign local reuse-delay 2
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password SOMEPASS encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
: end
asdm image disk0:/asdm-647.bin
no asdm history enable
Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VoIP (access list and NAT rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ? -
P2P blocking on ASA 5525 with Software Version 8.6(1)2
Hello,
We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
We have DMZ setup & also inline IPS module.
Thanks in advance.
Regards,
Sandeshc Chavan.
Hi Chavan,
You can try to block this by port.
The well-known TCP ports for BitTorrent traffic are 6881-6889 (and 6969 for the tracker port).
The config is
access-list BLOCK-P2P-TRAFFIC extended deny tcp any any range 6881 6889 log
access-list BLOCK-P2P-TRAFFIC extended permit ip any any
And apply it to the desired interface with the access-group command.
For example:
access-group BLOCK-P2P-TRAFFIC in interface DMZ
However, blocking BitTorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
Also, you can execute the command netstat -a from the cmd on Windows and check the port BitTorrent is using.
Hope this helps. -
VPN Site to Site Cisco ASA-5505-BUN-50 to RV-042
Hello guys, does anyone have an example of connecting a Cisco ASA-5505 with an RV-042 by site-to-site VPN? I need to establish a link to connect my UC560 with CUE on a Cisco Router 2800 for VoIP site-to-site calls.
Thanks
On ASA running 8.4.3, B side, I believe object "email" is defined incorrectly.
Existing configuration
object network email
host 172.16.0.0
description 255.255.0.0
Correct configuration
object network email
subnet 172.16.0.0 255.255.0.0 -
Hi Team,
Does the show conn count include TCP + UDP + embryonic connections?
Because when I do a calculation in Excel from the output of show conn, I get the output below.
It was extracted from the command "show local-host | include host|count/limit"
(A):
Total Sum of TCP embryonic count to host = 331
(B):
Total Sum of TCP flow count/limit = 102938
(C):
Total Sum of UDP flow count/limit = 3512505
firewall#show conn count
1912284 in use, 2000002 most used
Please let me know how this is calculated. If show conn count = A+B+C, then I suspect that old connection entries are not getting flushed out from the connection table in the Cisco ASA 5580 with version 8.3.2.
Really I'm in need of help...
Hi Kimberly,
My question was, the count of show conn & show local-host does not match... Moreover, as show conn was showing that the max limit of 2 million will be reached very soon... So, I would like to troubleshoot the output of show local-host | include host|count/limit, wherein I could see that one of the web servers has lots of TCP connections (let's say 35000), then the other two servers are consuming UDP connections, 7 lacs, 5 lacs & 3 lacs, as given below...
local host: ,
TCP flow count/limit = 35857/unlimited
TCP embryonic count to host = 25
UDP flow count/limit = 0/unlimited
local host: ,
TCP flow count/limit = 306/unlimited
TCP embryonic count to host = 8
UDP flow count/limit = 736807/unlimited
local host: ,
TCP flow count/limit = 246/unlimited
TCP embryonic count to host = 2
UDP flow count/limit = 582010/unlimited
local host: ,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
UDP flow count/limit = 308412/unlimited
Can you please let me know any other commands that can be executed to know if there are any huge embryonic/virus attacks/too many broadcasts...... Once I clear the local-host, the connections get reduced from a huge value to a low value. I really do not know if these are genuine traffic or fake, or whether the connection table is not flushing out old entries.. Please help -
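As an added example (not from the thread), a Python script that parses "show local-host" output of the form shown in the post, totals the three counters the poster summed in Excel (A, B, C), and ranks and flags hosts so a single runaway UDP talker stands out. The host addresses are constructed (the forum copy has them stripped), the "local host: <ip>," form is an assumption about the real output, and the thresholds are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the thread. Parses "show local-host" output in the
# form shown in the post and totals the three counters the poster summed in
# Excel (A: TCP embryonic, B: TCP flows, C: UDP flows), then ranks and flags
# hosts so a single runaway talker stands out. Host addresses below are
# constructed; the real output is assumed to print them as "local host: <ip>,"
# (the forum copy has the addresses stripped), and the parser accepts both.

HOST_RE = re.compile(r"^local host:\s*<?(?P<ip>[\d.]+)?>?,")
TCP_RE = re.compile(r"TCP flow count/limit\s*=\s*(?P<count>\d+)/(?P<limit>\w+)")
EMB_RE = re.compile(r"TCP embryonic count to host\s*=\s*(?P<count>\d+)")
UDP_RE = re.compile(r"UDP flow count/limit\s*=\s*(?P<count>\d+)/(?P<limit>\w+)")

Stats = Dict[str, int]


def parse_local_host(text: str) -> Dict[str, Stats]:
    """Return {ip: {"tcp": n, "embryonic": n, "udp": n}} for each host block."""
    hosts: Dict[str, Stats] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            # A stripped address still gets a stable key so its counters count.
            current = m.group("ip") or f"unknown-{len(hosts) + 1}"
            hosts[current] = {"tcp": 0, "embryonic": 0, "udp": 0}
            continue
        if current is None:
            continue
        for key, rx in (("tcp", TCP_RE), ("embryonic", EMB_RE), ("udp", UDP_RE)):
            m = rx.search(line)
            if m:
                hosts[current][key] = int(m.group("count"))
    return hosts


def totals(hosts: Dict[str, Stats]) -> Tuple[int, int, int]:
    """(A, B, C) as the poster labelled them: embryonic, TCP flows, UDP flows."""
    a = sum(h["embryonic"] for h in hosts.values())
    b = sum(h["tcp"] for h in hosts.values())
    c = sum(h["udp"] for h in hosts.values())
    return a, b, c


def top_talkers(hosts: Dict[str, Stats], key: str = "udp",
                limit: int = 3) -> List[Tuple[str, int]]:
    """Hosts with the highest value of one counter, largest first."""
    ranked = sorted(((ip, h[key]) for ip, h in hosts.items()),
                    key=lambda t: t[1], reverse=True)
    return ranked[:limit]


def flag_hosts(hosts: Dict[str, Stats], udp_threshold: int = 100_000,
               embryonic_threshold: int = 1_000) -> List[Tuple[str, str]]:
    """Hosts worth a closer look: a UDP flow count far above the others (entries
    not timing out, or a flood), or many half-open TCP connections (a service
    that is not answering, or a SYN flood). Thresholds are assumptions."""
    flagged = []
    for ip, h in hosts.items():
        if h["udp"] >= udp_threshold:
            flagged.append((ip, f"udp flows {h['udp']}"))
        if h["embryonic"] >= embryonic_threshold:
            flagged.append((ip, f"embryonic tcp {h['embryonic']}"))
    return flagged


# Constructed sample: the four host blocks from the post, with made-up addresses.
SAMPLE_OUTPUT = """\
local host: <10.0.0.11>,
    TCP flow count/limit = 35857/unlimited
    TCP embryonic count to host = 25
    UDP flow count/limit = 0/unlimited
local host: <10.0.0.12>,
    TCP flow count/limit = 306/unlimited
    TCP embryonic count to host = 8
    UDP flow count/limit = 736807/unlimited
local host: <10.0.0.13>,
    TCP flow count/limit = 246/unlimited
    TCP embryonic count to host = 2
    UDP flow count/limit = 582010/unlimited
local host: <10.0.0.14>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 308412/unlimited
"""

if __name__ == "__main__":
    hosts = parse_local_host(SAMPLE_OUTPUT)
    a, b, c = totals(hosts)
    print(f"A (embryonic) = {a}, B (TCP flows) = {b}, C (UDP flows) = {c}, "
          f"A+B+C = {a + b + c}")
    print("top UDP talkers:", top_talkers(hosts))
    for ip, reason in flag_hosts(hosts):
        print(f"check {ip}: {reason}")
```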
Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth
Hello all,
I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
Their authentication process is two steps. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. With step 2, it binds to the directory with the DN it found when searching, and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
We opened a TAC case with Cisco, and this is their response:
The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config, but that doesn't seem to make any difference to the ASA.. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?
My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either. -
High receive discards on Sub-Interfaces in Cisco ASA.
Hello Everyone,
Over the past few weeks Solarwinds is reporting high receive discards on two of our subinterfaces created on Cisco ASA. No errors are observed on other subinterfaces. I checked the trunk port interface on the switch for any errors but found none. These errors are visible only under subinterface. What could be the issue?
Regards
I have the same problem too.
I have a Cisco ASA 5515 with the following version:
Cisco Adaptive Security Appliance Software Version 9.1(4)
My interface configuration is the following:
PortChannel5 made with Interface GigabitEthernet 0/2 + Interface GigabitEthernet 0/3
Subinterfaces in PortChannel5
Nagios Graphs shows:
- many input discards in virtual subinterfaces
- many output discards in interface Gi0/2 and Gi0/3
- PortChannel5 output discards is the sum of discards in interface Gi0/2 and Gi0/3
If I run the snmpwalk command against the ASA, the following results are obtained:
Interface description
[user@FIREWALL01 ~]$ snmpwalk -v 2c -c XXXXXXX 10.255.16.1 | grep ifDescr
IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'asa_mgmt_plane' interface
IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'Internet' interface
IF-MIB::ifDescr.4 = STRING: Adaptive Security Appliance 'LAN_MPLS' interface
IF-MIB::ifDescr.5 = STRING: Adaptive Security Appliance 'GigabitEthernet0/2' interface
IF-MIB::ifDescr.6 = STRING: Adaptive Security Appliance 'GigabitEthernet0/3' interface
IF-MIB::ifDescr.7 = STRING: Adaptive Security Appliance 'stateifha' interface
IF-MIB::ifDescr.8 = STRING: Adaptive Security Appliance 'statelink' interface
IF-MIB::ifDescr.9 = STRING: Adaptive Security Appliance 'Internal-Data0/1' interface
IF-MIB::ifDescr.10 = STRING: Adaptive Security Appliance 'cplane' interface
IF-MIB::ifDescr.11 = STRING: Adaptive Security Appliance 'mgmt_plane_int_tap' interface
IF-MIB::ifDescr.12 = STRING: Adaptive Security Appliance 'management' interface
IF-MIB::ifDescr.13 = STRING: Adaptive Security Appliance 'Virtual254' interface
IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface
IF-MIB::ifDescr.16 = STRING: Adaptive Security Appliance 'VLAN_USGLBHSTHYP_MGNT' interface
IF-MIB::ifDescr.17 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_OM' interface
IF-MIB::ifDescr.18 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNTOM' interface
IF-MIB::ifDescr.19 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNT' interface
IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
IF-MIB::ifDescr.22 = STRING: Adaptive Security Appliance 'VLAN_USGLB_DMZ' interface
Input discards
[user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxx 10.255.16.1 | grep ifInDiscards
IF-MIB::ifInDiscards.2 = Counter32: 0
IF-MIB::ifInDiscards.3 = Counter32: 0
IF-MIB::ifInDiscards.4 = Counter32: 0
IF-MIB::ifInDiscards.5 = Counter32: 0
IF-MIB::ifInDiscards.6 = Counter32: 0
IF-MIB::ifInDiscards.7 = Counter32: 0
IF-MIB::ifInDiscards.8 = Counter32: 0
IF-MIB::ifInDiscards.9 = Counter32: 0
IF-MIB::ifInDiscards.10 = Counter32: 0
IF-MIB::ifInDiscards.11 = Counter32: 0
IF-MIB::ifInDiscards.12 = Counter32: 0
IF-MIB::ifInDiscards.13 = Counter32: 0
IF-MIB::ifInDiscards.14 = Counter32: 0
IF-MIB::ifInDiscards.15 = Counter32: 12481926
IF-MIB::ifInDiscards.16 = Counter32: 9927941
IF-MIB::ifInDiscards.17 = Counter32: 134120211
IF-MIB::ifInDiscards.18 = Counter32: 124695686
IF-MIB::ifInDiscards.19 = Counter32: 27081148
IF-MIB::ifInDiscards.20 = Counter32: 2941537222
IF-MIB::ifInDiscards.21 = Counter32: 32714719
IF-MIB::ifInDiscards.22 = Counter32: 4008856
Output discards
[user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxxxx 10.255.16.1 | grep ifOutDiscards
IF-MIB::ifOutDiscards.2 = Counter32: 0
IF-MIB::ifOutDiscards.3 = Counter32: 0
IF-MIB::ifOutDiscards.4 = Counter32: 0
IF-MIB::ifOutDiscards.5 = Counter32: 3635696
IF-MIB::ifOutDiscards.6 = Counter32: 119099
IF-MIB::ifOutDiscards.7 = Counter32: 0
IF-MIB::ifOutDiscards.8 = Counter32: 0
IF-MIB::ifOutDiscards.9 = Counter32: 0
IF-MIB::ifOutDiscards.10 = Counter32: 0
IF-MIB::ifOutDiscards.11 = Counter32: 0
IF-MIB::ifOutDiscards.12 = Counter32: 0
IF-MIB::ifOutDiscards.13 = Counter32: 0
IF-MIB::ifOutDiscards.14 = Counter32: 3754795
IF-MIB::ifOutDiscards.15 = Counter32: 0
IF-MIB::ifOutDiscards.16 = Counter32: 0
IF-MIB::ifOutDiscards.17 = Counter32: 0
IF-MIB::ifOutDiscards.18 = Counter32: 0
IF-MIB::ifOutDiscards.19 = Counter32: 0
IF-MIB::ifOutDiscards.20 = Counter32: 0
IF-MIB::ifOutDiscards.21 = Counter32: 0
IF-MIB::ifOutDiscards.22 = Counter32: 0
Output discards may be normal, but I don't understand the input discards in the virtual subinterfaces of PortChannel5.
On the other hand, the show interface command on the subinterfaces doesn't show error or discarded packets:
FIREWALL01/pri/act# sh interface VLAN_USGLBVRM_SRVB detail
Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
VLAN identifier 1020
Description: VLAN_USGLBVRM_SRVB
MAC address 6073.5c69.0917, MTU 1500
IP address 10.255.19.65, subnet mask 255.255.255.192
Traffic Statistics for "VLAN_USGLBVRM_SRVB":
42067433644 packets input, 45125599467459 bytes
28153119062 packets output, 8866514693262 bytes
32715765 packets dropped
Control Point Interface States:
Interface number is 21
Interface config status is active
Interface state is active
Control Point Vlan1020 States:
Interface vlan config status is active
Interface vlan state is UP
FIREWALL01/pri/act# sh interface VLAN_USGLBVRM_SRVF detail
Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
VLAN identifier 1019
Description: VLAN_USGLBVRM_SRVF
MAC address 6073.5c69.0917, MTU 1500
IP address 10.255.19.1, subnet mask 255.255.255.192
Traffic Statistics for "VLAN_USGLBVRM_SRVF":
30475814698 packets input, 14615432248013 bytes
27472348465 packets output, 20872697455933 bytes
2941588838 packets dropped
Control Point Interface States:
Interface number is 20
Interface config status is active
Interface state is active
Control Point Vlan1019 States:
Interface vlan config status is active
Interface vlan state is UP
FIREWALL01/pri/act#
Can anyone explain why so many input errors appear in the subinterfaces?
Thanks in advance!
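As an added example (not from the thread), a Python script that joins the snmpwalk output shown above (ifDescr, ifInDiscards, ifOutDiscards) on the IF-MIB index so each counter is reported under the ASA interface name, and computes the increase between two polls with Counter32 wrap handling; a counter like the 2941537222 on index 20 is far enough along a 32-bit counter that a naive subtraction can go negative. The first poll reuses numbers from the post; the second poll is constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the thread. Joins the snmpwalk output shown in the
# post (ifDescr, ifInDiscards, ifOutDiscards) on the IF-MIB index so each
# discard counter is reported under the ASA's own interface name, and computes
# the per-poll increase with Counter32 wrap handling. The first poll reuses
# the numbers from the post (a subset); the second poll is constructed.

DESCR_RE = re.compile(r"IF-MIB::ifDescr\.(?P<idx>\d+) = STRING: .*?'(?P<name>[^']+)'")
COUNTER_RE = re.compile(
    r"IF-MIB::(?P<obj>ifInDiscards|ifOutDiscards)\.(?P<idx>\d+) = Counter32: (?P<val>\d+)")
COUNTER32_MOD = 2 ** 32

Counters = Dict[Tuple[str, int], int]


def parse_walk(lines: List[str]) -> Tuple[Dict[int, str], Counters]:
    """Split an snmpwalk dump into {index: name} and {(object, index): value}."""
    names: Dict[int, str] = {}
    counters: Counters = {}
    for line in lines:
        m = DESCR_RE.search(line)
        if m:
            names[int(m.group("idx"))] = m.group("name")
            continue
        m = COUNTER_RE.search(line)
        if m:
            counters[(m.group("obj"), int(m.group("idx")))] = int(m.group("val"))
    return names, counters


def discard_report(names: Dict[int, str],
                   counters: Counters) -> List[Tuple[str, int, int]]:
    """(name, in_discards, out_discards) for every interface with any discards,
    highest input discards first."""
    rows = []
    for idx, name in names.items():
        ind = counters.get(("ifInDiscards", idx), 0)
        outd = counters.get(("ifOutDiscards", idx), 0)
        if ind or outd:
            rows.append((name, ind, outd))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def counter_delta(old: int, new: int) -> int:
    """Increase between two Counter32 samples, correct across one wrap-around."""
    return (new - old) % COUNTER32_MOD


def discard_rates(names: Dict[int, str], first: Counters, second: Counters,
                  seconds: float) -> Dict[str, float]:
    """Input discards per second by interface name between two polls."""
    rates: Dict[str, float] = {}
    for (obj, idx), new in second.items():
        if obj != "ifInDiscards" or idx not in names:
            continue
        old = first.get((obj, idx))
        if old is None:
            continue  # no baseline for this index in the first poll
        rates[names[idx]] = counter_delta(old, new) / seconds
    return rates


# First poll: names and counters as they appear in the post (subset).
# Second poll: constructed, assumed 60 s later.
POLL_1 = [
    "IF-MIB::ifDescr.5 = STRING: Adaptive Security Appliance 'GigabitEthernet0/2' interface",
    "IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface",
    "IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface",
    "IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface",
    "IF-MIB::ifInDiscards.5 = Counter32: 0",
    "IF-MIB::ifInDiscards.14 = Counter32: 0",
    "IF-MIB::ifInDiscards.15 = Counter32: 12481926",
    "IF-MIB::ifInDiscards.20 = Counter32: 2941537222",
    "IF-MIB::ifOutDiscards.5 = Counter32: 3635696",
    "IF-MIB::ifOutDiscards.14 = Counter32: 3754795",
    "IF-MIB::ifOutDiscards.15 = Counter32: 0",
    "IF-MIB::ifOutDiscards.20 = Counter32: 0",
]
POLL_2 = [
    "IF-MIB::ifInDiscards.5 = Counter32: 0",
    "IF-MIB::ifInDiscards.14 = Counter32: 0",
    "IF-MIB::ifInDiscards.15 = Counter32: 12482526",
    "IF-MIB::ifInDiscards.20 = Counter32: 2941600222",
]

if __name__ == "__main__":
    names, first = parse_walk(POLL_1)
    for name, ind, outd in discard_report(names, first):
        print(f"{name}: in={ind} out={outd}")
    _, second = parse_walk(POLL_2)
    for name, rate in discard_rates(names, first, second, 60.0).items():
        print(f"{name}: {rate:.1f} input discards/s")
```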