Cisco ASA 5500x with FirePower logging & syslog Format/reference

Similar Messages

• Cisco asa 5505 with Router 881w Configuration Help

  Hello all,
  I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
  Thanks in advance.
  here are the show runs:
  Cisco ASA 5505 show run:
  ASA Version 8.3(1)
  names
  interface Vlan1
   no nameif
   no security-level
   no ip address
  interface Vlan5
   mac-address xxxx.xxxx.xxxx
   nameif OUTSIDE
   security-level 0
   ip address dhcp setroute
  interface Vlan10
   nameif INSIDE
   security-level 100
   ip address 192.168.5.1 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 5
  interface Ethernet0/1
   switchport access vlan 10
  interface Ethernet0/2
  interface Ethernet0/3
   shutdown
  interface Ethernet0/4
   shutdown
  interface Ethernet0/5
   shutdown
  interface Ethernet0/6
   shutdown
  interface Ethernet0/7
   shutdown
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  object network INTERNAL_LAN
   subnet 192.168.5.0 255.255.255.0
  object network PRIVATE_LAN_192
   subnet 192.168.15.0 255.255.255.224
   description PRIVATE_LAN_192
  access-list INSIDE_access_in extended permit ip any any
  access-list INSIDE_access_in extended deny ip any any
  access-list OUTSIDE_access_in extended permit ip any any
  access-list OUTSIDE_access_in extended deny ip any any
  pager lines 24
  logging enable
  mtu OUTSIDE 1500
  mtu INSIDE 1500
  ip verify reverse-path interface OUTSIDE
  ip verify reverse-path interface INSIDE
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  object network INTERNAL_LAN
   nat (INSIDE,OUTSIDE) dynamic interface
  object network PRIVATE_LAN_192
   nat (INSIDE,OUTSIDE) dynamic interface
  access-group OUTSIDE_access_in in interface OUTSIDE
  access-group INSIDE_access_in in interface INSIDE
  route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  dhcpd dns 8.8.8.8 75.75.76.76
  dhcpd address 192.168.5.10-192.168.5.100 INSIDE
  dhcpd enable INSIDE
  Router 881w show run:
  Current configuration : 4912 bytes
  version 12.4
  no ip source-route
  ip dhcp excluded-address 192.168.15.1 192.168.15.10
  ip dhcp pool PRIVATE_LAN
     network 192.168.15.0 255.255.255.224
  interface FastEthernet0
   switchport trunk allowed vlan 1,15,1002-1005
   switchport mode trunk
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
   ip address 192.168.5.2 255.255.255.0
   duplex auto
   speed auto
  interface wlan-ap0
   description Service module interface to manage the embedded AP
   no ip address
   arp timeout 0
  interface Wlan-GigabitEthernet0
   description Internal switch interface connecting to the embedded AP
  interface Vlan1
   no ip address
  interface Vlan15
   ip address 192.168.15.1 255.255.255.224
  no ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 FastEthernet4
  no ip http server
  ip http authentication local
  ip http secure-server

  The cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above  configuration. My problem is just vlan 15.

• Correlating Cisco ASA-SSM-IPS Events/Logs

  I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this decice is the ability to monitor, analyse, and correlate security events. Can anybody help with a documentation to simplify daily (or periodic) analysis, and correlation of the IPS Logs? As I am not yet to up to speed with this task yet, a "How-to" document would be just fine.  Thank you.

  Hi Chris,
  Good to have you get on the case. I am yet to setup and ips manager software. Presently, I use an ASDM 6 interface, with this interface, I am able to view events and alerts, and perform other adminsitrative cores... The IPS manager express does it comes bundle with our device purchase? Does it contain necesary templates/docs for correlating events/Logs?

• Creating a 20MB bandwidth using two cisco asa 5515x with a hub (10/100/1000)

  hi all,
  I would like to simulate a bandwidth of 20MB for my DR project testing on my two cisco asa 5515x and with a cisco hub (10/100/1000).  I was thinking to make two connections on my "outside" vlan with both speed of 10 and etherchannel it and do it again on the other asa.
  Do you think it will simulate 20MB bandwidth?  Or any other suggestion?  Please add any comment, thanks to all.

  Hi Nicholas,
  You have the HSRP running between your core devices. You can have your core A - ASA1 & Core-B - ASA2.
  In your core switch you need to have a sepearate VLAN to connect the uplink to the firewall and asusual in asa you can have the primary and standby address configured and in core also you can have the vlan with hsrp ip configured.
  But make sure that in your firewall you should mention the static routes for each subnets pointing to the core device hsrp.
  The other scenario is you have make you ASA a standalone firewalls and in one firewall you need to have route to core a as primary and core b as secondary and in the other firewall vice versa. So that your traffic will get load balanced.
  Please do rate if the given information helps.
  By
  Karthik

• Can Cisco ASA work with spaces in LDAP DN string to authenticate and assign group policies?

  I am having the hardest time getting a definitive answer to this;  basically, I have a Cisco ASA firewall that is using AD via LDAP to authenticate  users and assign them a group policy based on certain AD group memberships.
  The problem I think I have is that due to how our AD forest is structured, I have spaces in the DN string, as shown below...  I have tried enclosing the entire string in quotes, etc.  - nothing seems to work.  Basically, the string is not matched, and the users are assigned a non-matching default policy.  Cisco TAC thinks it is due to the spaces (highlighted) but I am not sure sure.
  Can some one please advise?
  CN=VPN_SSL_SPLIT,OU=Grps - ACS,OU=Res - Groups,OU=BU - Vesna.Resources,DC=DOM1,DC=US,DC=LOCAL

  We can troubleshoot this issue. Please provide me the following outputs:
  show run aaa-server
  show run ldap
  Turn on "debug ldap 255" and reproduce the issue. Paste the output here.
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Cisco ASA 8.4 Command logging in ACS

  Hello,
  I have set up command authorisation on a ASA 8.4 firewall, and everything seems to work fine.
  The only problem is that the commands executed on the device such as ssh or asdm access does not show up in the TACACS+ Administration log on de ACS 4.2 server.
  While on switches and routers the commands executed does show up in the log.
  I googled the web, but did not find any similar item for this issue.
  Please help....

  You need to look at the latency between the initial connection after the pause and the beginning of when data is returned to the client. I will virtually guarantee the application is timing the user out before restarting the session.
  Sent from Cisco Technical Support iPad App

• Cisco asa 5585 syslog options for ips?

  We have CISCO ASA 5585 with a separate module for IPS, I want to know what are the options for configuring syslog? Its nearly impossible to find ; and there are some forums on the internet which says that cisco ips stores logs in native / proprietary format and cannot be exported.
  Please elaborate
  Thanks.

  Some sensor-related events generate syslog messages. Those will be forwarded according to the parent ASA syslog settings.
  Detailed IPS events (signature triggers actions etc.) are stored locally and must be retrieved using the SDEE protocol (tcp-based). That requires use of a management system like Cisco Security Manager (CSM), IPS Manager Express (IME) etc. There is a good document here that explains SDEE in more detail.

• Error Routing protocol - EIGRP between Cisco ASA with Switch 4506

  Dear Cisco Team,
  I have problem when I configed EIGRP between cisco ASA 5510 with core switch 4506. This is below error
  *Nov  4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
  *Nov  4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
  *Nov  4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
  *Nov  4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
  *Nov  4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
  *Nov  4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
  quang huy2004: *Nov  4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
  *Nov  4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
  *Nov  4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
  *Nov  4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
  *Nov  4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
  *Nov  4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
  the tech Spec
  ASA,  IOS : 8.0.2
  4506, License IP Base; OS: Unisal 15 M.2
  I checked between ASA with Router ok; but between ASA with 4506 error
  Can you help me ?

  Hello,
  This logs means that the hold time expired so the hello packets are not being received, usually means multicast packets are missed-224.0.0.10)
  I would recommend you to try another cable because this ussualy is a phisical or congestion issue.
  Can you try that and let us know the result, also if that does not help can you send us the following outputs:
  -Show ip EIGPR neighbors
  -Debug EIGRP packet hello
  Regards,
  Julio

• Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

  Hello
  I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
  The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
  So I am stuck...
  What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
  I was hoping Azure's VPN solution would be very flexible.
  Thanks

  Hello RTF_Admin,
  1. Which is the Series of CISCO ASA device you are using?
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
  I hope that this information is helpful
  Thanks,
  Syed Irfan Hussain

• Cisco ASA 5505 doesn't forware incoming connection to LAN

  Hello everybody.
  I just got a Cisco asa 5505 with the next OS and ASDM info
  ASA 5505 OS 8.4(3) ASDM 6.47
  I configured and enter all rules to allow incoming traffic to LAN but it's not working also, I have one host inside that is configured in a second IP and create the rule to allow traffic to it but it doesn't work too.
  Problem 1
  I have VNC running in port 5900 tcp and I want to connect from Internet using port 6001 and this has to forware the connection to the real VNC port. In the configuration I have a few host with the same configuration but I use different outside port to get it.
  Problem 2.
  I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.
  Facts:
  SMTP.
  Every time that I do telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection goes through and the LOGGING screen doesn't how that connection.
  PORT 6001 (outside)
  this port is configured to work with the IP in the outside internface and it was to send the incoming connection to a host inside to the real port 5900.
  Can any one check my configuration if I'm missing anything? for sure I'm but I didn't find it. Bellow is the configuration, I masked the Public IPs just left the last number in the IP, also I left the LAN network to see better the configuration.
  I will appreciate any help.
  Thanks a lot..
  CONFIGURATION.
  : Saved
  ASA Version 8.4(3)
  hostname saturn1
  domain-name mydominio.com
  enable password SOMEPASS encrypted
  passwd SOMEPASS encrypted
  names
  name 192.168.250.11 CAPITOLA-LAN
  name 192.168.250.15 OBIi110-LAN
  name 192.168.250.21 DRP1260-LAN
  name 192.168.250.22 HPOJ8500-LAN
  name 192.168.250.30 AP-W77-NG-LAN
  name 192.168.250.97 AJ-DTOP-PC-LAN
  name 192.168.250.96 SWEETHEART-PC-LAN
  name 192.168.250.94 KIDS-PC-LAN
  name XX.YY.ZZ.250 EXTERNALIP
  name XX.YY.ZZ.251 EXTERNALIP2
  name XX.YY.ZZ.1 GTWAY
  dns-guard
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.250.2 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address EXTERNALIP 255.255.255.0
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name mydominio.com
  object network CAPITOLA-LAN
  host 192.168.250.11
  object network EXTERNALIP
  host XX.YY.ZZ.250
  description Created during name migration
  object network CAPITOLA-PUBLIC
  host XX.YY.ZZ.251
  object network capitola-int
  host 192.168.250.11
  object network capitola-int-vnc
  host 192.168.250.11
  object network aj-dtop-int-vnc
  host 192.168.250.97
  object network sweetheart-int-vnc
  host 192.168.250.96
  object network kids-int-vnc
  host 192.168.250.94
  object network VPNNetwork
  subnet 10.10.20.0 255.255.255.0
  object network InsideNetwork
  subnet 192.168.250.0 255.255.255.0
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network capitola-int-smtp
  host 192.168.250.11
  object-group service capitola-int-smtp-service tcp
  port-object eq smtp
  object-group service capitola-int-services tcp
  port-object eq smtp
  port-object eq https
  port-object eq www
  port-object eq 444
  object-group service capitola-int-vnc-service tcp
  port-object eq 6001
  object-group service aj-dtop-int-vnc-service tcp
  port-object eq 6002
  object-group service sweetheart-int-vnc-service tcp
  port-object eq 6003
  object-group service kids-int-vnc-service tcp
  port-object eq 6004
  access-list incoming extended permit icmp any any
  access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
  access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
  access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
  access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
  access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
  access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
  access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip any object VPNNetwork
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
  object network capitola-int
  nat (any,any) static XX.YY.ZZ.251
  object network capitola-int-vnc
  nat (inside,outside) static interface service tcp 5900 6001
  object network aj-dtop-int-vnc
  nat (inside,outside) static interface service tcp 5900 6002
  object network sweetheart-int-vnc
  nat (inside,outside) static interface service tcp 5900 6003
  object network kids-int-vnc
  nat (inside,outside) static interface service tcp 5900 6004
  object network obj_any
  nat (inside,outside) dynamic interface
  object network capitola-int-smtp
  nat (any,outside) static interface service tcp smtp smtp
  access-group incoming in interface outside
  route outside 0.0.0.0 0.0.0.0 GTWAY 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http server idle-timeout 2
  http server session-timeout 1
  http 192.168.1.0 255.255.255.0 inside
  http CAPITOLA-LAN 255.255.255.255 inside
  http AJ-DTOP-PC-LAN 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh CAPITOLA-LAN 255.255.255.255 inside
  ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
  ssh timeout 15
  console timeout 0
  vpn-addr-assign local reuse-delay 2
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username admin password SOMEPASS encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect pptp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
  : end
  asdm image disk0:/asdm-647.bin
  no asdm history enable

  Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
  access list rule:
  access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
  nat rule:
  nat (inside,outside) source static server interface service voip-range voip-range
  - 'server' is a network object *
  - 'voip-range' is a service group range
  I'd assume you can do something similar here in combination with my earlier comment:
  access-list incoming extended permit tcp any any eq 5900
  Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

• P2P blocking on ASA 5525 with Software Version 8.6(1)2

  Hello,
  We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
  Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
  We have DMZ setup & also inline IPS module.
  Thanks in advance.
  Regards,
  Sandeshc Chavan.

  Hi Chavan , 
  You can try to block this by port. 
  The well known TCP port for BitTorrent traffic is 6881-6889 (and 6969 for the tracker port). 
  The config is
  Access-list BLOCK-P2P-TRAFFIC deny tcp any any range  6881 6889 log 
  And applies to the desire interface with the "Access-group command"
  For example:
  Access-group  BLOCK-P2P-TRAFFIC outbound interface DMZ
  However Blocking Bittorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
  Also you can execute  from the cmd on windows  the command  netstat -a and check the port Bit torrent is using .
  Hope this helps.

• VPN Site to Site Cisco ASA-5505-BUN-50 to RV-042

                     Hello guys , anyone has an example for connect by VPN Site to Site a Cisco ASA-5505 with RV-042 , i need establish a link for connect my UC560 with CUE on Cisco Router 2800 for VoIP Site to Site calls.
  Thanks

  On ASA running 8.4.3. B side. I believe object "email" is defined incorrectly.
  Existing configuration
  object network email
  host 172.16.0.0
  description 255.255.0.0
  Correct configuration
  object network email
  subnet 172.16.0.0 255.255.0.0

• Show conn in cisco asa

  Hi Team,
  Does the show conn count includes both tcp + udp + embryonic connections.
  Because when i do a calculation in excel from the output of show conn, i got the below output.
  It was extracted from the command "show local-host | include host|count/limit"
  (A):
     Total Sum of TCP embryonic count to host = 331
  (B):
       Total Sum of TCP flow count/limit = 102938
  (C):
       Total Sum of UDP flow count/limit = 3512505
  firewall#show conn count
  1912284 in use, 2000002 most used
  Please let me know how this is caluclated. If show conn count = A+B+C, then i am suspecting that old connection entries are not getting flushed out from the connection table in cisco asa 5580 with version 8.3.2.
  Really im in need of help...

  Hi Kimberly,
  My question was, the count of show conn & show local-host does not match... More over, as the show conn was showing that the max limit of 2 million will be reaching very soon... So, i would like to troubleshoot the output of show local-host | include host|count/limit, where in i could see that one of the webserver has lots of tcp connection (lets say 35000, then the other two servers are consuming udp connections 7lacs,5lacs & 3 lacs, as given below...
  local host: ,
      TCP flow count/limit = 35857/unlimited
      TCP embryonic count to host = 25
      UDP flow count/limit = 0/unlimited
  local host: ,
      TCP flow count/limit = 306/unlimited
      TCP embryonic count to host = 8
      UDP flow count/limit = 736807/unlimited
  local host: ,
      TCP flow count/limit = 246/unlimited
      TCP embryonic count to host = 2
      UDP flow count/limit = 582010/unlimited
  local host: ,
      TCP flow count/limit = 1/unlimited
      TCP embryonic count to host = 0
      UDP flow count/limit = 308412/unlimited
  can you pls let me know any other commands can be executed to know if any huge embryonic/virus attacks/too many broad casts...... Once i clear the local-host, the connections get reduced from a huge value to low value. i reallly do not know if these are geniue traffic or fake ? or do not know if the connection table is not flushing out old entries.. please help

• Trying to use DS 6.2 w/ Cisco ASA 5540 for VPN Auth

  Hello all,
  I'm trying to connect our Cisco ASA 5540 with LDAP authentication to our DSEE 6.2 directory. The authentication is failing and this line in the debug output from the firewall is really getting to me: "No results returned for iPlanet global password policy".
  Their authentication process is two-steps.. It binds with a service account, searches on the "naming attribute" (in our case uid), grabs the DN of the user, and unbinds. With step 2, it binds to the directory with the DN it found when searching, and the password the user supplied. If the second bind is successful, then the firewall lets them on the VPN.
  When the firewall binds with the service account, it successfully finds the user's DN and disconnects, so I know my ACI is working correctly there. It just seems to fail when trying to re-bind with the user's DN...
  We opened a TAC case with Cisco, and this is their response:
  The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
  I refuse to let a poorly written application or appliance bind as cn=Directory Administrator!
  I tried putting an ACI on the default password policy located at cn=Password Policy,cn=config , but that doesn't seem to make any difference to the ASA.. My best guess is that it's looking somewhere else for the password policy... did it used to be located elsewhere in iPlanet? Has anyone made this work before with a Cisco ASA?

  My network admin and I ended up solving this problem by sheer dumb luck. In the ASA config, you tell it what kind of LDAP server it's connecting to. In one set of docs, it had the available options as microsoft, sun, or generic. In another set of docs, we found that openldap was also an acceptable option.
  I'm guessing the ASA is thinking the "sun" option is connecting to the old Netscape Directory Server. Changing the "server type" to openldap made it work immediately. It also does not look like it's trying to look at the LDAP server's password policy now either.

• High receive discards on Sub-Interfaces in Cisco ASA.

  Hello Everyone,
  Over the past few weeks Solarwinds is reporting high receive discards on two of our subinterfaces created on Cisco ASA. No errors are observed on other subinterfaces. I checked the trunk port interface on the switch for any errors but found none. These errors are visible only under subinterface. What could be the issue?
  Regards

  I have the same problem too.
  I have Cisco ASA 5515  with the next version:
  Cisco Adaptive Security Appliance Software Version 9.1(4)
  My interface configuration is the next:
  PortChannel5 made with    Interface GigabitEthernet 0/2 + Interface GigabitEthernet 0/3
  Subinterfaces in PortChannel5
  Nagios Graphs shows:
  - many input discards in virtual subinterfaces
  - many output discards in interface Gi0/2 and Gi0/3
  - PortChannel5 output discards is the sum of discards in interface Gi0/2 and Gi0/3
  if I run the snmpwalk command against the ASA the following results were obtained:
  Interface description
  [user@FIREWALL01 ~]$ snmpwalk -v 2c -c XXXXXXX 10.255.16.1 | grep ifDescr
  IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'asa_mgmt_plane' interface
  IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'Internet' interface
  IF-MIB::ifDescr.4 = STRING: Adaptive Security Appliance 'LAN_MPLS' interface
  IF-MIB::ifDescr.5 = STRING: Adaptive Security Appliance 'GigabitEthernet0/2' interface
  IF-MIB::ifDescr.6 = STRING: Adaptive Security Appliance 'GigabitEthernet0/3' interface
  IF-MIB::ifDescr.7 = STRING: Adaptive Security Appliance 'stateifha' interface
  IF-MIB::ifDescr.8 = STRING: Adaptive Security Appliance 'statelink' interface
  IF-MIB::ifDescr.9 = STRING: Adaptive Security Appliance 'Internal-Data0/1' interface
  IF-MIB::ifDescr.10 = STRING: Adaptive Security Appliance 'cplane' interface
  IF-MIB::ifDescr.11 = STRING: Adaptive Security Appliance 'mgmt_plane_int_tap' interface
  IF-MIB::ifDescr.12 = STRING: Adaptive Security Appliance 'management' interface
  IF-MIB::ifDescr.13 = STRING: Adaptive Security Appliance 'Virtual254' interface
  IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
  IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface
  IF-MIB::ifDescr.16 = STRING: Adaptive Security Appliance 'VLAN_USGLBHSTHYP_MGNT' interface
  IF-MIB::ifDescr.17 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_OM' interface
  IF-MIB::ifDescr.18 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNTOM' interface
  IF-MIB::ifDescr.19 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNT' interface
  IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
  IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
  IF-MIB::ifDescr.22 = STRING: Adaptive Security Appliance 'VLAN_USGLB_DMZ' interface
  Input discards
  [user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxx 10.255.16.1 | grep ifInDiscards
  IF-MIB::ifInDiscards.2 = Counter32: 0
  IF-MIB::ifInDiscards.3 = Counter32: 0
  IF-MIB::ifInDiscards.4 = Counter32: 0
  IF-MIB::ifInDiscards.5 = Counter32: 0
  IF-MIB::ifInDiscards.6 = Counter32: 0
  IF-MIB::ifInDiscards.7 = Counter32: 0
  IF-MIB::ifInDiscards.8 = Counter32: 0
  IF-MIB::ifInDiscards.9 = Counter32: 0
  IF-MIB::ifInDiscards.10 = Counter32: 0
  IF-MIB::ifInDiscards.11 = Counter32: 0
  IF-MIB::ifInDiscards.12 = Counter32: 0
  IF-MIB::ifInDiscards.13 = Counter32: 0
  IF-MIB::ifInDiscards.14 = Counter32: 0
  IF-MIB::ifInDiscards.15 = Counter32: 12481926
  IF-MIB::ifInDiscards.16 = Counter32: 9927941
  IF-MIB::ifInDiscards.17 = Counter32: 134120211
  IF-MIB::ifInDiscards.18 = Counter32: 124695686
  IF-MIB::ifInDiscards.19 = Counter32: 27081148
  IF-MIB::ifInDiscards.20 = Counter32: 2941537222
  IF-MIB::ifInDiscards.21 = Counter32: 32714719
  IF-MIB::ifInDiscards.22 = Counter32: 4008856
  Output discards
  [user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxxxx 10.255.16.1 | grep ifOutDiscards
  IF-MIB::ifOutDiscards.2 = Counter32: 0
  IF-MIB::ifOutDiscards.3 = Counter32: 0
  IF-MIB::ifOutDiscards.4 = Counter32: 0
  IF-MIB::ifOutDiscards.5 = Counter32: 3635696
  IF-MIB::ifOutDiscards.6 = Counter32: 119099
  IF-MIB::ifOutDiscards.7 = Counter32: 0
  IF-MIB::ifOutDiscards.8 = Counter32: 0
  IF-MIB::ifOutDiscards.9 = Counter32: 0
  IF-MIB::ifOutDiscards.10 = Counter32: 0
  IF-MIB::ifOutDiscards.11 = Counter32: 0
  IF-MIB::ifOutDiscards.12 = Counter32: 0
  IF-MIB::ifOutDiscards.13 = Counter32: 0
  IF-MIB::ifOutDiscards.14 = Counter32: 3754795
  IF-MIB::ifOutDiscards.15 = Counter32: 0
  IF-MIB::ifOutDiscards.16 = Counter32: 0
  IF-MIB::ifOutDiscards.17 = Counter32: 0
  IF-MIB::ifOutDiscards.18 = Counter32: 0
  IF-MIB::ifOutDiscards.19 = Counter32: 0
  IF-MIB::ifOutDiscards.20 = Counter32: 0
  IF-MIB::ifOutDiscards.21 = Counter32: 0
  IF-MIB::ifOutDiscards.22 = Counter32: 0
  Output discards may be normals, but I don't understand input discards in virtual subinterfaces of PortChannel5
  By the other hand, show interface command in subinterfaces don't show error or discards packets
  FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVB detail 
  Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
    Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
          VLAN identifier 1020
          Description: VLAN_USGLBVRM_SRVB
          MAC address 6073.5c69.0917, MTU 1500
          IP address 10.255.19.65, subnet mask 255.255.255.192
    Traffic Statistics for "VLAN_USGLBVRM_SRVB":
          42067433644 packets input, 45125599467459 bytes
          28153119062 packets output, 8866514693262 bytes
          32715765 packets dropped
    Control Point Interface States:
          Interface number is 21
          Interface config status is active
          Interface state is active
    Control Point Vlan1020 States:
          Interface vlan config status is active
          Interface vlan state is UP
  FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVF detail 
  Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
    Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
          VLAN identifier 1019
          Description: VLAN_USGLBVRM_SRVF
          MAC address 6073.5c69.0917, MTU 1500
          IP address 10.255.19.1, subnet mask 255.255.255.192
    Traffic Statistics for "VLAN_USGLBVRM_SRVF":
          30475814698 packets input, 14615432248013 bytes
          27472348465 packets output, 20872697455933 bytes
          2941588838 packets dropped
    Control Point Interface States:
          Interface number is 20
          Interface config status is active
          Interface state is active
    Control Point Vlan1019 States:
          Interface vlan config status is active
          Interface vlan state is UP
  FIREWALL01/pri/act#
  Can anyone explain why so many input errors appear in the subinterfaces?
  Thanks in advance!