Cisco ASA 5520 ASDM Not loading

Similar Messages

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

  Hi,
  i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
  I have installed 50 Site-to-Site VPN tunnels, and they work fine.
  but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
  it happens when there is no TRAFIC on, i suspect.
  in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
  this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
  in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
  i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
  Any idea?
  Thanks,
  Daniel

  What is the lifetime value configured for in your crypto policies?
  For example:
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400

• Cisco ASA 5520 Failover with DMZ

  I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've poured over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.
  Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...
  PRIMARY ASA
  Primary-ASA# sh run failover
  failover
  failover lan unit primary
  failover lan interface stateful1 GigabitEthernet0/3
  failover key *****
  failover link stateful1 GigabitEthernet0/3
  failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
  Primary-ASA# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 160 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 20:39:23 CDT Sep 3 2013
  This host: Primary - Active
  Active time: 69648 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
       Interface outside (184.61.38.254): Normal
       Interface inside (192.168.218.252): Normal
       Interface dmz (192.168.215.254): Normal (Waiting)
       Interface management (192.168.1.1): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Other host: Secondary - Standby Ready
  Active time: 2119 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.253): Normal
  Interface inside (192.168.218.253): Normal
  Interface dmz (192.168.215.252): Normal (Waiting)
  Interface management (192.168.1.2): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
  IPS, 6.0(3)E1, Up
  Primary-ASA# sh run interface
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
  ospf cost 10
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
  ospf cost 10
  interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
  ospf cost 10
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  ospf cost 10
  management-only
  STANDBY ASA
  Standby-ASA# sh run failover
  failover
  failover lan unit secondary
  failover lan interface stateful1 GigabitEthernet0/3
  failover key *****
  failover link stateful1 GigabitEthernet0/3
  failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
  Standby-ASA# sh failover
  Failover On
  Failover unit Secondary
  Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 160 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 20:39:23 CDT Sep 3 2013
  This host: Secondary - Standby Ready
  Active time: 2119 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.253): Normal
  Interface inside (192.168.218.253): Normal
  Interface dmz (192.168.215.252): Normal (Waiting)
  Interface management (192.168.1.2): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Other host: Primary - Active
  Active time: 70110 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.254): Normal
  Interface inside (192.168.218.252): Normal
  Interface dmz (192.168.215.254): Normal (Waiting)
  Interface management (192.168.1.1): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Standby-ASA# sh run interface
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
  ospf cost 10
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
  ospf cost 10
  interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
  ospf cost 10
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  ospf cost 10
  management-only
  Does anyone see something I might be missing? I am at a loss...

  I'll just answer my own question...the configs are correct, but it the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it everytime.

• Older version of openssl in cisco asa 5520

  Hi,
  Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have  to  check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
  Thanks,
  Sridhar

  Sridhar,
  W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
  You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
  In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
  Marcin

• Cisco ASA 5520 traffic between interfaces

  Hello,
  I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
  ciscoasa# ping esx_management 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  ciscoasa# ping home_network 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  Thank you in advance.

  Hi,
  Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
  I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
  packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
  I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
  I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
  Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
  Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
  Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
  Static Identity NAT
  static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  OR
  NAT0
  access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
  nat (home_network) 0 access-list HOMENETWORK-NAT0
  Hope this helps
  - Jouni

• Cisco ASA 5520 Traffic monitoring

  Hello ,
  We have a Cisco ASA 5520 and im looking for a way to monitor largest outgoing and incoming traffic per ip in real time so to know which of my internal computers are using the most of our Internet Line. Is there a way to this through ADSM ? We use version 6.3.
  Thanks a lot

  Hi,
  I dont think the ASA alone can give you a really clear picture of the real time situation.
  It however should be able to give you some clue and simple statistics on the ASDM Firewall Dashboard
  My ASDM version is 7.1 but it should be there in your version also.

• HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

  Hi all!
  we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
  We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
  Best regards for all,

  You cannot make a 5520 establish failover with the mate being a 5525-X.
  1. The configuration guide (here) states:
  The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
  2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

• Command to View LDAP Password on Cisco ASA 5520

  Hello
  I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
  Thanks!
  Matt

  Thankyou Jennifer for the responds.
  Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
  i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
  [454095] sAMAccountName: value = testvendor
  [454095] sAMAccountType: value = 805306368
  [454095] userPrincipalName: value = [email protected]
  [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
  [454095] msNPAllowDialin: value = TRUE
  [454095] dSCorePropagationData: value = 20111026081253.0Z
  [454095] dSCorePropagationData: value = 20111026080938.0Z
  [454095] dSCorePropagationData: value = 16010101000417.0Z
  Is their any other settings that i need to do it on AD ?
  Kindly advice
  Regards
  Shiji

• Cisco ASA 5520 Crashinfo

  I have cisco asa 5520 firewall in production sudenly yetserday firewall was reboted and crashinfo file was genetrated(check with command show crashinfo)
  But unable to undersatand the terms
  I want to know below thing regarding crashinfo
  1) In asa where crashinfo file stores and file name(please share commnad for checking)
  2) How to copy file from device to machine
  3) How to read that file(any tool any software)

  The crashinfo file ("show crashinfo") is plain text and along with the memory register contents there is a whole long list of other information - running-configuration, interface status and counters, etc. So you can look at it in any text editor or even on the ASA console itself.
  As far as learning from it directly, there is plenty to learn and use without knowing the most detailed possible level of debug information.
  If you want to see some of the tools that are available (and may include some of the crashinfo data), I'd recommend to you a Cisco Live presentation like BRKSEC-3020. You can download that and any other Cisco Live presentations here with a free registration.

• Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

  I have enable and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have an Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
  home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

  Hi,
  Make sure that the required ports are allowed over he device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com
  Regards from ExchangeOnline.in|Windows Administrator Area | Skype:[email protected]

• Cisco ASA 5520s in Cluster Outside interface stops sending traffic

  Hi,
  We are running a Pair of ASA 5520s in active/standby mode.  In the last couple days the active device will just stop communicating on the outside interface.  Because the rest of the interfaces are still up,  it will not fail over, so we have to fail it manually.  The secondary unit works and passes traffic correctly.  We then reboot the Primary. 
  Then after some undetermined time,  it happens again and we have to manually fail it the other way,  reboot the affected ASA and wait for it to happen again.
  We have a case with TAC but they have not been able to figure this one out.  Has anyone else seen this behavior?
  This is the version info:
  Cisco Adaptive Security Appliance Software Version 8.4(7)
  Device Manager Version 7.3(1)100
  Thanks

  Hi,
  There are various possibilities on the ASA device which might be causing this issue:-
  1) Block depletion
  2) Memory depletion
  Other things might be related to the external ISP as well.
  Can we collect some outputs from the ASA device at the time when the issue is seen on the ASA device.
  If you can share the output , i can have a look at it otherwise you can open a TAC case.
  Thanks and Regards,
  Vibhor Amrodia

• ASA 5520 - ASDM logging: disable rules logging

  Hello all,
  I'm encountering what I think is an issue on logging system on FW ASA 5520 - Asa Version 8.4(2), ASDM version 6.4(5). When I disabled the logging inside a rule from ASDM, or from console with the "log disable" option inside ACL, If I check in ASDM logging real time window I continue to see all the entry related to disabled rules. This is a correct behaviour about ASA logging ? How I can "hide" the entry related to disabled rules (this is what I need for troubleshooting purposes) ?
  Thanks in advance for every reply.
  Regards.

  Hi Paolo,
  Well, if it is just for an specific rule, the log keyword at the end of the ACL should not be there, but if you dont want to see the log at all you can use the command no logging message command.
  Mike

• What is the Cisco ASA 5520's VPN ustility like?

  Hi, I have a Cisco 3015 VPN concentrator, the Web admin tool is really good. We are getting a 2 Cisco 5520 soon in failover mode and I wondered if I should move my site-to-sites to the ASA 5520 and if so how good it the tool for the ASA VPN's as I not seen it yet?

  The VPN capabilities of the ASA are very similar to that of the concentrators. Much of the management interface will have the same look and feel on both appliances. Migrating your L2L VPNs is a matter of preference and will depend on your topology. For me, I prefer to terminate my L2L VPNs into a DMZ and use the ASA to permit/deny traffic into my LAN.

• Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

  Hello,
  I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded 
  access-list 100 permit icmp any any unreachable
  ip address outside xxx.xxx.xxx.94 255.255.255.224
  ip address inside 192.168.1.1 255.255.255.0
  global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
  global (outside) 1 xxx.xxx.xxx.95
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  route outside 0 0 xxx.xxx.xxx.93
  access-group 100 in interface outside
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (inside) 1 192.168.1.0 255.255.255.0 0 0
  outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
  static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
  static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

  Hey Craig,
  Based on your commands I think you were using 6.3 version on PIX and now you must be  moving to ASA ver 8.2.x.
  On 8.4 for interface defining use below mentioned example :
  int eth0/0
  ip add x.x.x.x y.y.y.y
  nameif outside
  no shut
  int eth0/1
  ip add x.x.x.x y.y.y.y
  nameif inside
  no shut
  nat (inside) 1 192.168.1.0 255.255.255.0
  global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
  global (outside) 1 xxx.xxx.xxx.95
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded 
  access-list 100 permit icmp any any unreachable
  static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
  static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
  route outside 0 0 xxx.xxx.xxx.93
  access-group 100 in interface outside
  You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
  If you're still not able to reach.Paste your entire config and version that you are using on ASA.