Cisco Pix Syslog - details of traffic flow
Hi
We are logging to a syslog server on level informational. I see a byte count logged with each connection and I'm trying to understand what it means.
Is it the sum of in+out traffic for the connection? Or is it only one direction? Is there a way to determine bytes counts for both directions (like netflow)?
We are using version 6.3, but are in a position to upgrade if that will help meet our above requirements.
Thanks
Go through the Cisco PIX Firewall System Log Messages, Version 6.3 guide. It will clear your doubts.
http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/63syslog.html
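As an added example (not from this thread and not Cisco's code), here is a small Python parser for the PIX 6.x connection teardown messages (302014 for TCP, 302016 for UDP), which are where the per-connection byte count the question asks about appears. The log lines are constructed for the example and follow the message layout documented in the 6.3 syslog guide linked above; the parser treats the single `bytes` value as the connection's total (an assumption to confirm against that guide), since the message has no separate in/out fields to split. Summing those totals per inside host from informational-level logs is a cheap way to notice unusual egress volume without NetFlow.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real data from the thread) in the PIX 6.3
# "Teardown ... connection" layout: 302014 for TCP, 302016 for UDP.
# The 302013 "Built" line is included to show that it is skipped.
SAMPLE_LOG = """\
Sep  9 14:43:11 fw %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:192.168.1.20/51234 duration 0:00:12 bytes 8192 TCP FINs
Sep  9 14:43:12 fw %PIX-6-302016: Teardown UDP connection 1002 for outside:203.0.113.53/53 to inside:192.168.1.20/40000 duration 0:00:02 bytes 310
Sep  9 14:43:15 fw %PIX-6-302014: Teardown TCP connection 1003 for outside:198.51.100.7/80 to inside:192.168.1.30/52000 duration 0:01:05 bytes 1048576 TCP Reset-I
Sep  9 14:43:16 fw %PIX-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.30/52001 (192.0.2.1/1025)
"""

# One regex for both TCP (302014) and UDP (302016) teardown messages.
TEARDOWN_RE = re.compile(
    r"%PIX-\d-(?P<msgid>30201[46]): Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*))?$"
)


def parse_teardown(line):
    """Parse one 302014/302016 teardown line into a dict, or return None for any other line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "msgid": d["msgid"],
        "proto": d["proto"],
        "conn_id": int(d["conn"]),
        "endpoints": (
            (d["if_a"], d["ip_a"], int(d["port_a"])),
            (d["if_b"], d["ip_b"], int(d["port_b"])),
        ),
        "duration_s": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
        # The message carries one byte count per connection. This example
        # treats it as the connection total (assumption); the format has no
        # per-direction fields, so it cannot be split into in/out here.
        "bytes": int(d["bytes"]),
        "reason": d["reason"] or "",
    }


def parse_log(text):
    """Parse every teardown record in a block of syslog text, skipping other messages."""
    return [rec for rec in map(parse_teardown, text.splitlines()) if rec]


def bytes_by_host(records, interface="inside"):
    """Sum per-connection byte counts for each host seen on the named interface."""
    totals = defaultdict(int)
    for rec in records:
        for ifname, ip, _port in rec["endpoints"]:
            if ifname == interface:
                totals[ip] += rec["bytes"]
    return dict(totals)


def large_connections(records, threshold):
    """Return teardown records whose byte count is at or above the threshold."""
    return [rec for rec in records if rec["bytes"] >= threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, total in sorted(bytes_by_host(recs).items()):
        print(f"{host:16} {total:>10} bytes")
    for rec in large_connections(recs, 1_000_000):
        print(f"large connection {rec['conn_id']}: {rec['bytes']} bytes ({rec['reason']})")
```

The interface name passed to `bytes_by_host` must match the name the PIX uses in the message (`inside` here), and the regex deliberately ignores the syslog timestamp and hostname prefix so it works on lines relayed through a syslog server.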
Similar Messages
-
Hi,
Can somebody give the packet/traffic flow paths from a higher security interface to a lower one, and vice versa?
For e.g.: session > acl > xlate > etc...
Are these checks different in the two scenarios above?
Hi Felipe,
But I do find a difference while reading the URL below.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
I would like to know how the traffic flows from outside to inside and from inside to outside.
Hope you got it...
regards
rajesh -
ASA 5505, how to configure DMZ to Inside traffic flows
Dear.
We have a Cisco ASA 5505 with an outside, inside and DMZ interface.
We really need all these interfaces.
The DMZ interface has been configured to block any traffic to the inside (restrict traffic flow). This restriction can't be disabled; an error occurred when trying to do so.
I want to allow only one single port to have access from the DMZ to the inside. Is that possible? And how?
Thanks for the feedback.
Regards.
Peter.
What I mean with "can't be disabled": when you navigate to Configuration/interfaces and select the DMZ interface / advanced, you can block traffic. By default Inside has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create another, extra interface because the license is 3 max.
So, my question is: can I create a rule somewhere to override this setting for only one specific port? And how?
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
router up 100 days 1 hour
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is a44c.11bb.5492, irq 11
1: Ext: Ethernet0/0 : address is a44c.11bb.548a, irq 255
2: Ext: Ethernet0/1 : address is a44c.11bb.548b, irq 255
3: Ext: Ethernet0/2 : address is a44c.11bb.548c, irq 255
4: Ext: Ethernet0/3 : address is a44c.11bb.548d, irq 255
5: Ext: Ethernet0/4 : address is a44c.11bb.548e, irq 255
6: Ext: Ethernet0/5 : address is a44c.11bb.548f, irq 255
7: Ext: Ethernet0/6 : address is a44c.11bb.5490, irq 255
8: Ext: Ethernet0/7 : address is a44c.11bb.5491, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013 -
Cisco PIX 515E multiple ISP support in a VPN scenario
I am currently running Cisco 7.2 IOS on a Cisco PIX 515E appliance. I have terminated two ISP links on the two ports, and I also have an inside network (LAN). I want to establish 2 site-to-site VPN tunnels using each one of these ISP links respectively (Site 1 on ISP link 1 && Site 2 on ISP link 2).
Is this possible to achieve??
Hello,
This should work. Route the remote endpoint for site 1 out link 1 (using a static route) and for site 2 out link 2 (using a static route) and that should do it.
Return traffic should work, assuming both ISPs aren't advertising the networks your interfaces are on via BGP (i.e., you don't want return traffic from site one coming down the link to site 2 because that ISP is advertising that AS as well.)
--Jason -
Linksys WRT600N vs CISCO PIX 506E.... Firewall / Routing Performance
Hi:
I am new to the forum and was hoping to tap into some of your expertise. I have a Linksys WRT600N version 1.1 and I recently acquired a CISCO PIX 506E firewall. My question is what should I use as a firewall? Both have SPI etc. Should I:
a) Use the 506E as a firewall and use the 600 as a wireless access point, or
b) Use the 600 as a firewall and wireless access point.
Do both routers have the same firewall routing performance? I want to use the storage feature on the 600N, but if I do that and use it as a wireless access point the 600 can't get the proper time from the Internet, so the time for newly created folders and files shows they are 10 years old.
Anyway, just thought I would post and find out what some of the experts thought and maybe someone from Linksys or CISCO. I know the 506E is discontinued and was manufactured around 2001 and the 600N is a new model.
(Edited subject to keep threads from stretching. Thanks!)
Message Edited by JOHNDOE_06 on 05-06-2008 10:41 AM
The PIX is a real firewall. The WRT has a firewall which mostly protects the router itself. People prefer to buy an "SPI firewall router" instead of a simple "router" even though the router firewall does nothing or little to protect the LAN. The only firewall configuration on the WRTs you can usually do is on the Access Restrictions tab. But that's usually all. The LAN itself is not protected by the firewall. You would notice this if you had a public IP subnet and ran it through the WRT: the LAN would be fully exposed to the internet. Some routers have a few functions like protection against denial of service attacks or similar. But even then this often filters only the traffic targeted at the router and not the LAN.
The common protection of your LAN you have on the WRT is because you use private IP addresses inside your LAN and the router does NAT. However, NAT is not a security mechanism but a mechanism to solve the problem that you can only have a single public IP address but want to use multiple computers, which is why you have to use private IP addresses. Current NAT implementations usually drop unsolicited incoming traffic because they don't know to which IP address in the LAN to send it to. But the notion of NAT is to deliver and to allow connectivity. This has nothing to do with security or a firewall.
Thus, if you want to use a real firewall, use the PIX. On the PIX you can configure which traffic is allowed to enter the LAN and which is not. It is far superior in this respect to the WRT. However, as it is an older model, I cannot tell how fast the PIX is. You should be able to find the old data sheets of the PIX somewhere on the Cisco website. They should mention the possible throughput. I guess it won't be an issue.
To me another point for the PIX are the VPN capabilities which allow you to securely access your LAN while you are on the road.
Of course, you must know how to configure the PIX correctly. It is a complex device and can be configured pretty much for anything you like. This means of course if you do it wrong you may end up with little or no security.
BTW, there are no people from Linksys in this forum except the moderators (who may be from Lithium). To hear from Linksys you have to contact Linksys support. -
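To make the point of the reply above (that NAT delivers rather than filters) concrete, here is an added Python model that is not from the post or from either vendor. It contrasts a translation-only NAT with a stateful firewall that applies an explicit inbound policy. The model assumes simplified full-cone port mapping and uses made-up addresses; real routers differ in how strictly they filter inbound packets to mapped ports, which is why the protection is not something to rely on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


PUBLIC_IP = "192.0.2.1"   # constructed public address of the router


class FullConeNat:
    """Address translation only: maps an inside (ip, port) to a public port and back.

    Assumption for this example: full-cone behaviour. Once a mapping exists,
    any outside host can reach the inside socket through the mapped port.
    """

    def __init__(self):
        self.next_port = 40000
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Deliver to the LAN if a mapping exists; drop only when there is nowhere to send it."""
        dest = self.in_map.get(pkt.dst_port)
        if dest is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, dest[0], dest[1])


class StatefulFirewall:
    """Tracks outbound flows and applies an explicit inbound allow policy."""

    def __init__(self, inbound_allow=()):
        self.flows = set()                        # (remote_ip, remote_port, local_ip, local_port)
        self.inbound_allow = set(inbound_allow)   # (local_ip, local_port) pairs permitted unsolicited

    def outbound(self, pkt):
        self.flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return pkt

    def inbound(self, pkt):
        reply_key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if reply_key in self.flows or (pkt.dst_ip, pkt.dst_port) in self.inbound_allow:
            return pkt
        return None


def demo():
    """Run the same three inbound packets through NAT alone and through a firewall policy."""
    nat = FullConeNat()
    fw = StatefulFirewall(inbound_allow=[(PUBLIC_IP, 443)])   # one published service

    # An inside host opens a DNS query; NAT maps it and the firewall records the flow.
    query = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.10", 53))
    fw.outbound(query)

    reply = Packet("198.51.100.10", 53, PUBLIC_IP, query.src_port)      # the real answer
    stranger = Packet("203.0.113.99", 4444, PUBLIC_IP, query.src_port)  # unrelated host, same mapped port
    to_service = Packet("203.0.113.99", 4444, PUBLIC_IP, 443)           # unsolicited, but published

    return {
        "nat_delivers_reply": nat.inbound(reply) is not None,
        "nat_delivers_stranger": nat.inbound(stranger) is not None,        # NAT only translates
        "nat_delivers_to_service": nat.inbound(to_service) is not None,    # no mapping, so dropped
        "fw_allows_reply": fw.inbound(reply) is not None,
        "fw_allows_stranger": fw.inbound(stranger) is not None,            # not a reply, not published
        "fw_allows_to_service": fw.inbound(to_service) is not None,        # explicitly allowed
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

The two "stranger" results are the point: the NAT forwards the unrelated packet because a mapping happens to exist, while the firewall drops it because it is neither a reply to a tracked flow nor a published service. The firewall also admits the published port without any mapping, which is the configurable "allowed to enter the LAN" behaviour the reply attributes to the PIX.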
Cisco PIX 525 and 515 cannot archive configuration in LMS 3.0.1
Hi,
We have several Cisco PIX 525 and 515 that cannot archive configuration in LMS 3.0.1.
Any help would be greatly appreciated.
Thanks in advance
Samir
Hi,
Here is the output.
*** Device Details for ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> TFTP,SSH,HTTPS
Execution Result:
RUNNING
CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
But when I do Management Station to Device it gives me the following results:
Interface Found: 10.192.18.10
Status: UP
Test Results
UDP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
TCP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
HTTP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
TFTP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
SNMPRv2c(Read) Okay
sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
SNMPWv2c(Write) Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
SSHv2 Failed
TELNET Okay
Waiting for your reply.
Samir -
Where are syslogs stored, if I point my devices to Cisco Prime acting as my syslog server? I am running 2.0
thanks, Jerry
Hi,
As of now, this feature is not available; I mean PI will not work as a syslog server.
Syslog messages received by PI from managed devices are found under Monitor > Alarms and Events > Syslogs.
As you are using PI 2.2, you will be able to see all device syslog messages (severity 0-7).
That display will show you up to 200,000 messages at a time.
Check the link below for other related details provided by Marvin:
https://supportforums.cisco.com/discussion/12486126/cisco-prime-syslog-functionality#sthash.Wbj2a3lj.dpuf
Thanks-
Afroz
***Ratings Encourages Contributors **** -
ACE - Inter-context traffic flow.
Experts,
Could you please guide me on the traffic flow mentioned below?
Connection flow:
client IP 192.168.240.220 == VLAN721=[VIP 10.106.108.137] ===VLAN 537[Server 10.106.24.133]<=={User context test1}
[Server 10.106.24.133]=== VLAN 739==[VIP 10.106.112.59] =====VLAN343 [Server 10.106.3.8] <= {User Context test2}
There are two contexts, test1 & test2, on the same ACE box, which resides in a CAT6k. Just curious to know how to redirect the server (10.106.24.133) in context test1 to the VIP (10.106.112.59) in context test2, which are not in a shared VLAN.
context test 1
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
inservice
rserver host SITMA21
ip address 10.106.24.133
probe PING
inservice
rserver host SITMA22
ip address 10.106.24.138
probe PING
inservice
serverfarm host L17SVWOASIS03_FARM
description oasis-sso-stg2 server farm
failaction purge
probe TCP-80
rserver SITMA21 80
inservice
rserver SITMA22 80
serverfarm redirect OASIS-SSO-STG2_OOS_REDIRECT_FARM
rserver OASIS-SSO-STG2_OOS_REDIRECT
inservice
sticky ip-netmask 255.255.255.255 address both L17SVWOASIS03_STICKY
serverfarm L17SVWOASIS03_FARM backup OASIS-SSO-STG2_OOS_REDIRECT_FARM
timeout 10
replicate sticky
Need to know when the redirection will take place here. I feel that only if the serverfarm (L17SVWOASIS03_FARM) goes down does the redirect server come into the picture, as per the configs attached.
If that is the case then
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
inservice
The highlighted URL should be the VIP of context test2, i.e. 10.106.112.59, is that right? In that case, how is this request sent to the VIP, since both are in different VLANs? Should it be done with PBR (policy based routing) via the CAT6k? Could anyone please share the configs?
Or can this be done with a default route to the VIP on the contexts?
Configs
=====
CSS - Context 1
============
probe tcp qaahmapp1-ssl-475_PROBE
port 475
interval 5
passdetect interval 5
connection term forced
rserver host HS_PROD.sanovia_447-ssl-a
ip address 10.99.0.13
inservice
rserver host HS_PROD.sanovia_447-ssl-b
ip address 10.99.0.14
inservice
serverfarm host sanovia.qaahm.ssl
probe qaahmapp1-ssl-475_PROBE
rserver HS_PROD.sanovia_447-ssl-a 475
conn-limit max 4000000 min 4000000
inservice
rserver HS_PROD.sanovia_447-ssl-b 475
conn-limit max 4000000 min 4000000
inservice
parameter-map type http cisco_avs_parametermap
case-insensitive
persistence-rebalance
parsing non-strict
action-list type optimization http cisco_avs_bandwidth_and_latency
delta
flashforward
action-list type optimization http cisco_avs_img_latency
flashforward-object
action-list type optimization http cisco_avs_obj_latency
flashforward-object
class-map type http loadbalance match-all cisco_avs_bandwidth_and_latency
2 match http url .*
class-map type http loadbalance match-any cisco_avs_img_latency
2 match http url .*jpg
3 match http url .*jpeg
4 match http url .*jpe
5 match http url .*png
class-map type http loadbalance match-any cisco_avs_obj_latency
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
class-map match-all sanovia.qaahm.ssl_CLASS
2 match virtual-address 10.99.1.76 tcp eq https
policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
class class-default
serverfarm sanovia.qaahm.ssl
insert-http x-forward header-value "%is"
policy-map type optimization http first-match sanovia.qaahm.ssl_CLASS-l7opt
class cisco_avs_obj_latency
action cisco_avs_obj_latency
class cisco_avs_img_latency
action cisco_avs_img_latency
class cisco_avs_bandwidth_and_latency
action cisco_avs_bandwidth_and_latency
policy-map multi-match POLICY
class sanovia.qaahm.ssl_CLASS
loadbalance vip inservice
loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
optimize http policy sanovia.qaahm.ssl_CLASS-l7opt
loadbalance vip icmp-reply active
nat dynamic 2 vlan 20
appl-parameter http advanced-options cisco_avs_parametermap
interface vlan 20
ip address 10.99.1.240 255.255.255.0
alias 10.99.1.241 255.255.255.0
nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.1.1
========================================================================================
SCA - Context 2
============
crypto chaingroup GoDaddy
cert cisco-sample-cert
probe tcp AHM_QA-PROBE
port 8080
interval 5
passdetect interval 5
connection term forced
rserver host AHM_QA
ip address 10.99.1.76
conn-limit max 4000000 min 4000000
inservice
serverfarm host AHM_QA
rserver AHM_QA 8080
conn-limit max 4000000 min 4000000
probe AHM_QA-PROBE
inservice
parameter-map type ssl sanovia-ssl-parms
description This is where you tweak your SSL parms, cert, etc.
cipher RSA_WITH_RC4_128_MD5 priority 4
cipher RSA_WITH_RC4_128_SHA priority 5
cipher RSA_WITH_DES_CBC_SHA priority 3
cipher RSA_WITH_3DES_EDE_CBC_SHA priority 6
cipher RSA_WITH_AES_128_CBC_SHA priority 7
cipher RSA_WITH_AES_256_CBC_SHA priority 8
ssl-proxy service sanovia-ssl-proxy
key cisco-sample-key
cert cisco-sample-cert
chaingroup GoDaddy
ssl advanced-options sanovia-ssl-parms
class-map match-any AHM_QA-CLASS
2 match virtual-address 10.99.0.13 tcp eq 475
3 match virtual-address 10.99.0.14 tcp eq 475
policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
class class-default
serverfarm AHM_QA
policy-map multi-match POLICY
class AHM_QA-CLASS
loadbalance vip inservice
loadbalance policy AHM_QA-CLASS-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 10
ssl-proxy server sanovia-ssl-proxy
interface vlan 10
ip address 10.99.0.17 255.255.255.0
peer ip address 10.99.0.11 255.255.255.0
nat-pool 1 10.99.0.13 10.99.0.13 netmask 255.255.255.255 pat
service-policy input POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.0.1
========================================================================================
CSS - Context 1 ( another VIP)
=======================
rserver host qaahmapp1-8080
ip address 10.99.1.217
conn-limit max 4000000 min 4000000
inservice
serverfarm host sanovia.qaahm.postssl
rserver qaahmapp1-8080 8080
conn-limit max 4000000 min 4000000
inservice
parameter-map type http HTTP_PARAMETER_MAP
persistence-rebalance
sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
cookie insert
serverfarm sanovia.qaahm.postssl
timeout 45
replicate sticky
class-map match-all sanovia.qaahm.postssl_CLASS
2 match virtual-address 10.99.1.76 tcp eq 8080
policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
class class-default
sticky-serverfarm qanovia.qaahm.postssl-STICKY
policy-map multi-match POLICY
class sanovia.qaahm.postssl_CLASS
loadbalance vip inservice
loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
loadbalance vip icmp-reply active
nat dynamic 2 vlan 20
appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 20
ip address 10.99.1.240 255.255.255.0
alias 10.99.1.241 255.255.255.0
nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
no shutdown
=============================================================================
I have configured two VLANs in the CAT6k, i.e. vlan 10 & vlan 20, with the following IPs as mentioned in the routes of the ACE:
10.99.0.1 & 10.99.1.1
Also configured only the final rserver 10.99.1.217 under vlan 20... this made all the VIPs and rservers come up, but I still couldn't get the required page. There is a small confusion in the first context, as the VIP is shown as https, but I don't see any cert and key in the customer config, so I made it http for my test. But the second context VIP is https, where I have added the certs and key as required.
Let me know if I am missing anything here. Many thanks in advance.
thanks
Martin -
Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to back up to Amazon S3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slow, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports were open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS -
IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501
I have successfully established an IPSEC tunnel with a Juniper firewall using a Cisco PIX 501 (version 6.3). The problem I am facing: I have network layer connectivity, but after a time interval I am not able to send traffic to the destination IP address on a specific port, although I can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.
Dear Mr.
The same problem has occurred with me. -
Trying to understand traffic Flow in a LWAPP wireless configuration.
I'm trying to understand at a high level how wireless traffic flows in the new LWAPP configuration. Based on what I can tell, all wireless traffic must flow through the controllers prior to getting onto the LAN.
So let's say I have an LWAPP Access Point off an access switch in a remote closet and my controller is off my core switches. I want to communicate from my wireless PC to a wired PC on this same access switch. The traffic flows from the AP down to the core switch, through the controller and back up to the access switch to the wired PC.
Is that correct?
If this is true my main concern is supporting APs from a central controller across a low speed WAN. Looks like I would not want to do that...
You're right in your assumption. Data traffic travels from the client to the AP. The AP then encapsulates this data using LWAPP and forwards it to the controller. The WLC then de-encapsulates (?) it, processes the traffic as necessary and then drops it onto the wired LAN.
So, in your scenario, the wireless client would send data to the AP. This would be encapsulated between the AP and the controller and then sent back again unencapsulated to the wired client.
Regarding using this system over a low speed WAN, there are two ways of doing this.
The first is to use a local WLC at the remote site (e.g. a WLC2006 or the new WLC network module for 2800/3800 ISR routers).
The second is to use AP1030s which are 'Remote Edge Access Points'. These aren't quite as lightweight as the rest of the 1000 Series in that they will bridge local traffic and only encapsulate traffic heading 'off site'. They will also continue to operate if connection back to the WLC is lost (the first WLAN configured on the WLC remains up on the REAP whilst connection to the WLC is lost).
I believe that the recommendation for these is a minimum of 2Mbps WAN connection. -
Cisco devices that support Multicast traffic?
Folks,
I am looking for list of Cisco devices that support Multicast traffic. Does anyone know how to get this information?
Thanks,
Nagesh
Cisco Feature Navigator
-
Cisco 871W eZVPN is unable to connect Cisco PIX vpn server
crypto ipsec client ezvpn TEST
 connect auto
 group Cisco key cisco123
 mode client
 peer 172.1.1.1
 xauth userid mode interactive
!
interface FastEthernet4
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
 crypto ipsec client ezvpn TEST
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 out
 ip nat inside
 crypto ipsec client ezvpn TEST inside
!
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
!
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
!
route-map EzVPN1 permit 1
 match ip address 103
These are the commands I applied on my router. It is able to connect, but unable to access any other servers. With the same user name & password the VPN dialer works on my laptop. Is there anything I am missing in the router configuration? The VPN server is a Cisco PIX 515E.
Cisco IOS on 871W is 12.3(8)Y12
1) Isn't your default route supposed to be pointing towards the external interface?
ip route 0.0.0.0 0.0.0.0 192.168.1.254 ?
2) Can you change the 'mode client' to 'mode network-extension'. Also the PIX will need 'nem enable'.
Have a look at the following (I'm assuming you already have as your config seems to be similar):
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
For old 6.x code on PIX, have a look at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml
Regards
Farrukh -
I have an 881 router configured with 2 dhcp WAN connections. I am trying to configure failure detection of the primary connection (I do not really care about the secondary at this time).
I have an ip sla/track configured to monitor the primary WAN connection, and if it stops passing traffic it removes that route, passing all traffic out the second WAN connection. When the first connection is restored it should restore the route and everything should pass through the first connection again. This works for all my tests except one. If I start a ping stream from a client "ping 8.8.8.8 -t" and disconnect the primary connection it will lose a few packets but then use the secondary connection in about 15 seconds. After restoring the primary connection all new traffic will use the primary connection, but the ping stream will then stop working (fails over, but not back). If I stop the ping stream for a time (not sure how long is required, but my test was over a minute) it will then use the primary connection like all other new traffic. A stop of a few seconds is not enough, and even opening up a second command prompt to ping the same target also does not work (pinging new targets works as desired). It is as if something is caching the route/session/whatever and it has to have a window of no traffic before expiring/relearning the route. This means any sustained traffic to the original target will not work until it is stopped for a certain time to let "something" age out.
I need to know if there is a way to "flush the cache" (or whatever) during fail-back to force the primary route to be used after fail-back, or something else that will have the same effect. My suspicion is that the second route gets "preferred" because the first is removed by the SLA, and when the SLA returns the route to the list the existing traffic flow is not aware of the route list change, using the last known good route (which now does not pass traffic). The issue here is that it takes a length of time for the now bad route to get flushed, which is longer than I want.
config (edited):
interface FastEthernet3
description Backup ISP
switchport access vlan 800
no ip address
interface FastEthernet4
description Primary ISP
ip dhcp client route track 100
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN-to-1941
interface Vlan800
description Backup ISP
ip address dhcp
ip nat outside
ip virtual-reassembly in
track 100 list boolean or
object 101
object 102
track 101 ip sla 10 reachability
track 102 ip sla 20 reachability
ip sla 10
icmp-echo 4.2.2.2 source-interface FastEthernet4
threshold 1000
timeout 1500
frequency 5
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo 208.67.222.222 source-interface FastEthernet4
threshold 1000
timeout 1500
frequency 5
ip sla schedule 20 life forever start-time now
ip route 4.2.2.2 255.255.255.255 FastEthernet4 permanent
ip route 10.1.2.0 255.255.255.0 <1941 wan ip removed>
ip route <1941 wan ip removed> 255.255.255.255 FastEthernet4 permanent
ip route 208.67.222.222 255.255.255.255 FastEthernet4 permanent
ip route 0.0.0.0 0.0.0.0 Vlan800 dhcp 254
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
Observation: the last 2 routes appear in the order shown above. Even though the vlan800 route has a higher administrative cost it is in front of the FA4 route, could this be contributing to the issue? Is there a way to ensure the FA4 route is always listed before vlan800 at all times? -
Cisco PIX to Cisco ASA Migration Tool
Hello,
I would appreciate any help to download the Cisco PIX to ASA migration tool referred to at
http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
Thanks in Advance
Francisco Almeida
As a registered user, go to the download page for PIX software here.
Navigate on the menu tree to "Version 1.0" and you should see the software available to download: