CSCtu32204 - ASA 5580 : traceback in thread DATAPATH-3-1230

Has anyone had this problem, where the ASA reboots unexpectedly? And how can this problem be solved?

The 8.4(4) release and later fix this problem.

Similar Messages

  • DfltCustomization File is missing in Cisco ASA 5580

    I wanted to customize the SSL WebVPN page, but when I tried to create a new Customization object, it did not work because the DfltCustomization object is not available.
    We have so many WebVPN configurations and objects that I can't issue the "revert webvpn all" command.
    Can I import the file from some location, or can anyone provide me with the default customization object file so that I can export it into the ASA and create a new customized object accordingly?
    Or what other steps can I take to get customization working on my Cisco ASA 5580, 8.2(5) and ASDM 6.4?
    With Regards,
    Faizul

    Hi Faizul,
    I am including the DfltCustomization file, which has been exported from an active ASA.
    Please try to upload it and let me know.
    Portu.
    Please rate any posts you find helpful.

  • ASA 5580-20 Security Contexts

    Hi,
    How many contexts can a Cisco ASA 5580-20 provide? I have seen that it is up to 250. Can someone confirm that?
    Please do tell me about the licensing part for the same. How many of them come as default with the box, and what are the license conditions/specifications for additional contexts? Is it one extra license for every context?
    Rgds
    Rajesh

    Hi Rajesh,
    Please refer to this URL link:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/license/license82.html
    Security Contexts: 2
    Optional licenses: 5, 10, 20, 50
    Let me know if this answers your query.
    Thanks and Regards,
    Vibhor

  • ASA 5580 with EtherChannel 20Gbps: must the failover link match the same speed?

    Hello,
    I have an ASA 5580. I am planning on setting up two EtherChannels (inside and outside); each channel will include two TenGigabit interfaces.
    My question is whether the links that I am going to use for the failover and link should also be 20Gbps each, or whether it is OK to use 10Gbps for each link.
    According to the Configuration guide 8.4:
    Use the following failover interface speed guidelines for the ASAs:
    • Cisco ASA 5510
    – Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
    • Cisco ASA 5520/5540/5550
    – Stateful link speed should match the fastest data link.
    • Cisco ASA 5580/5585
    – Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for Stateful Failover.
    Thanks in advance

    Hi,
    I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
    I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which of the following interface configurations would make the most sense?
    Option 1:
    2x10GE = 20GE Etherchannel for Data
    1x1GE LAN Failover
    1x1GE STATE Failover
    Option 2:
    1x 10GE Data
    1x 10GE LAN & STATE Failover
    Option 3:
    2x10GE = 20GE Etherchannel for Data
    4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
    (EtherChannel for LAN/STATE Failover actually does not make much sense, since only one interface will be used anyway)
    Option 4:
    1x10GE LAN & STATE Failover
    8x1GE = 8 GE Etherchannel for Data
    I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
    What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
    The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
    Thanks in advance for your feedback!

  • DC and ADC Synchronization through ASA 5580

    Hi, I have a Windows 2008 server acting as DC connected to one of the interfaces of an ASA 5580, and have a couple of ADCs in the branches which are connected to different interfaces of the ASA. The routing is happening through the ASA. When trying to do DCPROMO on the ADC, it's giving an error. There is no NAT on the ASA and I have an access-list configured for "Permit IP Any any" for all interfaces. Any clue what could be the problem?

    1) Please check the syslog to see if it's being blocked by the firewall.
    2) Run packet capture on both interfaces with ACL just between the DC and ADC:
    access-list cap-test permit ip host host
    access-list cap-test permit ip host host
    capture cap-DC access-list cap-test interface
    capture cap-ADC access-list cap-test interface
    Try the "DCPROMO", and check the packet capture to see where it is breaking.

  • Asa 5580 storage

    Hey all, are the hard drive bays on the front of ASA 5580s usable? I'm not finding any documentation regarding those bays and like the idea of using them for local log storage rather than storing logs on the 1 gig of flash. We've been hitting limits on the number of logs our syslog server can process from these firewalls and I was thinking of sending all the logs to local disk (if possible), then moving them off to another server every 8-12 hours.

    I do not believe that this is possible.  When logging to flash you only have the option to log to the internal flash, disk0 by default. All other disks which you insert into the ASA will be defined as external flash.
    However you can tell the ASA that when the buffer is almost full and about to "wrap around" itself (ie. overwrite existing logs) to send the logs to a syslog server.  Something like this:
    The following commands tell the ASA to save logs to the buffer until it is full and then send it to an FTP server. The /Syslogs specifies the directory path on the FTP server, followed by the username and password for the FTP server.
    logging flash-bufferwrap
    logging ftp-server 10.1.1.1 /Syslogs FTPadminUsername FTPadminPassword
    Please remember to select a correct answer and rate helpful posts

  • If i need a firewall,can ASR 1006 replace ASA 5580?

    I checked the ASR 1006 config with ESP-40; the firewall performance can reach 40G, while the ASA 5580 is 20G. Can the ASR 1006 replace the ASA 5580? Is there any function or feature problem?
    Thank you!

    Fly,
    There is no official documentation that states which L3 device can replace an ASA, since they are completely different devices with some capabilities in common.
    I would strongly recommend that you reach your account manager at Cisco for this one. They will be able to provide you accurate info.
    Mike.

  • ASA 5580 PAK key issue.

    Hi,
    Can anyone please let me know how to fix this issue?
    We got a replacement ASA 5580 from Cisco. We were not aware of the PAK. Is there any other possible way to generate an activation key?
    Can we generate a PAK or activation key using the SO (service order) number?

    You can request a new license after performing the RMA to have the same feature set.
    Check via:
    https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
    Under:
    RMA License Transfer

  • ASA 5580-20

    Dear Experts,
    On my ASA 5580-20 the system LED is flashing red. How can I troubleshoot this?
    I checked the rear panel and everything is OK; I also saw that the environment is showing OK.
    Please guide me on how I can troubleshoot this issue.
    Thanks
    Srini

    Typically when the LED is flashing red, there would have been syslog messages generated for that, so check your logs.

  • CSCup43257 - ASA Traceback in Thread name ci/console while modifying an object-group

    Hi Team,
    When can we see Updated releases showing up with 9.1.5-13 or later mentioned on the page, customer wants to see this update which has been verified by the submitter.


  • Upgrading license for more context cisco asa 5580

    Hi guys:
    This is the situation: I've got two firewalls with failover and I need to upgrade the license so I can get more contexts (right now I have 5 contexts and I need 10). I was looking at the procedure and I'm not sure if I need to restart the device or not. I was looking at this procedure:
    Upgrading the License for a Failover using ASDM (No Reload Required)
    Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
    1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.
    2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.
    3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
    4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
    5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
    6. Click Apply. This completes the procedure.
    link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml#norelasdm
    But then I checked on the Cisco web page that there are some licenses that need a reload, and I see this:
    All models
    Downgrading any license (for example, going from 10 contexts to 2 contexts).
    Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
    link: https://www.cisco.com/en/US/docs/security/asa/asa81/license/license81.html
    So I just want to know: if I'm UPGRADING from 5 to 10 contexts, does the reload apply to my situation or not?
    Regards

    No reload is required when you are upgrading from 5 to 10 security context license.
    Reload is only required on the following feature:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1361750
    Hope this helps.

  • ASA 5580 not sending traps

    I must be missing something in the config, as this is happening on multiple ASAs. I have the following config in place and am not receiving any traps on our management servers. I don't even see the Trap PDUs increasing in the snmp-server statistics. Any suggestions and advice are much appreciated.
    snmp-server host inside 10.235.42.38 community ****
    snmp-server host inside 10.236.32.34 community ****
    snmp-server host inside 10.236.36.34 community ****
    snmp-server host inside 10.236.43.34 community ****
    snmp-server location MEH
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps entity config-change fru-insert fru-remove
    snmp-server enable traps remote-access session-threshold-exceeded
    logging enable
    logging standby
    logging list snmp message 212001-212015
    logging console snmp
    logging trap debugging
    logging asdm informational
    logging host inside 10.236.38.36

    Are you able to ping the SNMP servers from the firewall? Is the SNMP server subnet directly connected to the firewall, or multiple hops away? Another thing to note: between the ASA and the SNMP servers, is there any other firewall or ACL that might be blocking the SNMP traps?
    If you run packet capture on the ASA firewall inside interface, are you seeing the snmp traps being sent out?
    Lastly, what does the output of "show snmp-server statistics" show?

  • Pb LMS 4 and ASA 5580

    Hi,
    First question: we tried to add an ASA 5580 (8.4) to LMS 4.0.1, but LMS doesn't know the ASA (Cisco Products 914?).
    - Other devices were added without problem.
    - I see LMS 4.0 supports inventory collection in the supported devices table for LMS 4.0.
    Second question:
    I want to export syslog to another space on the same server; how often?
    Because my customer wants to save syslog for one year!
    Thanks

    Hi,
    Regarding your first question, your screenshot shows how the ASA appears in the topology tool. Since topology services are not supported for ASA devices, it will appear thus.
    If you are successfully managing the ASA, you would go into the detailed device report (menu "Reports, Inventory, Detailed Device") and you should be able to get output similar to the attached (for an ASA 5510 in this case) for inventory services.
    Regarding your second question, how often depends on your syslog message volume. You can set up a job to run as a recurring job with whatever frequency is necessary using "Reports, Fault and Event, Syslog" and specifying the range you want. The reports can be written to disk locally or sent to an e-mail address (if you have the server setup to be able to e-mail).
    Update: Another alternative for syslog archiving is found in the Syslog Backup feature. Please refer to the LMS 4.0 Admin Guide at page 16-5, linked directly here.
    Hope this helps.

  • Cisco ASA 5580 Arp Collision Errors

    Dears,
    I am receiving a lot of errors: "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC".
    When I checked this MAC address in the same firewall, it shows too many IP addresses.
    What could be the reason ?
    Thanks...

    Hello Richard,
    My first thought is: why is the ASA receiving this traffic, if this is traffic that should not reach the default gateway?
    Anyway, try the following:
    same-security-traffic permit intra-interface
    Let me know how it goes
    Julio

  • Cisco ASA Upgrade from 7.0(8) to 8.2(1)

    Hi, I need to upgrade my 5510 ASA from 7.0(8) to 8.2(1). (Please note it's a different query from my last thread.)
    What I found online is that I will have to do this upgrade in sequence, that is:
    7.0.x -> 7.2.x --> 8.0.x --> 8.2.1
    Is that correct?
    Or will I go to 7.1.x first, like this?
    7.0.x--> 7.1.x -> 7.2.x --> 8.0.x --> 8.1.x--> 8.2.1
    Please guide. Also, I am assuming a reboot is required after every upgrade, right?

    OK, I found something in another Cisco document. That is what I thought:
    "To ensure that your configuration updates correctly, you must upgrade to each major release in turn. Therefore, to upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1, then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1 was only available on the ASA 5580)."
