CSCtu32204 - ASA 5580 : traceback in thread DATAPATH-3-1230
Has anyone had this problem? The ASA reboots unexpectedly. How can this problem be solved?
The 8.4(4) release and later fix this problem.
Similar Messages
-
DfltCustomization File is missing in Cisco ASA 5580
I wanted to perform the customization of the SSL WebVPN page. But when I tried to create a new Customization object, it is not happening, as the DfltCustomization object is not available.
We have so many WebVPN configurations and objects that I can't issue the "revert webvpn all" command.
Can I import the file from any location, or can anyone provide me the default customization object file so that I can export it into the ASA and create a new customized object accordingly?
Or what other steps can I take to have customization happening in my Cisco ASA 5580, 8.2(5) and ASDM 6.4?
With Regards,
Faizul
Hi Faizul,
I am including the DfltCustomization file, which has been exported from an active ASA.
Please try to upload it and let me know.
Portu.
Please rate any posts you find helpful.
-
Hi,
How many contexts can a Cisco ASA 5580-20 provide? I have seen that it is up to 250. Can someone confirm that?
Please do tell me about the licensing part for the same. How many of them come as default with the box, and what are the license conditions/specifications for additional contexts? Is it one extra license for every context?
Rgds
Rajesh
Hi Rajesh,
Please refer to this URL link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/license/license82.html
Security Contexts: 2
Optional licenses: 5, 10, 20, 50
Let me know if this answers your query.
Thanks and Regards,
Vibhor
-
ASA 5580 with EtherChannel 20Gbs, Does the Failover link must match the same Speed?
Hello,
I have an ASA 5580. I am planning on setting up two EtherChannels (inside and outside); each channel will include two TenGigabit interfaces.
My question is whether the links that I am going to use for the failover and link should also be 20Gbs each, or is it OK to use 10Gbs for each link?
According to the Configuration guide 8.4:
Use the following failover interface speed guidelines for the ASAs:
• Cisco ASA 5510
– Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
• Cisco ASA 5520/5540/5550
– Stateful link speed should match the fastest data link.
• Cisco ASA 5580/5585
– Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for Stateful Failover.
Thanks in advance
Hi,
I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which on the following interface configurations would make the most sense?
Option 1:
2x10GE = 20GE Etherchannel for Data
1x1GE LAN Failover
1x1GE STATE Failover
Option 2:
1x 10GE Data
1x 10GE LAN & STATE Failover
Option 3:
2x10GE = 20GE Etherchannel for Data
4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
(EtherChannel for LAN/STATE Failover actually does not make much sense, since only one interface will be used anyway)
Option 4:
1x10GE LAN & STATE Failover
8x1GE = 8 GE Etherchannel for Data
I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
Thanks in advance for your feedback!
-
DC and ADC Synchronization through ASA 5580
Hi, I have a Windows 2008 server acting as DC connected to one of the interfaces of an ASA 5580, and have a couple of ADCs in the branches which are connected to different interfaces of the ASA. The routing is happening through the ASA. When trying to do DCPROMO on the ADC, it's giving an error. There is no NAT on the ASA and I have an access-list configured for "Permit IP Any any" for all interfaces. Any clue what could be the problem?
1) Please check the syslog to see if it's being blocked by the firewall.
2) Run packet capture on both interfaces with ACL just between the DC and ADC:
access-list cap-test permit ip host host
access-list cap-test permit ip host host
capture cap-DC access-list cap-test interface
capture cap-ADC access-list cap-test interface
Try the "DCPROMO", and check the packet capture to see where it is breaking.
-
Hey all, are the hard drive bays on the front of ASA 5580s usable? I'm not finding any documentation regarding those bays and like the idea of using them for local log storage rather than storing logs on the 1 gig of flash. We've been hitting limits on the number of logs our syslog server can process from these firewalls, and I was thinking of sending all the logs to local disk (if possible), then moving them off to another server every 8-12 hours.
I do not believe that this is possible. When logging to flash you only have the option to log to the internal flash, disk0 by default. All other disks which you insert into the ASA will be defined as external flash.
However you can tell the ASA that when the buffer is almost full and about to "wrap around" itself (ie. overwrite existing logs) to send the logs to a syslog server. Something like this:
The following commands tells the ASA to save logs to the buffer until it is full and then send it to an FTP server. The /Syslogs specifies the directory path on the FTP server followed by the username and password for the FTP server.
logging flash-bufferwrap
logging ftp-server 10.1.1.1 /Syslogs FTPadminUsername FTPadminPassword
Please remember to select a correct answer and rate helpful posts
-
If i need a firewall,can ASR 1006 replace ASA 5580?
I checked the ASR 1006 config with ESP-40; the firewall performance can reach 40G, while the ASA 5580 is 20G. Can the ASR 1006 replace the ASA 5580? Is there any function or feature problem?
Thank you!
Fly,
There is no official documentation that states which L3 device can replace an ASA, since they are completely different devices with some capabilities in common.
I would strongly recommend that you reach your account manager at Cisco for this one. They will be able to provide you accurate info.
Mike.
-
ASA 5580 PAK key issue.
Hi,
Can anyone please let me know how to fix this issue?
We got a replacement ASA 5580 from Cisco. We were not aware of the PAK. Is there any other possible way to generate an Activation key?
Can we generate a PAK or Activation Key using the SO (service order) number?
You can request a new license after performing an RMA to have the same feature set.
Check via:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet
Under:
RMA License Transfer
-
Dear Experts,
On my ASA 5580-20 the system LED is flashing RED. How can I troubleshoot this?
I checked the rear panel and everything is OK; the environment is also showing OK.
Please guide me on how I can troubleshoot this issue.
Thanks
Srini
Typically when the LED is flashing RED, there would have been syslog messages generated for that.
So check your logs.
-
CSCup43257 - ASA Traceback in Thread name ci/console while modifying an object-group
Hi Team,
When can we see Updated releases showing up with 9.1.5-13 or later mentioned on the page, customer wants to see this update which has been verified by the submitter.
-
Upgrading license for more context cisco asa 5580
Hi guys:
This is the situation: I have two firewalls with failover and I need to upgrade the license so I can get more contexts (right now I have 5 contexts and I need 10). I was looking at the procedure and I'm not sure if I need to restart the device or not. I was looking at this procedure:
Upgrading the License for a Failover using ASDM (No Reload Required)
Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match.
2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.
3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
6. Click Apply. This completes the procedure.
link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00806b1c0f.shtml#norelasdm
But then I checked on the Cisco web page that there are some licenses that need a reload. I see this:
All models
Downgrading any license (for example, going from 10 contexts to 2 contexts).
Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
link: https://www.cisco.com/en/US/docs/security/asa/asa81/license/license81.html
So I just want to know: if I'm UPGRADING from 5 to 10 contexts, does the reload apply to my situation or not?
Regards
No reload is required when you are upgrading from 5 to 10 security context license.
Reload is only required on the following feature:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1361750
Hope this helps.
-
I must be missing something in the config, as this is happening on multiple ASAs. I have the following config in place and am not receiving any traps on our management servers. I don't even see the Trap PDUs increasing in the snmp-server statistics. Any suggestions and advice are much appreciated.
snmp-server host inside 10.235.42.38 community ****
snmp-server host inside 10.236.32.34 community ****
snmp-server host inside 10.236.36.34 community ****
snmp-server host inside 10.236.43.34 community ****
snmp-server location MEH
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
logging enable
logging standby
logging list snmp message 212001-212015
logging console snmp
logging trap debugging
logging asdm informational
logging host inside 10.236.38.36
Are you able to ping the snmp servers from the firewall? Is the snmp server subnet directly connected to the firewall, or multiple hops away? Another thing to note is between the ASA and the snmp servers, are there any other firewall, or ACL that might be blocking the snmp traps?
If you run packet capture on the ASA firewall inside interface, are you seeing the snmp traps being sent out?
Lastly, what does the output of "show snmp-server statistics" show?
-
Hi,
First question: we tried to add an asa5580 (8.4) to LMS4.0.1, but LMS doesn't know the ASA (Cisco Products 914?).
- other devices were added without problem
- I see LMS4.0 supports inventory collection in the supported dev table lms4.0
Second question:
I want to export syslog to another space on the same server; how often?
Because my customer wants to save syslog for one year!
Thanks
Hi,
Regarding your first question, your screenshot shows how the ASA appears in the topology tool. Since topology services are not supported for ASA devices, it will appear thus.
If you are successfully managing the ASA, you would go into the detailed device report (menu "Reports, Inventory, Detailed Device") and you should be able to get output similar to the attached (for an ASA 5510 in this case) for inventory services.
Regarding your second question, how often depends on your syslog message volume. You can set up a job to run as a recurring job with whatever frequency is necessary using "Reports, Fault and Event, Syslog" and specifying the range you want. The reports can be written to disk locally or sent to an e-mail address (if you have the server setup to be able to e-mail).
Update: Another alternative for syslog archiving is found in the Syslog Backup feature. Please refer to the LMS 4.0 Admin Guide at page 16-5, linked directly here.
Hope this helps.
-
Cisco ASA 5580 Arp Collision Errors
Dears,
I am receiving a lot of errors "%ASA-4-405001: received ARP collision from IP/MAC on interface dmz1 with existing ARP Entry IP/MAC".
When I checked this MAC address in the same firewall, it shows too many IP addresses.
What could be the reason?
Thanks...
Hello Richard,
My first thought is: why is the ASA receiving this traffic, if this is traffic that should not reach the default gateway?
Anyway, try the following:
same-security-traffic permit intra-interface
Let me know how it goes
Julio
-
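Added example (not part of the thread or of Cisco's tooling): a Python sketch that tallies the %ASA-4-405001 messages quoted in the ARP collision question above by sender MAC, to surface one MAC colliding on many IP addresses as the poster describes. The sample log lines, the host name fw1 and all addresses are constructed, and the regex assumes the "Received ARP request/response collision" wording with dotted MAC addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the %ASA-4-405001 message quoted above.
SAMPLE_LOG = """\
Jan 10 09:15:01 fw1 %ASA-4-405001: Received ARP request collision from 192.0.2.10/0011.2233.4455 on interface dmz1 with existing ARP entry 192.0.2.10/00aa.bbcc.ddee
Jan 10 09:15:03 fw1 %ASA-4-405001: Received ARP response collision from 192.0.2.11/0011.2233.4455 on interface dmz1 with existing ARP entry 192.0.2.11/00aa.bbcc.dd01
Jan 10 09:15:07 fw1 %ASA-4-405001: Received ARP request collision from 192.0.2.12/0011.2233.4455 on interface dmz1 with existing ARP entry 192.0.2.12/00aa.bbcc.dd02
Jan 10 09:16:40 fw1 %ASA-4-405001: Received ARP request collision from 192.0.2.50/0050.5600.0001 on interface dmz1 with existing ARP entry 192.0.2.50/0050.5600.0002
Jan 10 09:17:02 fw1 %ASA-6-302013: Built outbound TCP connection 1 for dmz1:192.0.2.10/80
"""

MAC = r"[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}"   # ASA-style dotted MAC (assumption)
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PATTERN = re.compile(
    rf"%ASA-4-405001: received ARP (?:(?P<kind>request|response) )?collision "
    rf"from (?P<ip>{IP})/(?P<mac>{MAC}) on interface (?P<ifc>\S+) "
    rf"with existing ARP entry (?P<old_ip>{IP})/(?P<old_mac>{MAC})",
    re.IGNORECASE,
)

def parse_collisions(text):
    """Return one dict per 405001 line; other syslog IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()
            ev["old_mac"] = ev["old_mac"].lower()
            events.append(ev)
    return events

def macs_claiming_many_ips(events, threshold=2):
    """Map (interface, sender MAC) -> sorted IPs it collided on, if >= threshold."""
    claimed = defaultdict(set)
    for ev in events:
        claimed[(ev["ifc"], ev["mac"])].add(ev["ip"])
    return {k: sorted(v) for k, v in claimed.items() if len(v) >= threshold}

if __name__ == "__main__":
    events = parse_collisions(SAMPLE_LOG)
    for (ifc, mac), ips in macs_claiming_many_ips(events).items():
        print(f"{ifc}: {mac} collided on {len(ips)} addresses: {', '.join(ips)}")
```

A MAC that shows up here against several addresses is the device to trace on the switch side of that interface.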
Cisco ASA Upgrade from 7.0(8) to 8.2(1)
Hi, I need to upgrade my 5510 ASA from 7.0(8) to 8.2(1) (please note it's a different query from my last thread).
What I found online is that I will have to do this upgrade in sequence, that is
7.0.x -> 7.2.x --> 8.0.x --> 8.2.1
Is that correct?
Or will I go to 7.1.x first? Like this:
7.0.x--> 7.1.x -> 7.2.x --> 8.0.x --> 8.1.x--> 8.2.1
Please guide. Also, I am assuming a reboot is required after every upgrade, right?
OK, I found something in another Cisco document. That is what I thought:
"To ensure that your configuration updates correctly, you must upgrade to each major release in turn. Therefore, to upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1, then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1 was only available on the ASA 5580)."