Etherchannel support for ASA 5585X

Similar Messages

• Redundant etherchannels for ASA 5585X

  Hi there ,  We have procured 2 ASA 5585X units for Active / Standby setup . In the interim we will go with etherchannelling 1 Gig links to upstream 6513 swtiches (non VSS).  Can I have this configuration for resiliency. 
  Etherchannel from ASA Primary - Switch 1 & Switch 2
  Etherchannel from ASA Standby - Switch 1 & Switch 2
  or
  Etherchannel from ASA Primary - Switch 1
  Etherchannel from ASA Standby - Switch 2
  ( Failover links between the Firewalls are already configured )
  Currently I am reviewing which would be the best way to configure redundancies to upstream switches. Appreciate any suggestions
  Thanks

  The delay is not in the failover. The delay is in the traffic flowing through the 6513's now take a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to same VLAN's?
  I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?
  One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions.

• LMS 4.0 support for ASA firewall

  I need to add ASA 5520 to LMS 4.0, mainly for configuration archiving. ASA seems to be supported on LMS 3.2 as per the below link.
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/3.2/device_support/table/lms32sdt.html
  I had directly added the ASA to the DCR, with the right login credentials and SNMPv3 strings , but still LMS fails to detect the ASA.
  Thanks in advance.

  Thanks Nael for the reply, please find below the SNMP configuration on the ASA
  snmp-server group SNMPGRP v3 auth
  snmp-server user SNMPUSR SNMPGRP v3 encrypted auth md5 a9:ba:79:44:5b:b0:98:65:88:30:a1:8b:7b:69:a2:9c
  snmp-server host inside 10.88.80.11 trap version 3 SNMPGRP
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  The show version is given below.
  ASA5520# sh ver
  Cisco Adaptive Security Appliance Software Version 8.2(3)
  Compiled on Fri 06-Aug-10 07:51 by builders
  System image file is "disk0:/asa823-k8.bin"
  Config file at boot was "startup-config"
  ASA5520 up 8 days 19 hours
  failover cluster up 25 days 14 hours
  Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash M50FW080 @ 0xffe00000, 1024KB
  Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
  0: Ext: GigabitEthernet0/0  : address is 001f.9e50.8a24, irq 9
  1: Ext: GigabitEthernet0/1  : address is 001f.9e50.8a25, irq 9
  2: Ext: GigabitEthernet0/2  : address is 001f.9e50.8a26, irq 9
  3: Ext: GigabitEthernet0/3  : address is 001f.9e50.8a27, irq 9
  4: Ext: Management0/0       : address is 001f.9e50.8a28, irq 11
  5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
  6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled
  VPN-3DES-AES                   : Enabled
  Security Contexts              : 2
  GTP/GPRS                       : Disabled
  SSL VPN Peers                  : 2
  Total VPN Peers                : 750
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled
  AnyConnect for Cisco VPN Phone : Disabled
  AnyConnect Essentials          : Disabled
  Advanced Endpoint Assessment   : Disabled
  UC Phone Proxy Sessions        : 2
  Total UC Proxy Sessions        : 2
  Botnet Traffic Filter          : Disabled
  This platform has an ASA 5520 VPN Plus license.
  Serial Number: JMXXXXX
  Running Activation Key: XX
  Configuration register is 0x1
  Configuration last modified by enable_1 at 15:05:29.268 AST Sun Jun 12 2011
  When I add the ASA to the LMS using SNMPv3, the Device Management shows a blue box with a question mark(shown below).
  Is ASA supported on LMS 4.0 with SNMPv3? Doing a troubleshooting on the LMS shows that LMS might only support SNMPv1 & v2.

• Cisco ASA support for PBR

  Does anyone know if Cisco has the PBR feature road mapped for future IOS releases or if they are building in new feature sets to load balance 2 different ISP connections much like F5. It seems more and more customers are asking for all in one functionality from their NextGen firewalls and the ASA seems to fall short in this category.

  As of right now, you can do PBR on the ASA when the ASA is in a cluster.  I am uncertain if there will be support for PBR or loadbalancing on a standalone ASA in the future.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html#pgfId-1943033
  Please remember to select a correct answer and rate helpful posts

• ASA 5585X Clustering

  I have two ASA 5585X-SSP20 need to Cluster config. I am little confused about ASA to Core Switch and Server Firm Switch Connectivity. In cluster mode if we config master asa two 10G port as an ether-channel then others cluster member same port config as a same ether-channel.So four port in two asa work in single ether-channel. If this right then my diagram is correct or wrong. Plz  help me.  

  Hi,
  yes,technically you could run two SSP20's with all 4 10g ports in the same spanned etherchannel as a "firewall on a stick". 
  If you look in the cluster configuration guide you'll see that the CCL (Cluster Control Link) needs to be sized the same as the data links so if you don't add any extra modules to your SSP20 firewalls you'll end up with 1x 10g for data and 1x 10g for CCL on each physical firewall.
  We currently have this setup in our environment; each SSP20 firewall is connected to a Nexus 7K switch where one 10G port is used for CCL and one 10G port is setup as a trunk for all inbound/outbound traffic to/from the firewall.
  Hope this helps!
  -Michel

• Best Log Setting for ASA & MARS

  Hi,
  I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as what is the best log settings to use comming from the ASA for MARS? Right now it looks like everything is setup to be forwarded. Anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?
  Thanks

  Which syslogs are these specifically? We don't get any undefined events from our FWSM(s)? We get a plenty from the Netscreen (but AFAIR this is documented on CCO) that the support is not 'complete' as of yet.
  The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussion on Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.
  Regards
  Farrukh

• Configuration guide for ASA Ipsec.

  Ho guys.
  I need configuration guide for ASA Ipsec using Cli.
  Thank you.
  Sent from Cisco Technical Support iPad App

  Hi,
  please check the below link
  http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml?referring_site=smartnavRD
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
  Thanks and Regards,
          ROHAN 

• Mount ASA 5585x on 2-post rack?

  Is it possible to mount the ASA 5585x on a 2-post rack?

  It is POSSIBLE but not recommended.
  It's designed for a 4-post installation, using either the slide or fixed rail kit and mounting to all four posts.That's what's shown in the installation guide.
  If it were my ASA at US$100,000+per unit, I'd want it to be securely mounted.

• Any support for SecureSocket on iOS in AIR 3.2?

  Hi there,
  I'm developing an energy metering application where we currently support web browsers running Flash Player 11. The plan is to support the applicaton also on mobile devices and I was glad to see all the improvements in CS 5.5 for targeting both Android and iOS devices. One problem though, we are using the SecureSocket class for secure communication towards a server. Works perfect on Android devices, already with AIR 2.6. However, there doesn't seem to be any support on iOS for SecureSocket. Even with the latest AIR 3.1 release the .isSupported property returns a brutal FALSE when checked.
  Is there any information available on any time schedule for a SecureSocket class for iOS? I'm very much facing a dead end here, I have a perfect solution but can't make it work on the most important mobile platform for our customer (both iPhone and iPad).
  I would appreciate any information you may have in this matter.

  We added DHE support in ASA 8.4.4 (AFAIR) 9.1.2, but it's still not in on Anyconnect even in 3.1, at least the internal enhancement request is not fulfilled.
  If I may know, where is this quesiton coming from? We added Suite-B support to both AC and ASA (and IOS), I have not seen DHE mandated anywhere (granted I have limited visibility).
  http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480

• [svn] 3219: Checking in support for Network Monitor in rpc.swc

  Revision: 3219
  Author: [email protected]
  Date: 2008-09-16 01:33:39 -0700 (Tue, 16 Sep 2008)
  Log Message:
  Checking in support for Network Monitor in rpc.swc
  Modified Paths:
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/messaging/channels/DirectHTTPChannel.as
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/rpc/AbstractInvoker.as
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/rpc/AbstractOperation.as
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/rpc/http/AbstractOperation.as
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/rpc/http/mxml/HTTPService.as
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/rpc/soap/Operation.as
  Added Paths:
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/netmon/
  flex/sdk/trunk/frameworks/projects/rpc/src/mx/netmon/NetworkMonitor.as

  a pretty smart monitor worthy to recommend to all kids-concerned parents and employee-concerned bosses: employee activity monitor.
  Learn morefrom here:
  www.employee-activity-monitor.com

• ASA 5585x IPS Service Contract CON

  Dear all
  actually i'm looking for the IPS contract support for ASA5585 (SSP IPS), i found two type of this from internet with details below:
  CON-SNT-AS82S10K  -  SMARTNET 8X5XNBD ASA5580-20-10K-K9
  CON-SUO1-A8S2P2S9  - IPS SVC, ONSITE NBD ASA 5585-X w/SSP20,,IPS SSP-20,16GE,10K
  could please someone tell me about different between this two

  Hello,
  You can always check with the Cisco Sales representative to get more information. Normally those guys are the ones that can provide you more details in regards of Entitlement informaiton.
  Mike

• Which routing protocols are supported on ASA 5585

  Hi,
  I am curious to know which routing protocol is well supported on Cisco ASA 5585. do someone on the forum has implemented routing on ASA?
  I have ASA 5585 on context mode, as of now 4 contexts have been created. upstream device is Nexus.
  I have ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
  if someone can point me to good implemented example of routing protocol to their environment (like OSPF, BGP) that would be great.
  Thanks

  You're welcome.
  Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
  ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
  FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)

• ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

  Hello Community,
  it seems there are problems with dropped fragmented IPv4 UDP Multicast traffice on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
  MC src and rcv
  (XChariot)
  |
  -----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
  |
  MC src and rcv
  (XChariot)
  Test 1  (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
  (Trace "WAN-IF_capture_225.1.2.154_no-frag" and
  output "L2FW-not_fragmented"
  The traffic passes through the Transparent mode ASA without any problems.
  Test2 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441 resulting in fragmentation.
  This traffic and unfortunately it is the same for the real application is drop by the ASA. The two ASP drops counters for "
  Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a realtion of  3(DstMAC):1(invalid udp).
  The file"L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition the three traces in pcap format.
  Any idea?
  Thank you in advance for you contribution.

  Hello Community,
  the following combination solved our problem for now, upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
  http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322
  Perhaps further test will be made with using lower interim versions.

• Flash File for ASA Firewall

                     can you anyone  provide the link for Flash type learning for ASA Firewall 5505.

  Hi,
  To be honest I havent used that many online resources of the type you are after.
  I would imagine that the CCNP Security - Firewall certification book current version would have a lot of usefull information related to the Cisco firewalls.
  The CSC also has some videos related to firewalling
  https://supportforums.cisco.com/community/netpro/security/firewall?view=video
  There is also the Cisco Live 365 site which has all the documents from the Cisco Live events around the world. You will need to register to get access to my understanding. There are also videos of the presentations there (atleast for some). Naturally the documents dont go deep into theory but they do have some helpfull information
  https://www.ciscolive365.com/connect/publicDashboard.ww
  You can also find a lot of guide videos on Youtube for example like this one
  http://www.youtube.com/watch?v=Y0ZnRmgINgE
  Sadly I cant help you much in this case. I personally learnt most about the Cisco firewall the hard way, basically without any supporting material and education (we only had CCNA and CCNP Routing&Swithching wihtout any course on the PIX firewall that was in use at that time and ASAs were still new). Eventually I learned what I needed and nowadays I just tend to refresh information from documents and mostly refer to the ASA Configuration Guide and Command Reference if I need to check on some command or confirm how something worked.
  Hope this helps
  - Jouni

• IPod Reset Utility is not supported for use with Windows Vista??????

  is there anyway to get pass this?
  i need to use the ipod resetutility to reset my shuffle
  but the only problem is that i have Vista and the program isnt
  supported for vista. can someone help me out here?

  well the only problem with that is that
  everyone i know use vista -.-