I having pair of ASA 5520, between a day my internet traffic stops & to resolve i have to make secondary firewall active

I have I having pair of ASA 5520, between a day my internet traffic stops & to resolve i have to make secondary firewall active using "failover active"
the Memory utilization is in between 89-93 % but cpu is in between 34 to 45 %.

Any one yet? Does it sound very unfeasible ?

Similar Messages

  • ASA 5520 High Availability

    I have two ASA 5520s.  One has an IDS card and one doesn't. This makes the high availability wizard fail.  Can I manually setup the high availability.  I don't really need two ASA-SSM-20s.  I just want to have one ASA in Standby mode.  Is this possible.  Anybody have a configuration similar to this?
    Thanks,
    Alex Pfeil                  

    Hi,
    Let me first say that I have not configure a Failover pair where the units dont have matching hardware. So I kind of wonder even if the ASA accepts the configurations, will the failover act normally.
    Usually if I configure basic configurations for some ASA Failover pair I first configure all the basic configurations on the ASA and make sure that each interface on the ASA has the "ip address x.x.x.1 255.255.255.0 standby x.x.x.2" configuration under the interfaces
    I then configure the existing ASA with a basic Failover configuration such as
    failover
    failover replication http
    failover lan unit primary
    failover lan interface failover Management0/0
    failover key
    failover link failover Management0/0
    failover interface ip failover 255.255.255.0 standby
    I then prepare a blank ASA and finally configure its Failover too
    failover
    failover replication http
    failover lan unit secondary
    failover lan interface failover Management0/0
    failover key
    failover link failover Management0/0
    failover interface ip failover 255.255.255.0 standby
    I will then attach the Secondary unit to the network and finally attach the Failover link between the ASAs and let the Primary unit replicate all the configurations to the Secondary unit.
    Naturally this is something that would probably be best done during a separate scheduled maintanance break along with configuration backups etc just to be on the safe side.
    - Jouni

  • Cisco ASA 5520s in Cluster Outside interface stops sending traffic

    Hi,
    We are running a Pair of ASA 5520s in active/standby mode.  In the last couple days the active device will just stop communicating on the outside interface.  Because the rest of the interfaces are still up,  it will not fail over, so we have to fail it manually.  The secondary unit works and passes traffic correctly.  We then reboot the Primary. 
    Then after some undetermined time,  it happens again and we have to manually fail it the other way,  reboot the affected ASA and wait for it to happen again.
    We have a case with TAC but they have not been able to figure this one out.  Has anyone else seen this behavior?
    This is the version info:
    Cisco Adaptive Security Appliance Software Version 8.4(7)
    Device Manager Version 7.3(1)100
    Thanks

    Hi,
    There are various possibilities on the ASA device which might be causing this issue:-
    1) Block depletion
    2) Memory depletion
    Other things might be related to the external ISP as well.
    Can we collect some outputs from the ASA device at the time when the issue is seen on the ASA device.
    If you can share the output , i can have a look at it otherwise you can open a TAC case.
    Thanks and Regards,
    Vibhor Amrodia

  • ASA 5520 Not Failing over

        Hi All
    Im preparing a lab and I have 2 ASA 5520's. I have configured them for failover so the Primarys config will replicate over to the Secondary. They are connected via a 3560 switch. the switch ports are configured as access ports on vlan 1. Spanning-tree portfast is enabled
    Firewall (Primary)
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    Device Manager Version 7.1(2)
    Compiled on Wed 28-Nov-12 10:38 by builders
    System image file is "disk0:/asa911-k8.bin"
    Config file at boot was "startup-config"
    DEO-FW-01 up 5 hours 1 min
    failover cluster up 5 hours 1 min
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB
    Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08
                                 Number of accelerators: 1
    0: Ext: GigabitEthernet0/0  : address is 001e.f762.bc44, irq 9
    1: Ext: GigabitEthernet0/1  : address is 001e.f762.bc45, irq 9
    2: Ext: GigabitEthernet0/2  : address is 001e.f762.bc46, irq 9
    3: Ext: GigabitEthernet0/3  : address is 001e.f762.bc47, irq 9
    4: Ext: Management0/0       : address is 001e.f762.bc43, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 150            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 750            perpetual
    Total VPN Peers                   : 750            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has an ASA 5520 VPN Plus license.
    Here is the failover config
    failover
    failover lan unit primary
    failover lan interface SFO GigabitEthernet0/3
    failover replication http
    failover link SFO GigabitEthernet0/3
    failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
    Here is the Show failover output
    Failover On
    Failover unit Primary
    Failover LAN Interface: SFO GigabitEthernet0/3 (Failed - No Switchover)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 160 maximum
    failover replication http
    Version: Ours 9.1(1), Mate Unknown
    Last Failover at: 12:53:27 UTC Mar 14 2013
            This host: Primary - Active
                    Active time: 18059 (sec)
                    slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
                      Interface inside (10.10.16.1): No Link (Waiting)
                      Interface corporate_network_traffic (10.10.16.21): Unknown (Waiting)
                      Interface outside (193.158.46.130): Unknown (Waiting)
                    slot 1: empty
            Other host: Secondary - Not Detected
                    Active time: 0 (sec)
                      Interface inside (10.10.16.2): Unknown (Waiting)
                      Interface corporate_network_traffic (10.10.16.22): Unknown (Waiting)
                      Interface outside (193.158.46.131): Unknown (Waiting)
    Stateful Failover Logical Update Statistics
            Link : SFO GigabitEthernet0/3 (Failed)
    Here is the output for the secondary firewall
    Cisco Adaptive Security Appliance Software Version 9.1(1)
    Device Manager Version 6.2(5)
    Compiled on Wed 28-Nov-12 10:38 by builders
    System image file is "disk0:/asa911-k8.bin"
    Config file at boot was "startup-config"
    ciscoasa up 1 hour 1 min
    failover cluster up 1 hour 1 min
    Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xfff00000, 1024KB
    Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08
                                 Number of accelerators: 1
    0: Ext: GigabitEthernet0/0  : address is 0023.0477.12e4, irq 9
    1: Ext: GigabitEthernet0/1  : address is 0023.0477.12e5, irq 9
    2: Ext: GigabitEthernet0/2  : address is 0023.0477.12e6, irq 9
    3: Ext: GigabitEthernet0/3  : address is 0023.0477.12e7, irq 9
    4: Ext: Management0/0       : address is 0023.0477.12e3, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 150            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 750            perpetual
    Total VPN Peers                   : 750            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    This platform has an ASA 5520 VPN Plus license.
    Here is the failover config
    failover
    failover lan unit secondary
    failover lan interface SFO GigabitEthernet0/3
    failover replication http
    failover link SFO GigabitEthernet0/3
    failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
    Here is the Show failover output
    failover
    failover lan unit secondary
    failover lan interface SFO GigabitEthernet0/3
    failover replication http
    failover link SFO GigabitEthernet0/3
    failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
    Failover On
    Failover unit Secondary
    Failover LAN Interface: SFO GigabitEthernet0/3 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 0 of 160 maximum
    failover replication http
    Version: Ours 9.1(1), Mate Unknown
    Last Failover at: 12:58:31 UTC Mar 14 2013
    This host: Secondary - Active
    Active time: 3630 (sec)
    slot 0: ASA5520 hw/sw rev (2.0/9.1(1)) status (Up Sys)
    slot 1: empty
    Other host: Primary - Not Detected
    Active time: 0 (sec)
    Stateful Failover Logical Update Statistics
    Link : SFO GigabitEthernet0/3 (up)
    interface g0/3 on both are up via the No shutdown command. However I get the following error No Active mate detected
    please could someone help.
    Many thanks

    Hello James,
    You have configured  the IPs on the interfaces incorrectly.
    Let me point it out
    failover
    failover lan unit primary
    failover lan interface SFO GigabitEthernet0/3
    failover replication http
    failover link SFO GigabitEthernet0/3
    failover interface ip SFO 10.10.16.25 255.255.255.248 standby 10.10.16.26
    You are telling the Primary device use IP address 10.10.16.25 and the secondary firewall will be 10.10.26.26
    Now let's see the configuration on the Secondary Unit?
    failover
    failover lan unit secondary
    failover lan interface SFO GigabitEthernet0/3
    failover replication http
    failover link SFO GigabitEthernet0/3
    failover interface ip SFO 10.10.16.26 255.255.255.248 standby 10.10.16.25
    On the secondary you are saying the primary IP will be 10.10.16.26 and the secondary will be 10.10.16.25
    You have it backwards and based on the output I would say you configured it on all of the interfaces like that
    So please change it and make it the same on all of the interfaces so both devices know the same thing ( which IP they should use when they are primary and secondary, this HAVE to match )
    Hope that I could help
    Julio Carvajal

  • Cisco ASA 5520 traffic between interfaces

    Hello,
    I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
    ciscoasa# ping esx_management 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ciscoasa# ping home_network 192.168.10.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Thank you in advance.

    Hi,
    Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
    I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
    packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
    I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
    I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
    Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
    Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
    Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
    Static Identity NAT
    static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
    OR
    NAT0
    access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
    access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
    nat (home_network) 0 access-list HOMENETWORK-NAT0
    Hope this helps
    - Jouni

  • Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

    Hi,
    I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
    The scanario:
    Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
    Any help or advice is much appreciated.
    Thanks.

    Hello Bernard,
    What you are looking for is a Remote Ipsec VPN mode not a L2L.
    Here is the link you should use to make this happen:)
    https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
    Regards,
    Julio

  • ASA 5520 Anyconnect License on Active/Standby Failover pair

    Hi
    Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
    Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
    Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver
    Any help would be much appreciated on this one please
    Regards
    Graham

    Thanks Marvin
    Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
    We previously had the VPN Plus License, and it still shows VPN Plus
    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited
    Maximum VLANs               : 150      
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                     : Enabled  
    VPN-3DES-AES                 : Enabled  
    Security Contexts           : 2        
    GTP/GPRS                     : Disabled
    VPN Peers                   : 750      
    WebVPN Peers                 : 2        
    AnyConnect for Mobile       : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions           : 2        
    This platform has an ASA 5520 VPN Plus license.

  • Different between ASA-5520-K9 & ASA-5520-K8

    Hello Dear ...
    We were using ASA-5520-K9 with  ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8. can any one please advise me what features we will miss or get.
    thanks in advanced.
    regards/
    Mannan

    They are exactly the same hardware. It's the license that makes it K9 which you can request from the licensing team at Cisco.

  • Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

    Recently i have installed ASA 5520 firewall, Below is the detail for my network
    ASA 5520 inside ip: 10.12.10.2/24
    Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
    Cisco Call Manager 3825 IP: 10.12.110.2/24
    The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
    the Default Gateway for Data user is 10.12.10.2/24 and
    for the voice users is 10.12.110.2/24
    now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

    Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
    ASA Version 8.2(1)
    name x.x.x.x Mobily
    interface GigabitEthernet0/0
     nameif inside
     security-level 99
     ip address 10.12.10.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.252
    object-group service DM_INLINE_SERVICE_1
     service-object tcp-udp
     service-object ip
     service-object icmp
     service-object udp
     service-object tcp eq ftp
     service-object tcp eq www
     service-object tcp eq https
     service-object tcp eq ssh
     service-object tcp eq telnet
    access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
    access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
    ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 Inside-Network 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 Mobily 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Mgmt-Network 255.255.255.0 mgmt
    http Inside-Network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet Inside-Network 255.255.255.0 inside
    telnet timeout 5
    ssh Inside-Network 255.255.255.255 inside
    <--- More --->              ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RA_VPN internal
    group-policy RA_VPN attributes
     dns-server value 86.51.34.17 8.8.8.8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RA_VPN_splitTunnelAcl
    username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
    tunnel-group RA_VPN type remote-access
    tunnel-group RA_VPN general-attributes
     address-pool VPN-Users
     default-group-policy RA_VPN
    tunnel-group RA_VPN ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
    : end

  • HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

    Hi all!
    we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
    We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
    Best regards for all,

    You cannot make a 5520 establish failover with the mate being a 5525-X.
    1. The configuration guide (here) states:
    The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
    2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version: 9.1 and as you know there are some architectural changes Cisco made to NAT statements and Access Lists. As one can tell, we have a monster environment in terms of NAT statements and access list that are currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and if needed, I use it in production (in conjunction with existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together an smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some Do's and Don’ts and can provide me some options toward getting best result: Minimum downtime and Smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
    In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
    What you can basically do is
    Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
    You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is
    Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
    Divide NAT configurations based on type   
    Dynamic NAT/PAT
    Static NAT
    Static PAT
    NAT0
    All Policy Dynamic/Static NAT/PAT
    Learn the basic configuration format for each type of NAT configuration
    Start by converting the easiest NAT configurations   
    Dynamic NAT/PAT
    Static NAT/PAT
    Next convert the NAT0 configurations
    And finally go through the Policy NAT/PAT configurations
    Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of Identity NAT configurations between your local networks interfaces of the ASA.
    For example
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you dont need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask help with NAT configuration conversions. Even though its a very common topic, I dont personally mind helping out with those.
    So to summarize
    Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
    Learn the new NAT configuration format
    Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally if I was looking at a samekind of upgrade (which I will probably be looking at again soon) I would personally do the following
    Convert the configurations manually
    Lab/test the configurations on an test ASA
    During Failover pairs upgrade I would remove the Standby device from network, erase its configurations, reboot it to new software, insert manually written configurations.
    Put the upgraded ASA to the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
    Disconnect currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    Test connectivity and monitor ASAs connection and xlate tables to confirm everything is working
    Will add more later if anything comes to mind as its getting quite late here
    Hope this helps
    - Jouni

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
      I am having ASA 5520 in Active Standby failover configuration . I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on cisco site .
    Below is the process :
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an       Active/Standby failover configuration:
    Download the new software to both units, and specify the new image to           load with the boot system command.
    Refer to           Upgrade           a Software Image and ASDM Image using CLI for more           information.
    Reload the standby unit to boot the new image by entering the           failover           reload-standby command on the active unit as shown           below:
    active#failover reload-standby
    When the standby unit has finished reloading and is in the Standby           Ready state, force the active unit to fail over to the standby unit by entering           the no           failover active command on the active unit.
    active#no failover active
    Note: Use the show             failover command in order to verify that the standby unit             is in the Standby Ready state.
    Reload the former active unit (now the new standby unit) by entering           the reload command:
    newstandby#reload
    When the new standby unit has finished reloading and is in the           Standby Ready state, return the original active unit to active status by           entering the failover           active command:
    newstandby#failover active
    This completes the process of upgrading an Active/Standby Failover       pair.
    Also after upgrade are there any changes required after IOS migration ( i.e are there any changes in the command line of 8.4.6 and 9.1.2 ) 
    It is mentioned on cisco site that
    Major Release
    —You can upgrade from the last minor           release of the previous version to the next major release. For example, you can           upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x           release. 

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions, it's just that in access-rule from 9.1 you have to any4 instead of any for ipv4 and any6 for ipv6. During conversion it will get convert automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin-top:0in;
    mso-para-margin-right:0in;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0in;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    This topic has been beat to death, but I did not see a real answer. Here is configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

    Hi,
    i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
    I have installed 50 Site-to-Site VPN tunnels, and they work fine.
    but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
    it happens when there is no TRAFIC on, i suspect.
    in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
    this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
    in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
    i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
    Any idea?
    Thanks,
    Daniel

    What is the lifetime value configured for in your crypto policies?
    For example:
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400

  • ASA 5520 intervlan routing at low speed

    I have ASA 5520 and SSM-10 module. During copy between vlans, connected to gigabit port of asa the speed is up to 6,5 Mbyte/sec. Network cards and trunked switch are gigabit. I've temporarily disabled SSM but it didn't help. Here is my config. Also I found out, that putting SSM into bypass mode solves the problem. But I don't send any traffic to IPS...
    ASA Version 8.4(2)
    hostname ***
    domain-name ***
    enable password *** encrypted
    passwd *** encrypted
    multicast-routing
    names
    dns-guard
    interface GigabitEthernet0/0
    nameif DMZ
    security-level 50
    ip address 10.2.5.1 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    no ip address
    interface GigabitEthernet0/1.100
    vlan 100
    nameif Devices
    security-level 100
    ip address 10.2.0.1 255.255.255.0
    interface GigabitEthernet0/1.101
    vlan 101
    nameif Common
    security-level 100
    ip address 10.2.1.1 255.255.255.0
    interface GigabitEthernet0/1.102
    vlan 102
    nameif Design
    security-level 100
    ip address 10.2.2.1 255.255.255.0
    interface GigabitEthernet0/1.103
    vlan 103
    nameif Ruhlamat
    security-level 90
    ip address 10.2.3.1 255.255.255.0
    interface GigabitEthernet0/2
    no nameif
    security-level 100
    no ip address
    interface GigabitEthernet0/2.10
    vlan 10
    nameif HOLOGR
    security-level 40
    ip address 10.1.2.4 255.255.0.0
    interface GigabitEthernet0/3
    nameif outside
    security-level 0
    ip address ***
    interface Management0/0
    nameif management
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    management-only
    boot system disk0:/asa842-k8.bin
    no ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name ***
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network WWW
    host 10.2.1.6
    object network MAIL
    host 10.2.5.5
    object network TEST
    host 10.2.1.85
    object-group network DM_INLINE_NETWORK_1
    network-object host 10.1.0.88
    network-object host 10.1.6.1
    network-object host 10.1.6.5
    network-object host 10.1.0.57
    network-object 10.2.0.0 255.255.255.0
    network-object host 10.1.6.4
    network-object host 10.1.1.57
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 2080
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_6
    network-object host 10.1.4.42
    network-object host 10.1.4.234
    network-object host 10.1.4.175
    network-object host 10.1.4.217
    object-group protocol DM_INLINE_PROTOCOL_5
    protocol-object udp
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.6
    network-object host 10.2.1.14
    network-object host 10.2.1.91
    object-group network DM_INLINE_NETWORK_4
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.6
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_5
    network-object host 10.2.1.14
    network-object host 10.2.1.39
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.6
    network-object host 10.2.1.85
    network-object host 10.2.1.31
    network-object host 10.2.1.32
    network-object host 10.2.1.40
    network-object host 10.2.1.55
    network-object host 10.2.1.35
    network-object host 10.2.1.3
    network-object host 10.2.1.2
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_7
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    object-group network DM_INLINE_NETWORK_9
    network-object host 10.2.1.4
    network-object host 10.2.1.3
    object-group network DM_INLINE_NETWORK_2
    network-object host 10.1.1.101
    network-object host 10.1.6.1
    network-object host 10.1.6.4
    network-object host 10.1.6.5
    network-object host 10.1.0.57
    network-object host 10.1.1.57
    object-group network DM_INLINE_NETWORK_10
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    network-object host 10.2.1.3
    network-object host 10.2.1.2
    object-group service DM_INLINE_TCP_4 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_12
    network-object host 10.2.0.11
    network-object host 10.2.0.14
    object-group service DM_INLINE_TCP_5 tcp
    port-object eq pop3
    port-object eq smtp
    object-group network DM_INLINE_NETWORK_13
    network-object host 10.2.1.4
    network-object host 10.2.1.5
    object-group network DM_INLINE_NETWORK_14
    network-object host 8.8.4.4
    network-object host 8.8.8.8
    network-object host 10.1.1.1
    object-group network DM_INLINE_NETWORK_15
    network-object host 10.2.1.39
    network-object host 10.2.1.57
    object-group network DM_INLINE_NETWORK_16
    network-object host 10.2.1.14
    network-object host 10.2.1.6
    access-list outside_access_in extended permit tcp any 10.2.5.0 255.255.255.0 eq smtp
    access-list outside_access_in extended permit tcp host *** host 10.2.1.85 eq ***
    access-list outside_access_in extended permit tcp host *** host 10.2.1.6 eq ***
    access-list Common_access_in extended permit icmp any any
    access-list Common_access_in extended permit ip host 10.2.1.76 host ***
    access-list Common_access_in extended permit ip host 10.2.1.6 any log disable inactive
    access-list Common_access_in extended permit tcp host 10.2.1.6 host *** eq ***
    access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_1 6 host 10.2.5.5
    access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_3 10.2.2.0 255.255.255.0
    access-list Common_access_in extended permit udp object-group DM_INLINE_NETWORK_7 any eq ntp log disable
    access-list Common_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14 eq domain
    access-list Common_access_in extended permit ip object-group DM_INLINE_NETWORK_5 host 10.2.3.3
    access-list Common_access_in extended permit tcp object-group DM_INLINE_NETWORK_15 host 10.1.1.1 object-group DM_INLINE_TCP_3
    access-list Common_access_in extended permit ip 10.2.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list Common_access_in extended permit tcp 10.2.1.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_1
    access-list Design_access_in extended permit tcp 10.2.2.0 255.255.255.0 host 10.2.5.5 object-group DM_INLINE_TCP_2
    access-list Design_access_in extended permit ip 10.2.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 log disable
    access-list HOLOGR_access_in extended permit icmp any any log disable
    access-list HOLOGR_access_in extended permit tcp host 10.1.1.1 host 10.2.5.5 object-group DM_INLINE_TCP_4
    access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_9
    access-list HOLOGR_access_in extended permit ip object-group DM_INLINE_NETWORK_2 10.2.1.0 255.255.255.0
    access-list HOLOGR_access_in extended permit ip host 10.1.4.214 object-group DM_INLINE_NETWORK_12
    access-list Ruhlamat_access_in extended permit ip host 10.2.3.3 object-group DM_INLINE_NETWORK_10
    access-list Ruhlamat_access_in extended permit tcp host 10.2.3.3 host 10.2.5.5 object-group DM_INLINE_TCP_5
    access-list test extended permit tcp any host 10.2.5.1 eq telnet
    access-list test extended permit tcp any host 10.2.5.1 eq https
    access-list test extended permit tcp host 10.2.5.1 any eq https
    access-list test extended permit tcp host 10.2.5.1 any eq telnet
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 8192
    logging buffered critical
    logging trap warnings
    logging asdm informational
    logging from-address ***
    logging recipient-address *** level critical
    logging host Common 10.2.1.2
    logging flash-bufferwrap
    logging flash-maximum-allocation 8192
    logging permit-hostdown
    no logging message 106014
    no logging message 313005
    no logging message 313001
    no logging message 106023
    no logging message 305006
    no logging message 733101
    no logging message 733100
    no logging message 304001
    logging message 313001 level critical
    logging message 106023 level errors
    mtu DMZ 1500
    mtu inside 1500
    mtu Devices 1500
    mtu Common 1500
    mtu Design 1500
    mtu Ruhlamat 1500
    mtu HOLOGR 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any DMZ
    icmp permit any Common
    icmp permit any HOLOGR
    icmp permit any outside
    asdm image disk0:/asdm-645-206.bin
    asdm history enable
    arp timeout 14400
    object network WWW
    nat (Common,outside) static interface service tcp *** ***
    object network MAIL
    nat (DMZ,outside) static interface service tcp smtp smtp
    nat (DMZ,outside) after-auto source dynamic any interface
    nat (Common,outside) after-auto source dynamic any interface
    nat (Devices,outside) after-auto source dynamic any interface
    access-group Common_access_in in interface Common
    access-group Design_access_in in interface Design
    access-group Ruhlamat_access_in in interface Ruhlamat
    access-group HOLOGR_access_in in interface HOLOGR
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 *** 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    http server enable
    http 10.2.1.6 255.255.255.255 Common
    snmp-server host Common 10.2.1.6 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp DMZ
    sysopt noproxyarp inside
    sysopt noproxyarp Devices
    sysopt noproxyarp Common
    sysopt noproxyarp Design
    sysopt noproxyarp Ruhlamat
    sysopt noproxyarp HOLOGR
    sysopt noproxyarp outside
    sysopt noproxyarp management
    service resetoutside
    telnet 10.2.1.0 255.255.255.0 Common
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access Common
    dhcprelay setroute Common
    threat-detection basic-threat
    threat-detection scanning-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.2.1.4 source Common prefer
    webvpn
    smtp-server 10.2.5.5
    prompt hostname context
    call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD
    CEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:ad02ecbd84a727e4a26699915feca3a5
    : end

    Hi Philip,
    I don't see any features configured that would affect the throughput of the data transfer. Do you see any CRC errors or overruns increasing on the interfaces during the transfer? If not, I would suggest setting up captures on the ingress and egress interfaces of the ASA so you can understand exactly why the connection is slowing down and see if the ASA is inducing the delay:
    https://supportforums.cisco.com/docs/DOC-1222
    -Mike

Maybe you are looking for

  • My flash player does not work on my tablet.

    My flash player does not work on my tablet

  • G5 dual 2.0Ghz bought in 2003+ 30" cinema display?

    Hi all. I bought the first generation G5 dual 2.0Ghz in 2003 and am sure that I have Radeon 9600 pro video card installed in the computer. Currently, I am thinking of buying 30" cinema display and did some research on it's specification. I found that

  • Alot of mails rejected

      TX2EHSMHS005.bigfish.com rejected your message to the following email addresses: [email protected] ([email protected]) TX2EHSMHS005.bigfish.com gave this error: Service unavailable; Client host [41.32.166.28] blocked using Blocklist 1, mail from IP

  • Dynamic Link complicated question

    This is the story..... 1. I shot & edited a training session (many sessions - over 40 hours) 2. I did minor editing in Premiere, used Dynamic Link to send to Encore, set up a first run title page with 8 links to the 8 chapters.(all end actions going

  • Authorization check in infoset qury

    Hi Experts, I need to insert logic to check for security authorization in a infoset query for company codes given on selection screen. How do i read the company codes given on selection screen into code section? the select-option name in generated pr