Redundant etherchannels for ASA 5585X
Hi there, we have procured 2 ASA 5585X units for an Active/Standby setup. In the interim we will go with etherchannelling 1 Gig links to upstream 6513 switches (non VSS). Can I have this configuration for resiliency?
Etherchannel from ASA Primary - Switch 1 & Switch 2
Etherchannel from ASA Standby - Switch 1 & Switch 2
or
Etherchannel from ASA Primary - Switch 1
Etherchannel from ASA Standby - Switch 2
( Failover links between the Firewalls are already configured )
Currently I am reviewing which would be the best way to configure redundancies to upstream switches. Appreciate any suggestions
Thanks
The delay is not in the failover. The delay is in the traffic flowing through the 6513's now take a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to same VLAN's?
I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?
One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions.
Similar Messages
-
Etherchannel support for ASA 5585X
Hi there , Just trying to find out which all versions of ASA 5585X can support etherchannel features .
Thanks
Prabs
Hi,
To my understanding any ASA (except ASA5505) from 8.4(1) onwards can use EtherChannel.
Quote from Cisco document
Interface Features
EtherChannel support (ASA 5510 and higher)
You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
Note: You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
We introduced or modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
Configuration > Device Setup > EtherChannel
Source:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
Here is also a link to the "interface" command for Etherchannel
http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
Hope this helps
- Jouni -
I have two ASA 5585X-SSP20 that need cluster config. I am a little confused about ASA to Core Switch and Server Farm Switch connectivity. In cluster mode, if we config the master ASA's two 10G ports as an ether-channel, then the other cluster member's same ports are configured as the same ether-channel, so four ports in two ASAs work in a single ether-channel. If this is right, then is my diagram correct or wrong? Please help me.
Hi,
Yes, technically you could run two SSP20's with all 4 10g ports in the same spanned etherchannel as a "firewall on a stick".
If you look in the cluster configuration guide you'll see that the CCL (Cluster Control Link) needs to be sized the same as the data links so if you don't add any extra modules to your SSP20 firewalls you'll end up with 1x 10g for data and 1x 10g for CCL on each physical firewall.
We currently have this setup in our environment; each SSP20 firewall is connected to a Nexus 7K switch where one 10G port is used for CCL and one 10G port is setup as a trunk for all inbound/outbound traffic to/from the firewall.
Hope this helps!
-Michel -
Mount ASA 5585x on 2-post rack?
Is it possible to mount the ASA 5585x on a 2-post rack?
It is POSSIBLE but not recommended.
It's designed for a 4-post installation, using either the slide or fixed rail kit and mounting to all four posts. That's what's shown in the installation guide.
If it were my ASA at US$100,000+ per unit, I'd want it to be securely mounted. -
ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast
Hello Community,
it seems there are problems with dropped fragmented IPv4 UDP multicast traffic on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
MC src and rcv
(XChariot)
|
-----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
|
MC src and rcv
(XChariot)
Test 1 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
(Trace "WAN-IF_capture_225.1.2.154_no-frag" and output "L2FW-not_fragmented")
The traffic passes through the Transparent mode ASA without any problems.
Test2 (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441 resulting in fragmentation.
This traffic (and unfortunately it is the same for the real application) is dropped by the ASA. The two ASP drop counters for "Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a ratio of 3 (Dst MAC) : 1 (invalid udp).
The file "L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures of the ASP drops. In addition, the three traces are in pcap format.
Any idea?
Thank you in advance for your contribution.
Hello Community,
the following combination solved our problem for now, upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322
Perhaps further tests will be made using lower interim versions. -
Creating syslog report on a separate server for ASA 5555-x
hello all,
how do we create syslog report for ASA to dump in a separate physical server?
thanks
Hello,
You mean send syslog messages to an external database?
If that's the case it should be
logging enable
logging server name_if IP_address
logging trap 7
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at [email protected]
Cheers,
Julio Carvajal Segura -
Best Log Setting for ASA & MARS
Hi,
I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as to what the best log settings are to use coming from the ASA for MARS? Right now it looks like everything is set up to be forwarded. Does anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?
Thanks
Which syslogs are these specifically? We don't get any undefined events from our FWSM(s). We get plenty from the Netscreen (but AFAIR this is documented on CCO), as the support is not 'complete' as of yet.
The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussion on Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.
Regards
Farrukh -
Configuration guide for ASA Ipsec.
Hi guys.
I need a configuration guide for ASA IPsec using the CLI.
Thank you.
Sent from Cisco Technical Support iPad App
Hi,
please check the below link
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml?referring_site=smartnavRD
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
Thanks and Regards,
ROHAN -
I need help configuring a connection with asdm 5.2 for asa
Hi All
I am very much a novice with ASDM 5.2 for ASA and I urgently need to configure a connection but don't know how to. I have 2 domains at work and someone is trying to connect their SQL client from their PC in one domain to the SQL server in the other domain (DMZ).
When he tries to connect he gets the error
Cant connect to MySql Server at "IP Address" (10060)
He is trying to connect on port 3306. Could anyone please give me any tips on how I can resolve this quickly? I know I am trying a shortcut on this one, but I recently started a new job, was thrown in the deep end here and need to learn this ASDM 5.2 for ASA product from scratch with nothing more than the manual that came with the CD. My Cisco knowledge is from 2001 when I did half of a CCNA course.
Any help would be greatly appreciated
Hi,
I'm not a security specialist but here is how I had it set up at home:
Essentially a NAT and a rule forwarding the port are needed. In this particular case I had an Oracle server running and a person requested remote access. So, for example, the source address was his external IP and the destination was the Oracle's external IP. For the NAT the source was the internal IP of the Oracle server and the interface was Outside.
Hope this points you in the right direction. -
New Terminal Service client plugin for ASA?
Hi all,
since Feb a new version (rdp-plugin.111024.jar) of the Terminal Service client plugin for ASA is available.
Can somebody tell me what is changed or new in this version? There are no release notes for this version, only for the older rdp-plugin.101215.jar.
Thanks,
Markus
Hi Yasser,
Thank you for posting in Windows Server Forum.
As you have commented, it happens with a single user, so possibly there is some issue with the specific user profile.
Have you tried to log in as that user from different systems and check the result?
Here I can suggest you delete the roaming profile cache and verify the result. You can enable the GPO policy as per the steps below, then try to re-login and check the result.
1. Edit the GPO that you want to modify.
2. Locate the following section: Computer Configuration \ Administrative Templates \ System \ User Profiles.
3. Double-click Delete cached copies of roaming profiles (the Group Policy setting).
4. Click Enabled.
In addition, you can check this article for the user profiles guide. Also see whether you have applied proper permission to that user for accessing that application.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
Can anyone provide the link for Flash-type learning for the ASA Firewall 5505?
Hi,
To be honest I haven't used that many online resources of the type you are after.
I would imagine that the current version of the CCNP Security - Firewall certification book would have a lot of useful information related to the Cisco firewalls.
The CSC also has some videos related to firewalling
https://supportforums.cisco.com/community/netpro/security/firewall?view=video
There is also the Cisco Live 365 site which has all the documents from the Cisco Live events around the world. You will need to register to get access, to my understanding. There are also videos of the presentations there (at least for some). Naturally the documents don't go deep into theory but they do have some helpful information
https://www.ciscolive365.com/connect/publicDashboard.ww
You can also find a lot of guide videos on YouTube, for example this one
http://www.youtube.com/watch?v=Y0ZnRmgINgE
Sadly I can't help you much in this case. I personally learned most about the Cisco firewall the hard way, basically without any supporting material and education (we only had CCNA and CCNP Routing & Switching without any course on the PIX firewall that was in use at that time, and ASAs were still new). Eventually I learned what I needed and nowadays I just tend to refresh information from documents and mostly refer to the ASA Configuration Guide and Command Reference if I need to check on some command or confirm how something worked.
Hope this helps
- Jouni -
Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520
Will this patch be included in a version which I can use on the ASA5520? If I understand the documentation correctly, this patch is only included in versions which run on the -X models of the ASA: 9.2, 9.3
Once the ASA has dynamic NAT enabled to an outside interface, routing between the same security level will not work.
You need to add route exempt the inside interfaces to all private subnet. -
Best practice for ASA Active/Standby failover
Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advance!
Hi Vibhor,
I tested ping from R1 to R2 and the ping drops when I shut down either the inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1# -
Custom alert for ASA Secondary Status
Hello All.
Here is our dilemma.
We need a custom alert. Something that will trigger an alert if our secondary ASA goes to a "Secondary - Failed" state.
If the primary is active and secondary is in a failed state, we may never know until traffic tries to fail to the secondary and is
unable to do so because it is in a bad state.
We are not looking to see if the secondary firewall goes down nor if it becomes the primary from a failure of the primary, but if
anything changes the secondary status.
To put another way, if the line from "show standby" shows "Secondary - Failed"
we need to know about it because it means redundancy is broken.
We need to know if this line changes from this status:
Other host: Secondary - Standby Ready
I believe there is a monitor in Orion for the load balancers called something like "not
standby hot" designed for the same thing. Basically we need the same type of
monitor for the firewalls.
Any ideas on how to go about making this happen????
All of the posts I have discovered relating to this topic only cover alerts/notifications on whether a pair of devices go from
active to standby and vice versa.
Is this even possible with the OID's on the ASA's?
cfwHardwareInformation
cfwHardwareStatusValue
cfwHardwareStatusDetail
cfwBufferStatInformation
Posts we've already covered:
http://thwack.solarwinds.com/message/132423#132423
http://thwack.solarwinds.com/message/29931#29931
http://thwack.solarwinds.com/message/85319#85319
http://thwack.solarwinds.com/docs/DOC-170819
http://thwack.solarwinds.com/message/171653#171653
http://thwack.solarwinds.com/docs/DOC-118692
http://thwack.solarwinds.com/message/29931#29931
https://supportforums.cisco.com/docs/DOC-1295
http://thwack.solarwinds.com/message/71089#71089
Thank you in advance,
Todd
Hi,
One option is to use standard AuditTrail functionality on that field, then you'll have the entire chronological history for the field to work the periodic alert logic from.
Regards,
Gareth
Blog: http://garethroberts.blogspot.com/ -
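The two failover threads above both come down to reading the per-unit section of 'show failover': the earlier one shows an Active/Standby pair where a monitored interface is Link Down on both units, and this one asks for an alert when the peer leaves "Standby Ready". The following parser is an added example, not code from either thread or from Cisco; it assumes the exact output layout posted in the thread (which it embeds as a constructed sample) and leaves how the text is collected (SSH, a scheduled job, an Orion script) to the reader.

```python
import re

# Constructed sample input, modelled on the 'show failover' output posted
# earlier on this page (primary Active, inside interface Link Down on both units).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
        This host: Primary - Active
                Active time: 7862 (sec)
                Interface outside (100.100.100.1): Normal (Monitored)
                Interface inside (192.168.1.1): Link Down (Monitored)
                Interface mgmt (10.101.50.100): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (100.100.100.2): Normal (Monitored)
                Interface inside (192.168.1.2): Link Down (Monitored)
                Interface mgmt (0.0.0.0): Normal (Waiting)
"""

HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*(.+?)\s*\((\w+)\)\s*$")


def parse_show_failover(text):
    """Parse the per-unit section of 'show failover' into a dict keyed by
    'This host' / 'Other host', each holding role, state and interfaces."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            hosts[m.group(1)] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3), "monitoring": m.group(4)}
    return hosts


def failover_alerts(text):
    """Return alert strings; an empty list means redundancy looks intact."""
    hosts = parse_show_failover(text)
    alerts = []
    if "Failover On" not in text:
        alerts.append("failover is not enabled")
    states = {h: d["state"] for h, d in hosts.items()}
    # An Active/Standby pair must show one Active and one Standby Ready unit;
    # any other peer state (e.g. 'Failed') means the pair cannot fail over.
    if "Standby Ready" not in states.values():
        alerts.append("no unit in Standby Ready: %s" % states)
    if "Active" not in states.values():
        alerts.append("no unit is Active: %s" % states)
    # A monitored interface that is not Normal on either unit is also a loss
    # of redundancy, even while both unit states still look healthy.
    for host, d in hosts.items():
        for name, i in d["interfaces"].items():
            if i["monitoring"] == "Monitored" and i["status"] != "Normal":
                alerts.append("%s %s (%s) %s" % (host, name, i["ip"], i["status"]))
    return alerts


if __name__ == "__main__":
    for a in failover_alerts(SAMPLE_SHOW_FAILOVER):
        print("ALERT:", a)
```

Run against the sample it raises two alerts (inside Link Down on both units) while the unit states pass; swap the peer line to "Secondary - Failed" and the state check fires instead.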
New SourceFire IPS for ASA firewalls
I am in the process of ordering numerous ASA firewalls up to the 5585X models complete with IPS
I just found out that Cisco is now using SourceFire/Firepower for these, and is probably going to discontinue the old system.
I don't see a whole lot of documentation on this new system, and many of the links on the Cisco website simply link back to the old Sourcefire company page. So I had some general questions
1. How radically different is the new IPS/IDS system? Is it still based on signatures, threat ratings, etc.?
2. Where can I go to find documentation on this? Any books? PDFs?
3. How long has this been out? Has it been real-world tested?
4. Can I manage these IPS systems with IME, or do I need new software? What about ASDM?
> I just found out that Cisco is now using SourceFire/Firepower for these, and is probably going to discontinue the old system.
The legacy IPS is already announced for EOS/EOL.
> 1. How radically different is the new IPS/IDS system? Is it still based on signatures, threat ratings, etc.?
It's still mainly a signature-based system, more or less the same as before. Expect easier tuning and better defaults than before.
> 2. Where can I go to find documentation on this? Any books? PDFs?
Not that easy. Besides the info on the Cisco website there are also trainings like the SASAA 1.2 that start to integrate FirePower, but there it's only one topic of many.
> 3. How long has this been out? Has it been real-world tested?
As an IPS it probably deserves the status "real-world tested". As a Cisco-integrated system, well, I would say it's on the way.
> 4. can I manage these IPS systems with IME, or do I need new software? What about ASDM?
No IME any more! You use the FireSight Management Center (appliance or VM). I heard that ASDM integration is planned, but I wouldn't expect that anytime soon.