Redundant etherchannels for ASA 5585X

Hi there, we have procured 2 ASA 5585X units for an Active/Standby setup. In the interim we will go with etherchannelling 1 Gig links to upstream 6513 switches (non VSS). Can I have this configuration for resiliency?
Etherchannel from ASA Primary - Switch 1 & Switch 2
Etherchannel from ASA Standby - Switch 1 & Switch 2
or
Etherchannel from ASA Primary - Switch 1
Etherchannel from ASA Standby - Switch 2
(Failover links between the firewalls are already configured.)
Currently I am reviewing which would be the best way to configure redundancies to upstream switches. Appreciate any suggestions.
Thanks

The delay is not in the failover. The delay is in the traffic flowing through the 6513's now taking a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to the same VLANs?
I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?
One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions.

Similar Messages

  • Etherchannel support for ASA 5585X

    Hi there, just trying to find out which versions of the ASA 5585X can support etherchannel features.
    Thanks
    Prabs

    Hi,
    To my understanding any ASA (except the ASA5505) from 8.4(1) onwards can use EtherChannel.
    Quote from Cisco document
    Interface Features
    EtherChannel support (ASA 5510 and higher)
    You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
    Note: You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
    We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
    We introduced or modified the following screens:
    Configuration > Device Setup > Interfaces
    Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
    Configuration > Device Setup > Interfaces > Add/Edit Interface
    Configuration > Device Setup > EtherChannel
    Source:
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
    Here is also a link to the "interface" command for Etherchannel
    http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
    Hope this helps
    - Jouni

  • ASA 5585X Clustering

    I have two ASA 5585X-SSP20 that need cluster config. I am a little confused about the ASA to Core Switch and Server Farm Switch connectivity. In cluster mode, if we configure the master ASA's two 10G ports as an ether-channel, then the other cluster member's same ports are configured as the same ether-channel, so four ports in two ASAs work in a single ether-channel. If this is right, then is my diagram correct or wrong? Please help me.

    Hi,
    Yes, technically you could run two SSP20's with all 4 10G ports in the same spanned etherchannel as a "firewall on a stick".
    If you look in the cluster configuration guide you'll see that the CCL (Cluster Control Link) needs to be sized the same as the data links so if you don't add any extra modules to your SSP20 firewalls you'll end up with 1x 10g for data and 1x 10g for CCL on each physical firewall.
    We currently have this setup in our environment; each SSP20 firewall is connected to a Nexus 7K switch where one 10G port is used for CCL and one 10G port is setup as a trunk for all inbound/outbound traffic to/from the firewall.
    Hope this helps!
    -Michel

  • Mount ASA 5585x on 2-post rack?

    Is it possible to mount the ASA 5585x on a 2-post rack?

    It is POSSIBLE but not recommended.
    It's designed for a 4-post installation, using either the slide or fixed rail kit and mounting to all four posts. That's what's shown in the installation guide.
    If it were my ASA at US$100,000+ per unit, I'd want it to be securely mounted.

  • ASA 5585X in L2 trans. mode drops (ASP) fragm. IPv4 UDP multicast

    Hello Community,
    it seems there are problems with dropped fragmented IPv4 UDP multicast traffic on an ASA 5585X platform running ver. 8.4(6)5. The following sample topology has been used for the verification scenario:
    MC src and rcv
    (XChariot)
    |
    -----C4503---------------ASA5585X-L2mode-----------IPSEC-Appl.------WAN----------Remote Site with (S,G) (10.10.4.156,225.1.2.154) (XChariot)
    |
    MC src and rcv
    (XChariot)
    Test 1: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 1341
    (Trace "WAN-IF_capture_225.1.2.154_no-frag" and output "L2FW-not_fragmented").
    The traffic passes through the Transparent mode ASA without any problems.
    Test 2: (S,G) (10.10.4.156,225.1.2.154) sends UDP with a UDP length of 3441, resulting in fragmentation.
    This traffic, and unfortunately it is the same for the real application, is dropped by the ASA. The two ASP drop counters for "Dst MAC L2 Lookup Failed" and "invalid-udp-length" are increasing in a relation of 3 (DstMAC) : 1 (invalid udp).
    The file "L2FW-frag_IPv4_UDP_MC_ASPdrops" shows first the capture on the WAN and then the captures on the ASP drops. In addition, the three traces in pcap format.
    Any idea?
    Thank you in advance for your contribution.

    Hello Community,
    the following combination solved our problem for now: an upgrade to ASA OS 9.1.3 (asa913-2-smp-k8.bin) and the change from virtual reassembly (default) to hardware reassembly -> global-cfg -> fragment reassembly full [interface].
    http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2019322
    Perhaps further tests will be made using lower interim versions.

  • Creating syslog report on a separate server for ASA 5555-x

    hello all,
    how do we create a syslog report for the ASA to dump to a separate physical server?
    thanks

    Hello,
    You mean send syslog messages to an external database?
    If that's the case it should be:
    logging enable
    logging server name_if IP_address
    logging trap 7
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • Best Log Setting for ASA & MARS

    Hi,
    I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as to what the best log settings are to use coming from the ASA for MARS? Right now it looks like everything is set up to be forwarded. Anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?
    Thanks

    Which syslogs are these specifically? We don't get any undefined events from our FWSM(s). We get plenty from the Netscreen (but AFAIR this is documented on CCO, that the support is not 'complete' as of yet).
    The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussion on Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.
    Regards
    Farrukh

  • Configuration guide for ASA Ipsec.

    Hi guys.
    I need a configuration guide for ASA IPsec using the CLI.
    Thank you.
    Sent from Cisco Technical Support iPad App

    Hi,
    please check the below link
    http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml?referring_site=smartnavRD
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
    Thanks and Regards,
    ROHAN

  • I need help configuring a connection with asdm 5.2 for asa

    Hi All
    I am very much a novice with asdm 5.2 for asa and I urgently need to configure a connection but don’t know how to. I have 2 domains at work and someone is trying to connect their sql client from their pc in one domain to the sql server in the other domain (DMZ).
    When he tries to connect he gets the error
    Cant connect to MySql Server at "IP Address" (10060)
    He is trying to connect on port 3306. Could anyone please give me any tips on how I can resolve this quickly? I know I am trying a shortcut on this one, but I recently started a new job and was thrown in the deep end here and need to learn this ASDM 5.2 for ASA product from scratch with nothing more than the manual that came with the CD. My Cisco knowledge is from 2001 when I did half of a CCNA course.
    Any help would be greatly appreciated

    Hi,
    I'm not a security specialist but here is how I had it set up at home:
    Essentially a NAT and a rule forwarding the port are needed. In this particular case I had an Oracle server running and a person requested remote access. So, for example, the source address was his external IP and the destination was the Oracle's external IP. For the NAT the source was the internal IP of the Oracle server and the interface was Outside.
    Hope this points you in the right direction.

  • New Terminal Service client plugin for ASA?

    Hi all,
    since Feb a new version (rdp-plugin.111024.jar) of the Terminal Service client plugin for ASA is available.
    Can somebody tell me what is changed or new in this version? There are no release notes for this version, only for the older rdp-plugin.101215.jar.
    Thanks,
    Markus

    Hi Yasser,
    Thank you for posting in Windows Server Forum.
    As you have commented, it happens with a single user, so possibly there is some issue with the specific user profile.
    Have you tried to log in that user from different systems and check the result?
    Here I can suggest you delete the roaming profile cache and verify the result. You can enable the GPO policy as in the steps below and then try to log in again and check the result.
    1. Edit the GPO that you want to modify.
    2. Locate the following section: Computer Configuration \ Administrative Templates \ System \ User Profiles.
    3. Double-click Delete cached copies of roaming profiles (the Group Policy setting).
    4. Click Enabled.
    In addition, you can check this article for the user profiles guide. Also see whether you have applied proper permission to that user for accessing that application.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Flash File for ASA Firewall

    Can anyone provide the link for Flash-type learning for the ASA Firewall 5505?

    Hi,
    To be honest I haven't used that many online resources of the type you are after.
    I would imagine that the current version of the CCNP Security - Firewall certification book would have a lot of useful information related to the Cisco firewalls.
    The CSC also has some videos related to firewalling
    https://supportforums.cisco.com/community/netpro/security/firewall?view=video
    There is also the Cisco Live 365 site which has all the documents from the Cisco Live events around the world. You will need to register to get access, to my understanding. There are also videos of the presentations there (at least for some). Naturally the documents don't go deep into theory but they do have some helpful information
    https://www.ciscolive365.com/connect/publicDashboard.ww
    You can also find a lot of guide videos on Youtube for example like this one
    http://www.youtube.com/watch?v=Y0ZnRmgINgE
    Sadly I can't help you much in this case. I personally learnt most about the Cisco firewall the hard way, basically without any supporting material and education (we only had CCNA and CCNP Routing & Switching without any course on the PIX firewall that was in use at that time, and ASAs were still new). Eventually I learned what I needed and nowadays I just tend to refresh information from documents and mostly refer to the ASA Configuration Guide and Command Reference if I need to check on some command or confirm how something worked.
    Hope this helps
    - Jouni

  • Patch: CSCun25809, AnyConnect Password Management Fails with SMS Passcode for ASA 5520

    Will this patch be included in a version which I can use on the ASA5520? If I understand the documentation correctly, this patch is only included in versions which run on the -X models of the ASA (9.2, 9.3).

    Once the ASA has dynamic NAT enabled to an outside interface, routing between same security level will not work.
    You need to add route exempt for the inside interfaces to all private subnets.

  • Best practice for ASA Active/Standby failover

    Hi,
    I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
    Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advance!

    Hi Vibhor,
    I tested ping from R1 to R2 and the ping drops when I shut down either the inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show failover' and 'show run':
    ASSA1# conf t
    ASSA1(config)# int g1
    ASSA1(config-if)# shut
    ASSA1(config-if)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 60 maximum
    Version: Ours 8.4(2), Mate 8.4(2)
    Last Failover at: 14:20:00 SGT Nov 18 2014
            This host: Primary - Active
                    Active time: 7862 (sec)
                      Interface outside (100.100.100.1): Normal (Monitored)
                      Interface inside (192.168.1.1): Link Down (Monitored)
                      Interface mgmt (10.101.50.100): Normal (Waiting)
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                      Interface outside (100.100.100.2): Normal (Monitored)
                      Interface inside (192.168.1.2): Link Down (Monitored)
                      Interface mgmt (0.0.0.0): Normal (Waiting)
    Stateful Failover Logical Update Statistics
            Link : FAILOVER GigabitEthernet2 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1053       0          1045       0
            sys cmd         1045       0          1045       0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        0          0          0          0
            UDP conn        0          0          0          0
            ARP tbl         2          0          0          0
            Xlate_Timeout   0          0          0          0
            IPv6 ND tbl     0          0          0          0
            VPN IKEv1 SA    0          0          0          0
            VPN IKEv1 P2    0          0          0          0
            VPN IKEv2 SA    0          0          0          0
            VPN IKEv2 P2    0          0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0
            SIP Session     0          0          0          0
            Route Session   5          0          0          0
            User-Identity   1          0          0          0
            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       9       1045
            Xmit Q:         0       30      10226
    ASSA1(config-if)#
    ASSA1# sh run
    : Saved
    ASA Version 8.4(2)
    hostname ASSA1
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     nameif outside
     security-level 0
     ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
     ospf message-digest-key 20 md5 *****
     ospf authentication message-digest
    interface GigabitEthernet2
     description LAN/STATE Failover Interface
    interface GigabitEthernet3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet4
     nameif mgmt
     security-level 0
     ip address 10.101.50.100 255.255.255.0
    interface GigabitEthernet5
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    clock timezone SGT 8
    access-list OUTSIDE_ACCESS_IN extended permit icmp any any
    pager lines 24
    logging timestamp
    logging console debugging
    logging monitor debugging
    mtu outside 1500
    mtu inside 1500
    mtu mgmt 1500
    failover
    failover lan unit primary
    failover lan interface FAILOVER GigabitEthernet2
    failover link FAILOVER GigabitEthernet2
    failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715-100.bin
    no asdm history enable
    arp timeout 14400
    access-group OUTSIDE_ACCESS_IN in interface outside
    router ospf 10
     network 100.100.100.0 255.255.255.0 area 1
     network 192.168.1.0 255.255.255.0 area 0
     area 0 authentication message-digest
     area 1 authentication message-digest
     log-adj-changes
     default-information originate always
    route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.101.50.0 255.255.255.0 mgmt
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 10.101.50.0 255.255.255.0 mgmt
    ssh timeout 5
    console timeout 0
    tls-proxy maximum-session 10000
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
    : end
    ASSA1#

  • Custom alert for ASA Secondary Status

    Hello All.
    Here is our dilemma.
    We need a custom alert. Something that will trigger an alert if our secondary ASA goes to a "Secondary - Failed" state.
    If the primary is active and the secondary is in a failed state, we may never know until traffic tries to fail to the secondary and is unable to do so because it is in a bad state.
    We are not looking to see if the secondary firewall goes down nor if it becomes the primary from a failure of the primary, but if anything changes the secondary status.
    To put it another way, if the line from "show standby" shows "Secondary - Failed" we need to know about it because it means redundancy is broken.
    We need to know if this line changes from this status:
    Other host: Secondary - Standby Ready
    I believe there is a monitor in Orion for the load balancers called something like "not standby hot" designed for the same thing. Basically we need the same type of monitor for the firewalls.
    Any ideas on how to go about making this happen?
    All of the posts I have discovered relating to this topic only cover alerts/notifications on whether a pair of devices go from active to standby and vice versa.
    Is this even possible with the OID's on the ASA's?
    cfwHardwareInformation
    cfwHardwareStatusValue
    cfwHardwareStatusDetail
    cfwBufferStatInformation
    Posts we've already covered:
    http://thwack.solarwinds.com/message/132423#132423
    http://thwack.solarwinds.com/message/29931#29931
    http://thwack.solarwinds.com/message/85319#85319
    http://thwack.solarwinds.com/docs/DOC-170819
    http://thwack.solarwinds.com/message/171653#171653
    http://thwack.solarwinds.com/docs/DOC-118692
    https://supportforums.cisco.com/docs/DOC-1295
    http://thwack.solarwinds.com/message/71089#71089
    Thank you in advance,
    Todd

    Hi,
    One option is to use standard AuditTrail functionality on that field, then you'll have the entire chronological history for the field to work the periodic alert logic from.
    Regards,
    Gareth
    Blog: http://garethroberts.blogspot.com/
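    Added example (Python, not from this thread, Cisco or SolarWinds): it parses the `show failover` output posted in the Active/Standby best-practice thread above and returns alerts both when the mate unit leaves "Standby Ready" (this thread's requirement) and when a monitored interface is not Normal (the symptom in that earlier thread). The sample text is copied from the posted output; the "Secondary - Failed" variant is constructed by editing it.

```python
"""Evaluate redundancy health from Cisco ASA `show failover` output.

Added example for this page; the parser and alert rules are my own,
not an Orion/SolarWinds or Cisco component.
"""
import re
from dataclasses import dataclass, field

# Sample copied from the `show failover` posted earlier on this page:
# pair is healthy, but the inside interface is Link Down on both units.
SHOW_FAILOVER_LINKDOWN = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Monitored Interfaces 3 of 60 maximum
        This host: Primary - Active
                Active time: 7862 (sec)
                  Interface outside (100.100.100.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Link Down (Monitored)
                  Interface mgmt (10.101.50.100): Normal (Waiting)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (100.100.100.2): Normal (Monitored)
                  Interface inside (192.168.1.2): Link Down (Monitored)
                  Interface mgmt (0.0.0.0): Normal (Waiting)
"""

# Constructed variant: the standby unit has gone to "Failed".
SHOW_FAILOVER_FAILED = SHOW_FAILOVER_LINKDOWN.replace(
    "Other host: Secondary - Standby Ready", "Other host: Secondary - Failed")

# "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
# "Interface inside (192.168.1.1): Link Down (Monitored)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(.+?)\s+\(([^)]+)\)\s*$")


@dataclass
class Unit:
    role: str                                    # "Primary" or "Secondary"
    state: str                                   # "Active", "Standby Ready", "Failed", ...
    interfaces: dict = field(default_factory=dict)  # nameif -> (status, monitoring)


def parse_show_failover(text):
    """Return {"this": Unit, "other": Unit} from `show failover` text."""
    units, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Unit(role=m.group(2), state=m.group(3))
            units[m.group(1).lower()] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current.interfaces[m.group(1)] = (m.group(3), m.group(4))
    return units


def redundancy_alerts(units):
    """Return alert strings; an empty list means the pair can still fail over."""
    alerts = []
    if "other" not in units:
        return ["mate unit missing from show failover output"]
    other = units["other"]
    # The requirement in this thread: any state other than "Standby Ready" on the mate
    # (e.g. "Failed") means redundancy is broken even though the active unit is fine.
    if other.state != "Standby Ready":
        alerts.append(f"mate ({other.role}) is '{other.state}', redundancy is broken")
    # The symptom in the earlier thread: a monitored interface that is not Normal drops
    # traffic, and when it is down on both units a failover cannot heal it.
    for who, unit in units.items():
        for name, (status, monitoring) in unit.interfaces.items():
            if monitoring == "Monitored" and status != "Normal":
                alerts.append(f"{who} host ({unit.role}) interface {name}: {status}")
    return alerts
```

    Polling the same text over SSH or via the cfwHardwareStatusValue OID mentioned above and diffing the returned list between runs gives the "status changed" alert the post asks for.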

  • New SourceFire IPS for ASA firewalls

    I am in the process of ordering numerous ASA firewalls up to the 5585X models complete with IPS
    I just found out that Cisco is now using SourceFire/Firepower for these, and is probably going to discontinue the old system.
    I don't see a whole lot of documentation on this new system, and many of the links on the Cisco website simply link back to the old Sourcefire company page. So I had some general questions
    1. How radically different is the new IPS/IDS system? Is it still based on signatures, threat ratings, etc.?
    2. Where can I go to find documentation on this? Any books? PDFs?
    3. How long has this been out? Has it been real-world tested?
    4. Can I manage these IPS systems with IME, or do I need new software? What about ASDM?

    > I just found out that Cisco is now using SourceFire/Firepower for these, and is probably going to discontinue the old system.
    The legacy IPS is already announced for EOS/EOL.
    > 1. How radically different is the new IPS/IDS system? Is it still based on signatures, threat ratings, etc.?
    It's still mainly a signature-based system, more or less the same as before. Expect easier tuning and better defaults than before.
    > 2. Where can I go to find documentation on this? Any books? PDFs?
    Not that easy. Besides the info on the Cisco website there are also trainings like the SASAA 1.2 that start to integrate FirePower. But there it's only one topic of many.
    > 3. How long has this been out? Has it been real-world tested?
    As an IPS it probably deserves the status "real-world tested". As a Cisco-integrated system, well, I would say it's on the way.
    > 4. can I manage these IPS systems with IME, or do I need new software? What about ASDM?
    No IME any more! You use the FireSight Management Center (appliance or VM). I heard that ASDM integration is planned, but I wouldn't expect that anytime soon.
