Support Query ASA 5525

Hi,
I want to understand the difference between CON-SNT-A25K9 and CON-SW-A25K9. My question is whether CON-SNT will suffice or whether I need to consider both components. As per my understanding, CON-SNT includes hardware replacement, TAC access and OS update/upgrade options. Please clarify.

Hi Fritz,
Normally underrun errors are caused by oversubscription, or when you have QoS enabled on your ASA.
If you have QoS enabled for that interface, you can try disabling the QoS on that interface.
Minimize the sub-interfaces created on an interface.
Then you can try to maximize the throughput by distributing the traffic between the 2 buses, if you have this option.
Maximizing Throughput (ASA 5550)
The ASA 5550 has two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity. For Slot 1 (Bus 1), you can use either the copper ports or the fiber ports. The copper ports are enabled by default.
For maximum throughput, configure the ASA so that traffic is distributed equally between the two buses. Lay out the network so that traffic enters through one bus and exits through the other.
For example, the following figure shows the ASA configured so that traffic from the unsecure network and the secure network is evenly distributed between Bus 0 and Bus 1. Traffic from hosts on the secured network flows through interface 0/0 on Bus 0 to hosts on the unsecured network. Traffic from hosts on the unsecured network flows through interface 1/0 on Bus 1 to hosts on the secured network.
HTH
Regards
Karthik

Similar Messages

  • HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

    Hi all!
    We have a couple of Cisco ASA 5520s running 8.4(3) software, and we want to improve throughput by replacing them with a couple of Cisco ASA 5525-Xs. Since the software is theoretically compatible, we are not going to upgrade it right now.
    We don't want to stop service, so we are thinking about switching off the backup 5520 firewall, replacing it with a 5525-X and balancing service to that one while we change the other 5520 firewall. So the question is, has someone tried to make an active-passive cluster with both technologies, Cisco ASA and Cisco ASA-X firewalls? We were told that it should be theoretically compatible, but we'd like to know if someone has tried it before.
    Best regards for all,

    You cannot make a 5520 establish failover with the mate being a 5525-X.
    1. The configuration guide (here) states:
    The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
    2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

  • How to Enable logging of the ASA 5525?

    I need help to enable logging on the ASA 5525 for all new rules created today from the firewall module, as well as rules changed, deleted and disabled.
    I did not find the ID for new firewall rules at any of the logging levels:
    0 or emergencies—System is unusable.
    1 or alerts—Immediate action needed.
    2 or critical—Critical conditions.
    3 or errors—Error conditions.
    4 or warnings—Warning conditions.
    5 or notifications—Normal but significant conditions.
    6 or informational—Informational messages.
    7 or debugging—Debugging messages.
    Thank you.

    You cannot log only those changes but you can log *all* changes.
    The messages 111008 and 111010 are the ones to look for (as described in this post).
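    As an added example (not from the original thread), a small Python parser that pulls the 111008 and 111010 messages out of ASA syslog and flags access-list entries that were added, removed with "no", or disabled with "inactive". The log lines, hostnames, users, IPs and ACL names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines (host, users, IPs and ACL names are made up)
# in the format the ASA uses for message IDs 111008 and 111010.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw01 %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
Mar  3 10:15:09 fw01 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.2.3, executed 'access-list INSIDE_IN extended permit tcp any any eq 443'
Mar  3 10:15:40 fw01 %ASA-5-111010: User 'admin', running 'ASDM' from IP 10.1.2.3, executed 'no access-list INSIDE_IN extended permit tcp any any eq 23'
Mar  3 10:15:55 fw01 %ASA-5-111010: User 'admin', running 'ASDM' from IP 10.1.2.3, executed 'access-list INSIDE_IN extended permit tcp any any eq 22 inactive'
Mar  3 10:16:02 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.50/51234 (10.1.2.50/51234)
Mar  3 10:16:30 fw01 %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
"""

# 111008: User 'user' executed the 'cmd' command.
RE_111008 = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.?\s*$")
# 111010: User 'user', running 'app' from IP addr, executed 'cmd'
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP '?(?P<ip>[^',]+)'?, executed '(?P<cmd>.*)'\s*$")
# access-list edits: an optional leading "no" and the ACL name.
ACL_RE = re.compile(r"^(no\s+)?access-list\s+(\S+)")


def parse_config_changes(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per 111008/111010 line; every other message ID is skipped."""
    events: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = RE_111010.search(line)
        if m:
            events.append({"id": "111010", "user": m["user"], "app": m["app"],
                           "ip": m["ip"], "cmd": m["cmd"]})
            continue
        m = RE_111008.search(line)
        if m:
            events.append({"id": "111008", "user": m["user"], "app": None,
                           "ip": None, "cmd": m["cmd"]})
    return events


def classify_acl_change(cmd: str) -> Optional[str]:
    """'added', 'removed' or 'disabled' for access-list commands, None otherwise."""
    m = ACL_RE.match(cmd)
    if not m:
        return None
    if m.group(1):
        return "removed"            # "no access-list ..." deletes the entry
    if cmd.rstrip().endswith(" inactive"):
        return "disabled"           # entry stays in the config but is not enforced
    return "added"


def acl_changes(log_text: str) -> List[Tuple[str, str, str, str]]:
    """(user, kind, acl_name, full command) for every access-list edit in the log."""
    out: List[Tuple[str, str, str, str]] = []
    for ev in parse_config_changes(log_text):
        kind = classify_acl_change(ev["cmd"] or "")
        if kind:
            out.append((ev["user"] or "", kind, ACL_RE.match(ev["cmd"]).group(2), ev["cmd"]))
    return out


if __name__ == "__main__":
    for user, kind, acl, cmd in acl_changes(SAMPLE_LOG):
        print(f"{user:10} {kind:8} {acl}: {cmd}")
```

    Point the same parser at a syslog export to get a per-user audit trail of ACL edits; anything not recorded as 111008/111010 (for example changes pushed by CSM) will not appear.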

  • ASA 5525, v9.1.2 - IPAA: Error freeing address ip-address, not found

    Hello everybody!
    The following problem:
    VPN-dial-in on the ASA .
    There are different VPN group policies , each with its own DHCP pool .
    Authentication is performed by the AAA AD .
    Everything works properly.
    However, 3 users of a VPN group cannot dial in. On the firewall this error then always comes up in the log:
    IPAA : Error freeing address 172.24.16.41 , not found
    That address is nowhere else on the firewall , but was once assigned to a user . But this Network Object is deleted now.
    The DHCP pool for this VPN Group goes from .33 to .63 .
    I do not understand why the ASA always wants to take the .41, even if no one else is logged in via VPN.
    No matter which one of the 3 users I take, the ASA always wants to assign the .41 .
    For all the other users that are having no problem, it assumes a different IP from the pool.
    I recreated the pool, created another pool and assigned that pool, and I rebooted the ASA. No luck.
    Also did a "clear arp".
    No improvement .
    Ideas ?
    As I said, all other VPN groups and users have no problems.
    ASA 5525 , v9.1.2
    Thank You!

    Problem solved.
    The user is only allowed to be in one of the VPN groups in the Active Directory.
    Those 2 problem users were in two VPN groups.
    So, problem fixed.

  • Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

    Hello
    I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
    Setup:
    We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
    Configuration in regards to certificate:
    crypto key generate rsa label vpn.company.dk modulus 2048
    crypto ca trustpoint vpn.trustpoint
    keypair vpn.company.dk
    fqdn none
    subject-name CN=*.company.dk,C=DK
    !id-usage ssl-ipsec
    enrollment terminal
    crl configure
    crypto ca authenticate vpn.trustpoint
    ! <import intermediate certificate>
    crypto ca enroll vpn.trustpoint
    ! <send CSR to CA>
    crypto ca import vpn.trustpoint certificate
    ! <import SSL cert received back from CA>
    ssl trust-point vpn.trustpoint outside
    Problem:
    When I try to import the certificate I receive the following error:
    crypto ca import vpn.trustpoint certificate
    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.
    Would you like to continue with this enrollment? [yes/no]: yes
    % The fully-qualified domain name will not be included in the certificate
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----
    quit
    ERROR: Failed to parse or verify imported certificate
    Question:
    - Does any one of you have any pointers in regards to what is going wrong?
    - Especially in regards to fqdn and CN, I also have a question. My config
    fqdn none
    subject-name CN=*.company.dk,C=DK
    would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
    So do you have insight or pointers which might help me?
    Thank you in advance

    I also have a wildcard cert for my SSL VPN ASAs.
    When I import the cert I use ASDM instead of CLI...
    I import the wildcard as a *.pfx file and type in the password. works fine...
    Perhaps the format is incorrect?
    Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
    Not sure if this helps but give ASDM a try?

  • P2P blocking on ASA 5525 with Software Version 8.6(1)2

    Hello,
    We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
    Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
    We have DMZ setup & also inline IPS module.
    Thanks in advance.
    Regards,
    Sandeshc Chavan.

    Hi Chavan , 
    You can try to block this by port. 
    The well known TCP port for BitTorrent traffic is 6881-6889 (and 6969 for the tracker port). 
    The config is
    access-list BLOCK-P2P-TRAFFIC extended deny tcp any any range 6881 6889 log
    And apply it to the desired interface with the access-group command.
    For example:
    access-group BLOCK-P2P-TRAFFIC out interface DMZ
    However Blocking Bittorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
    Also, you can execute the command netstat -a from the cmd on Windows and check the port BitTorrent is using.
    Hope this helps.

  • ASA 5525-X code 8.6.1 downgrade

    Can I downgrade the firewall code to 8.0? It's running 8.6.1 right now.

    Hi,
    Unfortunately, the new ASA5500-X series only supports the newer software levels, from 8.6(1) onwards. To my understanding it shouldn't be possible to downgrade the ASA any lower than that software level.
    Here is a quote from a Cisco document:
    Software
    Q. What software is supported on the Cisco ASA 5500-X Series Next-Generation Firewalls?
    A. The Cisco ASA 5500-X Series supports Cisco ASA Software Release 8.6.1 and later. CWS requires ASA Software Release 9.0.1 or later. The IPS service on the ASA 5500-X Series requires Cisco IPS Sensor Software Release 7.1.4 or later. AVC and WSE require ASA CX Software Release 9.1.1 (Cisco ASA Software Release must be 9.1.1).
    Source:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html
    - Jouni

  • Renaming ASA 5525 IPS

    I have a cluster of 2x ASA 5525s with software IPS modules. I would like to rename the hostname of each of the IPS modules. This is easy enough, but I was wondering how this affects the reporting data in IME. I know the IPS name is used as a PK field in IME so you can't edit it. I'm worried that if I delete the devices from IME and re-add them with their new hostnames, the historic data for the sensors will be lost. Is there any way around this? Will IME automatically pick up the new hostname from the IPS, meaning I won't have to re-add them?

    Thank you very much.
    I re-imaged the IPS and ran "show module" and "session ips":
    ciscoasa# show module
    Mod Card Type                                    Model              Serial No.
      0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            FCH1623704D
    ips ASA 5525-X IPS Security Services Processor   ASA5525-IPS        FCH1623704D
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 a493.4caa.50b3 to a493.4caa.50bc  1.0          2.1(9)8      8.6(1)
    ips a493.4caa.50b1 to a493.4caa.50b1  N/A          N/A          7.1(4)E4
    Mod SSM Application Name           Status           SSM Application Version
    ips IPS                            Up               7.1(4)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
    ips Up                 Up
    Mod License Name   License Status  Time Remaining
    ips IPS Module     Enabled         perpetual
    When logging in to the IPS it displays:
    ***LICENSE NOTICE***
    There is no license key installed on this IPS platform.
    The system will continue to operate with the currently installed
    signature set.  A valid license must be obtained in order to apply
    signature updates.  Please go to http://www.cisco.com/go/license
    to obtain a new license or install a license.
    Why no license!!

  • ASA 5525 IPS

    I have an ASA 5525 and the license with IPS, but I don't know how to use the IPS. Can anyone tell me?


  • ASA 5525 firewall Trace Route.

    Hi,
    We have an ASA 5525 firewall, and whenever I am performing a traceroute passing through the firewall I am not getting any hop after the firewall (the firewall IP is also not showing in the traceroute).
    I have allowed ICMP and also configured ICMP in the policy-map global_policy.
    Please help me to resolve this issue.
    Regards,
    Dheeraj

    Hi Dheeraj,
    The firewall blocks traceroute as it doesn't decrement the TTL value by default. You would need the following to enable the same:
    Make the Firewall Show Up in a Traceroute in ASA/PIX
    ciscoasa(config)#class-map class-default
    ciscoasa(config)#match any
    !--- This class-map exists by default.
    ciscoasa(config)#policy-map global_policy
    !--- This Policy-map exists by default.
    ciscoasa(config-pmap)#class class-default
    !--- Add another class-map to this policy.
    ciscoasa(config-pmap-c)#set connection decrement-ttl
    !--- Decrement the IP TTL field for packets traversing the firewall.
    !--- By default, the TTL is not decremented, hiding (somewhat) the firewall.
    ciscoasa(config-pmap-c)#exit
    ciscoasa(config-pmap)#exit
    ciscoasa(config)#service-policy global_policy global
    !--- This service-policy exists by default.
    WARNING: Policy map global_policy is already configured as a service policy
    ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
    !--- Adjust ICMP unreachable replies:
    !--- The default is rate-limit 1 burst-size 1.
    !--- The default will result in timeouts for the ASA hop.
    Cheers,
    Naveen

  • DNS Resolution in Cisco ASA 5525

    Hey all,
    I will begin by telling you what my end goal is: I am trying to block specific websites on our Cisco ASA 5525 using FQDN. I know that this functionality for DNS resolution was not implemented until a specific version.
    Current Version: Cisco ASA 5525
    ASA Version: 8.6(1)
    I can ping external addresses from the ASA; however, I cannot ping hostnames, e.g. "ping google.ca" does not work.
    What I've done:
    dns domain-lookup inside
    dns domain-lookup outside
    name-server x.x.x.x (Primary internal dns server)
    name-server x.x.x.x (Secondary internal dns server)
    name-server 8.8.8.8 (Google external dns server)
    name-server 8.8.4.4 (Google external dns server)
    domain-name example.com
    With this config I can, however, ping hostnames of internal servers.
    This is an example of me pinging an external hostname.
    ciscoasa# ping google.ca
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:
    No route to host 2607:f8b0:4009:803::101f
    Success rate is 0 percent (0/1)
    Any ideas?
    Thanks!

    officeasa# ping www.google.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:
    No route to host 2607:f8b0:4009:802::1012
    Success rate is 0 percent (0/1)
    John, due to the sensitive nature displayed within show route output, is there any other information I can tell you, what exactly did you need to see from this information?
    (I know without certain information you cannot help but I need to ensure security on my end)
    Thanks for understanding.

  • NAT issue on ASA 5525 8.6(1)

    Hello Experts,
    We have recently installed new 5525 8.6(1) ASAs. Our setup is as follows: we are using a public IP for the web server, which needs to be mapped/NATted to the internet VIP address, and that VIP is configured on an F5 LB. The setup is below; this public IP is the web server IP. The firewall gets hits, but the web server page is not being displayed. In the logs the FW builds the TCP connection but then tears down the session, syslog id (302014) 77 TCP Reset-I.
                              |INTERNET|
                                     |
                                     |
                             195.201.55.X
                                [ ASA ]
                              Natting to
                             10.100.100.151
                                  [ F5 ]
                                    |
    Real Servers---> .150   .151
    NAT Config is;
    nat (DMZ1,OUTSIDE) source static 10.100.100.151  195.201.55.X
    Your help will be appreciated if you can provide the right nat config;
    Regards

    Hi Jouni,
    The packet tracer looks good, all green tick boxes. I need to install Wireshark on the servers to make sure they are getting the request from the firewall.
    The funny thing is, on the firewall if I change the NAT, say, from public IP translated to the real IP of the servers, then it works perfectly. But as soon as I change the NAT rule, i.e. public IP translated to the VIP address, then it doesn't bring up the webpage, though I can ping the VIP address from the firewall, and the VIP address is in the same subnet as the FW and F5 boxes with a /24 mask! E.g. the FW int IP is 10.100.100.1, the F5 connecting to the FW is 10.100.100.3 and the VIP is 10.100.100.151/24.
    Akshy,
    On the FW I did the TCP ping, but it doesn't work. Like I said, I will install Wireshark on the server and then will see if it works.
    Many thanks guys for your quick response and help. I will let you know the result.
    Regards

  • Adding the ABAP code to SAP Query to support Query's ALV Double click.

    Hi, Expert.
    I need to add some ABAP code to a SAP Query (or InfoSet) to support the double-click event on an ALV cell of the query result.
    Is it possible, and how do I do it?
    Thank you very much.
    Best Regard
    Nattapash C.

    Hi, Gautham.
    I've put BREAK-POINT in all code sections, e.g. INITIALIZATION, END-OF-SELECTION.
    I found there are some sections for adding code that will be executed while the query is processing, before output of data to the ALV.
    What I need to know is where I can put the code after the ALV output, to support the double-click event on the query's ALV cell.
    Best Regard,
    Nattapash C.

  • Etherchannel support for ASA 5585X

    Hi there, just trying to find out which versions of the ASA 5585X support the EtherChannel features.
    Thanks
    Prabs

    Hi,
    To my understanding any ASA (except the ASA 5505) from 8.4(1) onwards can use EtherChannel.
    Quote from Cisco document:
    Interface Features
    EtherChannel support (ASA 5510 and higher)
    You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
    Note: You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
    We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
    We introduced or modified the following screens:
    Configuration > Device Setup > Interfaces
    Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
    Configuration > Device Setup > Interfaces > Add/Edit Interface
    Configuration > Device Setup > EtherChannel
    Source:
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273
    Here is also a link to the "interface" command for Etherchannel
    http://www.cisco.com/en/US/docs/security/asa/command-reference/i3.html#wp1932200
    Hope this helps
    - Jouni

  • Which routing protocols are supported on ASA 5585

    Hi,
    I am curious to know which routing protocol is well supported on the Cisco ASA 5585. Has someone on the forum implemented routing on the ASA?
    I have an ASA 5585 in context mode; as of now 4 contexts have been created. The upstream device is a Nexus.
    I have the ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
    If someone can point me to a good implemented example of a routing protocol in their environment (like OSPF, BGP) that would be great.
    Thanks

    You're welcome.
    Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
    ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
    FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)
