Cisco :: ASA5540 - Run Firewall To Display MTU Packet Size Being Received On Interface?

Jul 5, 2012

I have a ASA5540 firewall set-up with an interface MTU of 1500.  
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this.  Any command that can be run on the firewall to display the MTU packet size being received on an interface?
We are also running Solar Winds so could query an OID if such a variable exists.

View 1 Replies


Cisco Firewall :: ASA5540 Management Interface IP Addressing?

May 9, 2011

How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed

View 1 Replies View Related

Cisco Firewall :: How To Clear Input Errors In ASA5540 Interface

Feb 26, 2013

My Expertise with Cisco ASA is Very less. I have observed Input errors in a Couple of Interfaces in Cisco ASA 5540 Firewall.   [code] I need to Clear the Input errors on this particular Interface.Will Clear interface GigabitEthernet 0/0 will work?

View 4 Replies View Related

Cisco Firewall :: ASA5540 - No ICMP Reply From Inside Sub-interface

Apr 28, 2013

I need to monitor with ping the inside sub-interface of my ASA5540, is that possible? I get the ICMP requests but no replys going out from the box.
 I need to ping the from the
ASA Version 8.0(5) 
interface GigabitEthernet0/1
nameif inside


View 2 Replies View Related

Cisco Firewall :: 5510 Change Dashboard To Display More Meaningful Interface

Dec 27, 2010

We've recently shut down an interface on one of our ASA 5510s as we no longer use that service provider.  The dashboard, however, still insists on showing traffic usage on this interface.  How do I change the dashboard to display a more meaningful interface?

View 7 Replies View Related

Cisco :: ASA Received Large Packet?

Jan 13, 2011

I've got a lot of these messages in my logs from SVC users:Code:

View 13 Replies View Related

Cisco :: Packet Didn't Received By Host

May 12, 2011

Problem Host A unable to reach Host B, trace route from Host A it reach to Router B but the packet unable reach to the Host B here the 1st level troubleshoot I did

1. Traceroute and ping success from router A to host B

2. Ping success from router B to host B success

I wonder the packet reach to router B but it didnt pass to Host B.

View 5 Replies View Related

Cisco VPN :: ASA5540 L2L IPSec And Packet Filtering

Mar 24, 2013

I need to set up several L2L ipsec tunnels using ASA 5540 (8.2) as a central node and ASA 5505s (8.4) for branch offices. So far I've configured ipsec for the sake of testing between a 5540 and one of 5505, but it blocks ICMP between hosts behind ASAs. Although there's an echo response from 5540's inside interface ( to echo requests from a host behind ASA 5505 and I see ipsec counters growing. I still can't figure it out despite hurting my eyes with cisco manuals for the relevant ASA software versions.

One thing I couldn't understand in the 8.4 documentation - it says I need ACLs to allow ipsec traffic on outside if I don't NAT/PAT it. Isn't it achieved with "sysopt connection permit-vpn" or do I have to do it manually? I've actually tried adding access-groups for the "in" traffic on outside and those ACLs get hits on both ASAs.
The packet-tracer shows some weird DROP at phase 6 on 5505, but I see no rule denying this traffic and the description doesn't mention implicit rules. [code]

View 1 Replies View Related

Cisco :: (Received Encrypted Packet With No Matching SA / Dropping)

Jun 24, 2011

Got to set up a site to site VPN to one in a clients office and we're struggling to get Phase 2 working, just seems to loop around saying "Received encrypted packet with no matching SA, dropping" which to me means the ACLs arent mirrored correctly?

View 3 Replies View Related

Minimum Acceptable Size For Preamble In Ethernet Packet

Jun 5, 2012

I want to know that what is the minimum acceptable size of preamble in ethernet frame. if it is less than 7 bytes before sfd begins , will the packet drop?

View 1 Replies View Related

Cisco WAN :: 7204 - Small Packet Size And Full BGP Table

Feb 7, 2012

I'm looking for a Cisco device to run a full BGP table with a 60Mb link. And one of the main restrictions is that my traffic is almost 100% real-time (voip). So the average packet size is small. Today we own a Cisco 7204 NPE400 with 512Mb RAM. I think even though I upgrade it to a G2, due to the small average packet size, the router will be near to its limit. Maybe a Cisco 7300 NSE-150? Or should I think about a switch?

View 3 Replies View Related

Cisco VPN :: Cannot Ping Packet Size Larger Than 9200 Over IPSec On ASR

Feb 22, 2011

I have an existing site-2-site VPN between a Cisco 2621 router (IOS 12.3) and Cisco 1841 (IOS 12.3) and I can ping packet size of 17000 over the IPSec tunnel without any issue:c2621#ping source f0/1 repeat 20 size 17000,Type escape sequence to abort.Sending 20, 17000-byte ICMP Echos to, timeout is 2 seconds:Packet sent with a source address of!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (20/20), round-trip min/avg/max = 144/146/148 msc2621#I replaced the Cisco 2621 with a more powerful ASR 1002 running IOS version asr1000rp1-adventerprisek9.03.01.00.S.150-1.S.bin.  However, I can not ping packet size larger than 9200 over the IPSec tunnel:Feb 24 02:42:52.362: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:00 Thread:015 TS:00000015834854465792 %IPSEC-3-PKT_TOO_BIG: IPSec Packet size 10072 larger than maximum supported size 9216 hence dropping it.Success rate is 0 percent (0/10)asr1002# Why is not working?  Basically the more expensive ASR router can not perform the same task as the old Cisco 2621 router.

View 6 Replies View Related

Cisco Switching/Routing :: 2600 - Source IP Set To Public When Packet Received

Mar 27, 2012

We have Cisco IP phones behind a 2600 series router:Most of the time when the PBX receives a packet from the phone, the source IP of the packet is set to the public IP of the router ( as expected. However, once in a while, we get packets (at the PBX) with the source IP set to the private IP of the phone ( router is configured by our provider, and they can't give us any explanation for this behaviour. Is it safe to assume that PAT is not configured properly at the router?

View 2 Replies View Related

Cisco Switching/Routing :: 4500 / Packet Received With Invalid Source MAC Address

Sep 3, 2012

Most of the 4500 Switches in our network are giving the similar error for so many ports
%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 1 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on p  t Gi2/6 in vlan 100
Its impossible to do a wireshark packet tracing for all the ports. 

View 2 Replies View Related

Cisco Switching/Routing :: 4507 - Packet Received With Invalid Source MAC Address

Feb 14, 2012

Issue I am having with a Cisco 4507? Below is the error i am receiving.
Feb 14 10:06:09 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 508 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
Feb 14 18:44:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 119 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
Feb 15 00:51:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 366 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112


View 9 Replies View Related

Cisco Firewall :: ASA5585X - Packet Rate On Inside And Outside Interface Doesn't Match

Oct 24, 2012

I am doing some per-deployment testing with a ASA5585X and noticed that when I feed it a stream of SYN packets on the outside interface the measured traffic rate on the inside interface going out is about 10x the rate of the outside interface going in.
laptop ---  ASA --- PC
I send 6k TCP SYN pkt at interface rate from the laptop targeted at PC. No packets are dropped by Ac Ls or policies and can be sniffed at the PC.
Show interface commands show:
sh int inside:
... ...
  Traffic Statistics for "inside":
1 minute input rate 23 pkt/sec,  1303 bytes/sec
1 minute output rate 4454 pkt/sec, 820757 bytes/sec
sh int outside:
... ...
Traffic Statistics for "outside":
1 minute input rate 885 pkt/sec,  70847 bytes/sec
1 minute output rate 7 pkt/sec,  425 bytes/sec
I would expect that if 885 pkt/sec enter the firewall on the outside interface the same amount or less would exit it on the inside...? Why this is not the case? The packet rate is about 5x and the data rate is about 10x greater.

View 6 Replies View Related

Cisco Application :: ACE 4710 MTU Size On Interface

Jun 13, 2011

I have a Problem with an an ACE4710 Setup. Between my 2 Ace's there are Switches which don't Support Jumbo Frames - Is there a way to configure the Interface on the ACE to an Standard MTU Sive (15xx) ,I'm using SW-Version A3(2.7). 

View 2 Replies View Related

Cisco Security :: ASA5540 Interface Input Errors - Overrun

Nov 16, 2009

Why packets overrun are incrementing on the ASA even when I've only 40Mbps of throughput traffic?All interface are 1000- Full Duplex, both on ASA and on Catalyst3750.I've test the ASA5540 generating GET HTTP, about 40Mbit of traffic.When I use one ingress interface and one egress interface, interface input overrun counter is zero.When I use the same traffic with 3 ingress interfaces(slot0) and 3 egress interfaces(slot1), interface input overrun counter increase(60k overrun in only 2 minutes).

View 4 Replies View Related

Cisco WAN :: 1921 / Multicast Not Received Properly Via Bridged Ethernet Interface

Jun 9, 2011

Using a small network (WAN) with three 1921 routers (IOS 15.1(T)) connected via E1 links. One host (industrial PC - core 2 due running Win XP Pro) connected to each router. The spare Gigabit Ethernet port on each router is bridged with the active one (so a portable management PC (laptop) can be plugged in there and communicate with the router and the industriual PC.
Multicast routing strategy between the routers is as per "Anycast - Static RP", with PIM sparse-mode enabled on all interfaces and sink RP defined on all three routers.
Problem occurs when a (IPV4) multicast application on one PC communicates with the others:
(a) IGMP V2 membersip reports etc. work correctly at the sender and at the other two PCs receiving the multicast stream

(b) Multicast routing on the WAN is working correctly; running Wireshark on the receiving PCs shows that multicast data is received on the expected group.

(c) But, there is an error in the Ethernet packets

i. The first packet's Ethernet header contains the correct destination MAC address 01:00:5E:aa:bb:cc where aa:bb:cc match with the last three octets of the mulicast group's address, and that packet is received OK by the listening multicast application

ii. However, subsequent packets' Ethernet headers have the wrong MAC address 01:00:5E:00:00:00 (the last three octets are all zeroes and these packets are discarded by Windows on the receiving PC and not seen by the multicast application.
Problem is related to the presence of integrated routing & bridging; if I delete the bridge virtual interface,disable bridging and give the two Gigabit Ethernet ports their own IP addresses, the multicast reception works correctly; all received multicast packets have te expected value on the destination MAC address (matching the group address)I have used the same integrated routing/bridging configuration successfully on Cisco 2611 and 2811 routers and there was no such issue with the multicast packets.Have I overlooked some subtle aspect of configuration in the 1921 router or have I uncovered a bug...?
For reference - snippets from router configuration scripts
In the non-working configuration (with Integrated Routing & Bridging)
 interface GigabitEthernet0/0
no ip address
duplex auto
speed auto

In the working configuration all the bridging is gone and the two Gigabit Ethernet interfaces have a very plain & simple configuration in different subnets
interface GigabitEthernet0/0
ip address
no ip directed-broadcast
ip pim sparse-mode
duplex auto


View 7 Replies View Related

Cisco Switching/Routing :: Nexus 7000 Determining Jumbo MTU Size On Interface

Feb 7, 2011

I am trying to determin if Jumbo frames are enabled on out Nexus 7000, and I am getting mixed info back from the swtich.I looks like the system jumbo MTU size is 9216 by default, but the interfaces all say the MTU of the interface is 1500 bytes. According to this article, the interface MTU should read 9216 is the jumbo frames are enabled globally. Is this correct. Is there a way to verify if Jumbo frame support is turned on? [code]

View 4 Replies View Related

Cisco Wireless :: WLC 5508 - Ignoring Primary Discovery Request Received On Interface

Jan 13, 2013

Im receving this error on my syslog server: capwap_ac_sm.c:1443 Ignoring Primary discovery request received on non-management interface (2) from APalready checked the configuration and everything seems ok. They are registered and with clients associated.What could be the cause?

View 2 Replies View Related

Cisco :: One Of ASA5510 Ethernet Interface Always Display Red Light?

May 21, 2011

I find that one of the ethernet interface of ASA5510 always display RED light

View 3 Replies View Related

Cisco Switches :: SG 300 Web Admin Interface Does Not Display Properly

Nov 11, 2011

Went to log into the web admin interface on my SG-300 today and I get this in both IE and Firefox:
I'm not able to login by typing user/password and just pressing enter. I've tried power-cycling the switch, however, since the power cycle, the font-panel system LED has been blinking green. I seem to recall, though I can't locate the reference now, that this means the switch is running with factory settings, but that cannot be right because:
1. I had previously saved a new configuration on the switch, which it should be using now.

2. It is answering on the configured non-factory IP address -- just not rendering the web admin interface successfully.
I've had this unit for approximately a month. This is not the first issue I have had with this unit (see: [URL] and I'm experiencing some strange LAN speed issues since I installed it. Do I need to RMA this thing?

View 1 Replies View Related

Linksys Wireless Router :: E4200 - Few Seconds For Web Interface To Display

Jul 16, 2011

I have a E4200 setup for 2.4 & 5G running the latest firmware. When I connect to the router wireless and log in, it takes a few seconds for the web interface to display. Same happens when switching to the different config tabs. Is there any reason for this? I would think it would be immediate but it takes anywhere from 3-5 seconds for IE9 to respond.

View 2 Replies View Related

TP-Link ADSL2+ Wireless :: TD-W8970 Web Interface Doesn't Always Display Fully

Mar 13, 2013

Region : UnitedKingdom
Model : TD-W8970
Hardware Version : V1
Firmware Version : 0.6.0 0.11 v000c.0 Build 121203 Rel.46289n

However, when I initially connect to the router, either on the LAN or remotely via the internet, the router takes a long time to display the initial page (up to 1 minute) and then usually displays the page without any variable data included. Frequently it also fails to show the menu on the left either. By hitting Refresh several times, eventually it will load the page fully.

View 2 Replies View Related

Cisco Firewall :: ASA5540 - EAL4 Transparent Firewall Config

Mar 14, 2011

I am configuring an ASA5540 firewall for a client, only difference to usual being that it is to run in Transparent mode. I have looked through for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used.The clients security bod has now come back and insisted MAC filtering should be used but I can find no reference of this anywhere. Does MAC filtering is required to make a transparent box EAL4 compliant and if so where I can find documentation supporting this?

View 1 Replies View Related

Cisco Firewall :: VPN Between ASA5540 And Router

Sep 10, 2008

I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.

View 28 Replies View Related

Cisco Firewall :: K-value Mismatch With EIGRP On ASA5540

Mar 7, 2011

I have an ASA- 5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with same AS# and network numbers and no auto-summary.   Here are the log messages I got:
Mar  8 15:11:08: %PIM-5-NBRCHG: neighbor UP on interface Vlan150 (vrf default) Mar  8 15:11:08: %PIM-5-DRCHG: DR change from neighbor to on interface Vlan150 (vrf default)
Mar  8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Vlan150) isup: new adjacencyMar  8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Vlan150) isup: new adjacency
Mar  8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Vlan150) is down: K-value mismatch
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
What causes a K-value mismatch, and how to I rectify the situation?

View 1 Replies View Related

Cisco Firewall :: ASA5540 Configured With Standby IP

Aug 6, 2012

I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.However, the standby ip of this firewall is not point to the secondary firewall and vice versa for the primary firewall. [code]

1) May i know how is this configuration valid in the first place? I have checked through the configuration. None of the configuration is related to this ip address.
2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?
3) We tried to use this ip address but cannot be used ? Is it related to the configuration of the standby ip address.Do note that the ping to this ip address x.x.x.120 is unreachable.

View 1 Replies View Related

Cisco Firewall :: One ASA5540 With Two 3750 Connections

Jan 9, 2013

i have two CAT3750 need to place in L3, and it supposed that used as L3 switches by SVI for L2 routing, and I want to these two configured as redundancy by HSRP. but now I can only have one ASA5540 to connects these of L3 switches.
so, here is my questions:
1. does ASA5540 support multi vlan?

2. does it support spanning tree protocol?

3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?

4. achive network redundancy

View 3 Replies View Related

Cisco :: Packet Loss In Side Interface?

Oct 27, 2011

I had all kinds of packet loss and I was ofcourse suspecting my ISP. But then I tested pinging my internal interface and found that it has packet loss as well. I have about 10% packetloss to my interface with, I have the same thing from several different inside hosts. My inside rule is the implicit one, any, any. service IP.In the log I can see a teardown and build of the icmp whenever the packet loss accour.There is no packet loss pinging the outside interface from the internet.

View 3 Replies View Related

Cisco Firewall :: ASA 5550 - How To Change The Context Size

Nov 6, 2011

I'm having a problem with a context, I have two CISCO ASA 5550 (failover) and also we have the CISCO CSM to monitoring it, but since some weeks is showing a memory usage of 100% but then it drops until reach zero and then again the graphic goes up. This is the second time that the graphic shows this
I also check this on the CLI and i'ts fine because is showing the real percent, so my question here is why is showing this kind of behavior, I mean it was working fine before.
In the other hand I checked the secondary device and this is showing a 99% of used memory, but as the other one this graphic doesn't drop
I also checked via CLI and it says that it had the 99% memory used , Is there a way that i can put more memory on the context or what do you suggest that I can check on my firewalls.

View 1 Replies View Related

Cisco Firewall :: Config Migration From ASA5540 To An ASA5545-X?

Jan 22, 2013

Customer has a ASA5540 at their main location and need a new ASA5500 for a DR site.
Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or what ever?
They are going to be using it as a VPN concentrator primarily.
Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X? Or if they upgrade to 9,0(1) or higher, then they should be the same?

View 2 Replies View Related

Copyrights 2005-15, All rights reserved