Cisco Firewall :: 5520 - Different DMZ Behavior After Upgrade To ASA 8.4(4)
May 23, 2012
I upgraded a pair of ASA 5520s from ASA 8.3 to ASA 8.4(4) this week and now my DMZ hosts cannot reliably communicate with eachother. I have a DMZ network of 10.20.20.16/28 configured. 10.20.20.17 is the ASA/Gateway and 10.20.20.19 is one host and 10.20.20.20 is another host. These two hosts had no problem communicating with eachother before the upgrade. Now, they usually cannot communicate with eachother. Occasionally they can communicate, but only for a few minutes. What is strange is I never had any access lists for these hosts to talk with eachother before the upgrade (because their traffic to eachother should have never reached the firewall) but now I needed to create an access list on the DMZ interface allowing these two hosts to talk. ICMP works fine, but only if the ACL is in place. TCP rarely works.
We have instructed our user community to start their VPN sessions by connecting to our ASA 5520 with a browser to download (if necessary) and initiate the Anyconnect essentials VPN client. Everything was working fine until a few days ago.
We have had several people report the same problem. They connect with the browser, enter their login information and are greeted with our "authorized use only" message by the ASA. Then, instead of downloading (if necessary) and starting the VPN client software, the web page just goes back to the login prompt without displaying any error message. The client software is never downloaded or started.
We've been able to work around this by installing the client software manually (where necessary) and starting the VPN client from the start menu. However, this isn't our preferred solution because this method won't have them automatically picking up updated versions of the VPN client.
We have seen this behavior before when there was a pending Java update that had not been applied. However, that doesn't seem to be the case this time. Clients have recently updated to IE9, but I have personnally been running the Anyconnect client and launching through IE9 for months.
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
We wish to upgrade 8.2(3) to 8.2(5) on our asa 5520 and 5510. I have been looking for Cisco guides for installation instructions but havent been able to track any. or is it just as striaght forward as copy image, reboot secondary and the primary
I have a 2 ASA 5520 firewalls for high availability and need to upgrade IOS from 7.2(4) to 8.2 or latest. What could be the better way and upgrade procedure. Below is show version details and IOS upgrade to latest.
Cisco Adaptive Security Appliance Software Version 7.2(4)Device Manager Version 5.2(4) Compiled on Sun 06-Apr-08 13:39 by buildersSystem image file is "disk0:/asa724-k8.bin"Config file at boot was "startup-config"
IGN-ASA-1 up 45 days 17 hoursfailover cluster up 45 days 17 hours Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHzInternal ATA Compact Flash, 256MBSlot 1: ATA Compact Flash, 512MBBIOS Flash M50FW080 @ 0xffe00000, 1024KB
We have 2 ASA 5520s in active/standy. We run IOS 8.2(5)24 and I wondered if I need to upgrade as I see the versions have gone to 8.4 and beyond! We are not getting any issues and I'm aware of the difficult migration from 8.2 to 8.4 etc due to the NAT change.
I have a couple of ASA5520 and ASA5550, and I wanted to know if it is worth it to upgrade the software from 8.2(4) to 8.2(5)? Because of the RAM I cannot upgrade to 8.3 for now.
We are currently on 8.0(4) and planning on upgrading our failover pair to 8.4.2, I read some documents saying that we can perform a zero downtime upgrade.
According the below documents Version 8.2 supports mismatch memory failover, [URL]
Upgrade Path:
Active Firewall: Standby Firewall: 8.0(4) 8.0(4)-->8.2.2 8.0(4) Upgrade RAM-2G---Reload faiover to standby 8.2.2 8.0(4)--->8.2.2 8.2.2
[code]...
Can I perform zero downtime upgrade with the above upgrade path? Will both the firewalls act as a failover pair if one is on 8.2.2 and other is on 8.4.2.
"Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support." [URL]
In the last 8 month I have been upgrated at least 6 Cisco ASA 5505 from 8.2(1) to 8.4(3) without problems, I did a minor changes and all related to rules due a problem with the migration.
I'm trying to implement some best practices for ASA running on Software Release 8.2 and had a question about the default security-level behavior. Let's say I have 3 interfaces...
I have an ACL on the inside interface allowing http access to anywhere. Because of the ACL, the implicit higher to lower security level access is nullified. Correct?
I do NOT have any ACL on the dmz interface applied. So, would the servers in the dmz be allowed outbound access to the Internet due to the default higher to lower security level behavior?
I need to upgrade the ASA 5520 from OS 8.2(5)26 to 8.2(5)33. the ASA only has 64M of flash. I have a 256M flash card. What are the steps to upgrade the flash? I am not sure how it will boot up because the new flash will be blank?
I have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
The approach I am thinking of is simply as follows;
- upload images onto both firewalls in the HA pair - On the standby from the CLI clear configure boot
last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
"Multiple sessions per tunnel are not supported"
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several month in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units. And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.
I was trying to upgrade from 8.3.1 to 8.3.2. but I am unable to copy via tftp to the ASA flash or disk0:
ASA5520# copy tftp: flash: Address or name of remote host []? 10.88.127.153 Source filename []? asa831-k8.bin Destination filename [asa831-k8.bin]?
[code]....
Half way thru writing to the disk, it goes for a reboot. There is more than enought space on the disk0. I tried copying via a Compact Flash, but the ASA is not detecting the Compact Flash (which I thinks should be disk1). I tried copying a asdm file, even that also went for a reboot.I am stuck now, unable to upgrade
I need to upgrade the flash memory of the ASA 5520 from 256Mb to 512Mb. As far as I realized the built-in flash memory called system compact flash and there is also an empty slot which it is possible to install a user flash.
What is the difference between user and system compact flash? and for upgrade can I just insert the user compact flash or do I need to upgrade the system compact flash? Where can I find the part number for each type?
I have asa 5520 k8 model presently i am running with IOS version 8.0(4) i am upgrading to 8.2(5) is ? any license required from Cisco to upgrade to this IOS, and also let me know how many site to site vpn can be configure on this device.
Licensed features for this platform: Maximum Physical Interfaces : Unlimited Maximum VLANs : 150 Inside Hosts : Unlimited Failover : Active/Active [code]...
This platform has an ASA 5520 VPN Plus license. Serial Number: JMX1051K2S5.
I have a project to upgrade an ASA 5520 to 9.1.x, then add another ASA for failover. What will be the correct way ?
I had the 2 Gb memory.
I have rewritten all nat statements (during my other 8.2 to 8.3 or 8.4 upgrade project, the nat conversion was catastrophic, so I rewrite all now).
Can I upgrade directly to v9 ? Or 8.2 -> 8.4 -> 9.1 ?
I think to :
- inject actual config in the new ASA in 8.2 - remove nat statement - upgrade to 8.4 - configure new nat - upgrade to 9 - connect the new ASA to the network and deconnect the other ASA - test - upgrade old ASA to 8.4 or 9 directly ? - configure failover
I am going to be updating the IOS on our Cisco ASA 5520 from verion 7.0(8) to 8.2(5). I am also going to setup AnyConnect. Are there any major changes in the 2 IOS versions that I need to be aware of or will the config work in either version? Also, we are currently using the Cisco VPN Client to connect to our network. Will that still work after the upgrade?
In case I configure duplicate IP addresses to the same VLAN(two interfaces in VLAN 1100 have IP address 192.168.2.2) I see following ARP messages rapidly(those six messages were received in less than 2ms time-frame)
I am researching on the behaviors of routers when MTU is increased beyond the MTU set in the routers. Also, when I use jumbo frames instead of normal MTU, how does it affect the network. So, what I plan to do is
LAN_A -- > blackbox --> WAN --------> WAN --> blackbox --> LAN_B
All the traffic coming from LAN_A will be of size 1500 Bytes or less. The blackbox in the center will add an overhead of 4 bytes, recalculate the CRC and transmit the packet on the WAN side. I wanted to know that:
1- if my LAN router and WAN router, both are set at 1500 MTU, then will WAN router drop the packet if it receives a packet greater than 1500B ?
2- If i keep my LAN side to 1500 MTU and I switch my WAN router to Jumbo frames, how will this configuration affect the complete network ? Will it work or not ?
3- I want to add the overhead on every packet coming in from LAN side, so, what options do I have to achieve this goal ?
We have a lab network set up with a 7609 router as the central core. Scenario: Laptop with a SIP client. In the lab is a session border controller that will route signaling and media to a SIP gateway with a call agent (172.23.112.201) and a media "handler" (172.23.113.6). The call processing device will forward packets to an RF network (108.x.x.x) where an NCS cable modem sits.Call signaling works perfectly fine. However, RTP traffic from the laptop to the NCS phone is getting routed incorrectly. RTP traffic from the phone to the laptop works fine. [code]
Packet captures show the laptop to phone RTP packets are being routed back towards the corporate router. These time out with ICMP TTL exceeded packets. There are static routes for 172.23.113.0/27 to the optical interfaces that go to the SIP gateway. Interestingly, I can ping an IP on the SIP gateway (not used for media, but is pingable) in that static range (172.23.113.1) just fine from the 7609 (i.e. it's not getting routed to the corporate router). Unfortunately, the IP for the media endpoint on the SIP gateway is not pingable. Config for the 7609 is attached.
Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56. Switch 56 can ssh into Switch 55 and ssh into Switch 57 Switch 57 can ssh into Switch 55 and ssh into Switch 56
The software on .56 is:
C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
I noticed on .56, when I do a show ip ssh I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others even when I configure version 2. Is this a bug I am running into?
We upgraded and re-configured two existing ASA5520 platforms in order to provide an SSL VPN solution for one of our customers.
The customer opted to deploy AnyConnect Essentials the functionality / features they required for day one were catered for in the Essentials license and budget constraints meant Premium licensing could not be included in the original deployment.
The licenses added to the system were: L-ASA-AC-E-5520= AnyConnect Essentials VPN License - ASA 5520 (750 Users) ASA-AC-M-5520 AnyConnect Mobile - ASA 5520 (req. Essentials or Premium)
The customer is now seeing a growing number of mobile devices and wishes to support the BYOD culture growing within the business; as a result we now need to use features available in AnyConnect Premium. I am aware from reading the following document [URL] that AnyConnect Essentials and Premium licenses cannot co-exist on an ASA; I need to ensure we purchase the appropriate upgrade for the customer.
Is there an SKU to upgrade / migrate an existing Essentials deployment to Premium? I've reviewed the licensing guide and price list but cannot find a method which enables this transition.
Document at url... is quite interesting,One of these goes about the behavior of a switch (2960-S and 3750G) when QoS is not enabled vs the one when QoS is simply enabled with "mls qos".What additional commands, beside "mls qos", would be needed so as to simulate as accurately as possible the switch's behavior when QoS is not enabled?
I configure multiple static RPs and one of the ACLs denies a source will it move on to the next entry that covers it in another acl? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239.Will that work correctly, i.e. if a source is trying to register with the router and its for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
I've just been testing QOS on 3560 with version 15.0(1) and it seems the the default qos trust behavior on access ports has changed. By default the trust state of a port is not to trust anything, however rather than rewriting the DSCP value of the incoming packets and settign it to 0 the switch now seems to leave the DSCP value unchanged.
SW04-C3560(config)# do sh mls qos int g0/2 GigabitEthernet0/2 trust state: not trusted trust mode: not trusted trust enabled flag: ena [Code]......
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
