Cisco Firewall :: ASA 5500X - Next Generation Firewall - Cluster Licensing
Apr 26, 2013
I'm working on a BoM for a customer and I need to offer an ASA5525-X pair in HA with AVC and WSE subscription. I have two questions:
1) In order to use AVC and WSE I need the ASA bundle that includes the SSD HD, right? (ASA5525-SSD120-K9)
2) In order to have both ASAs in HA, do I need to order two subscriptions (ASA5525-AW3Y-PR) or only one that is "shared" in the cluster?
Jun 9, 2013
I need to know whether the Cisco ASA next generation, especially the ASA 5515X, supports PBR or not, and how to implement it. Also, if I have many internet connections and I need to dedicate 2 ISPs' ADSL internet lines to a certain service (such as mail), so that if the 1st fails the 2nd line comes up to provide redundancy with it: is this available on the Cisco ASA next generation?
Mar 15, 2012
We currently had to RMA both PIX 525s due to increasing CRC errors. After swapping the old ones with the new we are still seeing CRC errors on all gig interfaces. We have swapped the gig NICs and the SFPs and the fiber patch cables, yet still the CRC errors continue to climb.
Another thing that's interesting is that when we disconnect the secondary we see an increase in throughput.
May 23, 2011
A customer has 2 PIX 525s with ver 7.0.1 in a failover configuration with a serial cable, 2 SC fiber interfaces and 2 FastEthernet, 1 used for failover. The strange behaviour is that when I try to pass traffic from inside to DMZ or DMZ to inside, the maximum transfer is 862Kb/s to 1MB/s, not more. I don't understand what's happening. The show mem and show cpu are normal: 7% mem used and 1-2% CPU used. Attached you will find the configuration.
Dec 5, 2012
I bought a Cisco ASA 5510 (P/N: ASA5510-BUN-K9) and I would like to know if I have to buy some license. What I mean is, for the basics, is it still necessary to acquire some license?
Jan 9, 2013
We have a customer with 2 x ASA5510-SEC-BUN-K9 running in an active/active HA mode. On the primary ASA he has 25 SSL premium licenses, but on the secondary ASA he has only 10 SSL licenses. Is there a need for both ASAs to have the same kind of licenses?
May 6, 2012
I have registered the license purchased for the ASA 5585X appliances and have received the following listed as features.
> Failover : Enabled
> Encryption-DES : Enabled
> Encryption-3DES-AES : Enabled
> Security Contexts : 20
> GTP/GPRS : Disabled
> AnyConnect Premium Peers : Default
> Other VPN Peers : Default
> Advanced Endpoint Assessment : Disabled
> AnyConnect for Mobile : Disabled
> AnyConnect for Cisco VPN Phone : Disabled
> Shared License : Disabled
> UC Phone Proxy Sessions : Default
> Total UC Proxy Sessions : Default
> AnyConnect Essentials : Disabled
> Botnet Traffic Filter : Disabled
> Intercompany Media Engine : Disabled
> 10GE I/O Plus : Disabled
Aug 19, 2012
We are going to upgrade our 5580 ASA cluster from 7.2 to 8.2 and want to do it this way (which worked for all 7.x upgrades):
download asa8.2 image to primary + secondary firewall
reboot primary (message comes up "mate version ...")
reboot secondary
Does it work? Any experience? Does it work if both firewalls can see each other during the boot process?
Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary?
Jan 3, 2013
I am in need of some information regarding licenses on the ASA 5505. I have a client who is connecting their main office to a DR site via a site-to-site VPN. I understand that the standard license for the ASA 5505 is for 10 clients. Does the site-to-site connection consume one of these licenses? Does each endpoint communicating over the site-to-site VPN consume one license also? For example, if I have the site-to-site VPN and 10 servers on each side, would that mean that I need 21 licenses; 1 for the VPN and 20 for each server on each side?
Feb 28, 2011
I have a customer who has purchased a Cisco 5510 and, after we received it and all the necessary VPN, 3DES etc. licensing for it, then informed us that they ordered 2 T1 lines so they can have Internet failover.
My question is: Does this require an additional specialized license from Cisco in order to enable and configure it? And if so, what is that part number?
Oct 2, 2012
So I look up ASA5505 licensing and for VLAN support see: 3 (no trunking support)/20 (with trunking support)*
I need 3 VLANs: inside, outside, and DMZ. But when it is creating the third (DMZ) it says I am only allowed to have 2 VLANs and can only create the third if it's set to not forward traffic?
Aug 27, 2011
I am pretty new to Cisco and the learning community forums are truly one of a kind. Actually, I work at a company which deals in Cisco products: routers/firewalls/switches and stuff. I am sure you get the picture. What confuses me is the product licensing of the ASA5500. To be more specific, we are proposing certain things, and that came with the product pricing sets and all. But I am not having a clear picture of the ASA 5500 Strong Encryption License (3DES/AES). Does that come inbuilt (free) or should there be any pricing behind that!?
Feb 24, 2011
Just looking for some good reasons why I should upgrade a Cisco PIX 515e cluster to an ASA Cluster to present to the business.
Feb 26, 2013
We have the following setup on our Cisco ASA version 8.6.1: a one-to-one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node from the cluster, but when the cluster fails over it caches the IP address and does not update to the new MAC. So users from the outside are unable to connect to the new node from outside the ASA, as the MAC address from the passive node is in the MAC table. The MAC address on all the switches updates within 2 seconds on the internal network and users don't notice any outage.
Feb 11, 2013
I have 2 Cisco ASA 5540s configured in active/standby mode. I need to change the hostname and domain name as per our standards. Does changing the hostname have any impact on the traffic flow?
Jun 6, 2012
I have an active-active setup with 2 Cisco ASA 5585X running 8.4. The boxes each have 2 sec contexts built in, which gives 4 sec contexts in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5) which I haven't applied yet. Will this give me a total of 10 or 14 security contexts? I am a bit in doubt, because if I only get 10 sec contexts in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this? Thereby I would get 12 then.
Jan 6, 2013
I have a misunderstanding about management interface configuration in a cluster. I have an ASA 5515X cluster with a management interface. I would like to be able to connect to any member of my cluster on the management interface, so I would like to fix a different IP on the management interface of each of my nodes, IP 92 and 91. I think it is the only way to make an ASA firmware update access the local flash on each node.
My config:
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
[Code].....
Apr 27, 2011
I am looking to deploy a cloud/borderless network solution and cannot get my head around how the licenses (AnyConnect Mobile and essentials) will be applied in a multiple context deployment. Any correct documentation.
Mar 20, 2011
A customer is currently running a 5520 ASA pair in active/standby HA mode. The devices also have an IPS module, one of them using a temporary (60-day) license. So, right now, licensing is identical on both ASAs and HA is operational.
The question is what exactly will happen after 60 days, once the temporary license expires? Does HA shutdown completely once it's determined that the licensing isn't a 100% match any longer, or does it just cripple one feature (such as the IPS module)?
The customer is balking at purchasing SMARTnet for the 2nd ASA, so I need to explain exactly what is going to happen (if anything) once the license on the 2nd ASA drops off...
Jul 21, 2011
Last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
"Multiple sessions per tunnel are not supported"
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config, or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5), then the answer is because we were testing that for several months in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.
And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.
Sep 19, 2011
I was wondering if it is necessary to license the IPsec VPN clients in the ASA5500 firewalls. I know that you have to license the SSL VPN peers (AnyConnect). I am almost sure that for the IPsec you don't have to.
Jan 16, 2013
I just learned that the licensing structure for the ASAs is changing, but I don't have any details. We have roughly 30 ASAs (from 5505s to 5585s). If there's a licensing change, I need to do an impact assessment and plan accordingly.
Jun 4, 2012
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Will either of these scenarios work (or fail)? I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA
[code]....
Apr 15, 2013
We have a faulty FWSM module in a Cisco 6509 switch in Active/Standby cluster mode.
We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration.
What procedures should I follow to make this unit live and sync the config from the current active unit to this one?
Aug 17, 2011
I am using LMS version 3.2 and I am not able to generate the EOS/EOL report, with the error no connection to Cisco. I saw an update in the LMS portal like this:
Now Available! LMS 3.2:Patch for un-interrupted service of Cisco.com download for Device/Software/PSIRT/EOX updates (To be applied on or before 15-June-2011)
So I upgraded with the patch cwcs33x-win-CSCto46927-0.zip and restarted the daemon as read in the readme file for the patch. Now the job execution status always shows running; it neither fails nor passes.
Mar 5, 2013
So we're looking at building a server farm using HP DL385 Gen8 servers. We want to use SSDs, but the ones from HP are at least double the cost of other SSDs. Anyone put a generic Intel, OCZ, etc... SSD in an HP gen8 server?
Jul 9, 2011
I had a DI-524 for years and I had no problem. My girlfriend wanted more range/speed for her netbook, and bought a DIR-655.
Had no problem with the netbook (Acer One) and the Wii. But the iPhone 1st gen (cracked, but working well up to now) won't see any WiFi.
What to say. I have to read the F* manual, I know. But geez. "The high end," said the guy at the store.
I should have searched the web a bit more before buying, because this subject (iPhone connect problem) is a popular topic. [URL] won't change a thing. The iPhone doesn't see the WiFi network.
Hardware Version: B1 Firmware Version: 2.00NA
Jul 1, 2012
I have two routers, a 1921 and a 2901, and both of them are connecting to one Reliable Internet Line from one ISP. The 1921 is the master router and the 2901 the slave. This is my question: how can I make a backup DHCP server on the 2901 with the same IP address generation?
Example:
1921-------> IP generator 10.1.1.0 /24
2901-------> IP generator 10.1.1.0 /24
Both generate the same IP addresses; when the master is lost, the slave could cover the LAN.
Dec 11, 2012
Anyone having problems connecting N150 router to a 1st Generation Nest Thermostat? Nest support says it's a problem with them not conforming "to the TCP/IP specifications around Network Address Translation (NAT) timeouts and are disconnecting Nest too soon". Any way to work around this problem until/if a firmware update fixes it?
Apr 22, 2013
I will be implementing a new firewall (Cisco ASA 5515X) on my existing 3750x (server switches) and my 2960s (user switches). What do I need to apply on my firewall and switches to make the implementation successful? I will put my 3750x as my DMZ and my 2960s as my inside. The 3750x have multiple subnets, and also the 2960s. Which features and technologies do I need to know on those 3 products? My 3750x and 2960s don't have any ACL defined, and the most common features are VLAN, switchport, trunking, spanning-tree, stacking, VTP. How does my ASA know that my 3750x/2960s have multiple VLANs? My current connection right now on the 3750x and 2960s is just through 6 ports I assigned as one trunk; below is my config [code]
My 2960s VLANs are almost the same as my 3750x except VLAN 160, 170, 192. But of course when I put this in the ASA, I have to segregate VLANs for the 3750x (192, 100, 110, 160, 170) and 2960s (130, 150). For my 2960s connection to the ASA, and since this will have big bandwidth, I will use 3 ports on my ASA (and trunk them) connecting to my 2960s, and I will use 2 ports on my ASA (and trunk them) connecting to my 3750x. The one internet port and my one management port on my ASA will stay like that.
Jun 11, 2012
I am able to ping from the switch to the firewall inside IP and the user desktop IP, but unable to ping from the user desktop to the FW inside IP. Config is below for both the switch and the FW (Cisco ASA5510).
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
Aug 2, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
Jun 21, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). Incoming mails are going through Spam and Virus Blocker, so bypassing SMTP inspection is not a security issue in this case.