Cisco Firewall :: ASA 5510 - HA No More Working After Upgrade To 8.4.1(11)
Jun 2, 2011
we recently upgraded our ASA 5510 active/standby cluster from ASA Version 8.3.2 to 8.4.1(11). Unfortunately the standby ASA is now crashing a few seconds after the configuration was synchronized from the active ASA.
Also completely disabling HA, bringing the default config to standby ASA again and activating HA afterwards did not work. Also tried through the Wizard provided by ASDM to be sure to have no errors with requirements.
How to solve this without doing a downgrade back to 8.3.2. ?
View 4 Replies
ADVERTISEMENT
Jun 24, 2012
After I have upgraded our ASA 5510 to 8.4.2 I have problem with the management interface.Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work.The interface and the protocol is up, when I type: show interface.But when I ping the interface from a computer connectet to the interface, nothing happens.
Even the logging shows nothing.
View 7 Replies
View Related
Nov 1, 2011
We have a 5510 ASA that was running 8.0 and were using it for clientless VPN access. Through this, we published bookmarks that linked to an internal Microsoft 2008R2 RemoteApps server, which users logged on to and then launched RemoteApps (basically being RDP sessions to apps on the server).All worked fine until we upgraded to 8.4 over the weekend and we now can't launch the RemoteApps. We can still login through the ASA, still click a bookmark to take us to the RemoteApps server's webpage, still then authenticate against the domain fine and still see the published apps. The problem now is when we launch the apps we get "this computer can't connect to the remote computer" messages and the app fails to launch. Nothing has changed on the RemoteApp server side, only the upgrade to 8.4.
View 2 Replies
View Related
Apr 30, 2012
Is it possible to upgrade directly from 8.0(4) to 8.2(5) software in 5510. Is there be any workaround in regards to the config.
View 3 Replies
View Related
Mar 11, 2012
1-Can I do this upgrade directly? i have single ASA 5510 running 8.0.4, i want to upgrade it to 8.2.1, is it as simple as copying IOS and setting boot sequence?
2-I am copying IOS 8.2.1 from my another 5520 ASA, and installing it on 5510 ASA, will it cause any issues? just checking if there is any secret keys involved that can cause issue? (As far hardware req is concerned i have checked my both ASA matches Memory/Flash requirements)
View 1 Replies
View Related
Apr 27, 2013
Can I upgrade ASA from "disk0:/asa708-k8.bin" & asdm-508.bin directly to asa825-33-k8 and asdm-712 ?
What is the proceedure if i go from 7 to 8 ? For me what will be the suggested upgrade from asa708-k8.bin & asdm-508.bin ??
View 1 Replies
View Related
Apr 4, 2012
I am using Cisco ASA5510 Firewall in my network. The IOS is Software Version 8.0(5)24. The Flash is 512 MB and DRAM 1GB on the ASA. I want to upgrade the IOS on my Firewall and use the Latest one.
Also, what are the IOS details for upgradation. The Firewall is serving both the VPN and FW Rules.
View 7 Replies
View Related
Oct 12, 2011
I have a two ASA HA and I'd like to upgrade the license to ASA5500-SSL-250. I need to know if i have to purchase one license (ASA5500-SSL-250) for the Active unit and one license (ASA5500-SSL-250) for the standby unit.
View 3 Replies
View Related
Jan 24, 2013
I am trying to find out the best path to upgrade to two ASA 5510 running 9.0 (1). I know there are changes in the new version. Let me know what information you need and i will post.
View 2 Replies
View Related
Mar 31, 2013
How to upgrade cisco asa 5510 from 8.0(4) to latest ios. Update latest one and step to upgrade. also need to update IPS firmware also because this device together with IPS.
View 9 Replies
View Related
Apr 2, 2013
One of my clients has an ASA 5510 running version 7.0(8) and ASDM 5.0(8). My question, to what versions of each software can I update the appliance to? Additionally, must I upgrade incrementally? i.e from 7.0 to 7.1 then to 7.2? I did find this article ,URL,That states you must go from 5.0 to 5.1 to 5.2, but 5.1 and 5.2 do not appear to be on the download page. The earliest release I could find was 6.2. Can I update the ASA version all the way up to v8 and then update ASDM? Also, noob question, updating the software doesn't erase any of the configurations does it? This is a live firewall and downtime for reconfiguration isn't much of an option.
View 7 Replies
View Related
May 16, 2012
Im upgrading a asa 5510 from 8.3 to 8.4.
I know from 8.2 to 8.3 was not a mirror update because of nat and access-list but is from 8.3 to 8.4 a mirror update or is there anything which I should be aware of?
View 5 Replies
View Related
Dec 25, 2012
I need to upgrade to firewall which supports Active/Standby configuration.I am currently using a ASA-5510,SSM-20 8.2(5).Will the configuration file from the ASA-5510 work on the 5515X?
View 1 Replies
View Related
Jul 6, 2011
We want to run ASA 8.4.x on an old ASA5540. We need to upgrade its memory to 2 GB with the following memory upgrade: ASA5540-MEM-2GB=
I suspect that we will completely remove the existing 1 GB of memory and replace it with 2 GB. If this is the case, can I use this 1 GB of memory removed from the ASA5540 and put it in a ASA5510 instead of buying a ASA5510-MEM-1GB= for the ASA5510?
View 2 Replies
View Related
Feb 3, 2013
I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1gb ram, but can i just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device so I am planning on downtime.
View 8 Replies
View Related
Sep 6, 2011
When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
Here's a show failover on the primary:
Failover OnFailover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1Monitored Interfaces 6 of 160
[Code].....
View 3 Replies
View Related
Apr 26, 2011
Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
Here's the lowdown:
Our public IP for our IronPorts ends in .167. That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
After the code upgrade, the nat won't work. No email sent or received. Nothing but Deny's on the ASA with flags reading either "SYN" or "RST". IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN on interface outside
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.
View 6 Replies
View Related
Mar 2, 2011
I have an ASA5510 which was running version 8.31. SSH was working fine on version 8.31 but since i upgraded it to version 8.41 the SSH stopped working.
View 7 Replies
View Related
Jan 15, 2012
An ASA5510 (with 1 webserver behind it, just starting to build the cluster) was functioning OK with version 8.2: I was able to log in using RDP to the server bhind it from some trusted IP's.
I updated ASDM to the latest version 6.4.7, and then the ASA-software to 8.3.2. After reloading, I could not access the server anymore. I saw that changes were made to the config. Then I updated to version 8.4.3, same results of course, and this is the config. [code]
View 11 Replies
View Related
Oct 1, 2012
Is it required for the 3des license upgrade for the asa5510 to reboot for the further configuration of site2site tunnels.
View 1 Replies
View Related
Apr 12, 2011
I need to upgrade the active/standby failover pair of 5510 ASA's to have1 Gig DRAM each, and I am trying to plan out the upgrade process. I'm looking for a zero downtime upgrade process.
I know that the failover pair has to have the same amount of memory, so how do I perform a zero-downtime upgrade process?Can I power off the standby unit and upgrade it's memory first? Or will it cause a memory mismatch between the active and standby units when it is powered on?
View 2 Replies
View Related
Jul 1, 2011
I configured ASA 5510 with IOS 8.4.2 version. I configured SSH to outside and backup interface with any any permission.
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup
configured password with command
passwd < Password>
While connecting from outside through Putty i am not able to authenticate the password.
Aftter entering user name as pix its asking password. After entering its not authenticating.
I taken output by telnetting to inside after connecting to the firewall from outside and entering username as pix
PM-ASA-5510# sh ssh sessions
SID Client IP Version Mode Encryption Hmac State Username1 122.169.252.112 2.0 IN aes256-cbc sha1 KeysExchanged pix OUT aes256-cbc sha1 KeysExchanged pixSPM-ASA-5510#
View 5 Replies
View Related
Aug 22, 2012
Our NOC is trying to configure a site to site tunnel to one of our customers. The tunnel is up and operational, however we can't get our NAT rules to match what we want.
We are running ASA version 8.4(3)
The traffic is sourced from 172.16.1.50 (inside1) and destined to192.168.2.9 (outside), the nat configuration is posted below:
NOC-ASA5510-01# show run nat
nat (inside1,inside2) source static ng-noc-networks ng-noc-networks destination static ng-inside2-networks ng-inside2-networks
nat (inside1,outside) source static test test-EXT destination static otherside otherside
object network obj_any
nat (inside1,outside) dynamic interface dns
object network servers-noc
nat (inside1,outside) static 192.168.1.68
Here is the output from the show nat detailed:
NOC-ASA5510-01# show nat detail
Manual NAT Policies (Section 1)
I left off entry 1 but it doesnt have any translated hits either
2 (inside1) to (outside) source static test test-EXT destination static otherside otherside
translate_hits = 0, untranslate_hits = 624
Source - Origin: 172.16.1.50/32, Translated: 192.168.1.67/32
Destination - Origin:192.168.2.9/32, Translated:192.168.2.9/32
Auto NAT Policies (Section 2)
1 (inside1) to (outside) source static servers-noc 192.168.1.68
translate_hits = 0, untranslate_hits = 187
Source - Origin: 172.16.1.101/32, Translated: 192.168.1.68/32
2 (inside1) to (outside) source dynamic obj_any interface dns
translate_hits = 58417, untranslate_hits = 1511
Source - Origin: 0.0.0.0/0, Translated: 192.168.1.66/29
Here are the network objects:
object network test
host 172.16.1.50
object network test-EXT
host 192.168.1.67
[Code]...
View 2 Replies
View Related
Mar 8, 2012
I've got an ASA 5510 running 8.4.I have a host on an inside interface, with a static NAT configured on the ASA. The inbound/return half of the NAT doesn't appear to be working. [code] I run a ping from the host (192.168.100.98) to something on the outside (1.2.3.4)Running captures, I can see the outbound ping leaving, having been NATed OK. I can see the reply coming back in to the outside interface with the correct IP address, but I never get the final NATed packet appear on the inside interface. The packet just disappears inside the ASA.
View 2 Replies
View Related
Nov 14, 2011
I implemented a ASA5510 with latest software version. I configured outside interface, default route, PAT to the outside interface. I am able to ping and telnet to the inside interface of the ASA.But internet is not working.Did i miss any configuration?i enabled icmp to outside,. i did a ping to the next hop from ASA. but it is not working.
View 6 Replies
View Related
Feb 5, 2013
I find are steps to turn on SSH access. I have quite a few customers with ASA5510's installed. SSH is set up and working fine on every one. After a period of time, you are no longer able to SSH into the firewall. Using Putty, it just sits there on a blank screen without giving a "denied access" message or a login prompt. Rebooting the firewall will solve the issue and SSH access works again. Today, I had a customer with and active/standby configuration where I had to reboot both of them to be able to log in. Most of my customers are on 8.2.software as most don't want to reconfigure for the new NAT, etc.
I'm sure others have seen this before since it appears to be occuring on almost every ASA that I have access to. Is there any fix to eliminate this or is there something that can be run from the ASDM that will grant SSH access again without just doing a reboot?
View 4 Replies
View Related
Sep 24, 2012
We have 2 ASA5510 and 2 ASA5525. Got a very weird error; up to release 8.4 eigrp works fine, after upgrading to 8.6 eigrp stops working.Can't see any neighbors; but same command from another asa on same network but with release 8.4: [code] I want to put the 5525 on production but would like to do it with latest release; could this be a bug on 8.6?
View 12 Replies
View Related
May 9, 2013
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto map's don't match, i have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto map's don't match and he can't bring it up?
View 5 Replies
View Related
Dec 5, 2012
I have an ASA 5510 and I am building a site-to-site vpn tunnel, peer on the other end is a sonicwall. I can initiate the tunnel from my end, but when he tries from his end it fails on phase 2 with this error in the logs:
"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy"
Obviously our crypto map's don't match, i have it restricted to specific ports on my end and he had it wide open on his end, but said he is not sure how to restrict it down to specific ports. My question is why would I be able to bring the tunnel up on my end if the crypto map's don't match and he can't bring it up?
View 1 Replies
View Related
Jun 11, 2013
I have an ASA with an outside ACL that is configured to allow 208.84.248.95 SIP/5060 to 1x.x.x.46. I show no hits. I added an ACL to do a packet capture, it sees the packet coming into the ASA but not going to the Serv Prov interface. I see hits on the vuong ACL but not the production acl_out ACL.. What is up?
NOTE:ACL_out is the ACL we use to allow outside traffic to enter our network.
FW1(config)# sh access-list | i 1.x.x.46
access-list acl_out line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0xc09a9387 (*NO HITS)
access-list acl_out line 658 extended permit udp host 208.84.248.95 host 1x.x.x.46 eq sip (hitcnt=0) 0x0f327179 (NO HITS)
[code]...
It was tested and verified from the inside network to make sure the server is listening on that port. Below we created an ACL to allow all IP from another test PC to the Server IP 1x.x.x.46. We did a telnet to port 5060 and it showed hits but not on the acl_out ACL.
ccess-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=0) 0x2759fa92
FW1(config)# q
FW1# capture capture1 access-list vuong interface outside
[code]...
Below we applied the same ACL to the ServProv interface to see if traffic was going where it was supposed to . By trying to telnet to the 1x.x.x46 IP from 63.x.x.140 IP. Looking below, no traffic appeared on the capture2.
FW1# capture capture2 access-list vuong interface ServProv
FW1# sh capture capture2
0 packet captured
0 packet shown
[code]...
Capture 1 above shows the last 3 incoming messages initiated from 63.x.x.140 to the 1x.x.x.46! Vuong ACL belows shows 3 more hits.....nothing on the acl_out ACL???
FW1# sh access-list vuong
access-list vuong; 1 elements; name hash: 0x29df3e90
access-list vuong line 1 extended permit ip host 63.x.x.140 host 1x.x.x.46 (hitcnt=6) 0x2759fa92
[code]...
View 1 Replies
View Related
Sep 19, 2011
I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
4 Sep 20 2011 16:20:33 fw_outside_ip 62678 outside_host 2001 Deny tcp src outside:outside_host_ip/62678 dst inside_host:inside_host_ip/2001 by access-group "outside_access_in" [0x0, 0x0]
When I try to use the packet tracer to simulate the outside traffic, I get the following
5 Sep 20 2011 16:17:41 inside_host 2001 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:outside_host/1065 dst inside_int:inside_host/2001 denied due to NAT reverse path failure
I've got over my NAT statement and access rule and can't find anything wrong with either.
Here are the pertinent NAT and access rule...
static (inside_int,outside) tcp interface 2001 inside_host 2001 netmask 255.255.255.255
access-list outside_access_in extended permit tcp host outside_host host inside_host eq 2001
View 5 Replies
View Related
Feb 5, 2012
i have here a ASA 5510 sec k9.
I build a Config with a DMZ,INSIDE and OUTSIDE Interface. My Plan is to use the IP-Address of the OUTSIDE Interface with PORT to setup a HTTP Server In the DMZ
But my Config doesn't work. And I have no Plan why .....
The Inside Interface have to work normal. The Traffic to the Internet is TRiggert from Inside with Dynamic PAT
ciscoasa(config)# exit
ciscoasa# show run
: Saved
:
ASA Version 8.4(1)
[Code].....
View 2 Replies
View Related
Jun 23, 2011
I have ASA 5510 connected as shown in attached diagram.Ideally when ASA 1 is active and if I boot Switch-1, ASA-2 shood take over. But that is not happening.When I boot SW1 , ASA-2 shows "Failover LAN Interface: failover Ethernet0/0 (Failed - No Switchover)" and remains standby.Fail over works properly If ASA-1 boots.
View 7 Replies
View Related
