I have an ASA 5520 with 2GByte RAM running Software Version 8.2(4)4.
As soon as I enable outside interface Gi0/0 I get the following error message on the console every now and then:
(set_exptime) Timer not a leaf 0x714644dc. Traceback: 0x805e4b3 0x8061b92 0x855ce33 0x85606e7 0x85634ee 0x8563f53 0x8564664 0x8564a12 0x85623a5 0x8063b63
mgd_timer_set_exptime: Not a leaf called from 0x855ce33
I have configured a second 5520 as failover mate and once I have activated the failover device and the configuration replication was finished this second device started the same tracebacks immediately.
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.
we have a production network that uses five SG300 switches that functions brilliantly most of the time. four of our switches run in layer 2 mode and the last switch runs in layer 3 as it is used to route our 7 vlans as well as routing traffic between our two gateways. the switches use the original firmware that shipped with the devices (v1 device) and will be upgraded within the next week. the problem that we have is that the network seems to stop routing for all of the hosts after a given time. the only way to fix this issue usually is to reboot the main layer 3 switch. the main layer 3 uses a default route to one of the gateways and a return route has been applied in the gateway. the only thing i can think is that somewhere one of the devices routing tables become full and the network stops responding.
The issue that I am having is that the network cable I have that going from my router to my desktop computer, seems to be flaky, at least it seems that way...When I try to use the network cable that goes into this desktop, into another computer(one that I know works), the connection status alternates between connecting, and no network cable detected, connecting...and no network cable connected, and so forth.it NEVER connects. When I plug the cable back into the desktop, it does the same thing for maybe a minute, but then eventually connects. However, every other computer, laptop, macbook, another desktop PC, that I have tried connecting using this same cable never connects.
My desktop PC has occasional hiccups in which I can't connect to any website (via any browser, I've tried Firefox, Chrome, Opera & IE) for short periods of time (usually ~1 minute) but all other Internet connectivity seems to be normal. (I can ping Google for instance, and I remain connected to Google Talk, but I can't load the Google website.)
I recently did a fresh install of XP Pro SP3 and am pretty confident that there is no malware running on the system. (I'm running Microsoft Security Essentials and Windows Firewall but I also did a Malware Bytes scan which uncovered nothing.) The desktop is connected wirelessly but I don't suspect an issue with the router because my laptop (via wireless) and my girlfriend's desktop (via wired) can surf the web just fine when my computer is experiencing issues.
I checked for proxies (both in the browser settings and in Windows settings) but everything appears to be setup correctly (that is, unproxied.) DNS is set to the proper DNS servers for my ISP (Cox) but I also tried switching to Google's DNS servers with no luck.
My Wi-fi on my rig seems to have some odd problems. When I'm gaming i often get a lag spike every 10-20 second or so, and before I got the "Vista anti-lag" program I was also getting the enormous 60 second lag spike. I'm sure many Vista users recognize this problem. But here is the deal, the first kind of lag spikes completely disappear while talking on Skype! Which makes me wonder, what is it with Skype (only while talking) that removes the lag? Gaming with Skype makes all games run fluently without any spikes at all.
Basically I started disconnecting when I logged onto Blacklight Retribution after a recent game patch, after a few days the problem stopped and I was able to play again (with no changes to my computer) a few days later another patch was added and the problem occurred again, at first I thought it was a Blacklight specific problem (as this was my only installed game) however i installed a few other games (Kabold Online, Perfect World, Forsaken World, TF2, MW2 and C9) and I got the same problem on each of these games. I haven't been able to log onto a single Online game for more than 5 minutes, normally I'm disconnected at login, HOWEVER, my internet works completely fine in for everything else, i can browse the web, download game clients etc with no problem whatsoever.(Forgot to add, When i disconnect my LAN Cable mysteriously Unpluggs itself (according to computer) and a disable/enable in network manager reconnects it)
- Checked to see if drivers were up to date (they were) - Rolled back NIC Driver (and put it back when this didn't work) - Checked device manager for any problems with my NIC, (working as normal apparently) - Tried setting my NIC to 100mbps Full Duplex - Setting my power options to not interfere with NIC - Had a DHCP error in my event logs so i set my gaming machine to a static IP - Turned of UnUP, Turned on DMZ - Turned off "Green Ethernet" - I had other Errors in the form of a service stopping my NIC - Phoned ISP, Everything is OK there end but they sent out a new router, but problem still occurs - Noticed that a service was sending a stop control to my NIC, looked on forums for fixes and applied several of them - Reformatted computer with old XP (switched from windows 7), updated, installed latest drivers etc and still same problem except now I don't get anything in event viewer when the problem occurs.
The only thing i haven't tried is replacing my NIC, but considering the internet works completely fine for everything but Online games I'm unsure how this could be the problem.
we recently updated all of our WLC's to 7.098 and it all went smoothly, controllers rebooted and AP's updated their firmware and rebooted OK.One WLC (4402) which was working fine since the update now has no AP's associated. The AP's were all configured to run in HREAP mode and are on remote sites within our WAN. I have checked that all policies and ports are still open (none have changed anyway) but the AP's can not join with the contoller.The log from an AP trying to join with the WLC.
[Code] .....
The logs on WLC show as below.
*emWeb: Jan 12 13:14:13.629: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:1289 Authentication succeeded for admin user 'adann'*spamReceiveTask: Jan 12 13:14:12.919: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:a4:10 supporting CAPWAP*spamReceiveTask: Jan 12 13:14:11.543: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:8f:a0 supporting CAPWAP*spamReceiveTask: [Code] ......
I keep getting log messages like the following on my router:[RV220W]Tue Aug 14 00:00:14 2012(GMT+0200) [RV220W][Kernel][KERNEL] BW_LIMIT_PKTS IN=LAN SRC=10.0.0.10 DST=173.194.35.134 PROTO=TCP SPT=1159 DPT=443,i.e. a large number of BW_LIMIT_PKTS messages regarding traffic from the LAN to the WAN destined to ports 53, 443 and 80 only. Is it related to QoS policies? What is the meaning of this message?
I'm having the following issue with a couple of 1231's.
Some overall config info first:
This is a small office with 2x Catalyst 2950 (24-port, no PoE) switches and 4 AP1231G (autonomous). The APs get PoE from a PWRINJ3 each. The injectors are powered by the AP power supplies. Injectors and power supplies are mounted in the patch closet.
The 2 switches are connected together over 4 ports (20-23 on each switch), these ports are set to 1Q Trunk mode.
The APs are connected to the switches, 2 to each switch, on port 1-2. These ports again are configured as 1Q Trunk.
All this has been working without problems for a number of years.
A few weeks back, AP2 did not restart after a power cut (everything else did). All LEDs are off, port on switch has no LEDs lit. I did not get around to investigating this furtehr until last week. I unmounted (failed) AP2, took it to the spot where (working) AP3 hangs, and plugged it to the cable of AP3. AP2 came to life immediately. I unplugged it and plugged AP3 back in, which restarted immediately.
So I suspect a power supply issue on AP2. I took the injector and power supply that fed AP2 out of the patch closet. When connecting AP2 directly to the power supply, it came to life immediately. So I figure the injector is defective.
On the same day, I notice AP4 is also dead (again all LEDs off, no idea how long, could have been that day or could have been a few days - it has definitely been working after the power cut that appeared to have killed AP2).
So I order 2 new PWRINJ3s and for good measure 2 new power supplies. Later that day, I took the injector and power supply that fed AP4 out of the patch closet. When I try this combination (AP4, injector4 and P/S4), and connect it to a different wall outlet (and therefore a different port -16 - on the switch) IT WORKS! Should have triggered questions, but did not immediately.
Last Thursday I got the new injectors and power supplies. So I take one of each, hook them upto AP2 at my desk, and AP2 starts up. So I mount new injector2 and new P/S2 in the patch closet, put AP2 back in its place, connect all the cables - NOTHING. AP2 does not start. The "power" LED on the injecvtor lights up green, the "device status" LED remains off. I take AP2, new injector2 and new P/S2 to my desk, hook them upto a wall outlet (connected to switch port 17). AP2 starts immediately.
Meanwhile AP3 has (also) stopped working (no LEDs on at all). As far as I can tell, it stopped working after I briefly disconnected (and reconnected) the patch cable between injector3 and the patch panel in the patch closet. The LEDs on switch port 1 are off.
I have since tried to power cycle both switches (took power off both, waited a while, poewerd both back on). No change.
PS: the APs ran firmware 12.3(8)-JA until recently. AP1, AP3 and AP4 were upgraded to 12.3(8)-JEE after the the power cut that took AP2 out. THis is when I found out AP2 was dead. AP2 was still on 12.3(8)-JA. It was upgraded to 12.3(8)-JEE last week when it was on direct power on my desk.
Our costumers has implemented 2 AIR-WLC4402-50-K9 with Software Release 7.0.98.0, the wireless infrastructure consist in 2 Root-Mesh-LAP and 8 Mesh connect over-the-air to deploy outdoor coverage.
All the LAP are Aironet 1520 Series Mesh Access Points with equipped with 3 antennas for 2.4GHz and 1 antenna for 5GHz (backhaul).For one year all seems to be ok, yesterday after a power outage of one Mesh-Root-LAP, 5 Mesh-Lap continues reload each 10-12 minutes, on the WLC Log you can see event like a reboot from AP Console, on the LAP console i can capture this event before the reload:
Log on LAP Mesh %DOT11-6-GEN_ERROR: Error on Dot11Radio0 - Not Beaconing for too long - Current 0 Last 0 %SYS-5-RELOAD: Reload requested by Dot11 driver. Reload Reason: Radio Not Beaconing for too long .... LWAPP-5-CHANGED: CAPWAP changed state to DOWN AP1780-Mesh uptime is 11 hours, 10 minutes System returned to ROM by power spike %DOT11-6-GEN_ERROR: Error on Dot11Radio0 - Not Beaconing for too long - Current 0 Last 0%SYS-5-RELOAD: Reload requested by Dot11 driver. Reload Reason:Radio Not Beaconing for too long ....*Sep 1 16:05:43.399: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
What does it mean? That the beacon signal trasmitted from Root-Mesh-LAP cannot reach the Mesh-Lap and so the Mesh-LAP force a reload?Where we should search the cause? In the power instability or in a interference on the 5GHz radio interface?
On one of mesh Lap I found a strange reason for a releoad:AP1780-Mesh uptime is 11 hours, 10 minutesSystem returned to ROM by power spike
Log on WLC Log System Time Trap 0 Thu Sep 1 17:31:11 2011 AP Disassociated. Base Radio MAC:00:22:be:41:33:00 1 Thu Sep 1 17:31:11 2011 AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:00:22:be:41:33:00 Cause=Heartbeat Timeout Status:NA 2 Thu Sep 1 17:31:11 2011 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:22:be:41:33:00 Cause=Heartbeat Timeout Status:NA [Code]....
we want to replace our 1242 AP's with the 1602 model and so far everything works like a charm. We have just noticed, that most of the clients which are connected on the 5GHz N radio, the web interface of the AP1602 shows his own host name instead of the clients host name.
For example: Radio0-802.11N2.4GHz SSID INTERN : [code].....
The Host name of the 1602 is "AP-LABOR", so why it shows the own host name for the Dell E6420 Notebooks on the 5GHz radio and on some "NONE"?
I've a WRV210 Wireless-G VPN Router with RangeBooster, that logs this alert almost every time, "Packet type : 0 -- free socket buffer only".Also each time that some devices, like Android, are connected to the Wifi, the wifi starts a reboot and drop cycle.
Some extra context information, I've connected to the router a Cisco Gigabit switch and all the wired devices are connected to the switch, that could overload the router? Other point I've a Cisco VOIP gateway connected to the router and a few VPN's and firewall rules setup.
Last week and just yesterday, our switch SG200 50/50 logged an error like this:
%CDP-E-MALFORMED_TLV: CDP message from 88:43:e1:ab:66:f8 cached with illegal Appliance VLAN-ID TLV
At the time of the error, the SA520 router's LAN Port 1 where the SG200 Port 49 connected went down. (Light is OFF) So internet is down and other V LAN are disconnected. The MAC address on the log is the SA520 router. This happens 2x now and it needs for me to reboot both switch and router. and goes back again online.
SG200 50/50 Port Firmware 1.1.1.8 SA 520 Firmware (Primary/Sec):2.1.51/2.1.18
I have searched the forums, and can see that I am not the only one with speed problems on this router. When I changed from a D-link dir-615 (yeah, no wonder I changed it ) my download speed dropped from 4-5 MB/s to 1,3 MB/s. I'm using a wired connection. Have tried disabling QoS in router settings, did a firmware upgrade, reset the router. You see, when I do speed tests on the internet I get 40-50 mbits download, 25-30 mbits upload. I have tried many different files to download, both torrents and through my browser.
my MSFC2 sent this strange log message. %DATACORRUPTION-SP-1-DATAINCONSISTENCY: copy error, The error message decoder tool says: "NOT FOUND". The level is "alert".
I am monitoring my WRVS4400N with SNMP and create graphs by MRTG. Problem is that data about traffic are strange, very low. I have 50 MB line but max traffic shown on graphs is about 8000 bits per second. Also the "shape" of graph does not correspond with real traffic.
I have a VPN tunnel between two 892s. When either ISAKMP or IPSec SA lifetime expires tunnel stops processing traffic. However nothing is logged in the syslog. But when I enable debug crypto isakmp error and debug crypto ipsec error following entries appear:
ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0 ISAKMP:(2041):R-U-THERE-ACK sequence number 0x63D809BB does not correspond to expected value 0x63D809BC %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=XX.XX.XX.XX, prot=50, spi=0x3560099E(895486366), srcaddr=YY.YY.YY.YY, input interface=GigabitEthernet0
ISAKMP:(2043): IPSec policy invalidated proposal with error 4
Is this a bug? IOS is Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
I try to launch a LAND Attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can user a spoofed address, with a cluster shell and attack the firewall interface with the source of 127.0.0.1 ore the ip address of the interface as the source and destination. Then I get a cpu load of 89% with only two host. With IP tables I can use kernel processes to prevent this. But I don´t find anything for ASA.
Two different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
I have a serious problem with my corporate firewall, witch is an ASA 5520, fv 8.3, with 8 +1 interfaces. It suddenly started to crash every 10/20 minutes and rebooting alone.
First of all I checked system resources witch are in a very low usage state. I also checked interfaces errors, but nothing strange come out o from error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
Nothing changed and firewall continue restarting by itself.
Last logs I received before crash were:
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = %ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack = 0x084A619E 0x084A6512 0x084A70E1 0x084A7987 0x084A7AAA 0x08558B9B 0x08558E8A 0x083D3518 0x083CA145 0x080659D1 0x089196D9 0x08919790 0x089FF711 0x08A27468
Here the sh crash info command on module 0, after last reboot: [Code] ......
we are having a firewall asa 5520 .we have connected the management port and inside port to internal network and dmz port to dmz network.now we need to configure tacacs and other management tool on dmz devices through management port. The problem is the management devices tacacs and other are placed in internal network.
I have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
I have problem in the configuration of Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network--> Firewall --> Routers with GLBP with virtual ip address. the clients can not ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall, I checked the packet tracer it gives :
Phase: 7 Type: NAT Subtype: Result: DROP Config: nat (inside10,outside) source dynamic LAN interface Additional Information:(code)
Two days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.
Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.
We have configured 20 route in ASA 5520. The CPU usage goes to 100 % at the moment when we add a specific route.route inside 10.254.101.0 255. 255. 255.0 10.254.102.254 1.This is the same case when we add this route at the first cli or as the 10th cli or the 21 cli (errespective of the position of cli) There is an another route out of which 20 routes we have configured is route inside 10.254.103.0 255.255.255.0 10.254.102.254 1.The normal case if we dont add the problamatic route , then the CPU utilization is only 2 %.
