Cisco Firewall :: ASA5510 Secondary Firewall Crashes After Upgrade To 8.4.1
Jun 29, 2011
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
I have a cisco asa 5510 with security plus license in Live enviroment . I need to add a secondary firewall . I was planning to do in active /standby mode for failover .But i have a doubt , when i do "show version " on live asa output says Active /active failover , does this means that i can only configure failover in active/active mode not in active/standby (which i want to do )?
Just want to know if there is a way to configure secondary IP address on the outside/public interface of ASA/PIX.One of our clients have used most of their IP on the subnet given by their ISP. They use those IP's for staticallymapping to Servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also use this for static mapping/port forwarding to other servers in their network. The current UTM they are using is allowing this but they would like to use ASA/PIX as their main Firewall. Is this even possible or is there a workaround for this kind of scenario?
we have ASA 5510 which we need to upgrade from 8.0(3) to 8.2.5. can we directly switch to 8.2.5 from 8.0(3) , if not what all versions we need to go from.
What all point needs to check before that following is show flash output.
I am having ASA5510 firewall which has 1GB RAM currently. I want to upgrade to 2GB. When I opened the box, I can see only 1 slot to insert the RAM. I searched in Cisco website and I got to know that I need to use 2 x 1 GB RAM. So, I need to have 2 slots to do that. But, I am having only 1 slot in the box.
We are about to upgrade our ASA's from 7.04 to 8.2. Obviously I will be opening a TAC case to assist with the upgrade and I will also be upgrading ASDM software at the same time. These production firewalls are paired with an active --> failover scenario and not active --> active. I had previously engaged cisco regarding the upgrade and they have recommended an upgrade path to ensure success. Also, I have a pair of test ASA's that I've gone through the upgrade process with - documenting the changes in commands and any changes in my config (I didn't notice any).So, the reason for my post is this: What are the gotcha's that you may have run into when upgrading your ASA's?These are fairly high visibility ASA's and any downtime due to the upgrade needs to be mitaged as much as possible.
Upgrade from firmware 8.21 5o 8.31? I am installing 1GB of memory in my ASA 5510 and in the process I have upgrade the firmware.
- Will the upgrade change my configuration or will I have to change this manually myself at some point - What is the meaning of "Real IP" I am not sure what the means (reading up on it now) - What else should I be concerned about during the upgrade?
I have an ASA5510 which was running version 8.31. SSH was working fine on version 8.31 but since i upgraded it to version 8.41 the SSH stopped working.
An ASA5510 (with 1 webserver behind it, just starting to build the cluster) was functioning OK with version 8.2: I was able to log in using RDP to the server bhind it from some trusted IP's.
I updated ASDM to the latest version 6.4.7, and then the ASA-software to 8.3.2. After reloading, I could not access the server anymore. I saw that changes were made to the config. Then I updated to version 8.4.3, same results of course, and this is the config. [code]
We currently have a central hub using an ASA5510 and then a few site-to-site VPN connections to our support staff homes. The devices at the homes are Cisco routers. We were running version 8.25 on the ASA and all was working fine. We recently upgraded to version 8.42 and although all the functionality of the network is ok and it does what it should, our support staff cannot ping, ASDM or telnet to the ASA inside interface anymore whereas they could before the upgrade. The home VPNs all run on a 10.30 subnet (i.e. 10.30.1.x, 10.30.2.x etc etc). I can post our config (security edited of course), but it is quite a big config. The command management-access inside is specified and the 10.30.0.0/16 subnet is permitted to ASDM and Telnet. Are there any extra things that have to be done in version 8.42 to get this to work as the support staff do have to access the firewall for configuration purposes. At the moment, they have to telnet to one of the routers on the local LAN and then Telnet to the firewall from there.Prior to the upgrade, they were all able to ping the inside ASA interface and also telnet and HTTPS to it from their PCs at home. Now they cannot and the only change made was an upgrade to 8.42. Immediately after the upgrade none of them can ping the interface anymore and it seems it can only be accessed from the local LAN. I cannot find any access-lists that might be blocking the packets so can only assume it's something in the way 8.42 works.
I am a bit unclear as to the upgrade path I should take - I have 2 ASA 5510s in active/standby running 8.0(4)34 and would like to upgrade to 8.2.5. Do I need to first upgrade to 8.0.(5) before upgrading to 8.2.5, or can I just jump straight to 8.2.5?
I am using Cisco ASA5510 Firewall in my network. Upgraded the Memory and Flash to 1GB and 512MB.But the 5 interfaces ports are 10mbps.Can it possible to upgrade the module of Interfaceses from 10mb to 1gb?
Currently my ASA5510 has a 64MB internal flash. Does the ASA require a higher capacity flash for an IOS upgrade from 7.2(x) to 8.2(x)? The Cisco Release Notes does not state any internal flash requirement, but just wanted to double check.
I tried last night to upgrade the memory in my old 5510. It's about 5 years old and has the single memory socket. I followed the instruction included in the kit:
Mfr. Part#: ASA5510-MEM-1GB
I did wear an ESD wrist strap (genuine Cisco at that!) and ensured the memory was fully seated, the handles locked in.Upon restarting the ASA, for over 15 minutes, it stayed in mode: Power LED steady, Status LED flashing, other LEDs off. No response to attempts to SSL via Putty. I powered it off, verified the memory was indeed fully seated, and re-installed the original 256 MB module. It powered up normally in less than 5 minutes. Is there anything else to try before returning the memory? Tonight, I can try the same new memoy module and see if it works.
[code] I would like to the ASA5510 Base license upgrade to Security Plus license. But after the upgrade is still the license of the Base.I think I was wrong option selected in the process of upgrading, how should I do to be successful upgrade
I am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?
we had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud , 0/1 for internal LAN users comming form Core Switch & 1/0 for Server farm LAN , 1/1 for Internet (outside)
the first 3 interface are considered inside with sec set at 100 while the 1/1 is outside with sec at 0.
Last night it suddenly started dropping all connections without any warning or any noticible log form the ASDM logging.
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped vector 0x0000000e edi 0x24d184b0 esi 0x0000000d ebp 0x1c6ceaf8 esp 0x1c6ceae0 ebx 0x09e965e0 edx
i am using Cisco ASA5510 Firewall in my Network in the distrubition Layer .Private Range of Network Address use in the Network and PAT at the FW for address translation.presently encountering an issue the users behind the FW in my network unable to RDP at port 2000 presented at the Client Network.Able to Telnet on port2000 but not RDP . any changes needed at the FW end to get the RDP Access.
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
I have a problem with my ASA5505 after enabling botnet filter my ASA reboots.Also while booting it usualy takes around 30minutes of random cycles before loading the OS. It seems to be falling at the license check.To fix the boot I usualy unplug the ASA for about 15minutes and then it will boot up fine.
I've tried to upgrade a redundant setup from 8.2(4)4 to 8.2(5)22 ending with a stanby ASA continuously crashing after config sync phase. On the first crash it even corrupted the flash, leaving me no choice than initializing the box from scratch.
We are in the process of implementing secondary ISP to our ASA firewall and We would like to run both ISPs in parallel so we can test until we finally cutover?
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.
I seem to be experiencing a problem with content filtering on our 1941, if I add anymore patterns to the policy below the router crashes and requires a reboot, not sure why?
parameter-map type urlfpolicy trend cptrendparacatdeny0 max-request 5000 max-resp-pak 1000
I have two ASA 5520s in Active/Standby. I try and test this quartely to ensure it is working correctly. Everything works fine, except I have an issue with one interface. When doing a show failover, it shows the interface as failed on the secondary unit, and I am not sure why. It shows it as normal on the primary.
This host: Primary - Active Active time: 9277305 (sec) slot 0: ASA5520 hw/sw rev (2.0/8.2(4)) status (Up Sys) Interface WaterworksCanopy (192.x.x.x): Normal
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
We have 2 ASA 5505s in a data center at a remote site.
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".