Cisco Firewall :: ASA5585 - Debug Command Stops After Exiting

Oct 19, 2011

We are experiencing intermittent issues with the IPS on our ASA5585 vs 8.4(2). Probably something with the dataplane. So I want to keep debug cplane 255 activated and logged with log debug-trace setting to syslog server. But when the session times out the debug command is cleared, so the output stops. Since it is an intermittent issue I want to keep debug activated... Totally different behaviour than with routers, which keep it activated. How to keep debug activated on an ASA?


Cisco :: C892 / Overload Router With Debug Command

Jan 10, 2012

I use a C892 router with the IOS c890-universalk9-mz.152-1.T.bin. I just ran the command "debug ip packet 151 detail" and then the router stopped working because it was overloaded. The ACL151 I used is as follows:
 
Extended IP access list 151
10 permit ip host 10.1.1.1 host 91.1.1.1
In the syslog I then got hundreds of messages from IPSec:
Jan 11 09:43:35.677:  IP: s=10.80.10.254, d=10.64.19.99, pak 8A7453CC consumed in output feature , packet consumed, IPSec: to crypto engine(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

[code]....
 
To me it seems that this ACL is not applied and that I then have a debug for the whole traffic.


Cisco :: Terminal Monitor Command Not Showing Debug Output?

Feb 22, 2011

What would cause debug output to not show on a remote session via telnet connection where you've enabled terminal monitor?

The reason I ask is I was working with a client and we were debugging WCCP. I ran the debug ip wccp packets and events commands, then entered terminal monitor. After this, we saw nothing. We should have at least seen particular WCCP-related packets because we saw the necessary cluster view was established which can't be done without the exchange of these packets.

Can having syslog (logging) configured cause the issue? Did I use the command incorrectly?


Cisco Switching/Routing :: Debug Command Not Working On Nexus 5548?

Nov 15, 2012

My Nexus is a 5548-UP model, NX-OS version :  5.1(3)N2(1b)
 
I try to debug an OSPF and an ICMP problem using the debug ip ospf command and the debug icmp command but no output appears on the terminal. As the switch is remote, I entered the terminal monitor command of course.
 
SG01NX01# terminal monitor
SG01NX01# debug ip ospf 1 packets
SG01NX01# show debug

[Code].....


Cisco Switching/Routing :: Command To Debug Packets On 3750 Switch

Apr 18, 2012

What other command can be used to debug packets on a 3750 switch?


Cisco Firewall :: ASA5585-X Get One Logical Firewall With Doubled Performance

Dec 19, 2011

I am interested in how ASA 5585-X with SSP-60 operates in dual firewall mode. If I install two SSP-60 modules in the chassis, do I get one logical firewall with doubled performance of (SSP-60)?


Cisco Firewall :: ASA5585 - Sub-interfaces On PO

May 17, 2012

I have put 2 physical interfaces (te0/8 & 9) on the ASA-5585 into a PO and am assigning IPs/VLANs to the sub-interfaces. I have 2 issues: Why am I not able to ping the other sub-interface from the ASA itself? (I can ping the 1st one.) Secondly, why are the IPs not visible in "sh int ip brief"? Although I can see them in "sh ip"...
 
/actNoFailover(config-if)# int po17.100
/actNoFailover(config-subif)# vlan 100
/actNoFailover(config-subif)# ip add

[Code]....


Cisco Firewall :: ASA5585 For Firewall To Support A HDD

Jan 22, 2012

I am responding to a tender where the client is asking for the firewall to support an onboard disk drive for logging purposes, which is a minimum of 500 GB in size.
 
The other requirements all point towards the top of the range ASA 5585-X Chas w/SSP60,IPS SSP60,12GE, 8 SFP+,2 AC,3DES/AES.
 
I note the 5585 when configured on DCT comes with HDD blanking plates, is there an HDD supported on this?


Cisco Firewall :: Unable To Traceroute Through ASA5585-x 8.4.4(9)

Mar 12, 2013

I've read through netpro and found everyone points to this doc. 
 
[url]....
 
However that still doesn't allow traceroute through for us. We still see syslogs with denies on high level random UDP ports to different Internet destinations.
 
[code]....


Cisco Firewall :: Duplicate Rules On ASA5585

Oct 17, 2012

I got some issues with my Cisco ASA. The thing is that when I add a new rule on the device this rule duplicates and goes to the bottom. We already tried to delete the duplicate rule but it always shows an error.
 
-Model 5585
-ASA Version: 8.2(5)
-ASDM version: 6.4(5)


Cisco Firewall :: LU Allocate Connection Failed On ASA5585?

Jun 7, 2011

We saw this syslog on ASA5585 with version 8.4(1). I have two HA firewall pairs (contains 4 ASA5585, active/standby), and I saw this message on the standby ones.
 
Jun  7 07:36:26 10.99.96.32 last message repeated 4 times
Jun  7 07:36:26  10.99.96.32 :Jun 07 07:36:26 HKST: %ASA-ha-3-210005: LU allocate connection  failed

[Code]....


Cisco Firewall :: How To Configure 6 To 4 Manual Tunnel On ASA5585

Jul 6, 2012

I have ASA5585 Firewall between my WAN Cloud and LAN Network. I plan to configure Layer 3 Vlan Interfaces inside FW and it would be Layer 3 gateway for some of Subnets. Layer 3 VLAN Interfaces are planned to be dual stack containing both IPv4 and IPv6 Address stack.
 
I plan to configure 6 to 4 Tunnel with my Hub Site where we have native Ipv6 awareness. One tunnel end point would be ASA and the other endpoint would be Hub site WAN Router/L3 Switch. So IPv6 traffic hitting to vlan interfaces on ASA  would be policy checked and routed over tunnel interface to Hub Site.
 
6to4 Tunnel manual tunnel configuration on ASA. I have configured such tunnel on L3 Switch or Router with following config.
 
Int tunnel xyz
  ipv6 address  <ipv6 address>
  ipv6 enable
  tunnel source <loopback address of my L3 Switch>
  tunnel destination <loopback address of my hub site L3 Switch/Router>
  tunnel mode ipv6ip
end
 
I need to implement something similar in ASA. How can I do that?


Cisco Firewall :: ASA5585-X Multi Context Throughput

Apr 25, 2013

How do I measure the total throughput going via 5585-X? It has the firewall throughput of 5Gbps. Looking at the aggregate of all the interfaces, traffic going through it seems about 4gbps is going through.
 
I use the show traffic command and add up the transmit and receive traffic on each live interface. Is that the correct method and are there any more commands?


Cisco Firewall :: ASA5585 Active And Shared Interface Design

Aug 18, 2011

Use of a pair of ASA 5585's in active/active mode with a shared outside interface. Last time I did this was with FWSM, there was a restriction where all contexts that share an outside interface have to be in the same failover group. Does this apply also to the ASA? My thought is that it will, but I am unable to find that in any documentation.


Cisco Firewall :: Cut Over ASA5585 Global PAT Address Without Connection Drops?

Oct 24, 2012

We're currently PATing everything from a particular subnet to the IP of an outside interface using our ASA5585 (dynamic PAT). We're experiencing pool exhaustion and therefore need to expand the global IP range. Any way of cutting over to the new range without dropping existing connections? For clarity, the current interface address is x.x.x.37/22 and the new PAT pool is x.x.x.114-6/22.


Cisco Firewall :: ASA5585 State Link Supported Over MPLS?

Jun 29, 2011

Running ASA5585’s in active/standby across a local campus MPLS network. Supported design, leading practice etc. Specifically our design is that two ASA5585 are configured as active/standby through a local campus MPLS network over 10gig links through ASR9k etc. The ASA’s are providing inter-vrf routing capability only with p2p l2vpn circuits configured for each logical interface between the ASA over MPLS etc. The failover link is via a direct fibre and the state link will be through a p2p l2vpn (option for direct fibre also). Is this a supported design to begin with?


Cisco Firewall :: ASA5585 WCCP-GRE Redirection To Websense Times Out?

Dec 9, 2012

I have an ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE. The integration is working fine, except when a user PC sends a large packet (~1500 bytes). With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
 
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged. User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable. Users and Websense server are both on the Inside interface.
 
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.


Cisco Firewall :: Error Message When Failover From Standby To Active In ASA5585

Aug 14, 2011

I have two ASA in failover with Active/standby configuration. When I switch from standby to active from the standby ASA I get a lot (like 100) of error messages like these below: [code] The failover works fine and nothing seems to be wrong with the firewalls function.

-Hardware is ASA5585-SSP-10.
-Software version: ASA 8.2(5),

ASA is in multiple mode with 17 active contexts. Why do these error messages appear and what do they mean?


Cisco Firewall :: ASA5585 Interfaces Not Connecting Palo Alto Failed Or Shutdown

Jun 9, 2012

We have a pair of ASA5585 (ver 8.4(4)) with IPS module configured with Active/Standby failover. There are a total of 09 interfaces connecting to different zones in the firewall, out of which three (3) interfaces are connecting to the Palo Alto 2nd layer firewall. When we test the failover, whenever interfaces not connecting to Palo Alto fail or are shut down, the ASA triggers the failover to the other unit; however, the Palo Alto does not detect this failover and still keeps its previous Active Palo Alto to pass traffic, thereby failing to pass traffic on the Active firewall through the Standby Palo Alto firewall.
 
But when there's an interface failed or shut down on the interfaces where Palo Alto is also connected, then once the ASA failover triggers, Palo Alto also triggers its failover at the same time, and then both the new active firewall and Palo Alto send traffic through the firewall. However, we can't connect all the interfaces of the ASA to Palo Alto and let the Palo Alto inspect all the interfaces, but we need our ASA to work in a situation where any of the interfaces fails, with the failover working smoothly to pass the traffic via either Palo Alto device. I just need to know whether there is anything tricky that we can configure on our ASA in this failover scenario, or to confirm that there is no workable solution to this situation.
 
I have attached the scenario that I explained above. Just to emphasize the issue again, if any interface of Gig0/0, Gig0/4 or Gig0/5 fails on the active firewall, the ASA switches to the standby firewall and acts as Active, but Palo Alto still remains in its Active state and the new Active ASA is not passing traffic via the standby PA as it's not detecting any of its interfaces as failed or unreachable..?


Cisco Firewall :: To Deploy ASA5585 In Between User Vlans And Server Vlans

Jun 1, 2012

We have to deploy ASA5585 in between user VLANs & server VLANs. We have to find all the ports that need to be opened on the firewall. Any tools to do the same?


Cisco Firewall :: ASA5585-X Active / Active Failover Using Etherchannel?

Dec 27, 2011

Is it possible to set up active/active failover using etherchannel on 5585s?


Cisco Firewall :: SSH Stops Working To ASA 5510?

Feb 5, 2013

I find are steps to turn on SSH access. I have quite a few customers with ASA5510's installed. SSH is set up and working fine on every one. After a period of time, you are no longer able to SSH into the firewall. Using Putty, it just sits there on a blank screen without giving a "denied access" message or a login prompt. Rebooting the firewall will solve the issue and SSH access works again. Today, I had a customer with an active/standby configuration where I had to reboot both of them to be able to log in. Most of my customers are on 8.2 software as most don't want to reconfigure for the new NAT, etc.
 
I'm sure others have seen this before since it appears to be occurring on almost every ASA that I have access to. Is there any fix to eliminate this or is there something that can be run from the ASDM that will grant SSH access again without just doing a reboot?


Cisco Firewall :: ASA 5510 - SIP Stops When Upgrading

Dec 9, 2011

I have to be missing something small in my config. If I upgrade my ASA 5510, which I am routing and NATing off of, from 8.4.1 to 8.4.2.8, SIP stops. All phones go dead.
 
If I roll back to 8.4.1, SIP comes up... Go back to 8.4(2)8 and SIP goes down...
 
This is without making any config changes. I have looked at it so long, I must be overlooking something simple.


Cisco Firewall :: Frequently ASA 5510 Stops

Sep 1, 2010

I have a Cisco ASA and it frequently stops working. Check the logs given below.
 
Let me know if this happens because of the commands given below.
 
threat-detection basic-threat
threat-detection statistics access-list
 
[code]....


Cisco VPN :: Inspect RDP On ASA5585-X

May 6, 2013

A user from a home PC via Anyconnect is making an RDP session to a work PC; on this PC Microsoft policy allows making disk mapping via RDP. Is it possible to inspect this traffic and deny this (disk mapping) action on ASA5585-X with IPS?


Cisco Firewall :: ASA 5505 - Randomly Stops Responding

Jun 5, 2012

I have an asa5505 with software version 7.2(3) that randomly stops responding. The firewall sits in front of a public facing webserver that handles a significant amount of traffic. I was wondering what would happen when the asa5505 reaches or exceeds the 4000 connections per second limit... i.e. would this possibly explain why my asa5505 stops responding and requires a power cycle in order to start working again? When it "crashes" it does not respond on either the outside or inside interfaces.


Cisco Firewall :: SSH Stops Frequently - 891W Router

Nov 6, 2012

Over the weekend this router was put into production. SSHv2 is configured and was working fine. Due to some circumstances, we had to avoid configuring any zone-pairs that included the self zone. This of course left the router open somewhat. SSH was secured but of course a few IPs from poorly regulated parts of the world spent the weekend trying to brute force log into the router. No luck it seems. Anyway, SSH continued working, then we set up self zone-pairs (out to self and self to out). As ssh can't be inspected, we did a pass log for each direction. This worked for a bit, then SSH just stopped working. I've seen this happen on 891W's in the lab here too, so it is not something perhaps done by some unseen DoS attack or something.


Cisco Firewall :: ASDM 5.24 Stops Opening After Loading 87%?

Jan 23, 2013

Where a 5510 running 7.2.4 code and being accessed via a web browser, stops initializing the main window at 87%? We can access the box via telnet and the CPU is running at 5%. The other error message is a warning that our OS is not supported by ASDM and we may encounter problems running the application.


Cisco Firewall :: ASA 5505 8.4.4 Stops Using EzVPN After Configuration

Sep 24, 2012

I've got some ASA5505 which run as EzVPN clients in NEM, connecting to an ASA5510 as head-end. The ASAs are configured with a CSM and AUS. But whenever they are getting a new configuration through the AUS they stop trying to establish an EzVPN connection to the head-end. After a "reload" they run with the new configuration and establish the tunnel as expected.


Cisco Firewall :: NAT Stops Working With VLAN On PIX 515e

Jan 3, 2012

I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)). I had the following setup working without issue:
 
[Internet] <-----> PIX  <-----> 1841  <-----> [LAN]
 
I then tried to introduce VLANs and now I can not reach the Internet from the LAN.  It seems that no nat translations are taking place.
 
-I can successfully ping the LAN from the PIX.
-I can successfully ping the Internet from the PIX.
-I can successfully ping the PIX inside_lan interface from the router
-I can not ping the outside interface from the router
-I can not ping the Internet from the router
 
I introduced the LAN side VLAN first and everything still worked. However, once I introduced the VLAN between the router and PIX, things have broken down. [code]


Cisco Firewall :: ASA 5505 Stops Accepting Connections

Nov 21, 2012

A client has an ASA 5505 with a base license. The version information and configuration is attached. In 8 hours, sometimes less and infrequently more, it becomes inaccessible. All connections are dropped and the only way to access the device is through a console connection. The WAN interface (VLAN 3) is connected to Verizon FIOS. The interface was set to 100 MBps and full duplex, but I just changed it to auto on both the speed and duplex to see what would happen. The LAN interface (VLAN 1) is also set to 100 MBps and full duplex. It has not been changed.
 
The last time it happened logging was running, but nothing in the log indicated a problem.  In fact, the last log entry was a couple of hours before the lockup (there's little or no traffic on the ASA while the problem is being diagnosed).


Cisco :: ASA5585-40 Not Supported In LMS 3.2 System

Nov 20, 2011

We just purchased 2 ASA 5585-40's and tried to add them to our LMS 3.2 system and we were informed by Cisco TAC that they were not supported in LMS 3.2. Since we don't have funding for an upgrade, is there any workaround within LMS that could allow me to add the devices so I can use LMS for syslog and to fetch the firewall configs on a regular basis, instead of having to set up a separate syslog server and having to tftp the configs every time I make a change?


Cisco Firewall :: 5510 Exchange Active Sync Stops Working

May 8, 2012

I know that I've run into this before but I can't remember the fix. I have a 5510. The 3 interfaces involved are INSIDE, OUTSIDE, and GUEST. Corporate users are allowed to put their iPhones on the Guest network, but the problem is that their Exchange ActiveSync stops working. It is tied to the external DNS name of the OWA server (we'll say webmail.abc.com). So the users are funneled out one public IP on the OUTSIDE interface and are trying to communicate with the outside of the OWA server, which is NATed to another public IP on the same outside interface. What do I need to do on the ASA to allow users on the guest network (behind the GUEST interface) to access the mail server using its public IP (behind the INSIDE interface)?








Copyrights 2005-15 www.BigResource.com, All rights reserved