Cisco Firewall :: K-value Mismatch With EIGRP On ASA5540

Mar 7, 2011

I have an ASA-5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with the same AS# and network numbers and no auto-summary. Here are the log messages I got:
 
Mar  8 15:11:08: %PIM-5-NBRCHG: neighbor 164.72.178.28 UP on interface Vlan150 (vrf default)
Mar  8 15:11:08: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 164.72.178.28 on interface Vlan150 (vrf default)
Mar  8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.28 (Vlan150) is up: new adjacency
Mar  8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) is up: new adjacency
Mar  8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 164.72.178.25 (Vlan150) is down: K-value mismatch
 
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
 
What causes a K-value mismatch, and how do I rectify the situation?


Cisco WAN :: IOS 12.4 (16) / EIGRP Autonomous System Mismatch Detection?

Oct 3, 2007

Is it possible to detect the situation when two neighbour routers involved in EIGRP routing are configured by mistake with different AS numbers? I tried this situation practically. Two routers are connected together via a serial link network. One router has AS 1, the other AS 10. I try to detect the AS mismatch. First I check what EIGRP packets are coming: debug ip packet detail shows source <my neighbour IP address>, destination 224.0.0.10, IP protocol type 88. These packets are EIGRP Hello packets.

I try to go more deeply into details: debug eigrp packets. I see only outgoing EIGRP Hello packets. But I don't see any incoming packet from my neighbour (which has a different AS number). It seems that, because of the different AS number, the router silently drops the EIGRP packet. Other debug eigrp commands also don't show any info about the AS difference.

Cisco IOS 12.4 (16)


Cisco Firewall :: ASA5540 - EAL4 Transparent Firewall Config

Mar 14, 2011

I am configuring an ASA5540 firewall for a client, the only difference to usual being that it is to run in Transparent mode. I have looked for an EAL4 transparent firewall config guide but found nothing and therefore assumed that the usual one would be used. The client's security bod has now come back and insisted MAC filtering should be used but I can find no reference to this anywhere. Is MAC filtering required to make a transparent box EAL4 compliant and if so where can I find documentation supporting this?


Cisco Firewall :: VPN Between ASA5540 And Router

Sep 10, 2008

I had a working VPN configuration between a local and a remote router; the remote router is not under my administration. Now I moved the VPN termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.


Cisco Firewall :: ASA5540 Configured With Standby IP

Aug 6, 2012

I have this 2x ASA5540 firewall and notice that it is configured with a standby IP. The firewall is run in Active/Passive mode. However, the standby IP of this firewall does not point to the secondary firewall and vice versa for the primary firewall. [code]

1) May I know how this configuration is valid in the first place? I have checked through the configuration. None of the configuration is related to this IP address.

2) Can we remove this standby IP address on both firewalls and correct it to the correct primary and secondary IP address on both firewalls?

3) We tried to use this IP address but it cannot be used. Is it related to the configuration of the standby IP address? Do note that the ping to this IP address x.x.x.120 is unreachable.


Cisco Firewall :: One ASA5540 With Two 3750 Connections

Jan 9, 2013

I have two CAT3750 that need to be placed in L3, and they are supposed to be used as L3 switches with SVIs for L2 routing, and I want these two configured for redundancy with HSRP. But now I only have one ASA5540 to connect to these L3 switches.

So, here are my questions:

1. Does the ASA5540 support multi VLAN?

2. Does it support spanning tree protocol?

3. If I've chosen to use trunking between the two L3 switches, can it pass through HSRP hello messages?

4. Achieve network redundancy


Cisco Firewall :: Config Migration From ASA5540 To An ASA5545-X?

Jan 22, 2013

Customer has a ASA5540 at their main location and need a new ASA5500 for a DR site.
 
Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or what ever?
 
They are going to be using it as a VPN concentrator primarily.
 
Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X? Or if they upgrade to 9.0(1) or higher, then they should be the same?


Cisco Firewall :: ASA5540 Port 80 Redirect To Https

Dec 21, 2011

Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been asked to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? How do we accomplish the redirect for a single site? 8.2.4 is the current code.


Cisco Firewall :: ASA5540 Memory Upgrade - 3Gig

May 10, 2011

I upgraded our ASA5540 to 8.4, THEN noted the increased requirements for Memory. I purchased the 2Gig upgrade, but when installing in the Primary unit today, noted that there were 4 slots. Slots 1/3 had 512Mb modules, so I installed the 2 x 1Gig modules in slots 2/4.
 
The ASA5540 came up clean, and it "sees" the entire 3Gig of memory.
 
My question: Is this a SUPPORTED configuration? All documentation I have read only mentions 2Gig of memory. Also, If I had FOUR x 1Gig memory modules, would the ASA5540 support the 4Gigs of memory?


Cisco Firewall :: Fails To Download File Through ASA5540

Dec 12, 2011

We have an ASA 5540 with 8.2 SW. We are trying to download a file (3 MB pdf) from an https session, which fails if done behind the firewall. In case the client bypasses the firewall, the file gets downloaded as usual. The interesting thing to note here is that when the client is behind the firewall, it takes a long time to download the file and the file size is always 312 Bytes; of course it's a corrupt file.


Cisco Firewall :: ASA5540 Management Interface IP Addressing?

May 9, 2011

How does one allow a /31 mask for a management interface on an ASA5540 using version 8.3(1)?

I need to configure a 192.168.x.y /31 on the management 0/0 interface of an ASA5540 and it is providing me with the following error: ERROR: /31 mask is not allowed


Cisco Security :: Can Add SSM-4GE Module In ASA5540-AIP40-K8 Firewall

Dec 11, 2011

I have a requirement received from one of my customers. The part number given is ASA5540-AIP40-K8, and at the same time they are requesting the addition of another 4-port GE module (I believe it's the SSM-4GE module). Is there any option to add this module to the above specified model (ASA5540-AIP40-K8)?

As per my understanding the ASA5540 has the option to add 1 additional module only, so if we add the AIP-SSM module, we don't have any free slot left to add another SSM-4GE module in the firewall.

I am not even getting the option to add SSM-4GE in the ASA5540-AIP40-K8.


Cisco Firewall :: Interoperability ASA5540 Routing And Nat With The Same Zones?

May 18, 2011

I am migrating a Fortinet firewall to an ASA5540 with inside (192.0.0.0/24), dmz (192.168.0.0/24), and outside (x.x.x.x), but the users of the inside network gain access to the application in two ways: the first way is through routing between inside and dmz, for example 192.0.0.200 to 192.168.0.20, and the other way is through static NAT between inside and dmz, for example 192.0.0.200 to 192.0.0.20 (192.168.0.20 static NAT). Is it possible to configure that on Cisco? Because when I configure only the firewall route the first way is OK, but when I add the second way only NAT works!


Cisco Firewall :: ASA5540 Can't Get DHCP Service From Outside To Inside Network

Jun 13, 2012

I have an inside network using PAT to one outside address. Our DNS server is on another local, but outside address. I can't get the inside network to successfully get addresses. I have another inside address that just uses the firewall and gets addresses just fine from the same server. I have the box checked in ASDM that enables DHCP on the inside interface and points to the correct DHCP server. PAT service is working properly if I use a hard coded address for a machine on the inside network. This is an ASA5540 with 8.3(2).


Cisco Firewall :: How To Clear Input Errors In ASA5540 Interface

Feb 26, 2013

My expertise with Cisco ASA is very less. I have observed input errors on a couple of interfaces in a Cisco ASA 5540 firewall. [code] I need to clear the input errors on this particular interface. Will clear interface GigabitEthernet 0/0 work?


Cisco Firewall :: ASA5540 Dropping Packets On Large FTP Transfer

May 23, 2011

I am attempting to FTP to a remote site through an IPSEC tunnel. When I am transferring large files the ASA5540 is showing syslog errors stating "connection timeout". What I think is happening is that after about 1 hour the firewall is closing the control port connection for the FTP session and neither end is notified, so eventually the transfer is stopped. What do I need to modify in the FW to accommodate these larger files?


Cisco Firewall :: ASA5540 - No ICMP Reply From Inside Sub-interface

Apr 28, 2013

I need to monitor with ping the inside sub-interface of my ASA5540, is that possible? I get the ICMP requests but no replies going out from the box.
 
 I need to ping the 192.168.10.250 from the 192.168.5.55:
  
ASA Version 8.0(5) 
interface GigabitEthernet0/1
nameif inside

[Code].....


Cisco Firewall :: ASA5540 - Disabling Anti-Replay For Specific Tunnel

Sep 23, 2012

We need a solution for disabling Anti-Replay on the firewall for a specific tunnel. ASA 8.4(2) does not support disabling Anti-Replay on a specific IPsec tunnel; is that true? If so, and we want to disable Anti-Replay, what do we have to do on the ASA5540?


Cisco :: ASA5540 - Run Firewall To Display MTU Packet Size Being Received On Interface?

Jul 5, 2012

I have a ASA5540 firewall set-up with an interface MTU of 1500.  
 
I suspect that we are receiving packets with a larger MTU but have not found an easy way of confirming this.  Any command that can be run on the firewall to display the MTU packet size being received on an interface?
 
We are also running Solar Winds so could query an OID if such a variable exists.


Cisco Firewall :: ASA5540 In Multiple-context SNMP / Icmp Doesn't Work

Jun 10, 2013

What´s going on with an asa540 configured in multiple-context mode? I have a Cacti server on my LAN and now I´m trying to monitor the interface with SNMP. When I try to get this information it returns the error message:
 
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
 
If I try to ping returns the same error:
 
CISCOASA/CONTEXTA#
 JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
   
Attached is the conf of my ASA. My question is: why can´t I ping or even use SNMP?


Cisco Firewall :: ASA5540-AIP20-K9 / Discover Actual Product Part Number

Nov 16, 2011

How can I discover the product's actual part number from the device through the console? I have bought a Cisco ASA5540-AIP20-K9 and I want to check whether the product shipped to us is the right product. I also want to check the total BoM requirements by entering a CLI command on the ASA console. Below is my Cisco ASA BoM which I purchased.

Part number | Description | Quantity
ASA5540-AIP20-K9 | ASA 5540 Appliance w/ AIP-SSM-20, SW, HA, 4GE+1FE, 3DES/AES | 1
CAB-ACU | AC Power Cord (UK), C13, BS 1363, 2.5m | 1
SF-ASA-8.3-K8 | ASA 5500 Series Software v8.3 | 1
SF-ASA-AIP-7.0-K9 | ASA 5500 Series AIP Software 7.0 for Security Service Modules | 1
ASA-VPN-CLNT-K9 | Cisco VPN Client Software (Windows, Solaris, Linux, Mac) | 1
Included: ASA5540-VPN-PR | ASA 5540 VPN Premium 5000 IPsec User License (7.0 Only) | 1
Included: ASA5500-ENCR-K9 | ASA 5500 Strong Encryption License (3DES/AES) | 1
Included: ASA-AIP-20-INC-K9 | ASA 5500 AIP Security Services Module-20 included w/ bundles | 1
Included: ASA-180W-PWR-AC | ASA 180W AC Power Supply | 1
Included: ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Security Desktop Software | 1
CON-SU1-AS4A20K9 | IPS SVC, AR NBD ASA5540 w AIP-SSM-20,4GE + 1FE,3DES/AES | 1


Cisco Firewall :: EIGRP Metrics On ASA 2911

Aug 4, 2011

I have two 2911 routers running 15.0(1)M4 in a redundant topology connected to an ASA 5520 firewall running 8.4 version. All gears are running EIGRP. In order to distribute the incoming traffic between the two 2911 routers, I am using 'offset-list out' on them, but in the ASA's routing table I see updates from both 2911 with the same metric, i.e. the offset-list is not working. What are the default metric weights on ASA? How can I change them? I couldn't find any known bug.


Cisco Firewall :: EIGRP And DMZ Distribution - ASA 5520

Dec 12, 2012

I have been able to get EIGRP  working successfully in the lab like I want.
 
Attached is the network overview:
 
We have a Data Center and Corporate office connected via Point to Point Fiber link, eventually we will have two of these
Two 4948E switches in the Data center acting as cores setup with GLBP
Corporate Office has a 3750X acting as a core
Currently two 4948E's are connected to each other via Port Channel and a L2 trunk
Two sets of ASA 5520's, one acting as a firewall and for Cisco Any Connect and the second for site to site VPN

What is the best way/practice that I can distribute this DMZ via EIGRP? Should I just leave it static on the core like this?


Cisco Firewall :: ASA 5510 EIGRP Not Working

Sep 24, 2012

We have 2 ASA5510 and 2 ASA5525. Got a very weird error; up to release 8.4 EIGRP works fine, after upgrading to 8.6 EIGRP stops working. Can't see any neighbors; but same command from another ASA on the same network but with release 8.4: [code] I want to put the 5525 in production but would like to do it with the latest release; could this be a bug in 8.6?


Cisco Firewall :: 6509 / FWSM VLAN Configuration Mismatch And Some VLAN Deleted

Aug 12, 2012

We have a 6509 VSS with FWSM Module and we have created two contexts on it, one is INTERNALL CONTEXT, the other is EXTERNALL Context. We have spanned various VLANs at switch and FWSM context level. All VLAN gateways are configured at context level.
 
Activity description: We had planned the migration of these devices into a new Datacenter; it was a planned activity. During migration of the devices from one DC to a new DC we broke the VSS and kept the primary running, removed the secondary switch and migrated this secondary to the new DC, powered this device ON in the new DC and checked that all the config was very much fine, but this device was OFF network, as the secondary was brought to the new DC just to limit the downtime during the primary switch movement.

During the activity (primary switch movement) we powered off the primary switch, and meanwhile, before shifting it into the new Data center, we had brought up the secondary switch, which already existed in the DC, and put it live in the network, and it was working fine without any issues.

Later we moved the primary into the new data center and tried to put it into VSS with the secondary. During this period the secondary device went into RECOVERY MODE and the primary device was not responding, and the devices went off network. Immediately we removed the VSL link and brought up the primary in the production network without the secondary online in the network (without VSS, just a stand-alone switch) and the network started working. But on bringing up the primary we found that some of the VLANs in the FWSM were deleted and some VLANs had misconfiguration (example: say original VLAN IP 10.200.112.1 has become 10.300.13.1); also some of the access lists as well as SVIs were deleted, making a configuration mismatch.

We wanted to know whether pulling out the VSL link during synchronization between the primary and secondary switch in VSS would create this type of issue.


Cisco Firewall :: ASA 5540 Load-balancing Over EIGRP Not Working

Nov 15, 2011

We have an ASA 5540 running 8.4(1) on the inside of dual Internet-facing border routers. The routers run BGP facing out and EIGRP facing in, with the ASA also running EIGRP for the same AS. Both routers redistribute a default route into EIGRP. It was my understanding and expectation that the ASA would learn both of these, as they are equal cost, and load-balance the outbound traffic over the two links. This does not appear to be the case.
 
The routers both have:
 
router eigrp 100
network nn.nn.nn.nn 0.0.0.0
redistribute static

[Code].....


Cisco Firewall :: ASA 8.4(2) / EIGRP / Redistribution And Site To Site VPN?

Aug 18, 2011

We are looking at adding our ASAs to our EIGRP autonomous system. Is it possible to redistribute "routes" which are accessible only from a site to site VPN? I put "routes" in quote marks because the remote networks do not appear in the routing table. BTW the firewalls are running ASA 8.4(2).


Security Key Mismatch

Dec 14, 2012

I have a 2wire router and can currently only connect to the internet with an ethernet cable. I've screwed my settings up trying to install my new router (WHOLE 'nother post lol!). Anyway it's not taking my Security Key... that I think is the right one. If I enter a different one it doesn't say incorrect, but it says possible security key mismatch or something like that.


Cisco Application :: ACE 4710 - MSS Mismatch

Dec 5, 2011

I'm receiving a lot of these messages in a ACE4710 cluster. 192.168.100.1:80 is the VIP, 193.126.127.28:56380 is the client. Already tried to set the mss with this:
 
parameter-map type connection my map set tcp mss min 0 max 1380
 
policy-map multi-match L4_policymap
class vip_PRDWEB_http
loadbalance vip inservice
[code].....
 
But it doesn't work.


Network Security Key Mismatch

Oct 24, 2011

I am trying to access the internet (Plusnet) using a laptop, via as wireless computer. All that appears on the laptop screen is "network security key mismatch". What is a security key?


Cisco :: LAG From N7k To 5508 Getting Duplex Mismatch Errors

Jun 2, 2012

Seen Duplex MisMatch errors on a N7k with a LAG going to the 5508 WLC?  WLC code is 7.0.203.0. I found a BUG that is private to Cisco ( CSCth11041 ) that looks like it, but I want to make sure.


Cisco VPN :: AnyConnect 2.5.2019 - SSL Certificate Mismatch

Sep 6, 2011

When I'm trying to connect using stand-alone AnyConnect (not through the web), I get the SSL error message "The certificate you are viewing does not match the name of the site you are trying to view" (attached).

The certificate I installed for the SSL connection on the outside interface has Subject CN=testvpn.mydomain and Subject Alternative Name (SAN) --> DNS Name = testvpn.mydomain

It seems to me that instead of connecting to testvpn.mydomain, AnyConnect tries to connect to its IP address. I did try to remove the IP address in the Server List in the profile, but it still doesn't work.

If I'm using Clientless (through the browser), I don't receive this error, which means the certificates are installed correctly.

Is that a bug in AnyConnect 2.5.2019 or are there other ways to force AnyConnect to check the name instead of the IP against the certificate?


Cisco :: 6513 - LMS 4.0.1 Link Duplex Mismatch

Sep 18, 2012

In LMS I have a 6513 with several sx 1000 interface setup for etherchannel to catalyst 3750
 
both sides are set for autoduplex but LMS reports that there is a link duplex mismatch. We just installed the latest patches for the LMS 4.0.1








Copyrights 2005-15 www.BigResource.com, All rights reserved