We saw this syslog on ASA5585 with version 8.4(1). I have two HA firewall pairs (contains 4 ASA5585, active/standby), and I saw this message on the standby ones.
Jun 7 07:36:26 10.99.96.32 last message repeated 4 times
Jun 7 07:36:26 10.99.96.32 :Jun 07 07:36:26 HKST: %ASA-ha-3-210005: LU allocate connection failed
[Code]....
Customer is running ASA 5550 with software 8.2.5 version.
They continously get the below messages
%ASA-3-210005: LU allocate connection failed
%ASA-3-210007: LU allocate xlate failed
I have already searched in the forums and also BUG toolkit, These issue has either been resolved in prior relases or in 8.4 .x train. I didnt find any bug which says that it has been found in 8.2.5 release.
I have also run "show conn count" and "show xlate count" I see these is difference in count output.
From Standby
COGINBLRMBPB1INTF1# show conn count
6097 in use, 17220 most used
COGINBLRMBPB1INTF1# sh xlate count
[Code].....
we have two ASA 5520, on the failover unit is showing LU allocate xlate failed. We read on [URL] that it could be a memory problem , but have cheked it and we have 85% of memory free on both nodes. We also can see all xlate on failover unit.
We have forced failover this evenig and we can´t stablish outbound connexions by outside interface, we think xlates or nat cant work properly.
I got an asa5510. After problems with ipsec connections the log said :
LU allocate xlate failed this error repeats every minute. At the cisco site i found the following :
explantion : stateful failover failed to allocate a translation (xlate) slot record recommended Action : check the available memory by using the show memory command to make sure that the security appliance had free memory in the system. If no memory is available, add more memory
But when i do there is free memory. (about 54%)
What can i do to fix this ?
I am currently getting a strange error when trying to use and crypto services on our ASA 5520 (8.0.3)Initially I observed that a connected VPN had dropped.Then when I attempted to use ASDM or SSH I was blocked.
In the end I opened telnet as a test and this was successful. Syslog also shows that traffic is passing as normal.The only obvious error I can see when observing various debug traces is this;
FW02# CTM: rsa session with no priority allocated @ 0xCF1FBBA0
CTM: Session 0xCF1FBBA0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: rsa context allocated for session 0xCF1FBBA0
CTM: rsa session with no priority allocated @ 0xCE7A5EA8
[code]....
We have pair of ASA5585 (ver 8.4(4) with IPS module configured with Active/Standby failover. There are total 09 interfaces are connecting to different zones in the firewall and out of which three(3) interfaces are connecting to Palo Alto 2nd layer firewall. When we test the failover whatever interfaces not connecting Palo Alto failed or shutdown, ASA triggers the failover to other unit, however the Palo Alto is not detecting this failover and it still keeps its previous Active Palo Alto to pass traffic, thereby failing passing traffic on Active firewall through Standby Palo Alto firewall.
But when there's a interface failed or shutdonw on the interfaces where PaloAlto also connected, then once the ASA failover triggers and the same time Palo Alto also trigger its failover then both new active firewall and Palo Alto sending traffic through firewall.However we we cant all the interfaces of ASA also to connect Palo Alto and let the Palo Alto to inspect all the interfaces, but we need our ASA to work in a situation where any of the interfaces failed, the failover to work smooth the pass the traffic via either Palo Alto device.I just need to know is there anything tricky that we can configure on our ASA in this failover senario, or to confirm if there's no any workable solution to this situation.
I have attached the senario that I explained above. Just to emphasis the issue again, if any interface of Gig0/0, Gig0/4 or Gig0/5 failed on active firewall, ASA switching to standby firewall and act as Active, but Palo Alto still remains his Active state and the new Active ASA is not passing traffic via standby PA as its not detecting any of its interfaces as failed or unreachable..?
We're currently PATing everything from a particular subnet to the IP of an outside interface using our ASA5585 (dynamic PAT). We're experiencing pool exhaustion and therefore need to expand the global IP range. Any way of cutting over to the new range without dropping existing connections? For clarity, the current interface address is x.x.x.37/22 and the new PAT pool is x.x.x.114-6/22.
View 6 Replies View RelatedWe just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007:
LU allocate x late failed, errors prior to the reload. These units had just had their OS upgraded to fix a DOS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS.Two units in failover.
Cisco Adaptive Security Appliance Software Version 8.0(5)9 Device Manager Version 6.0(2). Compiled on Mon 01-Feb-10 10:36 by buildersSystem image file is
"disk0:/asa805-9-k8.bin"Config file at boot was "startup-config"
CP-ASA up 17 days 21 hoursfailover cluster up 17 days 22 hours
[code]....
I am interesting how ASA 5585-X with SSP-60 operates in dual firewall mode, if I install two SSP-60 modules in chassi, do I get one logical firewall with doubled performance of (SSP-60) ?
View 1 Replies View RelatedHow to allocate bandwidth for a certain host or service in Cisco ASA 5510 Firewall using ASDM? For instance, I would like to dedicate 2MB for H323 service (Video Conference Call).
View 1 Replies View RelatedI have put 2 physicl interfaces (te0/8 & 9) on the ASA-5585 into a PO and am assigning ips/vlans to the sub-interfaces. I have 2 issues: - Why am I not able to ping the other sub-interface from the ASA itself? (I can ping the 1st one), Secondly, why the IPs are not visible in "sh int ip brief" ?Although I can see them in "sh ip" ..
/actNoFailover(config-if)# int po17.100
/actNoFailover(config-subif)# vlan 100
/actNoFailover(config-subif)# ip add
[Code]....
I am responding to a tender where the client is asking for the firewall to support an onboard disk drive for logging purposes, which is a minimum of 500 GB in size.
The other requirements all point towards the top of the range ASA 5585-X Chas w/SSP60,IPS SSP60,12GE, 8 SFP+,2 AC,3DES/AES.
I note the 5585 when configured on DCT comes with HDD blanking plates, is there an HDD supported on this?
I've read through netpro and found everyone points to this doc.
[url]....
However that still doesnt allow traceroute through for us. We still see syslogs with deny's on high level random UDP ports to different Internet destinations.
[code]....
I got some issues with my CISCO ASA, the thing is that when I add a new rule on the device this rule duplicate and goes to the bottom. We already tried to delete the duplicate rule but it always show an error.
-Model 5585
-ASA Version: 8.2(5)
-ASDM version: 6.4(5)
I have ASA5585 Firewall between my WAN Cloud and LAN Network. I plan to configure Layer 3 Vlan Interfaces inside FW and it would be Layer 3 gateway for some of Subnets. Layer 3 VLAN Interfaces are planned to be dual stack containing both IPv4 and IPv6 Address stack.
I plan to configure 6 to 4 Tunnel with my Hub Site where we have native Ipv6 awareness. One tunnel end point would be ASA and the other endpoint would be Hub site WAN Router/L3 Switch. So IPv6 traffic hitting to vlan interfaces on ASA would be policy checked and routed over tunnel interface to Hub Site.
6to4 Tunnel manual tunnel configuration on ASA. I have configured such tunnel on L3 Switch or Router with following config.
Int tunnel xyz
ipv6 address <ipv6 address>
ipv6 enable
tunnel source <loopback address of my L3 Switch>
tunnel destination <loopback address of my hus site L3 Switch/Router>
tunnel mode ipv6ip
end
I need to implement something similar in ASA. How can I do that?
How do i measure the total throughput going via 5585-X.It has the firewall througput of 5Gbps. Looking at aggregate of all the interfaces traffic going through it seems about 4gbps is going through.
I use show traffic command and add up the trasmit and receive traffic on each live interface.Is that correct method and are there any more commands?
Problems connecting to different services and an online game. Examples:
1.) "Connection timed out" in Teamspeak 2. (debug log not really yielding much useful information).
2.) Torchlight 2 reported "Connection failed - Firewall errors detected."
- almost all other online applications work just fine (including voice over ip and games) What I've tried (without any success):
1.) I could connect in either case using my old laptop! Thus it works on a different computer, from the same network, at the same/similar time. Thus I concluded it must be somehow related to this laptop (its a new laptop).
2.) The TS2 server & entered information is 100% working, same applies to torchlight2 - also latest updates installed and of course the game is totally legal.
3.) Windows firewall: all the mentioned programs are on the allowed list. Also check whether its correctly set to "home network". Futhermore I also tried disabling the windows firewall entirely.
4.) No other firewall program in use.
5.) Check all programs I know of which might be related to network traffic (e.g. Qualcomm Atheros Killer Network Manager - disabled it).
6.) Tried both, wireless and ethernet cable connection.
7.) I even tried running the game, torchlight 2, via Tunngle (explained in a layman's words: a program that simulates Lan over the internet).
Some Information about my system:Its a new laptop. Network card is labled as "Killer e2200 PCI-E Gigabit Ethernet Controller.Runs Windows 7 and did start out empty: i.e. I installed every single program running on the machine and as far as I know none of them should have anything to do with network. Virus scanner is the lastest version of AVG free (no firewall included).
use of a pair of ASA 5585's in active/active mode with a shared outside interface.Last time I did this was with FWSM, there was a restriction where all contexts that share an outside interface have to be in the same failover group.Does this apply also to the ASA? My thought is that it will, but I am unable to find that in any documentation.
View 1 Replies View RelatedRunning ASA5585’s in active/standby across a local campus MPLS network. Supported design, leading practice etc. Specifically our design is that two ASA5585 are configured as active/standby through a local campus MPLS network over 10gig links through ASR9k etc. The ASA’s are providing inter-vrf routing capability only with p2p l2vpn circuits configured for each logical interface between the ASA over MPLS etc.The failover link is via a direct fibre and the state link will be through a p2p l2vpn (option for direct fibre also)Is this a supported design to begin with?
View 2 Replies View RelatedI have a ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE.The integration is working fine, except when a user PC sends a large packet (~1500 bytes).With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged.User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable.Users and Websense server are both on the Inside interface.
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.
We are experiencing intermittent issues with the IPS on our ASA5585 vs 8.4(2). Probably something with the dataplane. So I want to keep debug cplane 255 activated and logged with log debug-trace setting to syslog server. But when session times out the debug command is cleared so the output stops. Since it is a intermittent issue I want to keep debug activated...Totally different behaviour then with routers which keeps it activated. how to keep debug activated on a ASA.
View 1 Replies View RelatedI have two ASA in failover with Active/standby configuration. When I switch from standby to active from the standby ASA I get a lot (like 100) of error messages like these below: [code] The failover works fine and nothing seems to be wrong with the firewalls function.
-Hardware is ASA5585-SSP-10.
-Software version: ASA 8.2(5),
ASA is in multiple mode with 17 active context. Why these error messages appear and what they mean?
WE have to deploy ASA5585 in between User vlans & server vlans. we have to find all the ports that needs to be opened on firewall. any tools to do same.
View 2 Replies View Relatedits possible to set up active/active failover using etherchannel on 5585s?
View 1 Replies View RelatedIs there a way to allocate CPU or memory resources to specific processes - similar to a QoS-style configuration where you can prioritize the processes being handled by the CPU? We have a 2811 router whose CPU periodically spikes to 100% utilization. At these times, all of our EIGRP neighbor adjacencies bounce - either a peer goodbye is received or the hold time expires.
Our thinking is that we could possibly tell the router to prioritize the EIGRP process with the CPU so that routing is maintained, even though we realize other processes (like qos or ISAKMP for our tunnels) may suffer.
I got a 40gb monthly broadband plan at home and there are 4 of us using the broadband..since i work long hours i hardly use internet but other flatmates sometime finishes the broadband 10days before the new cycle starts..so i was wondering if there is a way i can put a limit that every one get to use 10gb.
View 3 Replies View Relateduser from home PC via Anyconnect making RDP session to work PC, on this PC Microsoft policy allow making disk mappind via RDP. Is that posible to inspect this traffic and deny this(disk mapping) action on ASA5585-X with IPS?
View 1 Replies View Relatedwould like to know how a bandwidth gets distributed in switches.for example consider a scenariowhere i have a coreswitch A and coreswitch B connected between each other througha a 1Giga Fiber, now each of my core switche are connected to two edge switches through fiber links. all edge switches have giga ports. now if i connect a pc with giga link in th edge switch of coreswitch A and tansfer a file to a PC connnected to the edge switch in network B.. how much bandwidth would i get?how does the switch allocate bandwidth?
View 8 Replies View RelatedI have a WAG310G router which I have connected wirelessly to my PS3. When no one else is using the internet my connection is fine. However, when someone else does come on the internet my PS3 lags so bad that I can barely play it. I was wondering is there a way to allocate the bandwidth so that my PS3 gets more of it?
View 2 Replies View Relatedwe just purchased 2 asa 5585-40's and tried to add them to our lms 3.2 system and we were informed by cisco tac that they were not supported in lms 3.2. since we don't having funding for an upgrade, any work around within lms that could allow me to add the devices so i can use lms for syslog and to fetch the firewall configs on a regular basis, instead of having to setup a seperate syslog server and having to tftp the config's everytime i make a change.
View 3 Replies View RelatedFor quite some time now, we have been experiencing an issue with the Cisco VPN client that will make the client completely unusable. I have noticed that when a specific feature of Symantec Endpoint Protection is enabled, it will (about 25% of the time) cause the following errors to appear when attempting to connect anywhere with the Cisco VPN client. Once this error happens once, the VPN client then becomes useless.
Error #1
Reason 414: Failed to establish a TCP connection
Error #2
Reason 440: Driver Failure
Error #3
Reason 442: Failed to enable virtual adapter
It seems that fixing one error will cause the other error to come up.I have tried reinstalling the client with the same version and older versions and the issue still comes up. All users in the company are using Windows 7 64-bit with SP1 installed.The oddest thing about this is that all employees in the company have the same antivirus with the same features enabled, however, it only happens to a small percentage of employees.
My WRVS4400N, V2.0.2.1CPU:STAR 9202.Doesn't allocate IP address on DHCP for anything but the Open SSID. All others, WEP, WPA, WPA2, nothing.I tried different clients, Intel Centrino wifi, Cisco, AG-CB21 same results.The config is std, I tried one VLAN for ALL SSID, I tried different VLANS, same.
View 0 Replies View RelatedRecently i had a requirement for implementing a Qos on one of my Mpls link which is of 2Mbps, the requirement was to allocate a bandwidth of 512kbps for each connect that comes in and 512 kbps for out going, and it is in ASA 5510 firewall.
So i have done the configuration successfully, now the issue is, the bandwidth is limited to 512kbps only for all the connection,how many may be the connections, it working below 512kbps,
But my requriemt was for the first connection, it should allocate 512kbps , and for the second another 512kbps so on.its not happening, the bandwith got struckup at 512kbps , all the connection are sharing this bandwidth only.