Cisco Firewall :: PIX 515e Reason To Upgrade To ASA Cluster

Feb 24, 2011

Just looking for some good reasons why I should upgrade a Cisco PIX 515e cluster to an ASA Cluster to present to the business.

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5520 - Fail Over Cluster Software Upgrade

Jul 21, 2011

last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
 
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
 
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
 
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
 
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
 
"Multiple sessions per tunnel are not supported"
 
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several month in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.
And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.

View 7 Replies View Related

Cisco Firewall :: Upgrade Firmware On PIX 515e?

Jun 23, 2011

I´ve a problem with my "old" PIX515e device. I wanted to flash this device to a new firmware level but forgot to disable the "lost enable" password before.  So I started to make the firmware upgrade on my device, ended up with "flashfs" is busy and I should start the enabled modus and "copy flash tftp" to activate the new flash version. Unfortunalty I cannot do this because I´ve lost my password. When I´m trying to boot this device up now, it will end with a error message...
 
Unable to locate boot image configuration
Booting first image in flash
No bootable image in flash. Please download an image from a network server in the monitor mode
Failed to find an image to boot
 
As mentioned, when I will load a new flash image over monitor mode, i cannot activate that image because of flashfs is busy.The password reset bin files will not work too. I tried that too but this one will recongnize no active installed flash.Is there any way to reanimate my PIX515e? In newer devices there are possibilites to work with changing config register but I´ve found nothing about that for a PIX515e.

View 1 Replies View Related

Cisco Firewall :: Upgrade / Replace 515E With ASA

May 15, 2012

I need to upgrade/ replace a Cisco 515 E firewall with a Cisco ASA. Not sure what model yet! The pix has about 80 lines of ACLs and I side and outside interfaces with No VPNs.. I was wondering of those lines of ACLs can be transferred over to ASA as is or there are things I need to watch for ?

View 21 Replies View Related

Cisco Firewall :: Import PIX 515E 6.3(5) Config Into New PIX 515E 8.0?

Aug 22, 2011

I need to redo the configuration on the new one?

View 11 Replies View Related

Cisco Switching/Routing :: 6509 - Upgrade Sup720 To Sup2T In VSS Cluster

Jun 21, 2012

I support an active VSS cluster using 2 x 6509E chassis with single Supervisor 3C modules in each chassis. I want to replace these with Supervisor 2T modules. All my service modules and line cards are supported with the Sup2Ts (I will also be implementing 6908 modules). Is there a document on the Cisco site for this? I haven't found one though I can find plenty that describe how to do a software upgrade.
 
(Note, I have a 3rd (non VSS) 6509E chassis that is also part of this core network and that will maintain VTP/V LAN's etc).

View 9 Replies View Related

Cisco VPN :: PIX 515e VPN To ASA Failing After Several Hours Following Upgrade?

Feb 13, 2011

I've got a PIX 515e firewall on a branch site running version 7.2.4.7(LD) connecting via a VPN to an ASA at the HQ with 7.2.5 code running. After several hours it is no longer possible to ping either the PIX or hosts behind it on the branch LAN though the tunnel still shows as being up.  In order to bring the link back up the local PIX has to be rebooted.The connection used to work with no problems when I was running PIX version 7.2.1 software but this had to be upgraded to 7.2.4 to support the new TCP normalization commands. VPN connections to other branch sites running PIX 7.2.1 remain active with no problems. The reason for the upgrade is to implement WAN acceleration between the sites however I still encounter this problem even when the WAN acceleration hosts are not installed.In addition to the software upgrade I added the following configuration to both the ASA and the PIX: 
 
tcp-map wanx_tcpmap
 synack-data allow
 invalid-ack allow
 seq-past-window allow
tcp-options range 28 28 allow

[code]....
 
The ASA originally had this code but the PIX did not and the VPN was stable, after upgrading the PIX and adding the code the link was no longer stable.

View 1 Replies View Related

Cisco Firewall :: ASA 5500X - Next Generation Firewall - Cluster Licensing

Apr 26, 2013

I'm working on a BoM for a customer and i need to offer an ASA5525-X pair in HA with AVC and WSE subscritption, I've two question:
 
1) In order to use AVC and WSE I need the ASA bundle that includes the SSD HD right? (ASA5525-SSD120-K9)

2) In order to have both ASA's in HA, do i need to order two Suscriptions (ASA5525-AW3Y-PR) or only one that is "shared" in the cluster?

View 1 Replies View Related

Cisco Firewall :: PIX 525 Cluster

Mar 15, 2012

We currently had to RMA both PIX 525s due to increasing crc errors. After swapping the old ones with the new we are still seeing crc errors on all gig interfaces. We have swapped the gig nic's and the sfp's and the fiber patch cables, yet still the crc errors continue to climb.

Another thing that's interesting is that when we disconnect the secondary we see an increase in throughput.

View 2 Replies View Related

Cisco Firewall :: Pix 525 Cluster Failover?

May 23, 2011

a customer have 2 pix 525 with ver 7.0.1 in a failover configuration with serial cable and 2 sc fiber interface and 2 fastethernet 1 used for failover. the strange behaviour is that when i try to do traffic from inside to dmz or dmz to inside the maximum transfer is 862Kb/s to 1MB/s not more.... i don't understand what's happened. the show mem and show cpu are normal 7% mem used and 1-2% cpu used. attached you will find the configuration.

View 5 Replies View Related

Cisco Firewall :: Upgrading ASA 5580 Cluster From 7.2 To 8.2

Aug 19, 2012

we are going to upgrade our 5580 ASA Cluster from 7.2 to 8.2 and want to do it like this way ( which worked for all 7.x upgrades ) :download asa8.2 Image to primary + secondary Firewallreboot primary ( message come up " mate version ...)reboot secondary.Does it works any experience? Does it work if both firewall can see each other during the boot process ?
 
Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary ?

View 2 Replies View Related

Cisco Firewall :: Failover On ASA5510 - Reason Of Interface Tests

Jun 24, 2011

Do I correctly understand that when two ASA 5510 are in fail over pair, the switchover from primary to secondary if one interface of primary goes down shall happen ONLY if failover link is up? So when the fail over link is down and one interface on primary got down also,  interface tests between the two ASAs still are being done , but secondary SHALL NEVER try to become active.

In this case why to make  tests on data interfaces ? What is the reason to make them? If the knowledge of that some interfaces  of primary became down comes through failover link - no need to make additional interface tests - primary will tell about the failure to secondary. If so should run no monitor-interface  if name command to dis load devices and network by foolish  tests?

View 5 Replies View Related

Cisco Firewall :: ASA Version 8.6.1 NAT To Exchange 2010 Cluster?

Feb 26, 2013

We have the following setup on our Cisco ASA version 8.6.1 One to one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node from the cluster but when the cluster failover it cache the IP address and are not updating the new MAC when the cluster failover. So users from the outside are unable to connect to the new node from outside the ASA as the MAC address from the passive node is in the MAC table. The MAC address on all the switches update within 2 seconds on the internal network and users don't notice any outage.

View 4 Replies View Related

Cisco Firewall :: 5540 Changing Host-name In Asa Cluster

Feb 11, 2013

I have 2 cisco asa 5540's configured in active/standby mode. I need to change the hostname and domain name as per our standards. Does changing the hostname has any impact on the traffic flow?

View 1 Replies View Related

Cisco Firewall :: ASA 5585x Security Context In HA Cluster

Jun 6, 2012

I have a active-active setup with 2 cisco asa 5585x running 8.4 - the boxes ahve each 2 sec context's build-in - which gives 4 sec context in the cluster. I have 2 x 5 extra licenses (2 x ASA5500-SC-5)  which I haven't applied yet - will this give me a total of 10 or 14 security contextes? I am a bit in doubt because if I only get 10 sec contextes in this cluster then could I instead get a single 10 security context license (1 x ASA5500-SC-10) and add this - hereby I would get 12 then. 

View 1 Replies View Related

Cisco Firewall :: Management Interface In Cluster ASA 5515x?

Jan 6, 2013

I have a misanderstand about management interface configuration in cluster. So I have a cluster asa 5515X with management interface. i Would like to be able to connect to any of the member of my cluster on management interface, so i would like to fix a different ip on management interface on each of my node ip 92 and 91. I think it is the only way to make asa firmware update to access local flash on each node.
 
my config
 
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif

[Code].....

View 9 Replies View Related

Cisco Firewall :: ASA 5510 / 8.0 - Capture Type ASP Drop Entries With No Reason?

Dec 4, 2011

I have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason.  See output below (ASA 5510 with 8.0(5)23 code):asa5510-8.0#  show capture, capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]

View 2 Replies View Related

Cisco Firewall :: Migrate To Multiple Context Mode On ASA 5520s Cluster?

Jun 4, 2012

I have a pair of ASA 5520s in active/standby failover mode, single context.  I'll be migrating to multiple context mode later this week.  Do I need to break failover first?  Or if I don't need to, should I?  Or can I do this while maintaining failover?  Can either of these scenarios will work (or fail).  I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
 
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA

[code]....

View 1 Replies View Related

Cisco Firewall :: 6509 - Replacing Faulty FWSM Module In Cluster

Apr 15, 2013

We have a faulty FWSM module in Cisco 6509 switch in Active/Standby cluster mode
 
We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration
 
What procedures should I follow to make this unit live and sync the config between the current active unit to this one.

View 1 Replies View Related

Cisco Firewall :: SNMP V3 Support IOS On Pix Firewall 515E?

Jun 13, 2012

I have an Pix 515E firewall with Pix724-33.bin IOS. I just want to know that does this IOS support SNMPV3 or I will have to upgarde it with some other version.

View 1 Replies View Related

Cisco Firewall :: 515e / Traffic Not Passing Through Firewall?

Jan 16, 2013

Ive got a problem with passing traffic through a Cisco 515e firewall.im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x? ive configured a group called infrastructure and added the 10.x.x.x addresses.ive configured acl 101 inbound on the outside interface:

access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
 
theres a route to the inside net:

inside 172.16.0.0 255.255.0.0 172.16.163.1
 
and theres a translation:

static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
 
when i try and connect, using a packet capture  I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok. access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389

View 8 Replies View Related

Cisco Firewall :: Transparent Firewall Configuration In PIX 515E

Nov 25, 2012

I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
 
Here's the configuration:
 
PIX Version 7.0(1)
firewall transparent
names
!
interface Ethernet0
[Code]....

View 1 Replies View Related

Cisco Firewall :: 515e / Nating On Pix Firewall?

May 20, 2013

I have Pix firewall 515e on inside interface its has configured with IP 192.168.0.254.And Global Nating is configured.

global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0 
 
I want i configured Global nating only for only specific IP address E.g 192.168.0.0-192.168.0.30 and 192.168.0.200-192.168.0.254?How i do this?

View 13 Replies View Related

Cisco Firewall :: PIX 515e MAC To IP?

Oct 6, 2012

I have the following network.2 WAN links termination on my PIX 515e and all internal users connected to third interface.
 
Problem I am facing is that I have assign manual IP to users with some have full access to Internet while others have limited.
 
The users are changing their IP address while others are offline and I want to restrict them.
 
The only way I can think off is by binding IP to MAC as e.g ( Active wall software). But can it be done on PIX 515e and if so how?

View 11 Replies View Related

Cisco Firewall :: To Get Activation Key For PIX 515E

May 13, 2012

I have erased the Cisco image from my PIX 515E, and while i tried to load a new image its asking for activation key. I tried its old key. but no use.

View 1 Replies View Related

Cisco Firewall :: SSH Authentication In PIX 515E?

Sep 5, 2012

I have a PIX 515 Ewhich does authentication for SSH via RADIUS protocol and fails over to the local database if radius server goes offline. But when the radius server comes back online, authentication still takes place through LOCAL and not the radius server. Following are the commands:
 
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10

[Code].....

View 3 Replies View Related

Cisco Firewall :: PIX 515E Cannot Get Traffic Out

Dec 15, 2011

\I just configure my PIX 515E with version 7.0(4) and having problems to get traffic out on eth0 (if name outside). There is no problems between different VLAN ,all VLANs are configure on eth1. It is also possible to accass services on VLAN 10 (DMZ) from outside. The only thing I see in syslog is "Built Outbound" and "Teardown".

View 11 Replies View Related

Cisco Firewall :: NFS Protocol Across Pix 515E

Dec 30, 2011

I have a Pix 515E running PixOS version 8.0.4 with two interfaces, inside and outside.On the inside interface, I have a Redhat Enterprise Linux 5.4 64 bits machine as an NFS server version 4 (NFSv4).On the outside interface, I have three (3) Redhat Enterprise Linux 5.4 64 bits as NFS clients.I am looking for the exact UDP and TCP ports to be added to the ACL in order to accomplish

View 1 Replies View Related

Cisco Firewall :: Upgrading Pix 515E To ASA

May 15, 2012

I need ot upgrade a Cisco PIX 515 E to A Cisco ASA (not sure what type and modle yet!). the PIX currently has about 80 lines of ACLs and no VPNs. So only inside and outside interfaces and 80 lines of ACLs to be transferred over to the ASA.I was wondering if the ACLs can be transferred over to ASA as is?is there anything that I need ot watch for?

View 1 Replies View Related

Cisco Firewall :: TCP Tear-down In Pix 515e

Jun 30, 2011

I have an issue in the Cisco PIx 515e series. The IOS is 6.1(2).I have set sepecific access-list to allow incoming traffic to inside interface. But still the TCP 3-way handshaking is dropped here. [code]

View 6 Replies View Related

Cisco Firewall :: How To Allow Protocol 97 In PIX 515E

Oct 22, 2012

What would be the access-list entry to allow protocol 97? I am setting up foreign-anchor controller and need to allow protocol 97.

View 1 Replies View Related

Cisco Firewall :: Pix 515E Could Configure The Device

Oct 2, 2012

We just switched over from a T1 line to 50/4 Mbps cable Internet.  The speed was fine with the T1, but when we switched over to cable, the  download speeds didn't increase.  I'm getting 2-3 Mbps up and still only 1.5 Mbps down.  I inherited this network a few years ago, so I didn't configure the Pix initially but I have been managing it and can't find a setting limiting the bandwidth for the liffe of me.  I know it's not the Internet because when I connect a computer straight to the modem, the speed is great.  As soon as I put it through the Pix though, it slows way down. 

View 8 Replies View Related

Cisco Firewall :: PIX 515E Port Redirection?

Nov 30, 2011

I'm trying to use port redirection to allow outside access to a internal web server. As far as I can see, everything is configured properly. The Open Port Checker tool from yougotsingle.com says that the port (80) is open. However when I goto access it the connection times out.     The external address is static from my ISP, and I will call it xxx.xxx.xxx.xxx. The server is at 10.1.1.20, and is functioning properly over the LAN.

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved