Cisco Firewall :: SSH Run Command Output Stuck In ASA 5540

Mar 1, 2010

We have an ASA 5540 failover bundle working in Active/Standby mode. On our active asa 5540 when the sh run command is issued it gets stuck and displays the output after more than 15-20 mins.. and it takes another 10-15 mins to get back to the prompt..
 
However on the standby asa 5540 if the sh run command is issued, it displays the ouput and comes back to the prompt (even though this also takes 2-3 seconds)
 
I have tried rebooting the active asa 5540.We are running asa version 8.2.2.

View 8 Replies


ADVERTISEMENT

Cisco Firewall :: Save Command Output To Flash On ASA 8.4?

May 28, 2012

How do you save the command output from the CLI  to a file on flash?
 
With IOS, I would normally use a pipe command to redirect to tftp, but the ASA doesn't support this as far as I can tell. As a work around I was thinking I could save the output to flash and then tftp that file off the ASA.

View 5 Replies View Related

Cisco Firewall :: IPTables Command Translated ASA 5540 Ver 9.0

Nov 19, 2012

I would like to have these commands on our Firewall to avoid at least several students to use this service. How to translate this? It's apparently working great if I will use an Linux box or another firewall compatible with iptables.
 
iptables -I INPUT -s hotspotshield.com -j REJECT
iptables -I INPUT -s hotspotshield.net -j REJECT
iptables -I INPUT -s anchorfree.com -j REJECT
iptables -I INPUT -s anchorfree.net -j REJECT
iptables -I INPUT -s openvpn.net -j REJECT
 
iptables -I OUTPUT -d hotspotshield.com -j REJECT
iptables -I OUTPUT -d hotspotshield.net -j REJECT
iptables -I OUTPUT -d anchorfree.com -j REJECT
iptables -I OUTPUT -d anchorfree.net -j REJECT
iptables -I OUTPUT -d openvpn.net -j REJECT

View 1 Replies View Related

Cisco WAN :: Branch 867vae-k9 Atm Output Stuck

Mar 14, 2013

we installed two weeks ago a 867VAE-K9 as a border router for a medical practice.It's got two vlan interfaces for inter-vlan routing, only one Gi interface up in trunk mode to the core switch and the ATM for ADSL2+ connection to the local ISP. A cisco wap is on the secon vlan for the patients. There is a voip pbx on a linux machine that registers 5 trunks to an external provider (only one trunk is used right now, and it works fine).(Almost) everything works fine :-) Sometimes (it can be hours or days) the routing to the internet stops. The meds can still use the LAN accessing everything in it with no lag, and the patients can access the isolated SSID on a Cisco wap on the second vlan. They simply cannot surf the internet.
 
- DNS and local routing is fine
- the router is reachable through the Gi interface
- they can send and receive traffic to and from the 867 vlans' IPs
- the ATM, dialer 0 and virtual access are up, line protocol up
- the dialer has got the IP address negotiated from the ISP
- default route is negotiated through ipcp
- the controller vdsl 0 is in showtime! state
- from the outside we can ping the PPP peer, but not the IP of dialer 0
 
The only thing is the queue counter of ATM which shows drops and total output drops. Attenuation is fine, noise margin not so well. The point is that outside traffic to the internet is at low levels and the routing almost always stopped when no one was using the internet (i.e. out of office hours). It already happened 7 times in 16 days. The problem obviously is that voice traffic is impaired by the stuck router, and no med there is able to ssh into the router and re-activate the atm 0 with a shut/no shut.
 
It is not necessary to reload. A fast shut/no shut of the atm0 (no wait between the commands) will make it running again.We're activating the smarnet for this router to update dsl fw and ios image, but I thought I could post here before that.[code] As a brutal workaround till the update/fix, I was thinking about monitoring the reachability of some external systems and use snmp from the lan to shutdown/no shutdown the atm (though I don't even know if that would be possible from snmp on this router).

View 1 Replies View Related

Cisco :: Show Ip Bgp Command Output S / D And H Values?

Aug 1, 2012

I have copied status codes from show ip bg command output and its explanation (from Cisco documentation site)., d and h (suppressed, dampened and history). I read somewhere that these are to control flapping routes. But not able to understand it completly.Raised this question in a couple of forums but didnt get a proper reply.The table entry is suppressed.??The table entry is dampened. ??The table entry history. The table entry is validThe table entry is the best entry to use for that network.

View 2 Replies View Related

Cisco :: Terminal Monitor Command Not Showing Debug Output?

Feb 22, 2011

What would cause debug output to not show on a remote session via telnet connection where you've enabled terminal monitor?

The reason I ask is I was working with a client and we were debugging WCCP. I ran the debug ip wccp packets and events commands, then entered terminal monitor. After this, we saw nothing. We should have at least seen particular WCCP-related packets because we saw the necessary cluster view was established which can't be done without the exchange of these packets.

Can having syslog (logging) configured cause the issue? Did I use the command incorrectly?

View 11 Replies View Related

Cisco WAN :: 7609-S Service Policy Output Command Not Supported?

Sep 26, 2012

I am facing issue while configuring service-policy output command in Cisco 7609-S router with c7600s72033-adventerprisek9-mz.122-33.SRE2.bin IOS. However, in the same series router having IOS c7600s72033-adventerprisek9-mz.122-33.SRC6.bin is supported service-policy output.Both the switch have WS-SUP720-3BXL  SUP.

View 2 Replies View Related

IP Is Stuck On Old Address / DNS Is Blank / Winsock Reset Command Not Found

Sep 6, 2011

Just got a machine from another company and I'm not allowed to re-image it but I need to get it on our network. I think its got some serious network configuration on it but don't know what.Windows 2000 SP 4 machineIP address/DNS are set to autoconfigure but the IP is stuck on an old address and the DNS is blank.Setting a fixed IP/DNS doesn't work.I can't ping anything successfully.DHCP Server is unreachableOther computers can successfully communicate with the router through the connected ethernet link.Computer has been restarted multiple times.netsh winsock reset results in winsock reset command not found.netsh int ip reset reset.log [code]

View 6 Replies View Related

Cisco WAN :: 6500 Traceroute Command Output For Routes With Equal Metrics

Aug 31, 2010

=>Routing Protocol in Question EIGRP.
=>Two equal metric routes for destination A(through R1 and R2-SVIs on two upstream 6500s)

Traceroute Output, is the output that alternates between 1.1=>10.1=>1.1 normal granted the two routes are "equal metric routes for the same routing procotol in use" or is that "round robin behavior" indicative of a routing problem?

View 11 Replies View Related

Cisco WAN :: Unable To Configure Service Policy Output Command In 2921 Router

Apr 25, 2011

I am not able to configure Service policy output command in Cisco 2921 router.While configuring I am getting below error.Same config is working fine in Cisco 3845  router.I am suspectting the problem with license in IOS.

View 3 Replies View Related

Cisco Application :: Sample Command Output Of Show Chassis Inventory For CSS 11501 / 11503 / 11506?

Oct 30, 2011

I am trying to get a sample command output of "show chassis inventory" for:

CSS 11501
CSS 11503
CSS 11506

View 1 Replies View Related

Cisco Security :: ASA-5540 / UI - Send Command ASDM Location (network Object IP Address) To Device

Dec 17, 2007

When ever I create a network object in ASDM 6.0(3) the UI also wants to send the command 'asdm location (network object IP address)' to the device.What is the purpose of 'asdm locaction ....'?  Is it telling the ASA-5540 that the IP address is allowed to connect to the device using ASDM?If that is the case why does 'asdm location xxx.xxx.xxx.xxx'get denerated for every network object I create?

View 3 Replies View Related

Cisco Switching/Routing :: Sup32 Upgrade On 6509 - Priority Command Not Supported In Output Direction For This Interface

Nov 15, 2012

I have 1x Cisco 6509 with Sup2 and MSFC2 and it is running on IOS (c6k222-jk9sv-mz.122-17d.SXB11). I have following policy map :
 
Policy Map VOIP
Class IP PHONE
priority percent 75
 
and the following command on each interface: service-policy output VOIP those configuration are working fine on SUP2 with MSFC2 but last week I tried to upgrade the SUP2 to SUP32 on the switch and upgrade the IOS to the latest version (s3223-adventerprisek9-mz.122-33.SXJ4) but when I try to put service-policy output VOIP on each physical interface I am getting the following error: 
 
"Priority command is not supported in output direction for this interface" and when I try to add service-policy output VOIP on a V LAN interface I am getting following error:
 
MQC features are not supported in output direction for this interface. Will I need to change something after upgrading to SUP32..

View 3 Replies View Related

Cisco Firewall :: ASA 5540 - Version Change In Firewall?

Mar 15, 2012

How are asa5540 in high availability mode upgraded for their versions.

View 1 Replies View Related

Cisco Firewall :: Polycom HdX8000 Behind ASA 5540 Firewall?

Dec 28, 2012

I am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540?I have opened reuired ports through the firewall ( incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
 
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
 
Here is the problem.I get connected to the call but I cannot  the remote site cannot see and hear me.But I can see and hear them.

View 9 Replies View Related

Cisco Firewall :: Syslog Output Not Going To ASA 5510 On 8.2.2

May 24, 2011

I have an asa5510 on 8.2.2.  I have my logging configuration as below [code] I am not getting any syslog output to the syslog server.  I'm using kiwi syslog server latest version.  Have tried disabling/reenabling logging and changing inside host destinations.  Is there another command needed

View 4 Replies View Related

Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4

Jul 16, 2012

i need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that, i need to follow upgrade path from 7.1 --> 7.2  --> 8.0 --> 8.2 -->8.4 and also do a memory upgrade from 1GB to 2GB.
 
[URL] 
 
I need to use this feature for only three or maximum four users in company then would i really need to do  memory upgrade? or can i go with 1GB memory?also how i can get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
 
ASA-ISB-HQ# sh version  
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)

[Code].....

View 2 Replies View Related

Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control

Nov 19, 2011

ASA5540# sh run nat-control
no nat-control
 
this means higher security can talk to lower security without NAT rules
 
Question 1) - if I want higher security zone to to talk to lower security with NAT rules. I would use statements like below. Am I correct?
 
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
 
global (dmz) 1 interface
global (inside) 1 interface
 
Is this correct? So in this case I am kindly of like overriding the no nat-control statement ...right?
 
Question 2) - Now I have no nat-control enabled. Would the below statements (nat 0) be of any use for NAT exemption??
 
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
 
And do I have to have a global statement for NAT 0 ...like below?
 
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-

View 2 Replies View Related

Cisco Firewall :: ASA5505 Stuck In ROMmon Mode?

Sep 22, 2010

I've ended up in rommon mode on my new"old" RMA'ed ASA5505, and I'm stuck there, I'v tried to erase Disk0 and all that, and tftp'ed a new image into the box, but when booting I get the message :
 
INFO: Unable to read firewall mode from flash
WARNING: Unable to write firewall mode to flash, this is normal if flash is not formatted
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
This activattion key is invalid, use default settings only
i2c_write_byte_w_suspend() error, slot = 0x0, device = 0x40, address = 26 byte count =1. Reason: I2C_UNPOPULATED_ERROR

View 7 Replies View Related

Cisco Firewall :: ASA 5505 Not Booting Stuck On Error

Jan 16, 2011

I am get stuck on this issue, i have asa 5505 which was working more than 4 months, after power recycle  the firewall is not booting now, it gives the below error. i have tried to upload the new image however the story is same.

i2c_write_byte_w_suspend() error, slot = 0x0, device = 0x40, address = 26 byte count = 1. Reason: I2C_UNPOPULATED_ERROR.

View 2 Replies View Related

Cisco Firewall :: Stuck At Initial Stage PIX 515e

Oct 30, 2011

I have a new pix 515e for Home practice.
 
1. I couldn't telnet the switch after configuring. should i have to use cross cable or not to connect PC-PIX? (as new switches and routers run through straight cable). more importantly i couldn't even ping the inside ip which is telnet and ssh enabled.

2.  Receiving the following after executing each and every command on global mode.

-Configuration Replication is NOT performed From standby Unit to Active Unit
-Configurations are no longer synchronized.

View 9 Replies View Related

Cisco Firewall :: Output Bandwidth Limit On ASA 5505

Jun 11, 2013

I'm having a bit trouble to limit the bandwidth on outgoing traffic with a Cisco ASA 5505.
 
In my case I want to limit the bandwidth to 31mbit/s up and down on the outside interface. but with my current configuration, just the download rate gets limited to 31mbit/s when I do a tptest. and the upload is around 40/50mbit.
  
Here is the policy configuration,
 
access-list outside_bw extended permit ip any any
class-map outside_bw
match access-list outside_bw

[Code].....

View 1 Replies View Related

Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS

Jun 10, 2012

I Have Cisco 5540 with AIP-SSM-40, recently i config AIP-SSM-40 to capture all traffic from all interface any to any with promiscous mode and if card fail traffic still flow throuh asa, but after that i can't login to cisco ASDM, the error is "Un Able To Launch Device Manager From xx.xx.xx.xx"               

View 2 Replies View Related

Cisco Firewall :: High CPU Utilization On ASA 5540

May 11, 2008

I have a remote site customer with a Cisco ASA 5540 running SSLVPN (Anyconnect)(8.03). It currently only serves about 450 SSLVPN clients. Since last friday, they've seen the CPU utilization go up to high 90% while only serving 400+ remote users. I saw some high cpu utilization bugs, but none looked to be relevant. How I can find the root cause of the CPU high utilization?

View 2 Replies View Related

Cisco Firewall :: ASA 5540 - NAT Not Working After Upgrade

Apr 26, 2011

Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
 
Here's the lowdown:
 
Our public IP for our IronPorts ends in .167.  That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
 
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts.  Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
 
After the code upgrade, the nat won't work.  No email sent or received.  Nothing but Deny's on the ASA with flags reading either "SYN" or "RST".  IE: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN  on interface outside
 
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.

View 6 Replies View Related

Cisco Firewall :: Reasons To Upgrade ASA 5540

Apr 29, 2012

I have two Cisco ASA 5540, these ASA running ver 7.2. and used mainly as VPN gateways.My question is simple, Apart from the extra AnyConnect client functionality and the higher encryption, is there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x ?

View 4 Replies View Related

Cisco Firewall :: ASA 5540 Simulation In GNS3

Jan 26, 2013

I have to use GNS3 for simulate ASA5540.but it does not work. I've installed latest GNS3(0.8.3.1 all in one) in Win7 32bit environment, and used IOS file is asa842-k8.bin.but i can't unpack it properly. it said "Couldn't find any ZIP header in asa842-k8.bin".

View 2 Replies View Related

Cisco Firewall :: Asa 5540 8.2.3 Arbitrarily Reload

Dec 19, 2011

I have two ASA 5540 working in Active/Standby mode. After I've upgraded them to 8.2.3 ver. I have the following issue: once a day presently active device arbitary reloadI have no err in show version and in syslogs:11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 1011:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.

View 4 Replies View Related

Cisco Firewall :: ASA 5540 And FTP Over Implicit TLS / SSL Client

Jan 3, 2012

I am having the EXACT same problem as this user:URL
 
Error:   GnuTLS error -53: Error in the push function.
Response:   425 Can't open data connection.
Error:   Failed to retrieve directory listing
Response:   421 Connection timed out.
 
However I am using implicit instead of explicit. Here are the outputs of items that have been requested in the other thread.

View 1 Replies View Related

Cisco Firewall :: ASA 5540 SSH Not Working From Outside Port

Mar 13, 2011

We are try to connect ssh via outside system (from Internet) its was not getting connected.
 
When we try to connect from outside pool of ip than its working.

View 1 Replies View Related

Cisco Firewall :: ASA 5540 IPS Module Removal

May 20, 2012

I have 2 ASA 5540's that I want to run in HA A/F.  The active ASA has an IPS module running.  I no longer need this and would rather remove it than purchase another module for the spare.  What is the process to do this safely? After removal will the HA wizard recognize that the module was removed or do I have to update the software?

View 3 Replies View Related

Cisco Firewall :: ASA 5540 / Nat Line Removed From 8.4(3) To 8.4(4) 1?

Sep 23, 2012

we have noted the automatically removing of the only "nat (inside,any)" line, during the upgrade of ASA 5540 from 8.4(3) to 8.4(4) 1: why ?

View 1 Replies View Related

Cisco Firewall :: Unable To Run FTPS (FTP Over SSL) Across ASA 5540?

Mar 19, 2012

there was remote FTP - users behind ASA5540 can connect to it.
 
Now, with this ftp there is SSL/TLS encryption added and users behind this ASA can't connect to this FTPS.
 
It this possible for users behind ASA to connect to FTPSs?

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved