Cisco Firewall :: Asa 5580 Clarification Regarding Show Local Host?
Mar 28, 2012
we are observing the no. of conn thru asa 5580 is getting increased and one a fine day it will stop sending/receiving traffics.firewall# show conn count 1900000 in use, 2000008 most used As per the datasheet of this asa, the max conns permissible is 2 million (20 lacs). and the output shows that currently 1900000 connections are there and 2million+8 connections are most used.when i run " show local-host | include host|count/limit ", below are the outputs showing for max connections..
local host: <172.x.x.x>,
TCP flow count/limit = 35857/unlimited
TCP embryonic count to host = 25
UDP flow count/limit = 0/unlimited
local host: <DC01>, TCP flow count/limit = 306/unlimited TCP embryonic count to host = 8 UDP flow count/limit = 736807/unlimited
local host: <DC02>, TCP flow count/limit = 246/unlimited TCP embryonic count to host = 2 UDP flow count/limit = 582010/unlimited
local host: <172.y.y.y>, TCP flow count/limit = 1/unlimited TCP embryonic count to host = 0 UDP flow count/limit = 308412/unlimited
These are the top 4 connections, i wonder should we consider only the tcp flow count or udp as well ?
I ran into a very interesting problem that occurred today and I'm trying to figure out why it happened. If it was one ASA 5505 that just required the reboot, then I'd have just chalked it up to a glitch, but when we built a new AD/ DNS server on the main network at the main site and changed the 3 Remote site ASAs to point to the new DNS server in the DHCPD options, none of them could ping any local host names to the DNS server at the main site they were now pointing too, but external host names { URL} all translated and pinged fine.
From a laptop on one of the remote sites, we could ping the new AD/DNS server(192.168.0.3) and the old AD/DNS server(192.168.0.2) and everything else at the main site, and telnet to port 53 showed successful across the Easy VPN from the Remote site to the new server at the main site. When wire shark was added to the new DNS server at the main site, the DNS request and replies for {URL}, for example, came and worked fine, but any requests for local resources never made it to the server from the remote sites.
A reboot of one of the Remote Site ASA's corrected the issue. Then I rebooted the other two remote site ASAs, and now DNS was working fine for everybody. I had also tried clearing the ARP cache on the ASAs before resorting to rebooting them. I also tried rebooting the laptop thinking the local DNS cache needed cleared before resorting to rebooting the ASAs. I'm struggling to understand why external, public host names made it through and resolved from the remote sites to the new server at the main site, but anything local failed before even reaching the new server(The new DNS server could resolve requests made by computers at the main site, but the remote sites that traverse the Easy VPN from the ASAs failed). The new AD/DNS server is the only server configured for DNS for all remote site computers.
Is any of this making sense? I'm wondering if clearing the x late or local host tables would have corrected it without having to reboot. I'm just trying to grasp the understanding here and figure out what happened.
I just bought pc anywhere software, after instalation in my host pc and laptop(remote) it work very well when I used it in the same network in my Rv camping ground where I have a mobil router with a Verizon broad band card.Later when I come back home where I have a cable internet with a router, I tried to access the host pc but after several minutes trying it said cant find host pc.
I'm using 3 AP's 1140 with local authentication using local radius (flex connect mode).the radius server im using is MS 2008 R2.authentication is working great on all devices pc's&mobile.authentication method is PEAP wpa2 aes enterprise.after 3 or 4 hours devices loose connectivity to the web.the device seems to be still connected to the ap but there is no ping to host from local lan or any arp learnd on local router.only manual disconnect on device and reconnecting brings connectivity up again.in one case only reseting the AP's worked.
We are going to impliment Spectrum (CA) in my network,i have ASA-5580-20 firewall now my spectrum server want to communicate with firewall,then only it will discover the firewall logs.Now the problem is my spectrum server is in MZ zone(10.10.10.45) security leval is 70 and my inside interface(10.20.20.101) security leval is 100.
I am unable to ping from spectrum server to firewall because of high security leval.How can i solve this problem,can i change my inside security leval to 69 then i think it will ping.
i check ASR 1006 config with ESP-40, the firewall permonce can reach 40G, ASA 5580 is 20G, can ASR 1006 replace ASA 5580, is there any function feature problem?
I just purchased an E2500. I have a small home network dominated by Mac and Linux boxes, with an occassional Windows machine. On my previous router I had been running OpenWRT.
One of the nice features of DNSMASQ is that it will do local name resolution from the /etc/hosts file on the router. Is there anyway to turn on similar features in the E2500? I have a NAS box and a networked printer that require local name resolution. I had hoped that I could just create a DHCP reservation for them, and that the router would resolve their names for other hosts on the network. This does not appear to work.
Should I just be boxing this thing up and returning it in favor of a unit I can flash better firmware on to?
Im working for a client at the moment and I've had to setup a network printer for them, I've got 4 Windows 7 machines easily printing over the network to this printer that is connected wirelessly but they want one of there machines to use the scanning functionality of the printer.The scanner doesn't show up at all in the local network devices like the printer does and to be honest i don't really have any experience with scanning over a network to a windows 7 machine, but this printer does support scan to ftp so my idea is to setup a small ftp server on the windows 7 machine with a folder to stored scans on the desktop or something, then put the details of the server in to the printer making it as easy as possible for the customer to scan stuff and just get it from the folder on the desktop, i could also share this folder over the network for anyone to open and get a scan if needs be.
This is the configuration I am running:Internet > Cable Modem > Netgear WNDR3700 Router ~~ DAP-1522 > Wired Windows 7 PC + Linux PC + Printer.The Windows 7 and Linus PC's do communicate well to the internet as do any laptops accessing the router wirelessly and any devices wired to the router. That is the good news.
The bad news is that any devices located after the DAP-1522, including the DAP-1522 do not show up on the network map of either the router or any of the wireless laptops. Neither does the Win 7 PC connected through the DAP-1522 show any networked devices, whether through the DAP-1522 or not, even though network discovery is turned on.
Right now the DAP-1522 is set up to function as a bridge and is in "Static IP" mode. I tried changing it to DHCP, but the DAP-1522 will not allow saving that setting, even though it will allow changing it. It just reverts back to "Static IP". The firmware version is 1.31, and the firmware update went well after a workable logon to the admin page was discovered. Also the one-button (WPS) set-up to the router worked as far as allowing an internet connection.
What needs to change to allow all the devices to show up on the network maps and maintain internet access? Ultimately, I would like to stabilize the IP's of the major components of the network to make troubleshooting easier. But to do that the devices need to show up on the network maps, particularly of the router, so they can be added to the IP reservation table by selection.
accessing my cisco ASA, last night we were doing VA on our ASA, after that iam not able to access it through ssh nor telnet. its not giving me any error.. i tried from different system also. SSH & telnet allowed from inside to 0.0.0.0 i have re-generated rsa keys when it was working. ASA version is 8.2 now when i connect telent is giving me blank prompt. i can login using ASDM.
I got a problem with a cisco asa 5580 like two days ago and the device stop working (there was a mainteinance window and after that the device didn't work). Now we receive the RMA and we are trying to configure the failover so the new device get the configuration form the one that is working.
But this is the message that I gettin:
Failover message decryption failure. Please make sure both units have the same failover shared key and crypto license or system is not out of memory
We already changed the shared key and crypto license but the failover is still down, what are the features that the cisco need to activate to enable the failover?
We are using Cisco ASA 5580 (8.2) firewall. When i try to ping from inside lan to firewall DMZ interface IP it is not pingable and but from inside users i am able to ping firewall inside interface IP address.
I think we can't ping to other interfaces of ASA by default. But can we allow the single IP address who can ping all the interfaces of firewall?
We are not doing any natting in firewall, for that we used the Load Balancer.
A customer's ASA is presenting the System LED flashing red.I have already analysed the show tech-support and show environment output: Found nothing, everythink seems OK.Cisco ASA 5580-20 - 8.2.1.Single appliance, no failover, multiple context and transparent mode.
we are going to upgrade our 5580 ASA Cluster from 7.2 to 8.2 and want to do it like this way ( which worked for all 7.x upgrades ) :download asa8.2 Image to primary + secondary Firewallreboot primary ( message come up " mate version ...)reboot secondary.Does it works any experience? Does it work if both firewall can see each other during the boot process ?
Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary ?
i'm new with the asa's...i'm familiar with the FWSM's on 6500's and pix..I'm running Version 8.3(2) and i wanted to setup nat-control and use of identify nats for advertising inside subnets to my outside networks.
the old command was static(inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x i'm having a little difficulty decyphering the pdf about the static nat...the command itself is no longer used, nat-control is no longer used, but i'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command.
I have encountered a problem in one of customer that the Active ASA 5580 is unable to sync with Standby Failover ASA. When Active is connected with FO and push the configs to it will not find the ethernet/Gig interfaces due to which the all the configuration were not applied and when the primary ASA the secondary is unable to respond.
When i attached console with the Standby ASA i have seen this error.
Number of interfaces on Active and Standby are not consistent.If the problem persists, you should disable and re-enable failover on the Standby.
For detail undestanding i am attaching the configs of primary and standby ASA. The KHI-DR-ASA-BB-01 is the standyby firewall.
If we switch from primary to secondary firewall the interfaces on the secondary go to state waitung than to failed. after awhile the secondary gives the control to the primary.
it seem that traffic passes the secondary firewall during this short failover time . we have several context created on the firewall, Switch Ports checked , cabeling check everythink checked
blackhole Interface inside (10.255.102.134): Normal (Waiting) blackhole Interface shared (10.255.102.134): Normal (Waiting) blackhole Interface inside (10.255.102.133): Failed (Waiting) blackhole Interface shared (10.255.102.133): Normal blackhole Interface inside (10.255.102.133): Normal (Waiting) blackhole Interface shared (10.255.102.133): Normal
We got a replacement ASA 5580 from Cisco. We were not aware of PAK, Is there any other possible to generate Activation key? Can we generate PAK or Activation Key using SO (service order) number?
I have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
I have two firewalls in 2 different locations. They act as primary and secondary for my WAN connectivity. I would want a way to synchronize access-lists in both without manually replicating.(access list, NAT and Route)FW model cisco 5580
We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
The firewall is running version #8.2 on ASA 5580. Address translation is not needed on Inside network and Outside network.But the customer has hundreds of static command as below.. [code] Can they all be removed and replace with one single command as below?
We are going to setup a L2L VPN with a vendor and they asked us to NAT a couple IP addresses for remote access to a couple of servers on our inside network. Our device is an ASA 5580 with version 8.1 and we have a handfull of public IP addresses for use if needed. The vendor's remote network is a public IP address but for this posting I will use 192.168.10.0. Our inside servers are 10.100.10.20 and 10.100.10.30. Because 10.100.10 is in use with another customer they asked us to NAT 10.77.97.20 and 10.77.97.30 to the two inside servers.
I have got new cisco ASA 5580 running 7.2(4) on it when i am trying to configured Virtual interface on vlan 400 in Gi0/0.400 to LBASE.now the problem is from my MZ zone 10.242.107.17 to Lbase virtual interface 10.242.103.1 iam not able to ping.
This is the situation I got to firewalls with failover and I need to upgrade the license so I can get more context (right now I have 5 context and I need 10) so I was looking at the procedure and I'm not sure If I need to restart the device or not. I was looking at this procedure:
Upgrading the License for a Failover using ASDM (No Reload Required) Use the following procedure using ASDM if your new license does not require you to reload. This procedure ensures that there is no downtime.
•1. On the active unit, choose Configuration > Device Management > High Availability > Failover > Setup, and uncheck the Enable Failover check box. Now click Apply. The standby unit remains in a pseudo-standby state. Deactivating failover on the active unit prevents the standby unit from attempting to become active during the period when the licenses do not match. •
2. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the active unit serial number. Now click Update Activation Key.•
3. Log into the standby unit by double-clicking its address in the Device List. If the device is not in the Device List, click Add to add the device. You might be prompted for credentials to log in.
4. Choose Configuration > Device Management > Licensing > Activation Key, and enter the new activation key that you obtained with the standby unit serial number. Now click Update Activation Key.
5. Log into the active unit again by double-clicking its address in the Device List. Choose Configuration > Device Management > High Availability > Failover > Setup, and re-check the Enable Failover check box.
6. Click Apply. This completes the procedure.link: [URL]
But then I checked on the cisco web page that there are some license that need to reload I see this:
All models
#Downgrading any license (for example, going from 10 contexts to 2 contexts).#Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
[URL]
So I just want to know if I'm UPGRADING from 5 to 10 context the reload applies to my situation or not?
I have a asa5580 with multiple interfaces. To replicate me databases to another site, I mainly use two interfaces on that firewall. Those interfaces have a steady pace, around 95%.
I am wondering when I should consider that the thoughput between those two interfaces is too much? Is there a good document that could explain me clearly why?
Also I want to be sure that I won't affect the normal traffic between the other interfaces. Is there a way to garantee certain traffic over others on an ASA? I don't have any router in me setup layer 3 role is perform by asa firewalls (static routes).
