Cisco VPN :: Upgrade ASA 5540 In Failover

Feb 11, 2013

I have 2 ASA 5540s in our network. I want to upgrade them from 8.0.4 to 8.4.3. I want assistance with the configuration because I know that there is a configuration change while migrating from 8.0.4 to 8.4.3. Is there any tool available on the Internet that lets me convert the current configuration to be compatible with 8.4.3?


Cisco Firewall :: ASA 5540 Redundant Interface Failover

May 8, 2011

I have two ASA 5540s, ver 8.4, configured in Active/Standby failover. I am also using the redundant interface feature for my Inside interface. Gig0/0 is the active primary and Gig0/1 is standby.
 
I will activate failover monitoring of the Inside interface using the monitor inside command.
 
My question concerns the failover monitoring of the redundant interface. If the Gig0/0 connection were to fail, would the Gig0/1 interface become Active AND simultaneously result in a full device failover?
 
Or, does Gig0/1 of the Inside interface redundant pair simply become active and not change the Inside interface device failover state, thus NOT resulting in a device failover?


Cisco VPN :: ASA 5540 Local Certificate Authority In Failover

Jul 12, 2011

I was setting up an SSL VPN on an ASA 5540 (8.2) but can't set up the local CA.
 
It's an active/standby failover pair.
 
I knew it wasn't enabled on active/active but I didn't realise it was also not enabled on active/passive. Has anyone come across this or know whether it can be enabled?


Cisco Security :: ASA 5540 SSM-4GE Active / Standby Failover

Aug 4, 2011

We had this kind of issue: while installing 2 SSM-4GE modules into 2 ASA 5540s (Active/Standby) the firewall pair split. These were my steps:

1) Turn off standby ASA and plug SSM-4GE module

2) Power it on. After it booted up, the failover relationship was broken and the previously standby unit became the Active appliance.

3) Turn off active ASA and plug SSM-4GE module

4) Power it on.

After it booted up, failover came up and the previously Active (on step 2) appliance became Standby. Everything is up and running now, but the issue was on step 2, I suppose because of the difference in hardware (when one ASA was one SSM richer than the other). I still have no idea why this happens, and is there any way to plug SSM modules into an ASA active/standby cluster without downtime?


Cisco Firewall :: ASA 5540 - Active / Standby Failover Pair

Apr 13, 2011

I currently have two 5540s in an Active/Standby pair. The primary unit failed on February 12th, so the secondary ASA is now the active one. My question is this: we have made a lot of changes since February 12th and I am planning on fixing this failover issue over the weekend. Will the secondary (now active) FW sync its config to the non-active FW, or will the failed FW sync its out-of-date config, removing any changes that we've made in the last month or so?


Cisco Firewall :: 5540 - Active / Standby ASA Failover Configuration Changes?

May 15, 2011

I have 2 ASA 5540s ver 8.3 in Active/Standby state. I am considering a future hypothetical situation where I might need to rename interfaces or reallocate redundant interface groups. Doing so obviously has a major impact on the current primary configuration. My goal would be to minimize or eliminate network downtime during the interface changes.
 
I am wondering if it is possible to force the secondary ASA from the standby to the active state, then temporarily disable failover on the primary unit, make the interface changes on the primary unit, then reactivate failover on the primary unit and force the primary unit back to active and the secondary unit to standby. My new interface configuration would then sync from the primary to the secondary.
 
I believe this would work but I must ensure that the secondary ASA can function as the active unit while failover is disabled on the primary unit. Is there a set length of time the secondary unit can remain active without a failover peer?
 
see issues with operating the secondary unit in this manner while making changes to the primary unit?


Cisco Firewall :: ASA 5540 Upgrade From 7.1 To 8.4

Jul 16, 2012

I need to upgrade an ASA 5540 from 7.1 to 8.4 for the secure connect feature of the Cisco Jabber configuration. The support forum guides that I need to follow the upgrade path 7.1 --> 7.2 --> 8.0 --> 8.2 --> 8.4 and also do a memory upgrade from 1 GB to 2 GB.
 
[URL] 
 
I need to use this feature for only three or at most four users in the company, so would I really need to do the memory upgrade, or can I go with 1 GB memory? Also, how can I get the price of part number "ASA5540-MEM-2GB=" at cisco.com?
 
ASA-ISB-HQ# sh version  
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)

[Code].....


Cisco Firewall :: ASA 5540 - NAT Not Working After Upgrade

Apr 26, 2011

Just upped our external ASA-5540 pair to 8.4(1), and now one of our NATs is busted.
 
Here's the lowdown:
 
Our public IP for our IronPorts ends in .167.  That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
 
The outside interface of the ASA uses .162, which has been the PAT address for all outbound traffic for a few years... except for the subnet that houses the IronPorts. Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
 
After the code upgrade, the NAT won't work. No email sent or received. Nothing but denies on the ASA with flags reading either "SYN" or "RST", e.g.: Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN  on interface outside
 
If I return the subnet PAT back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.


Cisco Firewall :: Reasons To Upgrade ASA 5540

Apr 29, 2012

I have two Cisco ASA 5540s, running ver 7.2 and used mainly as VPN gateways. My question is simple: apart from the extra AnyConnect client functionality and the higher encryption, are there any specific security benefits (related to the VPN use) for upgrading to ver. 8.x?


Cisco Firewall :: 5540 / 5510 - Memory Upgrade

Jul 6, 2011

We want to run ASA 8.4.x on an old ASA5540. We need to upgrade its memory to 2 GB with the following memory upgrade: ASA5540-MEM-2GB=
 
I suspect that we will completely remove the existing 1 GB of memory and replace it with 2 GB. If this is the case, can I use the 1 GB of memory removed from the ASA5540 and put it in an ASA5510 instead of buying an ASA5510-MEM-1GB= for the ASA5510?


Cisco Firewall :: ASA 5540 - Firmware Upgrade Requirement?

Apr 8, 2013

We have an old Cisco ASA5540 firewall running firmware version 7.0 and also a Firewall Services Module (FWSM) running firmware version 2.3.
 
My question is: if I would like to upgrade the Cisco ASA5540 firmware to version 7.1 or above and the FWSM firmware to version 3.1 or above, are there any requirements on memory size or hardware to perform the firmware upgrade? Do I need to do some memory or hardware module upgrade first, before the firmware upgrade?
 
Any restrictions, shortcomings or prerequisites to take care of before the firmware upgrade?


Cisco Firewall :: Getting Failover Working Again After Upgrade From 8.2.2 To 8.4.2

Sep 6, 2011

When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
 
Did the upgrade this weekend, and I still can't get things happy; the boxes don't see one another.
  
Here's a show failover on the primary:
 
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 160

[Code].....


Cisco Firewall :: ASA 55xx Memory Upgrade And Failover?

Sep 16, 2010

I need to add memory to my ASA 55xx's (running 8.2(2)), some of which are configured active/active or active/standby. The docs say that RAM must be identical, which makes sense for production. My question is this: can I upgrade the standby units first, make them active, and then upgrade their mates? Or must I schedule downtime to take the pair down for the upgrade?


Cisco Firewall :: Upgrade IOS On Failover Pair Of ASA 5580's?

Dec 6, 2012

Preparing to upgrade the IOS on a failover pair of ASA 5580's and was wondering what is gonna happen after I've upgraded the IOS on the standby unit and rebooted. How is the active unit going to react when it sees an IOS mismatch, prior to me making the standby the primary and upgrading its IOS?


Cisco Firewall :: Upgrade ASA 5550 Failover Pair From 8.2 To 8.4 Without Zero-downtime

Jun 28, 2011

Since the "zero-downtime upgrade" is not supported, I would like to validate the process I put together for upgrading a failover pair of asa5550 with the characteristics below. Specifically I am concerned with the role of the standby during the upgrade. This is my setup:
 
.- single context mode
.- active/standby
.- current firmware asa821-k8.bin / asdm-621.bin
.- role: firewall and VPN concentrator for segmented server farm network. Dynamic/static/exemption NAT heavily used.
 
My target is asa842-k8.bin / asdm-645.bin and I am doing a two step upgrade (8.2(1) -> 8.3(1) -> 8.4(2)) to avoid the "unidirectional" attribute and CSCtf89372 bug issues. This is a short version of what I have in mind:
 
.- Verify stability of failover pair and make adequate backups before beginning.
.- plug into the console of active, ssh into active and standby.
.- vpn/act(config)# no failover            ( disable failover from active )

[Code]....

After reboot, point to 8.4(2) and reload again.  Same concern regarding the standby unit.
 
I understand there might be configuration tweaks needed to the NAT configuration. After second reboot test connectivity and if successful, on active "failover", "write standby" and "failover reload-standby". Otherwise "downgrade" and back to the drawing board.


Cisco Firewall :: Zero-downtime DRAM Upgrade Of Failover Pair Of 5510 ASAs

Apr 12, 2011

I need to upgrade the active/standby failover pair of 5510 ASA's to have 1 GB DRAM each, and I am trying to plan out the upgrade process. I'm looking for a zero-downtime upgrade process.
 
I know that the failover pair has to have the same amount of memory, so how do I perform a zero-downtime upgrade? Can I power off the standby unit and upgrade its memory first? Or will it cause a memory mismatch between the active and standby units when it is powered on?


Cisco Wireless :: 1242 - Cannot Upgrade AP To LWAP Using Upgrade Tool On Windows 7

Sep 29, 2011

I have two Windows 7 computers and neither one will successfully upgrade a 1242 AP to LWAP. However, I go to a coworker's XP machine and run the tool without issues. On Windows 7 I keep receiving the error message that an ACL or firewall is blocking. I have added rules and then even tried disabling the firewalls completely on both computers, and still no success.


Cisco VPN :: 5540 - License Key From 1 ASA To Another

Dec 3, 2012

Can I bind an SSL license key from one ASA to another? We recently got a 5540 and I want to use my SSL 5510 license on the new firewall.


Cisco VPN :: 5540 - VoIP Over VPN

May 21, 2013

I have a Cisco ASA 5540 running 8.2(5). When I dial a phone on the other side of the VPN the first time, I get a blank after it rings (i.e. when the voicemail gets activated or if someone picks the phone up); however, it works the second and subsequent times I dial.

A little background. Two sites, A and B, are connected via an IPsec tunnel. No problems in communication except for the VoIP issue. One phone is on site A (172.17.168.x) and the other on site B (192.168.103.x). Site A and Site B are connected via an IPsec tunnel on the Cisco ASA. The first call fails. The second call works. The result of a packet trace is also the same: the UDP packet gets dropped on the first attempt but subsequent ones pass.
 
First time
 
ASA5520# packet-tracer input inside udp 172.17.168.95 10000 192.168.3.103 10000 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
[code].......


Cisco VPN :: One Way With ASA 5540 And 800 Router

Apr 4, 2012

I have a site-to-site VPN to set up between an ASA 5540 and an 800 router.
 
I only want the VPN to be initiated from the ASA, with the remote 800 listening for inbound connections.
 
I know I can set the connection type on the ASA as originate-only, but I can't find a command equivalent to answer-only for the remote 800.
 
Is it sufficient to simply configure the ASA as originate-only for this crypto map?


Cisco Wireless :: 5500 AP Upgrade Lic Upgrade On Controller

Jun 19, 2012

I am facing a problem installing an AP upgrade license file on a 5500 controller. I am getting the following error:

% Error: License file transfer failed - Error from server: File not found
 
I am confused here: when I configure this command from the GUI

tftp://172.32.45.22/cmm/standard.lic
 
What should I use for /cmm/?
 
Let's say I have the license file on the desktop of the TFTP server computer and I say in this command
 
tftp://10.12.70.35/??/license file .lic


Cisco VPN :: ASA 5540 Procedure After Setting Up One To One Nat

Mar 17, 2011

We have an ASA 5540. After setting up one-to-one NAT, do I need to do anything else? static (Inside,Outside) public ip address private ip address netmask 255.255.255.255.


Cisco VPN :: 5540 VPN Web Page Not Opening

Jul 14, 2012

I have an ASA 5540 on which VPN is configured (both SSL through the browser and AnyConnect). Everything was working fine, but suddenly the webpage has stopped working and gives the "page cannot be displayed" error; moreover, the AnyConnect client also fails to connect to the IP.


Cisco VPN :: 5540 - How To Configure AnyConnect ACL's

Apr 29, 2012

I am a little new to Cisco ASAs, but we bought two new 5540s to use as a new VPN solution for our company. We want to implement Cisco AnyConnect full-client and clientless based solutions for our end users. I am having problems setting up access lists based on groups. I simply want to create access-lists to certain IPs based on groups. I ultimately want to get to the point where we have Dynamic Access Policies that are based on Active Directory groups, allowing access to back-end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL to a group.


Cisco VPN :: Migrate All Configs To New ASA 5540

Mar 21, 2011

We set up both site-to-site VPN and Remote Access VPN client on a VPN 3005 Concentrator. We want to migrate all the configs to the new ASA 5540. Do you recommend that we migrate all the configurations for the VPN client first before setting up the site-to-site VPN on the ASA, or does it not make any difference?


Cisco VPN :: ASA 5540 - SSL And VPN License Count

Aug 14, 2012

Is there any method to determine the maximum number of concurrently used SSL VPN licenses (sessions) on an ASA5540 over a period of time? For instance, over a week, the MAXIMUM number of concurrent users that were utilizing SSL licenses on the box. We are trying to determine the current license capacity of the device.
 
We are running 8.2(5) on the ASA itself, and have 6.47 ASDM deployed.


Cisco VPN :: ASA 5540 - Display Passwords

Jul 19, 2011

We have two ASA 5540s, running IOS 8.2(4). Is there a command to find out the password that we set up for VPN load balancing? I recall there was a command that you type in the CLI and it will display all passwords.


Cisco VPN :: PAT Outbound On 5540 For Traffic?

Feb 28, 2011

We're running 8.3(2) on the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class B address space, and since the users are spread out all over the place, I have the entire class B space as the local object in the ACL that allows traffic through the VPN tunnel.
 
The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to alleviate their concerns, to PAT all of our connections outbound to a single IP address.
 
How is this done in 8.3(2)? We use ASDM to configure the 5540. For example, say our class B is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.


Cisco VPN :: Telnet Through WebVPN In ASA 5540?

Nov 24, 2011

I've configured on an ASA5540 (8.4) access to a server in my LAN using telnet with WebVPN. I've installed the SSH/Telnet plug-in in the ASA and SSH access to the servers works fine, but when I try telnet access I always get this error:
 
Could not connect to: "ip server" 23
Reason: java.io.IOException: Connection failed
 
It happens with any server I try. I'm not trying to access the ASA, just servers inside my LAN that I can access correctly with AnyConnect. There is a Cisco bug (CSCsq89467) saying that not configuring any web ACL in the ASA solves the problem. Telnet always shows the same error.


Cisco VPN :: Profile Of Connection With ASA 5540

Jun 6, 2011

I have a problem with one of our IPSec site-to-site VPNs.

-we use an ASA5540 and the remote site uses a software-based FW (Steelgate Borderware).
-there are some old ACLs on our FW that have the remote site's IP address as an incoming node having TCP.... access to some servers on our LAN (why didn't they use static/dynamic NAT for clients on both ends to have a TCP connection???)
 
-when I try to set up the VPN, the name entry of the remote site (which is optional) changes to the IP address of the peer in the VPN profile and it confuses the VPN, so IKE phase 1 won't establish. The name entry is there because of those ACLs that were entered in the past.
 
Q- How to stop ASA creating names via ASDM when adding ACLs?
 
Imagine the other site's network people are the most inflexible IT guys when it comes to making any changes in terms of using static or dynamic NAT for their clients to have access to ours, so I can replace their FW IP address in the ACL with other NAT addresses.


Cisco VPN :: 5540 - L2L ESP Error 402116

May 9, 2012

I have one established IPSec tunnel with the host at the far end. When they try to establish a second IPSec tunnel to our second IP we get this error:
 
May  9 18:51:51 odc-np-gw %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x47995CC7, sequence number= 0xCF) from 23.24.138.185 (user= 23.24.138.185) to 205.144.144.4.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 205.144.158.29, its source as 23.24.138.189, and its protocol as icmp.  The SA specifies its local proxy as 205.144.158.30/255.255.255.255/ip/0 and its remote_proxy as 23.24.138.189/255.255.255.255/ip/0.
 
23.24.138.185 is the far end peer
205.144.144.4 is the local peer
23.24.138.189 is the remote configured protected host
205.144.158.29 is the local configured protected host
205.144.158.30 is the working local configured protected host
 
We have a Cisco 5540 on the far end also.


Cisco Firewall :: 5540 - ASA 8.2 No Nat-Control

Nov 19, 2011

ASA5540# sh run nat-control
no nat-control
 
This means a higher security interface can talk to a lower security interface without NAT rules.
 
Question 1) - if I want the higher security zone to talk to the lower security zone with NAT rules, I would use statements like the ones below. Am I correct?
 
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
 
global (dmz) 1 interface
global (inside) 1 interface
 
Is this correct? So in this case I am kind of overriding the no nat-control statement... right?
 
Question 2) - Now I have no nat-control enabled. Would the statements below (nat 0) be of any use for NAT exemption?
 
nat (dmz) 0 access-list dmz-nonat
nat (inside) 0 access-list dbase-nonat
 
And do I have to have a global statement for nat 0, like below?
 
global (dmz) 0 access-list dmz-nonat
global (apps) 0 access-list dbase-


Cisco Firewall :: Cannot Log In To ASA 5540 ASDM After Configuration IPS

Jun 10, 2012

I have a Cisco 5540 with AIP-SSM-40. Recently I configured the AIP-SSM-40 to capture all traffic from all interfaces, any to any, in promiscuous mode, and if the card fails traffic still flows through the ASA, but after that I can't log in to Cisco ASDM. The error is "Un Able To Launch Device Manager From xx.xx.xx.xx".

Copyrights 2005-15 www.BigResource.com, All rights reserved