I would like to know does MSE 3350 supports HA mode,I have 2 M|SE 3350 appliance and I want to configure one as primary and second as redundent for the primary,I am not finding any documentation for the same in the cisco website.
View 2 RepliesDoes the MIR feature on the MSE 3350 requires the Context-Aware Service to work? I read that the system uses location, signal strength and coverage data in conjunction with monitor mode APs at each exit to trigger the roam. I just don't know if MIR does this on it's own or needs to get location from Context-Aware service.
View 2 Replies View RelatedI am getting a hard time in order to understand the real difference between the two types of context aware licenses for the MSE:
1 . AIR-CAS-1KC-K9 - Context Aware License For 1K Clients and Tags (RSSI based)
2. AIR-CAS-1KT-K9 - Context Aware License For 1K Tags(RSSI, Chokeponts and TDOA)
For a regular network without any devices with tags such as RFID, I understand I do not need to get the .2, only .1, even though the .1 also is shared with clients at 1K of each. Also, the .2 does not say clients, only tags and advanced features as TDOA. Going through the Q&A it does not clearly says the difference, when to use one or the other.
I have two ASA 5510 in an Active/Active failover configuration; On the first ASA I have a license for five security contexts, on the second one I have the default two. On the pair I configured seven security contexts and everything works as expected; so far so good. Let's suppose now that the first ASA (the one with the license for 5 contexts) goes up in smoke; all the contexts migrate to the surviving firewall and life is still good. But what happens if, for some reason, I need to reboot the second ASA before the first one is repaired? My guess is that it will come up with just its own license for two contexts and that I will not be able to operate all my virtual firewalls.
View 2 Replies View RelatedI got an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to internet, no VPN. And now customer would like add another ISP uplink, without invest another box for HA.What come across my mind is make the current box into multi context. There's some area i need to concern and also need yours perspective on it.
Question 1: For making the firewall into multi context, am i need to do it from scratch, issue mode multiple command. Then rebuilt the current production config into one of the context, then another context meant for the new IPS uplink, and one admin context?
Question 2: For CSC -SSM licensing requirement, model ASA 5510 with security plus license is able to support 2 context. So if i split my firewall like what i mention in question, what exactly number of context do i own (admin, context A, context B)?
Question 3: For CSC-SSM module in multi context mode, so the management port of CSC SSM must attach at admin context?
Question 4: After configured all the policy and traffic to scan, how exactly i should do in order apply this policy to the interface? Should i only enable at admin context, then firewall service-policy rules, and apply it global, OR should i also do the same action on context A and Context B?
I know most QoS capabilities aren't available in multiple context mode, but I need to do some really simple policing on one of my contexts. I just want to apply a hard 20Mbps cap on an interface. I've seen a few places that suggest that basic policing is possible in multiple context mode, but apparently not by the normal commands.
View 5 Replies View RelatedWe have a pair of cisco Asa 5520 currently running multiple context mode. We wish to change to single context mode for following reasonWe will migrate infrastructure to hosted vendor . I was thinking of configuring site to site . Current Asa we pal to kee since wireless sits in our DMz and we have net screen that hosts tunnel for erp1. Is context change required for running site to site2. Is it a good idea for creating site to site on to make sure wireless network and oracle traffic goes through managed firewall ?
View 22 Replies View RelatedI've got an ASA which has a number of contexts. They all share the same external interface, and in the interest of saving addresses I'm wondering if the standby address for each context is really necessary. I know that in active/passive the standby address is what allows the two to communicate and monitor that particular interface, however, in active/active I don't see the point as the context is either going to be on one or the other.
View 2 Replies View RelatedWe already know that ASA 9.0 supports site-to-site VPN in multiple context mode. But remote access VPN isn't supported. Obviously, SSL-VPN is a very important feature for most multi-tenant deployment scenarios where each context acts as a border firewall towards the Internet for each tenant. The alternative to terminate all tenant remote-access VPNs in one context means that each tenant would have to be routable from the ASA, which of course isn't a reasonable requirement in most cases.
So, what I'd like to do is to deploy an ASA cluster, and provide remote access VPNs for each tenant, where the connectivity for each remote access group can be addressed with whatever IP address space, and that goes into it's own VRF in the back-end.
As far as I can tell, this isn't doable with the ASA, since multiple context mode prohibits the use of remote access VPN, and I can't think of any other work-around than either having individual firewalls running in single context mode for each tenant, or demand that all tenants are interoperable routing-wise and configure a separate ip address pool in a single context mode for each tenant.
Essentially, there's no good way to implement this with multiple virtual firewalls, using cisco firewalls?
Is it possible to have context in transperant mode and routed mode. Means if i need three context then 2 of them is in routed mode and one of them is in transperant mode. If yes then how, i can 't find this info in cisco website.?I am havin 5585-x and asa version 8.4?
View 8 Replies View RelatedI have two ACE working on active-standby mode, I have one context configured on bridge mode, with two vlans, the client (vlan 100) and server (vlan 101) sides.I need to balance another service for two servers (different from the ones on the first context ) on the vlan 101, so as the documentation says i can't configure the same vlan on another context because it is already configured on the 1st context as bridge.so my question is the only way i could balance this service is to configure it on the same context??. or there is another way?.These are the design limitations that i have to do this:
1.- I can't change the servers IP address.
2.- The VIP which will answer the clients request is on the same IP network segment as the servers, for example: server1: 192.168.100.125, server2: 192. 168. 100.126, VIP: 192.168.100.124
I am running a ASA 5510 in multiple context mode. IOS 6.4(2), ASDM 6.4(5)106.
In older ios/asdm versions it was possible to backup the configuration using ASDM.
In 6.4(5)106 i am missing this feature (see attachment)
Is it possible to backup a multiple context firewall using ASDM and above mentioned software versions?
configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
IP Details are below.....:
interface Ethernet0/0
nameif outside
security-level 0
[Code].....
I am desiging a topology with two Cat 6509 and Two ACE Module, one ACE per Catalyst. I am thinking to use bridge mode for the customer contexts, I would like to know if the Bridged mode is an Assymetric topology.
The server gateway is the ip address of the ACE or the Router?
Im looking for some clarification regarding running a Cisco ASA in transparent mode with multiple contexts. To give you an insight into the network design we have the following -
Collapsed Core/Aggregation Layer running Cisco 3750s. The 2 Cisco 3750s are using SVIs with HSRP for default gateways per customer with a total of 8 customers. Each customer is segregated into seperate VLANs with Cisco 2960 switches used in the Access layer. Each customer has 2 Cisco 2960 switches with redundant uplinks to the Core/Aggregation layer. Customers are spanning tree loadbalanced between core/aggregation switches.
What i need to now do is add two transparent firewalls into the mix in either an active/active or active/standby setup. I need the firewalls to support all 8 customers, therefore I am guessing they need to run in multiple context mode. Having read into this it has left me somewhat confused as to how to integrate them into the above setup as a bump in the wire so to speak.
I have a pair of ASA 5520s in active/standby failover mode, single context. I'll be migrating to multiple context mode later this week. Do I need to break failover first? Or if I don't need to, should I? Or can I do this while maintaining failover? Can either of these scenarios will work (or fail). I'll be remote, doing my work via SSH, but have somebody local who can console in if needed.
Migration option #1
Log into active/primary ASA
Configure Multiple Context mode
Reboot both devices
Login to active/primary ASA
[code]....
On ASA 5515 it shows it is in transparent mode and it has multi context.As in transparent ASA we know it has single Management IP address.This ASA is connected to one switch on two ports gi2 and gi3.One port carries vlan say 800 to the ASA.Other port carries vlan 500 from the ASA to switch But when i log onto ASA and do sh run it shows no VLan info there.
View 3 Replies View RelatedI have 2xASA5510 with securityPlus license.i have configured 3 context and Active/Active Failover.Everything works fine. But also want to use rometeAccessVPN but couldn't fine anything for VPN. does it support VPN in multiple mode?
View 3 Replies View RelatedWe have a 5585X running in multi context mode, and we are getting log entries for scanning threat detection, such as:
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 2 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3116
Threat detection is not supported in multi context mode so I cannot tune the thresholds, is there any way that I can get rid of this outside of messing about with logging levels/message IDs?
Is it possible to use 1 or 2 of the 4 gigabit ethernet ports from one ACE straight into the other ACE for redundancy? So ACE_01 gig0/4 to ACE_02 gig0/4.If so, is it a case of just having the layer 3 config instead of trunking etc..Also - is it possible to create a context within the same vlan as the Admin context?
View 4 Replies View RelatedOn my production environment I have a firewall with already two contexts defined (15% of CPU used) and I want to add a new one.
This context is going to use the same interfaces as the others contexts. When I will enable the context, can I have some sort of repercussion on these two context ?
Any info on performing this upgrade. The release notes that I have looked over make it sound like if I want to do the data migration that I must first upgrade the MSE to version 7.0.201.204 and then go to 7.0.220.0. This is only what I have come up with, this isn't clearly stated from what I have read. How to performe this upgrade with the data migration?
[URL]
I had upgraded the MSE to 7.0.202. Release code. The Upgrade along with the 4 database zips went smooth.But the MSE status shows following
View 2 Replies View RelatedIs it possible for end user to repalce the System Battary with new on, The Server is 4 Years old.
View 1 Replies View RelatedI have a dell vostro 3350. I use it with both Windows and Linux OS (Mint, Ubuntu).
Recently I faced an issue with my motherboard (I guess it was a matter of short-circuit) so I called the Dell assistance and they quickly came out and substitute my motherboard. After that intervention, my wi-fi and figerprint reading stopped working at all. So I called again Delle assistance and they substituted both the wi-fi and the fingerprint reader. Everything seemed to work fine... since my PC went in hibernate mode.
In fact now the wi-fi card is disabled (not even seen by the OS) after the PC goes in sleep/hibernate mode or even if it is turned off and than on again. I need to turn off and on the PC at least one more time the PC in order to make the wi-fi card found (and working) again.
I checked with all the three OS I have in my PC so I guess the issue isn't related to the drivers. On the other hand, it looks like the wi-fi works totally fine... when it works. It is quite a systematic effect and not related to bumps or mechanical sullicitations, so I guess it is not a matter of wrongly-connected card either..
I have a scenario where I may have to run VRFs on a router that is currently facing an ISP as a BGP peer. peering two BGP peers, one of which is VRF aware (and hence configured within the address-family ipv4 vrf X subsection) and the other is not? (the BGP aware and internet facing segment will go into its own VRF where previously this router was only in that VRF and hence had no awareness).Are there any caveats or restrictions? Does the presence of the VRF throw the ISP peer?
View 3 Replies View RelatedAre the RV042 and RV082 routers SIP AWARE?I haven't had any luck finding documentation stating such.
View 2 Replies View RelatedI need to upgrade my location appliance. I am currently running a 2710, WCS version 6.0.196.0 and 21 4402 controllers on 6.0.182.0. There are 11 sites spread accross Canada and the Northern US. There are going to be a minimum of 4 more this year. The majority of my sites are outdoors and use 1522's. I have some indoor sites on 1242's, the biggest being an office building with 32 radios.The problem I have is I've hit the limit on clients that can be tracked on the 2710. For the record, I don't run rogue detection on all radios. I spread it out so that I don't get too many overlaps. I am looking at moving to the 3350 but see that the WIPS software does not include 1522's. Does that mean I lose my ability to detect disassociation floods etc if I go to the new platform? Or, does the context aware software still provide some notification.
View 5 Replies View RelatedDoes Cisco MSE 3350 comes with two NICs. I want to configure them as a team bound to one IP address and send each to a separate 6509 switchport all in the name of redundancy and failover.
View 2 Replies View RelatedI installed Ad-Aware Pro 30 day trial. I enabled safe browsing but it doesn't allow me to open some websites. Ok, perhaps thats the point of safe-browsing but I need to enter those sites. So, I decided to disable it, but I don't know how. I clicked "off" on Ad-Aware's "Home" window, but the sites still not working. Theres a possibility that the websites I'm trying to enter are not going to work after I disable safe-browsing because there's something wrong with internet(I'll open another topic for that). But still, I'd like to see Firefox's "cannot found" window, not Ad-Aware's.
View 9 Replies View Relatedwe have installed the MSE 3350 with the lates Context Aware Sup Service from AeroscoutBut the Service still terminated because of unexpected null node message (see below)
View 7 Replies View RelatedI have a Cisco SG200 26 Port Switch, 2 Cisco WAP4410N Access points, and a VLAN aware Router. I have created 4 VLAN's. For the sake of this conversation lets call them.
98 - Intel Vpro
99 - Management
100 - General
101 - Guest
The Access points are capable of doing V LAN tagging so I plan on having them tag a guest network as V LAN 101. That can get sent to the V LAN aware router and out. No problem. I have some devices, or management pages that I don't want accessible from the general network. (Intel V pro KVM, Remote Management Cards, AP Config Menus, Switch config menu...) . I need to be able to take a V LAN unaware device, plug it into port 1, and have it communicate with V LAN 98, 99 and 100.
I work at a hospital and one of our department uses specialized software created by Varian Medical Systems. It has been brought to my attention that one of those applications has trouble opening during the day. I had the users demonstrate the issue and from what they explained to they are supposed to be able to open the application, log in, and be presented with a list of radiology images to choose from. Unfortunately, during the day this fails often and they have to try 3 or 4 times before it actually works. It behaves differently after 4 pm, and seems to work after the 1st or 2nd time at that time of the day. According to what I've been told this has been an issue as long as they can remember.
Varian has told me that they have done a number of things on their side to rule out their software and they think it is a network issue. We used Solar winds Engineer's Tool set (specifically the Network Performance Monitor) to monitor their switch and it is reporting no errors and the utilization graphs show that the ports involved have very little utilization. The most heavily utilized port is hovering between 10 and 5 person (Fa0/40). I've included a network diagram, but basically we have 1 10/100 Cisco 3350 switch (c3550-ipservices-mz.122-25.SEB4.bin), 4 clients, and 2 servers involved. They all are connected to the same switch at A-Full/A-100mbps. Although the Network Performance Monitor doesn't show any errors or over utilizaton of the ports in the the CLI I do see 35 output buffer failures and 35 under runs on the port connected to one of the servers (Fa0/40). They were a little higher and I cleared them about two weeks ago and then rebooted the switch, because I found that it could alleviate these types of errors.
They say the software use ports 5000, 55000, 55010, and 55020. We tried a packet capture, but I didn't have enough experience/knowledge to get anything useful out of it. I also checked the event logs on the clients and servers and nothing there indicates a issue in the software. They want us to replace the switch with a gigabit switch, but we have a REALLY limited budget and I would rather not if it isn't necessary. What I could try in order to rule out the network?