Cisco :: Monitor ASA Firewall Fail Over Events?

Nov 10, 2011

How do you monitor ASA firewall fail over events?

We had a firewall fail over, didn't know it, the configs were out of sync and the customer went down we want to avoid this is the future.

View 10 Replies


ADVERTISEMENT

Cisco :: LMS 4.2 Fault Monitor - Device Name And Frequency Of Events

Aug 26, 2012

I've just installed LMS 4.2, like it a lot so far. In the Fault Monitor, the Device Name column shows the device's IP address rather than the host name.  We need for it to show the host name, for ease of troubleshooting; most folks don't have the IP addresses memorized. Likewise, when an email is sent out for an event, the managed device field also shows up as the device's IP address.
 
The devices were all discovered with their IP addresses rather than a host name...should LMS have automatically found their host names?  Regardless, I manually updated all of the device's host names, yet they still display as an IP address in the fault monitor. 
 
Also, it appears I need to figure out some way to throttle alerts.  One particular device will report an event (ie a temperature out of range) dozens of times in a polling period...several per second, even though it's the same alert. 

View 2 Replies View Related

Cisco AAA/Identity/Nac :: C2960 Doit1x Monitor Mode / Client Fail Authentication

Mar 21, 2013

I have a setup with a were I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site.Im using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and machin cert is working like it should but it is when I remove this and make the laptop fail that I get wierd results with monitor mode. I cant get DNS to work in dot1x monitor mode if the client fail authentication.
 
When the client fail dot1x and MAB it gets a IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates DNS is working, or if I turn of dot1x on the client then DNS work as it should. [code]

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - 106001 Syslog Events For Internal Hosts?

Jul 26, 2011

I've just taken over a new network with a Cisco ASA5520. Everything is working fine, except I am being bombarded with 106001 alerts from a few internal hosts to one specific internal host. The description in general is "Inbound TCP connection denied from 10.1.0.1 to 10.1.0.5 - both of those are valid internal hosts and the TCP ports are also valid. I tried looking at the log and getting it me to tell me which rule was causing these alerts, but it just came back with 'It's not possible for these type of alerts'
 
- How is it possible for the ASA to even pick up on this when, in theory, the source host wouldn't be going near the ASA since it's on the same subnet?

- What might be causing this?

- How can I turn it off!! (I guess that'd be fixed by point 2)

View 4 Replies View Related

Cisco WAN :: 2960 Should One Server Fail Other Will Act As Fail Over

Feb 22, 2012

We have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover.I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other.I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.

View 3 Replies View Related

Cisco Firewall :: Fail Over Asa5510 Can Allow SSL VPN Connections

Sep 18, 2012

We have a second ASA 5510 that is suppose to be a hot standby.  I need to find out that, as a hot standby, does it have to have the same licenses as the ASA that it backs up.  We purchased 50 SSL VPN licenses for that unit.  If it fails over, we need to make sure the failover asa can allow SSL VPN connections. 

View 3 Replies View Related

Cisco Firewall :: Asa 5510- 2 IP's Outbound Fail-over With RTR Inbound Possible?

Jan 30, 2012

I know I can use the RTR statement to determine when the primary ISP circuit goes down via this technote: url...My question can I assign static Nats on the backup ISP connection to the same inside servers in the dmz.?Example 10.1.1.11 is mapped to ISP1 ExternaIP of 65.217.77.11. Can it 10.1.1.11 also be mapped to ISP2's 208.217.77.11?This way I can get my DNS changed and my inbound traffic to servers in my DMZ on the asa 5510 running 8.0.3 code can continue to receive Inbound traffic.

View 1 Replies View Related

Cisco Firewall :: ASA5510 Version 8.4 Using 2 ISPs As Fail Over

Aug 9, 2011

I have a Cisco ASA 5510 and I am trying to set it up to be able to have it failover to the 2nd ISP connection if the 1st one ever went down.  I think I need a nat statement that the "backup" connection will use when the 1st connection goes down, but I am unsure what the nat statement is supposed to be.  I have added the commands that I am pretty sure that I need to add for the "backup" ISP connection.  Attached are those commands, the interfaces that are set up, and the objects that are set up in the ASA.

View 2 Replies View Related

Cisco Firewall :: Fail Context From One FWSM Over To Other 6500

Oct 23, 2012

Firstly is this the right forum to post threads about FWSM's. We have 2 FWSM's in two seperate 6500 switches. There are a number of contexts on each FWSM.I want to fail a context from one FWSM over to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context and do I need to do it on the admin context of each 6500?

View 7 Replies View Related

Cisco Firewall :: Move ASA 5520 Fail Over Interface

Jun 21, 2011

I am currently using g0/3 for failover between my two ASA5520's.  I would like to move that to the management interface to free up g0/3 for a second DMZ segment.  are there any implications to doing this live other than i would only have a single ASA during the move?

View 1 Replies View Related

Cisco Firewall :: 5540 - Remote VPN Authentication Fail?

Mar 15, 2011

wht would be change on configuration of remote access VPN on asa 5540.
  
4|Mar 16 2011|15:26:01|713903|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9, Error: Unable to remove PeerTblEntry3|Mar 16 2011|15:26:01|713902|||Group = tesTGroup, Username = GSDc2gsIdc, IP = 5.1.9.9,

[Code].....

View 3 Replies View Related

Cisco Firewall :: FW ASA Fail Ssh Or Telnet Using SSL VPN AnyConnect 5510

Jul 7, 2011

I have a vpn ssl remote access with a fw asa 5510 version 8.02. When users use any connect vpn ssl they in the Lan can access to the servers,but they can not access using ssh or telnet to inside fw asa.

aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30

View 1 Replies View Related

Cisco Firewall :: Upgrade IOS On ASA5510 Fail Over Pair

Aug 17, 2011

I am a bit unclear as to the upgrade path I should take - I have 2 ASA 5510s in active/standby running 8.0(4)34 and would like to upgrade to 8.2.5.  Do I need to first upgrade to 8.0.(5) before upgrading to 8.2.5, or can I just jump straight to 8.2.5?

View 4 Replies View Related

Cisco Firewall :: ASA5515X Fail Over Design Options

Feb 11, 2013

Client has a 5515X and two ISP connections and a 2911 router to use for ISP connections. The 2911 as configured only has three ports. They nat a lot of stuff to public ips. What are my options for designing ISP failover?

View 2 Replies View Related

Cisco Firewall :: PIX 520 Not Getting Into Monitor Mode

Mar 2, 2013

I have cisco pix 520 Firewall and I forgot my firewall password but now I want to reset so I have to get into monitor mode but when I press escape key my firewall is not get into monitor mode. so now how can I get into monitor mode or Are there any Other way to reset the firewall....

View 4 Replies View Related

Cisco Firewall :: Active / Standby Fail Over Config On ASA5510

Apr 10, 2011

I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing? [code]

View 7 Replies View Related

Cisco Firewall :: 2921 Enable WCCP - SSH Connections Fail

Feb 22, 2012

I have a IOS firewall on a 2921 router, zone-based config. The remote and main sites have Cisco WAAS , running 4.4.1 software. I am using WCCP redirection on the WAAS/router combination. If I leave it off the firewall passes SSH correctly to the devices on the other side of the firewall. If I enable WCCP the SSH connections fail. The SSH to the router itself is fine, I am not using the self zone for router protection. I had seen a few posts on WAAS but the only one mentioning a config statement in the firewall was on 4.0 WAAS and the command is no longer on the IOS firewall. Is this supposed to work transparently or am I missing a config?

View 2 Replies View Related

Cisco Firewall :: ASA5510 Memory Upgrade 256MB To 1GB Fail?

Nov 7, 2011

I tried last night to upgrade the memory in my old 5510. It's about 5 years old and has the single memory socket. I followed the instruction included in the kit:
 
Mfr. Part#: ASA5510-MEM-1GB
 
I did wear an ESD wrist strap (genuine Cisco at that!) and ensured the memory was fully seated, the handles locked in.Upon restarting the ASA, for over 15 minutes, it stayed in mode: Power LED steady, Status LED flashing, other LEDs off. No response to attempts to SSL via Putty. I powered it off, verified the memory was indeed fully seated, and re-installed the original 256 MB module. It powered up normally in less than 5 minutes. Is there anything else to try before returning the memory? Tonight, I can try the same new memoy module and see if it works.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Dual ISP Active / Standby Fail Over

Apr 2, 2013

I have a dual ISP, 1 primary and 1 secondary terminated on fa0 and fa2 on our ASA respectively. ASA was configured so that, when the primary fails, the secondary kicks in.  [code]
 
It was until yesterday that we experienced downtime on the primary ISP that the secondary doesn't do the fail-over. I have to manually configure the device to use the secondary ISP. Currently, I'm looking at maybe this has something to do with the licensing.We are currently using a Base License, should we be upgrading to Security Plus?

View 10 Replies View Related

Cisco Firewall :: ASA 5520 - Fail Over Cluster Software Upgrade

Jul 21, 2011

last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
 
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
 
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
 
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
 
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
 
"Multiple sessions per tunnel are not supported"
 
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several month in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.
And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.

View 7 Replies View Related

Cisco Firewall :: 5520 ASA To Monitor The Ha Status

Apr 15, 2012

We have a Cisco ASA 5520 in HA (Active - Standby). We monitor the CPU,Memory Utilization and Active Session via SNMP polling.And SNMP trap for linkup ,linkdown and Cold start.Our requirement is to monitor the HA status and whenever there is a change in the HA - Failover we have to get a snmp trap.What are the configuration need to be done on the cisco asa.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Failover With IP SLA Monitor?

Nov 28, 2011

Can I run Cisco ASA failover with dual ISP run active/standby configuration and SLA monitor to monitor the primary ISP gateway and failover to the secondary gateway but not failover to the failover firewall unless an actual event occurred that required a ASA failover?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 SLA Monitor Setup?

Jul 24, 2012

I have 2 outside connections one of which works as a backup connection. I am trying to setup SLA monitor so that when primary fails, the secondary connection takes over. However I never get connected to the primary connection after reboot, the backup connection is active after reboot.

View 2 Replies View Related

Cisco Firewall :: How To Load IOS From ROM Monitor In ASA 5540

Jul 20, 2011

I was looking in the CISCO webpage how to load an IOS from a tftp server but i got some questions:
 
I got the information from this webpage: [URL]
 
rommon #1> ADDRESS=10.132.44.177 <---- Which IP address? the one that I got on my firewall?

View 3 Replies View Related

Cisco Firewall :: 6500 Setup In Active / Standby Fail Over Configuration

Feb 29, 2012

I have been having an annoying issue for the past few weeks with my ASA setup. We are using the ASA as our Remote Access Gateway and originally had it setup in a Active/Standby failover configuration using 2 x 5520 ASA's.The original setup of the devices was that the 2 x ASA were setup in a failover configuration, with both of them connecting back to the internal network via a 6500 device. Because of using failover I created a VLAN on the 6500 and put the two ports that connect the ASA's into that VLAN. I then configured the VLAN interface to be the EIGRP interface for the neighbour relationship to the ASA's.
 
The problem I am seeing is that the EIGRP neighbour relationship between the Active ASA and the 6500 keeps flapping. It occurs abour 4-5 times every day at randmon intervals. Sometimes the neighbour relationship will stay up for 6-7 hours, other times it flaps every 1-2 hours. I initially thought it was due to the failover configuration so I removed one of the ASA's and removed all of the failover configuration, but the EIGRP neighbour flapping problem still exisits. [code] Since removing the failvoer configuration I am thinking it could be a physical cable problem?

View 4 Replies View Related

Cisco Firewall :: When Upgrading Fail-over Pair Last Week Had To Upgrade ASA5510

Aug 14, 2012

[code] I would like to the ASA5510 Base license upgrade to Security Plus license. But after the upgrade is still the license of the Base.I think I was wrong option selected in the process of upgrading, how should I do to be successful upgrade

View 2 Replies View Related

Cisco Firewall :: FWSM 4.1 How To Send Mail Messages When Fail Over Occurs

Feb 16, 2012

We are using FWSM with software version 4.1(6) with failover and multi contexts.We need to generate and send mail notifications when failover occurs.

With this configuration we are receiving syslog only! [code]

View 2 Replies View Related

Cisco Firewall :: 5510 - Connections Routing Between Two Internal ASAs Fail

May 19, 2012

We have a site with two inbound circuits, one for internet and one for our MPLS.  Each circuit is being terminated by a 2921 Router and matching ASA 5510 Firewall.  For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts.  OSPF is the routing protocol between all the routers and ASA's and routing is working.  In fact, ICMP is working as well.  From an inside host (172.16.0.81), we can ping anything on the MPLS network.  But when I try to use telnet (for example), the connection fails.  If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as it's default gateway, connections will establish.
  
Both ASAs are running 8.4(3), and have the following commands:
 
same-security-traffic permit intra-interface
interface Ethernet0/0
nameif outside

[Code]....

And from the MPLS nodes, I can see a tcp request is made. 

View 6 Replies View Related

Cisco AAA / Identity / Nac :: Webauth Url Redirection Fail With Firewall Between Host And Switch

Feb 27, 2013

Web auth redirect URL gets dropped if stateful firewall is between webauth host and switch management interface.  Aaron at Cisco live london kinda hinted about maybe Cisco working on this ?  We can't disable stateful inspection. Is there any other solutions or workarounds ?
 
"Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN,6 a default route is typically already configured. In this case, no additional configuration is required to support WebAuth.

However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet.In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."

View 1 Replies View Related

Cisco Firewall :: ASA 5505 SSL / HTTPS / ASDM Won't Work / Cipher Fail

Nov 21, 2010

Does my device not support enough encryption to get ASDM/SSL/HTTP working?
 
First time I've ever seen this...: 
 
%ASA-7-609001: Built local-host inside:192.168.1.10 %ASA-7-609001: Built local-host identity:192.168.1.1 %ASA-6-302013: Built inbound TCP connection 13 for inside:192.168.1.10/61194 (192.168.1.10/61194) to identity:192.168.1.1/443 (192.168.1.1/443) %ASA-6-725001: Starting SSL handshake with client inside:192.168.1.10/61194 for TLSv1 session. %ASA-7-725010: Device supports the following 1 cipher(s). %ASA-7-725011: Cipher[1] : DES-CBC-SHA %ASA-7-725008: SSL client inside:192.168.1.10/61194 proposes the following 11 cipher(s). %ASA-7-725011: Cipher[1] : DHE-DSS-AES256-SHA %ASA-7-725011: Cipher[2] : AES256-SHA %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA %ASA-7-725011: Cipher[6] : RC4-MD5 %ASA-7-725011: Cipher[7] : RC4-SHA %ASA-7-725011: Cipher[8] : AES128-SHA %ASA-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA %ASA-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA %ASA-7-725011: Cipher[11] : DES-CBC3-SHA %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher %ASA-6-302014: Teardown TCP connection 13 for inside:192.168.1.10/61194 to identity:192.168.1.1/443 duration 0:00:00 bytes 7 TCP Reset by appliance %ASA-7-609002: Teardown local-host inside:192.168.1.10 duration 0:00:00 %ASA-7-609002: Teardown local-host identity:192.168.1.1 duration 0:00:00

View 7 Replies View Related

Cisco WAN :: No Logging Events In ASR 1000

Apr 26, 2012

I configured the logging parameters on my Cisco asr 1000 , but nothing was sent to my terminal monitor
  
logging on
logging buffered debugging
logging buffered 5

[Code].....

View 7 Replies View Related

Cisco :: PURGE Log Files And Events With Csm 4.1

Apr 7, 2013

i'am using csm 4.1 and i have configured the keep audit log for 30 days and the entries becomes older than the number of days specified in the keep audit log without deleting, i don't understand why this happend and how can i make shur that the purge is done. if the purge is automaticaly or i have to delete the oldest entries by my self.

View 3 Replies View Related

Cisco :: LMS 4.2 Duplicate Events With Different Component Name

Apr 16, 2012

We have LMS 4.2 installed and added devices;Now if for example a device is not reachable we get two messages with same failure ;only the component name is different  

-     one event with "dns" in component name
-     one with "dns(ip)"  in component name
 dns == hostname

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved