09-19-2011 11:32 AM - edited 03-11-2019 02:26 PM
Event Date/Time : Wednesday, September 28 · 9:00am - 10:00am pacific time. For your local timezones, see http://bit.ly/oby74n
Location: Facebook Fan Page ( http://www.facebook.com/CiscoSupportCommunity )
ASA Troubleshooting, NAT, ACL, Failover, Upgrade, Management, Routing, Crashes, Performance, MPF and other feature related topics.
What is a Facebook Forum?
Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. They give you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.
On the day of the event, go to http://www.facebook.com/CiscoSupportCommunity. Once you go to our Facebook fan page, be sure and click "Like" to become a member of our Facebook community! We'll post a welcome message at the beginning of the event. All subsequent conversations will be posted as comments to this main thread. You can post your questions as comments to this thread as well.
To RSVP for this event, please go to http://www.facebook.com/event.php?eid=221127497944388
10-11-2011 11:53 AM
Here's a condensed summary of the event.
If you have a static ip then this link should help you in configuring static one to one on an ASA.
https://supportforums.cisco.com/docs/DOC-2053
Additionally, see this link if you have ASA 8.3 or 8.4 because NAT configuration is a little different in version 8.3 and above. https://supportforums.cisco.com/docs/DOC-12324
If you do not have a static ip or if you want to use the same ip as the interface ip, then you need to pat it to a specific port on the interface.
static (inside,outside) tcp interface <port> 192.168.1.1 <port> netmask 255.255.255.255
where 192.168.1.1 is your internal ip and <port> is a placeholder for the port you want to forward (the port values were not included in the original post)
This one is difficult to answer because I only cover 6 to 7 hours out of 24 hours, but in general we see issues related to NAT, Failover and Upgrade. Also what I have seen is that many times customers are not really sure if the firewall is the cause of the problem or if something else in the network is causing it. So as we go ahead I will give out some tips to troubleshoot so that you can find out and isolate the location of the problem.
For me the top 3 tools would be packet tracer, packet capture and logs. If you use these you should be able to solve most of the problems yourself.
This requires deep investigation, but in general what you can do is generate traffic and try to ping the other end and see if that brings up the tunnel. If that does not help you will have to enable debugs and see what is going on. Also you can enable captures and see if you are sending out traffic to the other end.
Keepalives are enabled by default. With respect to DPD, make sure that both ends support DPD.
As a follow-up to the above question, what debugs should we enable to troubleshoot VPN scenarios?
Here are some debugs which will help in troubleshooting ipsec vpn related issues.
debug crypto isakmp 255
debug crypto ipsec 255
If you have more than one tunnel you can enable specific debugs by providing a condition and here is the command to enable conditional debugs
debug crypto condition peer x.x.x.x
where x.x.x.x is the peer ip
I wrote a document a while back and this explains how to use packet capture. This also has some scenarios where packet capture is useful. Take a look at https://supportforums.cisco.com/docs/DOC-17814
Logs are everything. If the firewall is dropping a packet, 9 out of 10 times it will show up in the logs.
You can either send logs to a syslog server or send it to the buffer on the ASA itself.
The link below should help you configure the ASA for sending logs to the syslog server, but in general this is what you need -
1. Enable logging
2. Specify the ip of the syslog server
3. Define the level of messages that you want to send to the syslog server
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/monitor_syslog.html#wp1382850
Yes. This is really important for some administrators because they do not want to see everything and are interested in only viewing specific log messages. What you need to do is just define a logging-list and specify your criteria to filter out syslog id's and you can send only specific log messages.
NAT syntax has changed a little bit from 8.3. Here is a nice little doc and some videos that explain the differences in NAT syntax between 8.2 and 8.3
https://supportforums.cisco.com/docs/DOC-9129#comment-3934
https://supportforums.cisco.com/videos/2383
https://supportforums.cisco.com/videos/2428
https://supportforums.cisco.com/videos/1014
No. It really does not matter. Primary and secondary are just labels. What matters is which is active and it is perfectly fine if secondary is active for a long time.
You will need downtime only if it is a major upgrade, for minor upgrades (which do not result in breaking of failover) you don’t need a downtime. But in general it is always a good idea to do upgrades or downgrades in a maintenance window (just to play safe).
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1057338
The ASA is capable of converting the NAT rules, but having said that, this is a best-effort conversion, which means there is always a possibility that something might be broken after an upgrade to 8.3 or later from 8.2 and below. That is why we always suggest a maintenance window for this activity, and the span of the window could vary from network to network.
Cisco Smart Call Home is an award-winning, embedded support feature available on a broad range of Cisco products. This proactive support capability is provided at no additional cost when you have an active SMARTnet Service, SP Base, Unified Computing Support Service, or Mission Critical Support Service contract for the designated products.
Smart Call Home offers:
Visibility into your network through diagnostic reports on Call Home enabled devices
Real-time trouble shooting, alerts, and remediation advice
Automatic generation of Cisco service requests to Cisco technical engineers
Secure, reliable data transport
Personalized web-based portal to review Call Home messages, detailed diagnostics, recommendations, and inventory
You can read more about this and also look at the configuration here -> http://www.cisco.com/en/US/products/ps7334/serv_home.html
Just select the product and you will get a configuration example; this is also available in the config guide for each product.
Here are some key findings from a third party research company that Cisco hired. You can find the entire report at http://connections.cisco.com/clearspace_community/docs/DOC-12311
• The Cisco ASA 5520 performed more than six times better in throughput than the competitive solutions in real-world multi-function threat mitigation
• The Cisco ASA 5520 delivered over three times more 3DES-encrypted VPN throughput than competitors when tested using real-world traffic
• The Cisco ASA 5520 scored 100 percent overall threat-detection success; competitors averaged only 30 to 40 percent
• The Cisco ASA 5520 demonstrated the highest connection-establishment rate, surpassing the closest competitor by more than four times, in real-world, multi-function, threat-mitigation performance comparisons
You can catch the entire discussion on Facebook at
http://www.facebook.com/CiscoSupportCommunity/posts/10150389947391412
You can catch the summary on Facebook Notes at
http://www.facebook.com/note.php?note_id=264432483595362
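The summary above stresses that dropped packets show up in the logs and that a logging list lets you forward only the syslog ids you care about. As an added illustration (this is not code from the post or from Cisco), the Python below parses ASA-format syslog lines, applies the same severity and message-id filtering a logging list would, and tallies ACL denies (message 106023) by source, access group and destination port. The log lines are constructed samples using documentation addresses; the message ids (106023, 302013, 302014, 305006, 105003) are standard ASA syslog ids, but the hosts, ports and access-group name are assumptions.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not taken from the page). Format is the
# standard "%ASA-<severity>-<message_id>: <text>" that the ASA sends to syslog.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/40211 (203.0.113.10/40211) to inside:192.168.1.1/443 (192.168.1.1/443)
%ASA-4-106023: Deny tcp src outside:203.0.113.77/51515 dst inside:192.168.1.1/22 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.77/51516 dst inside:192.168.1.1/161 by access-group "outside_in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/40211 to inside:192.168.1.1/443 duration 0:00:05 bytes 8192 TCP FINs
%ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.1.50/2000 dst outside:198.51.100.9/25
%ASA-1-105003: (Primary) Monitoring on interface outside waiting
"""

# Header: severity 0 (emergencies) .. 7 (debugging), then the six-digit message id.
MSG_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")

# Body of a 106023 ACL deny; the access-group name is quoted in the message.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Return (severity, message_id, text) for an ASA syslog line, or None."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text")


def filter_messages(lines, max_severity=7, ids=None):
    """Emulate a logging list: keep messages whose severity number is at or
    below max_severity (ASA 'logging ... warnings' keeps 0-4), and when ids is
    given, keep only those message ids."""
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an ASA message (blank line, other device, etc.)
        sev, mid, _text = parsed
        if sev > max_severity:
            continue
        if ids is not None and mid not in ids:
            continue
        kept.append(parsed)
    return kept


def summarize_denies(lines):
    """Count 106023 ACL denies by (source ip, access group, destination port).
    A burst of denies for one source is the first thing to look at when
    deciding whether the firewall is what is blocking a flow."""
    counts = Counter()
    for _sev, _mid, text in filter_messages(lines, ids={"106023"}):
        m = DENY_RE.search(text)
        if m:
            counts[(m.group("src"), m.group("acl"), int(m.group("dport")))] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("messages at warnings (4) or worse:", len(filter_messages(lines, max_severity=4)))
    for (src, acl, dport), n in summarize_denies(lines).items():
        print(f"{src} denied {n}x by {acl} to port {dport}")
```

Running the script on the embedded sample reports four messages at severity 4 or worse and two denies from 203.0.113.77 by access group outside_in (ports 22 and 161); point `SAMPLE_LOG` at a real syslog export to get the same summary for your own firewall.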