Ask the Expert: Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

Jun 29th, 2012

With Prashanth Goutham R.

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 

Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.

Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.

Remember to use the rating system to let Prashanth know if you have received an adequate response. 

 

Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

john.ventura73 Tue, 07/03/2012 - 21:13

Hello Prashanth,

I have a quick question for you. Why is it recommended to have a switch in between the firewall pair rather than connecting them directly, though it is going to work fine anyway?

thanks a lot,

- John

pgoutham Wed, 07/04/2012 - 00:10

Hello John,

I believe you are talking about the failover LAN interface connectivity, which can be of two types:

--- Back to back.

--- With an intermediary switch.

I would say the second option is better, as it is easy to segment and isolate faults on a production network. Consider the scenario below:

Your firewalls are connected back to back with a crossover cable, you have a live firewall, and you start experiencing failover-related issues on your FO LAN port. What would you do to determine whether it is a cable or a firewall interface issue, and if an interface issue, which interface? Because if one interface goes down it pulls the peer interface down to line protocol down as well. This is tricky: you would need to manually test all the components separately using another directly connected device to see which component is faulty, or replace all units to restore services.

In the case of the second option we can clearly eliminate the faulty component, as the switch is in between. I think it is also explained in the configuration guide here:

When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html

Hope that helps. Have a good day !

ROBERTO TACCON Wed, 07/04/2012 - 10:20

Hello Prashanth,

Please can you check/confirm whether, using a Cisco ASA Active/Standby clustering environment, the self-signed generated certificate used for SSL VPN remote access is replicated or NOT on the STANDBY unit?

The following doc indicates "the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated", but testing in the lab with version 8.4.4 the result is different: the self-signed certificate of the active ASA is replicated on the standby.

https://supportforums.cisco.com/docs/DOC-12969

Q. Are digital certificates replicated in an Active/Standby configuration?

A. Yes. Third-party digital certificates (i.e. from Entrust, Verisign, Microsoft, etc.) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby config.

However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated.

pgoutham Wed, 07/04/2012 - 13:00

Hello Roberto,

The document is absolutely right: the certificates on the ASA get replicated with bulk replication only, and these are 3rd-party certificates only and not the locally generated certificates, which I have checked in previous versions. However, I have not played around much on 8.4.4, which was just released, and I don't have a reason to believe that it works differently on 8.4.4; I can check this up for you once I get into the office in the morning.

Can you let me know the license you are on, Active/Active or Active/Standby failover? Also, what are the steps you took to test this, and how sure are you that this was not exported to the other firewall? Just to add, I would assume the purpose of a self-signed certificate is to be unique to each of the ASAs.

thanks,

Prashanth

ROBERTO TACCON Wed, 07/04/2012 - 13:32

Hello Prashanth,

Maybe I've not fully understood. Please can you indicate to me again why "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct?

If the previous sentence is correct, why in the following test environment do both Cisco ASAs, active and standby, have the same SSL self-signed certificate?

Environment:

A cluster of Cisco ASA Active/Standby firewalls with the SSL AnyConnect certificate auto-generated, named "SELFSIGNEDCERT" and used for the remote SSL VPN.

ON THE ACTIVE:

pri/act/asa# sh run | i SELFSIGNEDCERT
crypto ca trustpoint SELFSIGNEDCERT
 keypair SELFSIGNEDCERTKEY
crypto ca certificate chain SELFSIGNEDCERT
ssl trust-point SELFSIGNEDCERT outside vpnlb-ip
ssl trust-point SELFSIGNEDCERT outside
pri/act/asa#

pri/act/asa# sh crypto ca certificates SELFSIGNEDCERT
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
pri/act/asa#

ON THE STANDBY:

sec/stby/asa# sh crypto ca certificates SELFSIGNEDCERT
Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
sec/stby/asa#

And again, if the sentence "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct:

Qs:

1) If I activate the standby unit with "failover active", do I need to do something for the SSL certificate (is it needed to copy it from the other unit)?

2) If the active firewall unit FAILS, is it necessary to reinstall the AUTO GENERATED SSL certificate on the standby unit?

pgoutham Thu, 07/05/2012 - 05:05

Hello Roberto,

I tried out the configuration on 8.4.4 and observed the same issue as what you have noticed; look below:

CiscoASA(config-ca-trustpoint)# fqdn sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# subject-name CN=sslvpn.cisco.com
CiscoASA(config-ca-trustpoint)# crypto key generate rsa label sslvpnkeypair
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait...
CiscoASA(config)# crypto ca trustpoint SELFSIGNEDCERT
CiscoASA(config-ca-trustpoint)# keypair sslvpnkeypair
CiscoASA(config)# crypto ca enroll SELFSIGNEDCERT noconfirm
% The fully-qualified domain name in the certificate will be: sslvpn.cisco.com

When I try to view it, I see the output below on both the active and standby firewalls, replicated without even doing a write standby:

CiscoASA(config)# show cry ca cert
Certificate
  Status: Available
  Certificate Serial Number: c5d1f44f
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Subject Name:
    hostname=sslvpn.cisco.com
    cn=sslvpn.cisco.com
  Validity Date:
    start date: 16:29:09 GMT Jul 5 2012
    end   date: 16:29:09 GMT Jul 3 2022
  Associated Trustpoints: SELFSIGNEDCERT

This exactly matches the output you had provided; however, what we both did not figure out earlier is that this is an identity certificate and not a CA certificate. A typical CA certificate looks like this:

CiscoASA(config)# show crypto ca certificate
CA Certificate
  Status: Available
  Certificate Serial Number: 344ed55720d5edec49f42fce37db2b6d
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Subject Name:
    cn=thawte Primary Root CA
    ou=(c) 2006 thawte\, Inc. - For authorized use only
    ou=Certification Services Division
    o=thawte\, Inc.
    c=US
  Validity Date:
    start date: 00:00:00 UTC Nov 17 2006
    end   date: 23:59:59 UTC Jul 16 2036
  Associated Trustpoints: abc

Hence, going back to the document you had pointed out, it is only speaking about the Local CA generated certificates and not all locally generated certificates (identity). Refer to the 8.4 configuration guide as well, which shows that the locally generated

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html

Note: Standby Failover does not replicate the following files and configuration components:

  • AnyConnect images
  • CSD images
  • ASA images
  • AnyConnect profiles
  • Local Certificate Authorities (CA)
  • ASDM images

Hope that clarifies the document's wording.
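The check Roberto did by eye, as an added example (not code from the thread or from Cisco): parse `show crypto ca certificates` from both units, tell identity entries (header "Certificate") apart from CA entries (header "CA Certificate"), and report per trustpoint whether the standby carries the same serial and subject. The two listings embedded below are constructed from the outputs posted above; the standby listing deliberately leaves out the "abc" trustpoint so that the "missing on standby" branch is exercised. That omission is a property of the sample, not an observation about what the ASA replicates.

```python
"""Compare 'show crypto ca certificates' output from an active and a standby
ASA, trustpoint by trustpoint. Added example, not from the thread; the two
listings below are constructed from the outputs posted above."""
import re

# Constructed from the active unit's listings above (identity cert plus the
# thawte CA entry shown later in the thread, shortened to a few DN lines).
ACTIVE = r"""Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT

CA Certificate
  Status: Available
  Certificate Serial Number: 344ed55720d5edec49f42fce37db2b6d
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=thawte Primary Root CA
    o=thawte\, Inc.
    c=US
  Subject Name:
    cn=thawte Primary Root CA
    o=thawte\, Inc.
    c=US
  Validity Date:
    start date: 00:00:00 UTC Nov 17 2006
    end   date: 23:59:59 UTC Jul 16 2036
  Associated Trustpoints: abc
"""

# Constructed standby listing: same identity certificate; the "abc" trustpoint
# is left out on purpose so the "missing on standby" branch is exercised.
STANDBY = r"""Certificate
  Status: Available
  Certificate Serial Number: 5406334f
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Subject Name:
    hostname=asa.cisco.com
    cn=*.cisco.com
  Validity Date:
    start date: 20:42:41 UTC Feb 20 2012
    end   date: 20:42:41 UTC Feb 17 2022
  Associated Trustpoints: SELFSIGNEDCERT
"""

_HEADER_RE = re.compile(r"^(CA Certificate|Certificate)\s*$")
_FIELD_RE = re.compile(r"^ {2}(\S[^:]*):\s*(.*)$")   # two-space indented "Key: value"
_DN_RE = re.compile(r"^ {4}(\S.*)$")                  # four-space indented DN component


def parse_certificates(output):
    """One dict per entry: type ('identity' or 'ca'), serial, key, trustpoint, issuer, subject."""
    certs, cur, section = [], None, None
    for line in output.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            cur = {"type": "ca" if m.group(1).startswith("CA") else "identity",
                   "issuer": [], "subject": []}
            certs.append(cur)
            section = None
            continue
        if cur is None:
            continue
        m = _FIELD_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Certificate Serial Number":
                cur["serial"] = val.lower()
            elif key == "Public Key Type":
                cur["key"] = val
            elif key == "Associated Trustpoints":
                cur["trustpoint"] = val
            # DN components follow "Issuer Name:" / "Subject Name:" on four-space lines
            section = {"Issuer Name": "issuer", "Subject Name": "subject"}.get(key)
            continue
        m = _DN_RE.match(line)
        if m and section:
            cur[section].append(m.group(1).strip())
    return certs


def by_trustpoint(certs):
    return {c["trustpoint"]: c for c in certs if "trustpoint" in c}


def compare_units(active_output, standby_output):
    """For every trustpoint on the active unit: (entry type, replication status on the standby)."""
    active = by_trustpoint(parse_certificates(active_output))
    standby = by_trustpoint(parse_certificates(standby_output))
    report = {}
    for tp, cert in active.items():
        other = standby.get(tp)
        if other is None:
            status = "missing on standby"
        elif (other["serial"], other["subject"]) != (cert["serial"], cert["subject"]):
            status = "differs on standby"
        else:
            status = "replicated"
        report[tp] = (cert["type"], status)
    return report


if __name__ == "__main__":
    for tp, (kind, status) in compare_units(ACTIVE, STANDBY).items():
        print(f"{tp}: {kind} certificate, {status}")
```

Run it against the real output of both units (captured over SSH, or pasted in) after building the pair and again after a `write standby`; a trustpoint that is "missing" or "differs" on the standby is the one that will bite when the standby takes over the VPN.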

johnramz@gmail.com_2 Fri, 07/06/2012 - 08:09

Prashanth Goutham R.

I have set up 4 IPsec VPNs in an ASA 5520. The maximum bandwidth (BW) provided by our ISP is 3 MBPS.

Let's suppose that I want to assign/allocate BW to each IPSEc tunnel as follows:

Tunnel 1: 500 KBps

Tunnel 2: 700 KBps

Tunnel 3: 300 KBps

Tunnel 4: 600 Kbps

1- What is the configuration to make that possible?

2- Does it make any difference if this configuration of BW assignment is also added on the other VPN peer?

Thanks

John

pgoutham Fri, 07/06/2012 - 11:45

Hello John,

This session is on failover functionality on all Cisco firewalls; I'm not a geek on QoS, however I have the answer for what you need. The way to limit traffic would be to enable QoS policing on your firewalls. The requirement that you have is about limiting 4 different tunnels to utilize the set limits and drop any further packets. This is called traffic policing. I tried out the following in my lab and it looks good.

access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0

class-map Tunnel_Policy1
 match access-list tunnel_one
class-map Tunnel_Policy2
 match access-list tunnel_two
class-map Tunnel_Policy3
 match access-list tunnel_three
class-map Tunnel_Policy4
 match access-list tunnel_four

policy-map tunnel_traffic_limit
 class Tunnel_Policy1
  police output 4096000
 class Tunnel_Policy2
  police output 5734400
 class Tunnel_Policy3
  police output 2457600
 class Tunnel_Policy4
  police output 4915200

service-policy tunnel_traffic_limit interface outside

You might want to watch out for the following changes in values:

HTTS-SEC-R2-7-ASA5510-02(config-cmap)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy1
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4096000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy2
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 5734400
WARNING: police rate 5734400 not supported. Rate is changed to 5734000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy3
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 2457600
WARNING: police rate 2457600 not supported. Rate is changed to 2457500
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)# class Tunnel_Policy4
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)# police output 4915200
WARNING: police rate 4915200 not supported. Rate is changed to 4915000

I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your kilobyte values to bits: http://www.matisse.net/bitcalc/

The Final outputs of the configured values were :

    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps

Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html


Hope that helps..

johnramz@gmail.com_2 Fri, 07/06/2012 - 12:11

Prashanth Goutham R.

Thanks for your detailed reply and for allowing this out-of-scope question. Honestly, when I read "ASA" in the subject I ignored the rest.

Two more questions:

1- Which SHOW command did you use at the end to verify the bandwidth?

2- If one peer is policing traffic and the other one is not, would the one with the smallest bandwidth set the size limit on the connection? I am also implying that the traffic policing does not need to be configured on both ends, correct?

Thanks again

John

pgoutham Fri, 07/06/2012 - 17:12

John,

1- Which SHOW command you used at the end to verify the bandwidth?

--- Command used is show service-policy police

2- If one peer is policing traffic and the other one is not, the one with the smallest bandwidth would set the size limit in the connection?

I am also implying that the Traffic policing does not need to be configured on both ends, correct?

--- Policing at one end should help control the limits.
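The arithmetic behind the police rates above, plus a check of the `show service-policy police` output, as an added example (not part of the thread and not Cisco code). It assumes 1 KB = 1024 bytes, which is the convention that turns 500 KB/s into the 4096000 bps configured above; the show output it embeds is constructed from the values the post reports; and it reads the ISP's "3 MBPS" as 3 Mbit/s, which is an assumption. The last function is the check a practitioner would add before relying on this design: the four CIRs add up to about 17.2 Mbit/s, far above the link, so these policers cap each tunnel individually but cannot divide a 3 Mbit/s link between them.

```python
"""Turn the per-tunnel KB/s targets into ASA police rates, compare them with
the CIRs the ASA actually installed (parsed from 'show service-policy police'),
and check the sum against the ISP link. Added example, not from the thread.
Assumptions: 1 KB = 1024 bytes (the convention that yields the 4096000 bps
above), and the ISP's '3 MBPS' means 3 Mbit/s."""
import re


def kbyte_per_sec_to_bps(kbyte_per_sec):
    """KB/s -> bit/s with 1 KB = 1024 bytes."""
    return int(kbyte_per_sec * 1024 * 8)


# Per-tunnel targets from the question (KB/s), keyed by the class-map names used above.
REQUESTED_KBYTE_PER_SEC = {
    "Tunnel_Policy1": 500,
    "Tunnel_Policy2": 700,
    "Tunnel_Policy3": 300,
    "Tunnel_Policy4": 600,
}

# Constructed excerpt of 'show service-policy police', using the values reported above.
SHOW_SERVICE_POLICY_POLICE = """\
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
"""

_CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
_CIR_RE = re.compile(r"^\s*cir\s+(\d+)\s+bps,\s+bc\s+(\d+)\s+bytes")


def parse_police(output):
    """{class_name: {'cir': bit/s, 'bc': bytes}} from 'show service-policy police' output."""
    result, current = {}, None
    for line in output.splitlines():
        m = _CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _CIR_RE.match(line)
        if m and current is not None:
            result[current] = {"cir": int(m.group(1)), "bc": int(m.group(2))}
    return result


def compare(requested, applied):
    """Per class: requested bit/s, installed CIR, and how much the ASA's rounding took off."""
    report = {}
    for cls, kbyte in requested.items():
        want = kbyte_per_sec_to_bps(kbyte)
        got = applied.get(cls, {}).get("cir")
        report[cls] = {"requested_bps": want, "applied_bps": got,
                       "shortfall_bps": None if got is None else want - got}
    return report


def total_exceeds_link(requested, link_bps):
    """Policers cap each class; they reserve nothing. If the CIRs add up to more
    than the link, the link saturates before any policer does and the per-tunnel
    'allocation' is not guaranteed."""
    return sum(kbyte_per_sec_to_bps(k) for k in requested.values()) > link_bps


if __name__ == "__main__":
    applied = parse_police(SHOW_SERVICE_POLICY_POLICE)
    for cls, row in compare(REQUESTED_KBYTE_PER_SEC, applied).items():
        print(f"{cls}: requested {row['requested_bps']} bps, installed {row['applied_bps']} bps, "
              f"shortfall {row['shortfall_bps']} bps")
    print("sum of CIRs exceeds a 3 Mbit/s link:",
          total_exceeds_link(REQUESTED_KBYTE_PER_SEC, 3_000_000))
```

Feed `parse_police` the real `show service-policy police` output after applying the policy; the shortfall column shows what the WARNING lines above cost each class, and `total_exceeds_link` tells you whether the targets are achievable on the link at all.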

radhagaurav1214 Sat, 07/07/2012 - 01:11

Hi, this is a good opportunity to get good concepts.

My question is:

I am not able to get a CA certificate from the Microsoft CA server.

pgoutham Mon, 07/09/2012 - 23:30

Hello Gaurav,

Apologies for the delayed response; this is a failover discussion series on Cisco firewalls, however I'll help you to get started on the certificate issue.

I am not really sure what the actual problem is. Based on the fact that you have mentioned the ASA is unable to enroll with the Microsoft CA server, I would first enable the following debugs:

debug crypto ca 255
debug crypto ca transactions 255

I would actually start by researching what error messages you received while you tried to enroll and what procedure you used to enroll from the ASA perspective. I would also suggest that you take a packet capture to see if the CA server and the ASA are able to communicate without any network-level issues.

johnramz@gmail.com_2 Mon, 07/09/2012 - 06:32

Prashanth Goutham R.

Thank you very much for answering my questions. Very appreciated. I hope other users did benefit from your detailed/tested replies.

John

johantuneld Mon, 07/09/2012 - 07:18

Hello Prashanth,

I've set up an ASA 5505 with 3 servers behind it, running Exchange 2007 and RD Gateway behind NAT.

Port 443 is opened to allow Outlook Anywhere so the domain users can access mail from outside the office without setting up a VPN tunnel. Also I use the RD Gateway so the users can access their workstations in the LAN and also the TS server (remote desktop).

This was working with the old firewall (D-Link NetDefend) but now the users get prompted with a user/password popup from Outlook. The RD Gateway has also stopped working, only telling the users "Logon Attempt Failed".

That means that Outlook failed to access the server using NTLM auth. and needs to use "basic auth" instead.

So my question:

Does the ASA 5505 allow NTLM passthrough? If not, what will I need to buy?

pgoutham Tue, 07/10/2012 - 01:15

Hello Johan,

This forum is specifically for the failover discussion on Cisco firewalls; however, to answer your question, yes, the ASA supports NTLM passthrough:

The ASA supports the following Single Sign On (SSO) methods:

  • Kerberos Constrained Delegation (KCD)
  • Computer Associates Siteminder (Netegrity)
  • RSA Access Manager (ClearTrust)
  • Security Assertion Markup Language (SAML v1.1)
  • Basic/NTLM/FTP/CIFS authentication pass-through
  • Forms-based authentication pass-through; HTTP-POST via variable substitution (macros)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html

Do let me know what troubleshooting you have done so far... Hope that helps.

johantuneld Tue, 07/10/2012 - 01:38

Hmm...

As I can read on the provided URL, those auth methods are supported in the "Single sign-on (SSO) for clientless SSL VPN users" section...

And I am not talking about building any VPN solution.

But can that be the issue? That the ASA is picking up the NTLM for the VPN? Not possible to disable the VPN feature somehow?

Troubleshooting done:

With D-Link it works. With Cisco it doesn't.

(Both devices redirect TCP 443 to the internal IP of the server. Nothing else done.)

ROBERTO TACCON Tue, 07/10/2012 - 02:08

Hello Johan,

You indicate "Port 443 is opened"; the Cisco ASA does NOT inspect this particular SSL port.

Have you checked the output of the following CLI commands:

packet-tracer input outside tcp "internetsourceipaddress" 44444 "exchangeserveripaddress" 443 detailed

show service-policy flow tcp host "internetsourceipaddress" host "exchangeserveripaddress" eq 443

show service-policy

Regards

pgoutham Tue, 07/10/2012 - 05:11

Hello Johan,

I misunderstood what you had mentioned. Yes, this is just for the VPN solution; however, if your requirement is not a VPN solution then this can be treated just as normal data traffic, so make sure you have your basics set right, like ACLs etc. Also try to get the syslog and packet captures when the test is being done:

1. Apply packet captures on the Inside and Outside Interfaces on your firewall as shown :

access-list ACL_CAP permit ip host host
access-list ACL_CAP permit ip host host
capture capin access-list ACL_CAP interface inside circular-buffer
capture capout access-list ACL_CAP interface outside circular-buffer

2. Execute the following command once before and after your exchange server test where your ntlm packets are logged :

show service-policy

3. Also if you have http inspection enabled try disabling the same and try to test again.

4. Mention the ASA version running as well as provide me the NTLM version configured for your authentication.

Zubair.Sayed_2 Tue, 07/10/2012 - 05:21

Hello Prashant.

We have 2 Cisco ASA-5520s configured as a FO pair.

We have the interfaces configured as Inside, Outside and QA.

Recently what happened was one of the switches in the QA environment failed, which resulted in the firewall showing the interface as "Failed - Waiting"; thereafter the firewalls switched from Primary - Active to Secondary - Active, and Primary - Failed....

How do I remove the QA interface from FO or monitoring on the ASAs?

I don't want to monitor the QA interface because we use this for testing; we usually reboot devices etc. and don't want this to cause any issues to production traffic.

Regards

Zubair

clark-white Tue, 07/10/2012 - 12:32

Hello Prashant,

I have 2 questions for you, which are a piece of cake for you I hope:

  • In FWSM, traffic flowing from a lower security level to a higher level requires an access-list and NAT, and also from a higher security level to a lower security level; then what is the use of the security level in FWSM?
  • I have a strange issue. I configured int vlan 2 on the FWSM and gave it security level 90 with nameif Management and an IP address; this is the management VLAN for all the layer 2 switches. The DG on the layer 2 switches is the core switch IP address, which is in the same management VLAN. When I try to ping the management IP address of the core switch or try to telnet to the core switch from another VLAN, I am not able to do either. I have permitted ip any any from all the VLANs.

Zubair.Sayed_2 Wed, 07/11/2012 - 06:20

Hi.

Thanks for the response.

I understand that by disabling monitoring on that interface we will be at risk and no FO will take place, but for this QA environment we don't require this.

We somehow did experience a brief outage when the Primary firewall failed over and the Secondary firewall took over. When issuing a show failover on the firewall I saw the Primary firewall state change to Primary - Failed and the Secondary was Secondary/Standby Ready.

I shut the QA interface down and the firewall states changed to Primary - Standby and Secondary - Ready. I then proceeded to issue the failover active command on the Primary firewall to normalise the firewalls.

What I would like to find out now is that I do not want to interrupt services again, so when I unshut the QA interfaces will this have any effect on the firewalls?

I will ensure to issue the no monitor-interface QA as you mentioned.

Regards

Zubair

pgoutham Wed, 07/11/2012 - 11:40

Hello Clark,

I'll answer both your questions, though they are not in the failover topic we are discussing:

  • In FWSM, traffic flowing from a lower security level to a higher level requires an access-list and NAT, and also from a higher security level to a lower security level; then what is the use of the security level in FWSM?

The security levels are, more than anything, the architecture of how the ASA/FWSM firewalls treat the traffic flows. Each interface is assigned a security value ranging from 0 - 100, which is least secure to the most secure, for the interfaces connecting to your firewall. This is basically a level of trust that you build, wherein you can categorize the firewall flows as inbound or outbound. An inbound flow is any flow where the traffic is flowing from a lower security interface to a higher security interface, and an outbound flow is just the vice versa. This in turn ties up with several functions and features of the ASA/FWSM which depend on how they employ this feature. I would suggest you read more about the feature in the Cisco ASA/FWSM configuration guide to get an understanding of the same.

  • I have a strange issue. I configured int vlan 2 on the FWSM and gave it security level 90 with nameif Management and an IP address; this is the management VLAN for all the layer 2 switches. The DG on the layer 2 switches is the core switch IP address, which is in the same management VLAN. When I try to ping the management IP address of the core switch or try to telnet to the core switch from another VLAN, I am not able to do either. I have permitted ip any any from all the VLANs.

--- You have mentioned that you have vlan 2 on your FWSM, which means you have enabled vlan 2 in your firewall vlan group on the switch configuration.

--- However, the ping is not working, so make sure the switch vlan 2 IP address is in the same subnet as the firewall vlan 2 IP address which was configured.

--- show arp should give you the ARP entry for the firewall interface on the switch, and vice versa as well; if you don't see the ARP entry, try to remove vlan 2 from the firewall vlan group and re-enable it.

--- In the firewall make sure that you have the permit icmp interface any so that ICMP pings are not dropped, to allow return ICMP pings as well.

--- Check the syslogs on the firewall to see what is going on.


pgoutham Tue, 07/10/2012 - 23:20

Hello Zubair,

Even though you had a failover, I do not think you had an outage because of this, as I assume you would have had stateful failover enabled, which is the norm today with all Cisco firewalls. I realize the firewall did what it had to do and nothing abnormal. I find your question confusing, though, as it says:

"How do I remove the QA interface from FO or monitoring on the ASA's?"

and then you also go on to ask:

"How do I remove the QA interface from FO or monitoring on the ASA's?"

I can tell you that the first option is unavailable and defeats the purpose of failover on the ASA in the first place; however, if your question is just about disabling interface monitoring on the ASA, then please do this:

ASADMZ(config)# no monitor-interface QA

What you would achieve by doing this is : http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079057

Hope that helps.
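A way to check which interfaces can still trigger a switchover and to generate the exclusions for non-production ones, as an added example (not code from the thread or from Cisco). The `show failover` output it embeds is constructed after the situation Zubair describes, and its exact layout (the `Interface name (ip): Status (Detail)` lines under each host) is an assumption taken from ASA 8.x output, so check it against your own unit before trusting the parser. The trade-off Zubair already named stands: an interface taken out of monitoring can fail without the pair noticing.

```python
"""Read the per-interface health lines of 'show failover' and decide which
interfaces can still trigger a switchover and which non-production ones to
take out of monitoring. Added example, not from the thread; the output below
is constructed after the situation described above, and its exact layout
(the 'Interface name (ip): Status (Detail)' lines) is assumed from ASA 8.x."""
import re

SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
This host: Primary - Failed
        Active time: 0 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
          Interface inside (10.1.1.1): Normal (Monitored)
          Interface outside (198.51.100.1): Normal (Monitored)
          Interface QA (10.9.9.1): Failed (Waiting)
Other host: Secondary - Active
        Active time: 120 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/8.4(4)) status (Up Sys)
          Interface inside (10.1.1.2): Normal (Monitored)
          Interface outside (198.51.100.2): Normal (Monitored)
          Interface QA (10.9.9.2): Normal (Monitored)
"""

_HOST_RE = re.compile(r"^(This|Other) host:\s+(\S+)\s+-\s+(.+?)\s*$")
_IF_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\(([\d.]+)\):\s+(\w+)\s*\(([^)]+)\)")


def parse_failover(output):
    """{'This'|'Other': {'unit': 'Primary'|'Secondary', 'state': str, 'interfaces': {name: (status, detail)}}}"""
    hosts, current = {}, None
    for line in output.splitlines():
        m = _HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            continue
        m = _IF_RE.match(line)
        if m and current is not None:
            name, _ip, status, detail = m.groups()
            hosts[current]["interfaces"][name] = (status, detail)
    return hosts


def unhealthy_monitored(hosts):
    """(host, interface, status) for monitored interfaces that are not Normal on either unit.
    Only monitored interfaces count toward the failover decision."""
    return [(host, name, status)
            for host, info in hosts.items()
            for name, (status, detail) in info["interfaces"].items()
            if status != "Normal" and detail != "Not-Monitored"]


def exclusion_commands(hosts, non_production):
    """'no monitor-interface X' for each still-monitored interface named in non_production.
    Enter them on the active unit; the configuration is replicated to the standby."""
    names = {name
             for info in hosts.values()
             for name, (_status, detail) in info["interfaces"].items()
             if name in non_production and detail != "Not-Monitored"}
    return [f"no monitor-interface {n}" for n in sorted(names)]


if __name__ == "__main__":
    hosts = parse_failover(SHOW_FAILOVER)
    for host, info in hosts.items():
        print(f"{host} host: {info['unit']} - {info['state']}")
    print("unhealthy monitored:", unhealthy_monitored(hosts))
    print("\n".join(exclusion_commands(hosts, {"QA"})))
```

After applying the generated commands, run `show failover` again: the excluded interfaces should now show "(Not-Monitored)" and `unhealthy_monitored` should come back empty for them even while the QA switch is rebooting.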

nkarthikeyan Wed, 07/11/2012 - 03:49

Hi Prashanth,

Can we use the same failover interface for both the LAN and stateful failover?

r.berndt@swg-dr... Tue, 07/10/2012 - 04:51

Hello Prashanth Goutham R.,

We've got trouble with our ASA 5510. For some days our ASA 5510 has looked like a Catalyst CE500-24LC in a newly installed Cisco Network Assistant, also in the web interface. Here are some pics about this fact.

In the last year we had a firm which supported our network. But now we have to do it by ourselves.

Our ASA 5510 manages some VPNs to our branch offices and mobile devices.

One of these VPNs to mobile devices has been closed since last Saturday.

I can't find a mistake because of this case.

What could be wrong here?

With kind regards

Ruediger

OK... I've found a second IP of the ASA 5510 (.180). The connection is possible over this IP and an ASDM tool.

But what, please, is the "virtual switch" on IP .254? Both have the same hostname (FECSW01).

On the connected ports of the switch MACs are registered which really exist on the other switches.

We have only 4 physical Cisco switches. Till now the 5th switch is a phenomenon for us.

Why is the Cisco Network Assistant not able to show the ASA 5510 on IP .180?

pgoutham Tue, 07/10/2012 - 22:43

Hello Ruediger,

I am not very familiar with Cisco Network Assistant and this is not a topic which is supported in this ATE series. However, can you please let me know which version of the CNA you have running, as I only notice that CNA 5.0 and above have support for the ASA firewalls:

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps5931/product_data_sheet0900aecd8068820a.html

Only these two firewall models seem to be supported:

  • Cisco PIX® 515E Security Appliance
  • Cisco ASA 5505 and ASA 5510 Adaptive Security Appliances

I would suggest you do this:

--- Read the release notes of the CNA version you have installed and check if it lists the model and version of ASA you have as a supported model.

--- Make sure the IP address you use for the CNA is the active firewall's interface and it is reachable from the CNA.

--- Make sure that port 443, or whichever port you have configured for CNA, is free and available when connecting to it.

Take a look at CNA document here and make sure that the Firewall has these ports allowed to the CNA IP:

Communication Protocols

Network Assistant uses HTTPS and HTTP to communicate with community members. It first tries to use HTTPS when using CDP to discover neighboring devices and when devices are added manually. If HTTPS fails, it tries again with HTTP.

The HTTPS port is fixed at 443; the HTTP port defaults to 80. You can specify a different HTTP port when you create a community. Afterward, you use the HTTP Port window to change the HTTP port. The port settings for both HTTPS and HTTP must be the same for all the members of a community.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_network_assistant/version5_4_1/quick/guide/English/creatcom.html#wpxref35998

Discovering and Adding Devices

Follow these steps to compile a list of candidate devices and to add them to a community:

1. Start Network Assistant, and select Connect to a new community in the Connect window. Click Connect.

2. In the Create Community window, enter a name for the community.

3. Click the Advanced button if you want to set an HTTP port other than 80, the default port. Enter the HTTP port number that you want to use. Click OK.

4. Enter the IP address for the starting device, and click Discover Neighbors.

5. In the Devices Found list, select candidate devices that you want to remove.

a. To remove more than one candidate, press Ctrl and make your choices, or press Shift and choose the first and last device in a range.

b. Click Remove.

6. Click Add All To Community to add the remaining devices in the list to the community.


http://www.cisco.com/en/US/docs/net_mgmt/cisco_network_assistant/version5_4_1/quick/guide/English/creatcom.html#wpxref35998

Hope that Helps...

r.berndt@swg-dr... Wed, 07/11/2012 - 06:44

Hello Prashanth Goutham R.,

Thanks for the information. I use the current version 5.6 of the CNA and I want to connect to an ASA 5510 firewall.

With the Java ASDM tool I get a connection to the ASA 5510 over port 443 on IP .180.

I'm now also on the server whose IP address is registered in the ASA 5510.

But the attempt to connect the ASA with the CNA fails with "Unable to connect."

The steps you wrote about, I also did yesterday.

I will look for more details in the settings of the ASA 5510 and cisco community.

thanks and regards

Ruediger

pgoutham Wed, 07/11/2012 - 11:58

Reudinger,

Taking into consideration that you have already checked the relavent release notes and also made sure that basic connectivity as well as reachability between the firewall and the CNA is available and working, Can you please do the following to make sure that the HTTP Server functionality on the ASA is working ok ?

no http server enable 443

--- Check the connectivity from CNA

http server enable 443

--- Check the connectivity from CNA again

This should help fix the issue. Hope that helps.

pgoutham Wed, 07/11/2012 - 04:54

Hello Karthik,

Yes, we can use the same physical interface for both the Failover LAN and State links; it should not be a problem. However, this has to be planned well. For example, if you have 8 interfaces (6 Gig + 2 FA) and you make the FA interface the Failover + State link, I would say it's a bad design and you are in for frequent failovers.

--- Always make sure that your Failover + State interfaces are of equal capacity to your highest-capacity interfaces, especially when you have HTTP replication enabled; I would suggest that you try to have separate Failover & State links configured.

--- Also, I would advise not to use the onboard GE interfaces, as they are not as powerful as the module interfaces, meaning they are not multi-threaded and only one core is used to pull data off those interfaces.

--- If you have a 5580 or higher, make sure to use the command show io-bridge to verify that the distribution between the 2 io-slots is equal.

What I've mentioned above is from my experience of what I see working best, but also consider what is mentioned in the ASA Configuration Guide about the same:

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for the adaptive security appliances:

Cisco ASA 5510

Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

Cisco ASA 5520/5540/5550

Stateful link speed should match the fastest data link.

Cisco ASA 5580/5585

Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.

For optimum performance when using long distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages.

All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate heartbeat link on systems with high Stateful Failover traffic.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536

Hope that helps.

nkarthikeyan Wed, 07/11/2012 - 06:30

Thanks Prashanth.... This clarifies things for me and gave me some good ideas on the failover interface settings and a few more options on the performance of the failover and its dependencies.... valuable info.....

clark-white Thu, 07/12/2012 - 14:39

Hello Prashant,

Thanks for being kind and answering me.

The 1st query was regarding the FWSM and not the ASA; in the ASA I have no doubts about the security-level.

--- You have mentioned that you have vlan 2 on your fwsm, which means you have enabled the vlan 2 in your firewall vlan group on the switch configuration.

YES

--- However the ping is not working, so make sure the switch vlan 2 ip address is in the same subnet as the firewall vlan 2 ip address which was configured.

YES

--- show arp should give you the arp entry for the firewall interface on the switch and vice versa on the firewall as well; if you don't see the arp entry, try to remove the vlan 2 from the firewall vlan group and re-enable it.

I will check and update you

--- In the firewall make sure that you have the permit icmp interface any so that icmp pings are not dropped even to allow return icmp pings.

It is done already.

--- Check the syslogs on the firewall to see what is going on.

Nothing Seen for this issue

I have 1 more query: without the ICMP permit any MGMT command it doesn't allow me to telnet to the MGMT interface !! WHY ???

pgoutham Fri, 07/13/2012 - 01:13

Hello Clark,

The 1st query was regarding the FWSM and not the ASA; in the ASA I have no doubts about the security-level.

My response holds true for both FWSM as well as ASA in response to your first question on the security levels; I just edited my previous post to accommodate FWSM as well in my response.

--- Check the syslogs on the firewall to see what is going on.

Nothing Seen for this issue

There should be something in the syslogs. I am sure there should be an event logged, or turn on your logging to Notifications if it's set to a lower level.

I have 1 more query: without the ICMP permit any MGMT command it doesn't allow me to telnet to the MGMT interface !! WHY ???

I don't really think it has any relevance to telnetting to the ASA Firewall; in fact you do not need any access-list permitting access at all, and you just need to configure management access as shown below:

ssh source_IP_address mask source_interface

telnet source_IP_address mask source_interface

My advice to you is to always enable logging when you are confused about a particular aspect or functionality in the firewall, at least to the notifications level, as this is what gives us an understanding of how the firewall thinks for itself when looking at a particular packet. This is the way it talks to you.

Hope that answers your questions...

maucorpat Wed, 07/25/2012 - 09:23

Hello,

We are trying to design a sandwich ASA in context mode.

We have a pair of ASA 5505 with licences for contexts and failover.

We are thinking of Active-Passive and two contexts:

internet --- ASA1 and ASA2 in failover, Context 1 ---- DMZ --- ASA1 and ASA2 in failover with NAT, Context 2 ---- LAN.

Is this possible with 3 physical interfaces? (Because it is probably necessary to use one for failover and one for management.)

No problem using NAT on context 2?

No problems using static routes?

Can you give us your advice? Also, if possible, some link where we can find information about the configuration?

kind regards.

steelman12 Tue, 07/31/2012 - 08:52

I have a problem.

My dedicated server has hardware firewall ASA5505.

I have to read MySQL data from the server, but the firewall doesn't allow that.

I am going to change the firewall configuration of the Cisco firewall using SSH.

But I don't know how to do it.

Can you tell me the command to allow MySQL?

Thanks.

vishal.amrutiya Tue, 09/11/2012 - 02:09

Hi Prasanth,

We have Cisco ASA5550 running code : asa825-k8.bin.

We have access to our firewall via TACACS only, and a local username/password in case TACACS fails.

Recently our audit team found that the default password is still on the firewall. How do I remove the default password from the Cisco ASA 5550?

Kind Regards,

Vishal

mamer28983 Sat, 12/08/2012 - 05:08

HI expert,

Would you please help me with this issue? I have an ASA 5510 and I need to block URLs for specific users rather than by IP address. I integrated the ASA with my Active Directory; now the ASA is detecting the users from my domain, but it is not applying the rules to the users.

It's only working by IP address using Trend Micro content security.

Any help in this issue.

Please contact me on my email:

mamer@vseegypt.com

mamer1983@hotmail.com

Thanks

bhupendrajain Thu, 12/27/2012 - 23:43

Hi Prashanth

We have a Cisco ASA 5550 firewall running IOS 8.2.

I have added two new interfaces on the firewall, but they show as failed in the sh failover output:

Last Failover at: 22:50:59 IST Dec 4 2012
        This host: Secondary - Active
                Active time: 2043566 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6672): Normal
                  Interface outside (180.x.x.x): Normal
                  Interface management (192.168.1.1): No Link (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1d7): Normal
                  Interface TATA-INTERNET (115.x.x.226): Normal
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
        Other host: Primary - Failed
                Active time: 0 (sec)
                slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
                  Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6686): Normal
                  Interface outside (180.x.x.x) Normal
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1ff): Failed (Waiting)
                  Interface TATA-INTERNET (115.x.x.227): Normal (Waiting)
                slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

Thanks

Bhupendra Jain
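As an added example (not from the thread or from Cisco), a small Python parser that reads the kind of `show failover` output Bhupendra posted and lists what keeps a unit in Failed state or leaves sessions unreplicated. The sample output is constructed with documentation addresses and mirrors the quoted structure.

```python
import re

# Constructed sample modelled on the "show failover" output quoted above
# (documentation addresses, not a real device).
SAMPLE_SHOW_FAILOVER = """\
        This host: Secondary - Active
                  Interface DMZ-Inside (10.132.0.1/fe80::1): Normal
                  Interface management (192.168.1.1): No Link (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::3): Normal
                  Interface TATA-INTERNET (198.51.100.2): Normal
        Other host: Primary - Failed
                  Interface DMZ-Inside (10.132.0.2/fe80::2) Normal
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                  Interface IPVSIX (0.0.0.0/fe80::4): Failed (Waiting)
                  Interface TATA-INTERNET (198.51.100.3): Normal (Waiting)
        Link : Unconfigured.
"""

HOST_RE = re.compile(r"^\s*(?:This|Other) host:\s*(Primary|Secondary)\s*-\s*(\S+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):?\s*(.+?)\s*$")  # colon optional
LINK_RE = re.compile(r"^\s*Link\s*:\s*(.+?)\.?\s*$")


def parse_show_failover(text):
    """Map each unit (Primary/Secondary) to its state and per-interface status."""
    units, link, current = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = m.group(1)
            units[current] = {"state": m.group(2), "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and current:
            units[current]["interfaces"][m.group(1)] = m.group(3)
        elif m := LINK_RE.match(line):
            link = m.group(1)
    return {"units": units, "stateful_link": link}


def failover_findings(parsed):
    """List what keeps a unit Failed or leaves connection state unreplicated."""
    findings = []
    for role, unit in parsed["units"].items():
        if unit["state"] == "Failed":
            findings.append(f"{role} unit is Failed")
        for name, status in unit["interfaces"].items():
            if "Not-Monitored" in status:
                continue  # unmonitored interfaces never trigger a failover
            if status.startswith("Failed") or "(Waiting)" in status:
                findings.append(f"{role}/{name}: {status}")  # Waiting: peer not yet seen
    if (parsed["stateful_link"] or "").startswith("Unconfigured"):
        findings.append("stateful link Unconfigured: no connection replication")
    return findings
```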

This Discussion

Posted June 29, 2012 at 10:22 AM
Stats:
Replies:40 Avg. Rating:5
Views:9434 Votes:0