cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10022
Views
64
Helpful
37
Replies

Ask the Expert: Troubleshooting Adaptive Security Appliances (ASA), Private Internet Exchange (PIX) and Firewall Service Modules (FWSM)

ciscomoderator
Community Manager
Community Manager

Kureli SankarWith Kureli Sankar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about adaptive security appliances (ASAs), Private Internet Exchange (PIX), and firewall services modules (FWSMs) with Cisco Expert Kureli Sankar. This is a continuation of the live Webcast. 

Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco ASA, FWSM, Cisco Security Manager, the Content Security and Control module, and the zone-based firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate-level networking courses. Sankar holds a degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security (#35505) certification.

Remember to use the rating system to let Kureli know if you have received an adequate response. 

Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event.  This event lasts through January 25, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

Webcast related links:

37 Replies 37

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I posted this problem some time ago and though if you would have any additional ideas as to whats causing this problem then any advice would be welcome

Heres my original post with a lot of information

https://supportforums.cisco.com/thread/2158473

To summarize the situation for this post

  • ASA 5585-X Firewalls running Multiple Context Mode in several different 8.4(x) softwares
  • Enabling TCP Syslog with missmatched TCP port with the server stops all traffic through the Context without the use of "logging permit-hostdown"  beforehand (Expected now that I know about it)
  • To enable traffic to pass through the Context again there was no other solution other than to "reboot" the context by removing it and configuring it again.

This made me doubt the whole TCP Syslog setup even though naturally my first error was not to use the "logging permit-hostdown" configuration before I enabled TCP Syslog.

Surely though its not supposed to keep blocking the traffic even after the TCP Syslog server became reachable?

I would like to get TCP Syslog enabled in all our environments but to be honest am a bit paranoid if I might run into more problems which would cause problematic situations for our more critical environments.

- Jouni

Jouni,

Glad that you attended the webcast.  I hope it was educational for many of our forum readers and customers.

The request to stop processing if the firewall cannot log requirement was put in by our DoD. Hard set requirement, I know. If we CANNOT LOG who is doing what through the firewall, then, we simply DO NOT want to build those connections.  I know, we get burned by this problem off and on.

Well, if your enterprise is extremely strict then, you do not want to add the "logging permit-hostdown" command.  Wait for the help desk to receive the calls and fix the syslog server to get traffic flowing again.

Once the syslog server becomes available the firewall should automatically start building connections through it without the need for "logging permit-hostdown".  Allow me some time and I shall test this out in our lab and get back to you.

-Kureli

Jouni,

Tested on ASA running 9.0.1(2) image

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-5-111008: User 'cisco' executed the 'logging host inside 192.168.2.2 6/1469' command.

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-5-111010: User 'cisco', running 'CLI' from IP 192.168.2.2, executed 'logging host inside 192.168.2.2 6/1469'

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766400 for inside:192.168.2.2/1469 (192.168.2.2/1469) to identity:192.168.2.1/41310 (192.168.2.1/41310)

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-414003: TCP Syslog Server inside:192.168.2.2/1469 not responding, New connections are denied based on logging permit-hostdown policy

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766400 for inside:192.168.2.2/1469 to identity:192.168.2.1/41310 duration 0:00:00 bytes 0 TCP Reset-O

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766073 for inside:192.168.2.2/1468 to identity:192.168.2.1/60777 duration 0:09:28 bytes 242437 TCP FINs

Jan 15 2013 03:15:03 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:04 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:04 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:09 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-6-302016: Teardown UDP connection 2766335 for Corp_NET_12345:76.14.0.98/514 to inside:192.168.2.2/1105 duration 0:02:01 bytes 1200

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:76.14.0.98 duration 0:02:01

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766401 for inside:192.168.2.2/1469 (192.168.2.2/1469) to identity:192.168.2.1/31690 (192.168.2.1/31690)

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

logging host inside 192.168.2.2 6/1468

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-6-414008: New connections are now allowed due to change of logging permit-hostdown policy.

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-5-111008: User 'cisco' executed the 'logging host inside 192.168.2.2 6/1468' command.

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-5-111010: User 'cisco', running 'CLI' from IP 192.168.2.2, executed 'logging host inside 192.168.2.2 6/1468'

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766406 for inside:192.168.2.2/1468 (192.168.2.2/1468) to identity:192.168.2.1/42911 (192.168.2.1/42911)

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-3-414003: TCP Syslog Server inside:192.168.2.2/1468 not responding, New connections are denied based on logging permit-hostdown policy

Jan 15 2013 03:15:26 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766406 for inside:192.168.2.2/1468 to identity:192.168.2.1/42911 duration 0:00:00 bytes 0 TCP Reset-O

Jan 15 2013 03:15:26 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:26 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:29 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:29 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766230 for Corp_NET_12345:172.18.109.166/8014 to inside:192.168.2.2/3720 duration 0:05:19 bytes 624 TCP Reset-I

Jan 15 2013 03:15:29 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:172.18.109.166 duration 0:05:19

Jan 15 2013 03:15:30 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609001: Built local-host identity:172.16.1.6

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609001: Built local-host Corp_NET_12345:70.39.176.3

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766407 for Corp_NET_12345:70.39.176.3/8080 (70.39.176.3/8080) to identity:172.16.1.6/20244 (172.16.1.6/20244)

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-6-775005: Scansafe: Primary server Corp_NET_12345:70.39.176.3 is now reachable

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766407 for Corp_NET_12345:70.39.176.3/8080 to identity:172.16.1.6/20244 duration 0:00:00 bytes 0 TCP FINs

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609002: Teardown local-host identity:172.16.1.6 duration 0:00:00

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:70.39.176.3 duration 0:00:00

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:32 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:34 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:34 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:34 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:35 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:35 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766408 for inside:192.168.2.2/1468 (192.168.2.2/1468) to identity:192.168.2.1/60034 (192.168.2.1/60034)

Jan 15 2013 03:15:35 14.36.109.35 : %ASA-6-414007: TCP syslog server connection restored.  New connections allowed.

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-7-609001: Built local-host Corp_NET_12345:172.18.109.166

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766409 for Corp_NET_12345:172.18.109.166/8014 (172.18.109.166/8014) to inside:192.168.2.2/3816 (172.16.1.5/3816)

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766409 for Corp_NET_12345:172.18.109.166/8014 to inside:192.168.2.2/3816 duration 0:00:00 bytes 2729 TCP FINs

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:172.18.109.166 duration 0:00:00

So, without the "logging permit-hostdown" command in the config.

I changed the syslog tcp port to some incorrect port at

Jan 15 2013 03:15:00 14.36.109.35 : 'logging host inside 192.168.2.2 6/1469'

conns were denied and I fixed the port at

Jan 15 2013 03:15:25 14.36.109.35 : logging host inside 192.168.2.2 6/1468

Jan 15 2013 03:15:35 14.36.109.35 : and the TCP syslog server connection restored log at

So, it took about 10 seconds for connections to start automatically building.  As you can see during this time TO the box connections were built without any problem.

-Kureli

Hi,

To completely test this situation I guess you would have to try it either in 8.4(1)9 or 8.4(2) for ASA 5585-X where I witnessed it.

I ran into the problem in a device with 8.4(1)9 (Software that corrected a bug in Active FTP for 5585-X SSP-20 and other multicore platforms) and I tested the situation in another ASA 5585-X with 8.4(2) and ran into the same problem

I simply wasnt able to get the connections working again.

Is your test ASA in single or multiple mode? If in single, could it have something to do with this? I have only tested this in a multiple mode ASA 5585-X SSP20

- Jouni

Agree.  5585 platform and multiple context testing will take a bit longer to accomplish.

The point I was trying to make is the fact though not documented in the command reference, as soon the the syslog server becomes available, we SHOULD start building new "THROUGH" the box connections without the need for any additional command.

I will let you know on the 5585 multiple context 8.2.x code a bit later.

-Kureli

How about load balance script of asa - x series ? Could be advices ?

Siriphan,

Could you please elaborate a little? What scripts are these? What is the purpose?

Thanks,

Kureli

Milan Rai
Level 1
Level 1

I tried my best to attend the Webcast but i was not................I send mail regarding my problem but it was not solved???? dont know why i was not able to attend...????

Just i would like to know is about the IPS......support on through ASA.......

Do we have this option ??? or we need to go for other vendor.........If i am going for ASA as my firewall........Then why dont i have the option for IPS service?????

If i didn't knew that we do have those support please describe me on very simple words.....

Thank You

Milan

Milan,

So sorry that you couldn't attend.  The audio recording along with the slide deck will be made available soon. You can watch/listen at your own time.  I will let our forum admins know about the trouble that you had.

IPS module is supported in the ASA platform. What model are you thinking about?

Check this data sheet:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Pls. see under.

Table 10.

Characteristics of Cisco ASA 5500 Series AIP SSM and SSC Models

-Kureli

Hello Milan,

Thanks for trying to join the live webcast. Seems like the recomendation we sent when we responded to your email did not work. Not to worry, the webcast recording is available at https://supportforums.cisco.com/videos/5258. You can also find the document with all the technical questions from the session at https://supportforums.cisco.com/docs/DOC-29454. If you are interested in downloading the PDF version of the slides, you can find them at https://supportforums.cisco.com/docs/DOC-29170.

I hope this helps.

Kindest Regards,

Monica Lluis

Community Lead

CCIE Emeritus

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

melepruma
Level 1
Level 1

Does the New ASA module for the 6500 support ture active-active cluster operation (same VLAN active on both ASA modules in the two chassis in VSS configuration) on SUP 720?

active/active failover setup is certainly possible.  Is this what you mean?

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/ha_active_active.html#wp1074591

The requirement for act/act failover is multiple context mode.

-Kureli

erichild2
Level 1
Level 1

Good Day,

An issue we seem to be facing with our ASA 5520 8.4(2) is with previously working site2site VPNs no longer working properly.

The tunnels seem to have remained up but to get full data traveling in both directions we have had to

add an outside interface Access Rule.

The only change known is we created a new s2s vpn and it wouldn't work until the Outside Access rule was created.

Not sure if it is a cause or a product of the issue.

Is this something anyone has seen.

Thank You,

Eric

Eric,

I have not seen this problem.  Do you have "sysopt connection permit-vpn" command in the config?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517364

Pls. add that and let me know if the outside acl is still required.

-Kureli



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: