06-14-2016 01:25 AM - edited 03-12-2019 06:02 AM
Hello!
We have, to me at least, a strange problem. We have two ASA5525-X in active/standby. Only a few of the interfaces (7 out of 30) are picked up by the SFR module (the same on both units). My experience is that only traffic entering and leaving on interfaces known to SFR are handled properly. All other traffic times out. The ASA's are in production (but obviously without Firepower).
Any idea on how to fix this?
asa# sh version | i System System image file is "disk0:/asa952-smp-k8.bin"
asa# sh run | i interface interface GigabitEthernet0/0 interface GigabitEthernet0/1 interface GigabitEthernet0/2 interface GigabitEthernet0/3 interface GigabitEthernet0/4 interface GigabitEthernet0/5 interface GigabitEthernet0/6 interface GigabitEthernet0/7 interface Management0/0 interface Port-channel1 interface Port-channel1.2 interface Port-channel1.3 interface Port-channel1.4 interface Port-channel1.5 interface Port-channel1.6 interface Port-channel1.7 interface Port-channel1.8 interface Port-channel1.9 interface Port-channel1.10 interface Port-channel1.12 interface Port-channel1.14 interface Port-channel1.16 interface Port-channel1.18 interface Port-channel1.102 interface Port-channel1.104 interface Port-channel1.106 interface Port-channel1.108 interface Port-channel1.112 interface Port-channel1.114 interface Port-channel1.200 interface Port-channel1.204 interface Port-channel1.205 interface Port-channel1.206 interface Port-channel1.207 interface Port-channel1.208 interface Port-channel1.209 interface Port-channel1.253 interface Port-channel1.254 interface Port-channel1.999 |
> show version ----------------[ sfr1 ]----------------- Model : ASA5525 (72) Version 6.0.0.1 (Build 26)
> show interfaces -------------------[ 10.002 ]------------------- Physical Interface : Port-channel1.2 Type : ASA Security Zone : None Status : Enabled Load Balancing Mode : N/A -------------[ 10.003 ]-------------- Physical Interface : Port-channel1.3 Type : ASA Security Zone : None Status : Enabled Load Balancing Mode : N/A ------------------[ 10.004 ]------------------- Physical Interface : Port-channel1.4 Type : ASA Security Zone : None Status : Enabled Load Balancing Mode : N/A -----------------[ 10.005 ]----------------- Physical Interface : Port-channel1.5 Type : ASA Security Zone : None Status : Enabled Load Balancing Mode : N/A -----------------[ 10.001 ]----------------- Physical Interface : Port-channel1 Type : ASA Security Zone : None Status : Enabled Load Balancing Mode : N/A ---------------[ 10.006 ]---------------- Physical Interface : Port-channel1.6 Type : ASA Security Zone : None Status : Enabled Load Balancing Mode : N/A ---------------[ 10.209 ]--------------- Physical Interface : Port-channel1.209 Type : ASA Security Zone : None Status : Enabled Load Balancing Mode : N/A ---------------------[ cplane ]---------------------
|
Thank you for your time.
Regards,
Erik Qvam
Solved! Go to Solution.
06-14-2016 01:54 AM
Hi
What's the ASA version? there is an existing bug which is fixed in 9.5(2.6) and above.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut40770
Rate if helps.
Yogesh
06-14-2016 01:54 AM
Hi
What's the ASA version? there is an existing bug which is fixed in 9.5(2.6) and above.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut40770
Rate if helps.
Yogesh
06-14-2016 02:52 AM
Hi,
We run 9.5(2) which is a known fixed release according to the release notes http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#id_25667
But we meet the conditions for CSCut40770 (I shortened the interface-names for confidentiality reasons for this post), so I will try a higher SW version, or optionally the suggested workaround.
I'll return with a status after the next maintenance window.
/erik
06-16-2016 04:10 AM
I can confirm that the suggested workaround in CSCut40770 enabled SFR detection of all ASA interfaces.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: