
SFR not detecting all ASA interfaces

Erik Qvam
Level 1

Hello!

We have, to me at least, a strange problem. We have two ASA5525-X in active/standby. Only a few of the interfaces (7 out of 30) are picked up by the SFR module (the same on both units). My experience is that only traffic entering and leaving on interfaces known to SFR is handled properly. All other traffic times out. The ASAs are in production (but obviously without Firepower).

Any idea on how to fix this?

 

asa# sh version | i System

System image file is "disk0:/asa952-smp-k8.bin"

 

asa# sh run | i interface

interface GigabitEthernet0/0

interface GigabitEthernet0/1

interface GigabitEthernet0/2

interface GigabitEthernet0/3

interface GigabitEthernet0/4

interface GigabitEthernet0/5

interface GigabitEthernet0/6

interface GigabitEthernet0/7

interface Management0/0

interface Port-channel1

interface Port-channel1.2

interface Port-channel1.3

interface Port-channel1.4

interface Port-channel1.5

interface Port-channel1.6

interface Port-channel1.7

interface Port-channel1.8

interface Port-channel1.9

interface Port-channel1.10

interface Port-channel1.12

interface Port-channel1.14

interface Port-channel1.16

interface Port-channel1.18

interface Port-channel1.102

interface Port-channel1.104

interface Port-channel1.106

interface Port-channel1.108

interface Port-channel1.112

interface Port-channel1.114

interface Port-channel1.200

interface Port-channel1.204

interface Port-channel1.205

interface Port-channel1.206

interface Port-channel1.207

interface Port-channel1.208

interface Port-channel1.209

interface Port-channel1.253

interface Port-channel1.254

interface Port-channel1.999

> show version

----------------[ sfr1 ]-----------------

Model      : ASA5525 (72) Version 6.0.0.1 (Build 26)

 

> show interfaces

-------------------[ 10.002 ]-------------------

Physical Interface        : Port-channel1.2

Type                      : ASA

Security Zone             : None

Status                    : Enabled

Load Balancing Mode       : N/A

-------------[ 10.003 ]--------------

Physical Interface        : Port-channel1.3

Type                      : ASA

Security Zone             : None

Status                    : Enabled

Load Balancing Mode       : N/A

------------------[ 10.004 ]-------------------

Physical Interface        : Port-channel1.4

Type                      : ASA

Security Zone             : None

Status                    : Enabled

Load Balancing Mode       : N/A

-----------------[ 10.005 ]-----------------

Physical Interface        : Port-channel1.5

Type                      : ASA

Security Zone             : None

Status                    : Enabled

Load Balancing Mode       : N/A

-----------------[ 10.001 ]-----------------

Physical Interface        : Port-channel1

Type                      : ASA

Security Zone             : None

Status                    : Enabled

Load Balancing Mode       : N/A

---------------[ 10.006 ]----------------

Physical Interface        : Port-channel1.6

Type                      : ASA

Security Zone             : None

Status                    : Enabled

Load Balancing Mode       : N/A

---------------[ 10.209 ]---------------

Physical Interface        : Port-channel1.209

Type                      : ASA

Security Zone             : None

Status                    : Enabled

Load Balancing Mode       : N/A

---------------------[ cplane ]---------------------

 

Thank you for your time.

Regards,

Erik Qvam

1 Accepted Solution

yogdhanu
Cisco Employee

Hi

What's the ASA version? There is an existing bug which is fixed in 9.5(2.6) and above.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut40770

Rate if helps.

Yogesh

Hi,

We run 9.5(2) which is a known fixed release according to the release notes http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#id_25667

But we meet the conditions for CSCut40770 (I shortened the interface-names for confidentiality reasons for this post), so I will try a higher SW version, or optionally the suggested workaround.

I'll return with a status after the next maintenance window.

/erik

I can confirm that the suggested workaround in CSCut40770 enabled SFR detection of all ASA interfaces.
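
Added example, not part of the original thread: a small Python check that compares the ASA's "sh run | i interface" output with the SFR module's "show interfaces" output and lists the ASA interfaces the module does not know about, which is how to confirm before and after a fix that every interface is covered. The sample text is constructed and shortened from the outputs quoted above; the function names and the "ignore" prefix list are assumptions of this example.

```python
import re

ASA_IF = re.compile(r"^[ \t]*interface[ \t]+(\S+)[ \t]*$", re.M)
SFR_HEADER = re.compile(r"^-+\[\s*(\S+)\s*\]-+[ \t]*$", re.M)
SFR_FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

# Constructed sample input, shortened from the outputs quoted in the thread.
ASA_SAMPLE = """asa# sh run | i interface
interface GigabitEthernet0/0
interface Port-channel1
interface Port-channel1.2
interface Port-channel1.7
interface Port-channel1.999
"""
SFR_SAMPLE = """> show interfaces
-------------------[ 10.002 ]-------------------
Physical Interface        : Port-channel1.2
Type                      : ASA
Status                    : Enabled
-----------------[ 10.001 ]-----------------
Physical Interface        : Port-channel1
Type                      : ASA
Status                    : Enabled
---------------------[ cplane ]---------------------
"""

def parse_asa_interfaces(text):
    """Interface names from 'sh run | i interface', in config order."""
    return ASA_IF.findall(text)

def parse_sfr_interfaces(text):
    """Map ASA-type interface name -> status from the module's 'show interfaces'."""
    parts = SFR_HEADER.split(text)  # [preamble, id1, body1, id2, body2, ...]
    known = {}
    for body in parts[2::2]:
        fields = dict(SFR_FIELD.findall(body))
        if fields.get("Type") == "ASA" and "Physical Interface" in fields:
            known[fields["Physical Interface"]] = fields.get("Status", "")
    return known

def missing_from_sfr(asa_text, sfr_text, ignore=()):
    """ASA interfaces the module does not list; 'ignore' holds name prefixes to skip."""
    known = parse_sfr_interfaces(sfr_text)
    return [name for name in parse_asa_interfaces(asa_text)
            if name not in known and not name.startswith(tuple(ignore))]

if __name__ == "__main__":
    for name in missing_from_sfr(ASA_SAMPLE, SFR_SAMPLE, ignore=("GigabitEthernet",)):
        print("not known to SFR:", name)
```

Pass name prefixes in "ignore" for interfaces that are not expected to appear on the module, such as port-channel member ports.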
