02-19-2010 01:41 PM - edited 03-11-2019 10:12 AM
After I upgraded to 8.05 from 8.04 I lost my ability to monitor and access an interface on my ASA from devices behind the same interface to be monitored. ASA interface NAC-wifi-dmz2 [10.10.2.10] needs to be monitored by 10.12.1.106 via snmp, icmp, & ssh. Server 10.12.1.106 can be reached via 10.10.2.1 and can be pinged by ASA interface NAC-wifi-dmz2:
*************************************************************************************
interface Ethernet0/0.402
vlan 402
nameif NAC-wifi-dmz2
security-level 0
ip address 10.10.2.10 255.255.255.0 standby 10.10.2.11
*************************************************************************************
chASA01# ping NAC-wifi-dmz2 10.12.1.106
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.12.1.106, timeout is 2 seconds:
!!!!!
**************************************************************************************
chASA01# sh route NAC-wifi-dmz2 10.12.1.106
Gateway of last resort is 64.125.212.1 to network 0.0.0.0
C 10.10.2.0 255.255.255.0 is directly connected, NAC-wifi-dmz2
S 10.0.0.0 255.0.0.0 [1/0] via 10.10.2.1, NAC-wifi-dmz2
S 10.12.1.106 255.255.255.255 [1/0] via 10.10.2.1, NAC-wifi-dmz2
**************************************************************************************
chASA01# sh run | in snmp
snmp-server host NAC-wifi-dmz2 10.12.1.106 community *****
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
**************************************************************************************
chASA01# sh run | in ssh
ssh 10.12.1.0 255.255.255.0 NAC-wifi-dmz2
ssh 10.12.1.106 255.255.255.255 NAC-wifi-dmz2
ssh timeout 5
**************************************************************************************
chASA01# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any NAC-wifi-dmz2
icmp permit host 10.12.1.106 echo-reply NAC-wifi-dmz2
*************************************************************************************
chASA01(config)# sh run access-group
access-group 105 in interface NAC-wifi-dmz2
*************************************************************************************
chASA01(config)# sh run | in access-list 105
access-list 105 extended permit tcp any any
access-list 105 extended permit icmp any any
access-list 105 extended permit udp any any
access-list 105 extended permit gre any any
access-list 105 extended permit esp any any
*************************************************************************************
When I try to connect via snmp, ping & ssh from 10.12.1.106 I get these messages:
%ASA-2-106006: Deny inbound UDP from 10.12.1.106/58078 to 10.10.2.10/161 on interface NAC-wifi-dmz2
%ASA-2-106001: Inbound TCP connection denied from 10.12.1.106/39112 to 10.10.2.10/22 flags SYN on interface NAC-wifi-dmz2
%ASA-3-106014: Deny inbound icmp src NAC-wifi-dmz2:10.12.1.106 dst NAC-wifi-dmz2:10.10.2.10 (type 8, code 0)
Can someone help me figure out what the problem here is?
02-19-2010 04:57 PM
Does the "sh fail" status show OK?
Are you able to ping the standby IP 10.10.2.11 ?
Remove this line: icmp permit host 10.12.1.106 echo-reply NAC-wifi-dmz2 and try the ping again. That line only lets the firewall ping the host and not the other way around.
-KS
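An added example, not part of the thread and not Cisco tooling: a small Python triage script that takes the three deny messages and the management-plane lists quoted in the original post and reports, for each deny, whether the lists that actually govern traffic addressed to the firewall itself (`ssh`, `snmp-server host`, and the ordered `icmp` control list) would have permitted the packet. Interface ACLs bound with `access-group` are not consulted, because they do not apply to to-the-box traffic. It also runs a constructed variant of the `icmp` list that carries only the echo-reply entry followed by an explicit deny, which is the distinction KS draws above. The syslog lines and the `CONFIG` text are copied from the thread; `CONFIG_STRICT`, `INTERFACE_ADDRS`, the verdict names, and the first-match-then-deny model of the `icmp` list are this example's own assumptions.

```python
"""Triage Cisco ASA to-the-box denies (106001/106006/106014) against the lists
that govern traffic addressed to the firewall itself: `ssh`, `snmp-server host`
and the ordered `icmp` control list.  `access-group` ACLs do not apply there."""
import ipaddress
import re

# Constructed sample input: the syslog lines and permit lists posted in the thread.
SYSLOG = """\
%ASA-2-106006: Deny inbound UDP from 10.12.1.106/58078 to 10.10.2.10/161 on interface NAC-wifi-dmz2
%ASA-2-106001: Inbound TCP connection denied from 10.12.1.106/39112 to 10.10.2.10/22 flags SYN on interface NAC-wifi-dmz2
%ASA-3-106014: Deny inbound icmp src NAC-wifi-dmz2:10.12.1.106 dst NAC-wifi-dmz2:10.10.2.10 (type 8, code 0)
"""
CONFIG = """\
snmp-server host NAC-wifi-dmz2 10.12.1.106 community *****
ssh 10.12.1.0 255.255.255.0 NAC-wifi-dmz2
ssh 10.12.1.106 255.255.255.255 NAC-wifi-dmz2
ssh timeout 5
icmp permit any NAC-wifi-dmz2
icmp permit host 10.12.1.106 echo-reply NAC-wifi-dmz2
"""
# Constructed variant (assumption): the echo-reply entry alone, then an explicit
# deny.  An echo-reply entry admits replies to the firewall's own pings, not echo.
CONFIG_STRICT = """\
snmp-server host NAC-wifi-dmz2 10.12.1.106 community *****
ssh 10.12.1.106 255.255.255.255 NAC-wifi-dmz2
icmp permit host 10.12.1.106 echo-reply NAC-wifi-dmz2
icmp deny any NAC-wifi-dmz2
"""
# Addresses the firewall owns (active and standby) on the posted interface.
INTERFACE_ADDRS = {"10.10.2.10": "NAC-wifi-dmz2", "10.10.2.11": "NAC-wifi-dmz2"}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

RE_L4 = re.compile(r"%ASA-\d-(106006|106001): (?:Deny inbound|Inbound) (UDP|TCP)"
                   r"(?: connection denied)? from (\S+)/\d+ to (\S+)/(\d+)"
                   r"(?: flags \S+)? on interface (\S+)")
RE_ICMP = re.compile(r"%ASA-\d-(106014): Deny inbound icmp src \S+:(\S+) "
                     r"dst (\S+):(\S+) \(type (\d+), code \d+\)")

def parse_syslog(text):
    """One dict per recognised deny line; other lines are ignored."""
    denies = []
    for line in text.splitlines():
        if m := RE_L4.match(line):
            mid, proto, src, dst, dport, iface = m.groups()
            denies.append(dict(id=mid, proto=proto.lower(), src=src, dst=dst,
                               iface=iface, dport=int(dport), type=None))
        elif m := RE_ICMP.match(line):
            mid, src, iface, dst, itype = m.groups()
            denies.append(dict(id=mid, proto="icmp", src=src, dst=dst,
                               iface=iface, dport=None, type=int(itype)))
    return denies

def parse_config(text):
    """ssh: [(network, iface)]; snmp: [(iface, manager)];
    icmp: ordered [(action, network, icmp_type or None, iface)]."""
    ssh, snmp, icmp = [], [], []
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["ssh"] and len(t) == 4:      # skips 'ssh timeout', 'ssh version'
            ssh.append((ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]))
        elif t[:2] == ["snmp-server", "host"]:
            snmp.append((t[2], t[3]))
        elif t[:1] == ["icmp"] and len(t) > 3 and t[1] in ("permit", "deny"):
            if t[2] == "any":
                net, rest = ipaddress.ip_network("0.0.0.0/0"), t[3:]
            elif t[2] == "host":
                net, rest = ipaddress.ip_network(t[3]), t[4:]
            else:
                net, rest = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4:]
            # rest is [iface] (any ICMP type) or [icmp-type, iface]
            itype = None if len(rest) == 1 else ICMP_TYPES.get(rest[0], rest[0])
            icmp.append((t[1], net, None if itype is None else int(itype), rest[-1]))
    return ssh, snmp, icmp

def triage(syslog, config, iface_addrs):
    """Return (msg_id, service, verdict) per deny.  'lists-permit' means the
    management lists would have allowed the packet, so they do not explain the deny."""
    ssh, snmp, icmp = parse_config(config)
    results = []
    for d in parse_syslog(syslog):
        kind = f"type {d['type']}" if d["type"] is not None else str(d["dport"])
        service = f"{d['proto']}/{kind}"
        if d["dst"] not in iface_addrs:          # not addressed to the firewall
            results.append((d["id"], service, "through-the-box"))
            continue
        src = ipaddress.ip_address(d["src"])
        if d["proto"] == "tcp" and d["dport"] == 22:
            ok = any(src in net and i == d["iface"] for net, i in ssh)
        elif d["proto"] == "udp" and d["dport"] == 161:
            ok = any((i, ip) == (d["iface"], d["src"]) for i, ip in snmp)
        elif d["proto"] == "icmp":
            ok = not icmp    # no icmp list configured: all ICMP to the box accepted
            for action, net, itype, i in icmp:    # first match wins, else deny
                if i == d["iface"] and src in net and itype in (None, d["type"]):
                    ok = action == "permit"
                    break
        else:                # telnet/http have their own lists, not modelled here
            results.append((d["id"], service, "not-modelled"))
            continue
        results.append((d["id"], service, "lists-permit" if ok else "lists-deny"))
    return results

if __name__ == "__main__":
    for name, cfg in (("posted config", CONFIG), ("strict variant", CONFIG_STRICT)):
        print(name, *(f"\n  {i} {s:<12} {v}" for i, s, v in triage(SYSLOG, cfg, INTERFACE_ADDRS)))
```

Against the posted config every deny comes back `lists-permit`: the three management lists, read as first-match with the posted ordering, account for none of the denials in the original post, which is why the thread looks at failover state and the ICMP list ordering next. Against the strict variant only the type 8 echo is denied, which is KS's point: an `echo-reply` entry admits answers to the firewall's own pings and does nothing for an inbound ping from the monitor.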
02-19-2010 07:25 PM
I can ping the standby IP:
-bash-2.05b# ping 10.10.2.11
PING 10.10.2.11 (10.10.2.11): 56 data bytes
64 bytes from 10.10.2.11: icmp_seq=0 ttl=253 time=1.756 ms
64 bytes from 10.10.2.11: icmp_seq=1 ttl=253 time=1.362 ms
64 bytes from 10.10.2.11: icmp_seq=2 ttl=253 time=1.418 ms
^C
--- 10.10.2.11 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.362/1.455/1.756/0.138 ms
-bash-2.05b# ping 10.10.2.10
PING 10.10.2.10 (10.10.2.10): 56 data bytes
^C
--- 10.10.2.10 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss
And the failover information looks fine:
chASA01# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: wireless-state-int Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 9 of 250 maximum
failover replication http
Version: Ours 8.0(5), Mate 8.0(5)
Last Failover at: 21:10:07 EST Feb 13 2010
This host: Primary - Active
Active time: 521780 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(5)) status (Up Sys)
Interface NAC-wifi-dmz2 (10.10.2.10): Normal
Interface management (10.10.1.15): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(5)) status (Up Sys)
Interface NAC-wifi-dmz2 (10.10.2.11): Normal
Interface management (10.10.1.16): Normal
slot 1: empty