
Q&A from "Troubleshooting ASA Firewalls - Understanding Firewall Architecture, Troubleshooting CPU Issues, Understanding Fail over and CSC-SSM vs ASA-NGFW (CX)"

 

 

This is the Q&A from "Troubleshooting ASA Firewalls - Understanding Firewall Architecture, Troubleshooting CPU Issues, Understanding Fail over and CSC-SSM vs ASA-NGFW (CX)"

 

Q. How does data flow through the ASA when we use an ASA-SSM module?

A. An ASA-SSM could either be the 4-port expansion module or the CSC or AIP SSM module. If it is the 4-port SSM module, then that will still be processed by the ASA's CPU but the CPU uplink is restricted to 1Gbps. Traffic destined to the AIP or CSC module will be redirected by the ASA over the backplane to the module and returned back to the ASA by the module if allowed.

 

Q. What is OID?

A. OID is object identifier. Basically you can think of it like a code that a device recognizes in order to give some information to the SNMP server. You can look up SNMP OIDs here: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?.

 

Q. What happens if the failover cable goes faulty? Will both firewalls go active? How can these situations be avoided?

A. If the failover link goes down, failover is disabled. You will need to fix this condition ASAP. You can check this link for more triggers and what happens in different failover events:

PIX/ASA Active/Standby Failover Configuration Example - Failover Triggers

 

Q. If I do not configure a standby IP on a sub-interface (secondary box), will it show up as "waiting" in the output of "show failover"?

A. If you do not have a standby IP, that interface cannot be monitored. If it is configured to be monitored, it will show up as "waiting".

 

Q. Is there any maximum size for configuration?

A. We do not have any maximum size as such for ASAs. It depends on the amount of RAM installed.

 

Q. For configuring failover between two devices, the devices' s/w configuration and h/w configuration should be the same. If I have a different h/w configuration, can I configure failover?

A. The hardware config should be the same, with the exception of flash; the flash should be sufficient to accommodate all images (ASA image, ASDM, AnyConnect, etc.). This link explains the same: http://www.cisco.com/en/US/docs/security/asa/asa84/configurati

Q. Can you share a link that explains how the firewall analyzes packets when they hit it?

A. Here's a good link on ASA packet processing:  

Cisco ASA 5500-X Series Next-Generation Firewalls - Packet Flow through Cisco ASA Firewall

 

Q. If any traffic is redirected towards the standby ASA, will it process the traffic or discard it?

A. Yes, it will drop any user traffic destined to it.

 

Related Information:

Session Video

Session Presentation

Technical Services Virtual Boot Camp Series