10-02-2014 10:48 PM
Hi all,
I'm currently configuring and troubleshooting an S2S VPN between ASAs.
I can't seem to reload the ASA5525-X.
The command reload quick noconfirm (perhaps when I issued it yesterday) disconnected my Telnet session, and I saw replies on my continuous ping and was able to Telnet afterwards.
Is there any other reload command to reboot this firewall? Can this be a bug?
# debug crypto ikev1 255
Oct 02 22:37:49 [IKEv1]IP = 202.x.x.x, Reboot Underway... dropping new P1 packet.
Oct 02 22:37:57 [IKEv1]IP = 202.x.x.x, Reboot Underway... dropping new P1 packet.
Oct 02 22:38:05 [IKEv1]IP = 202.x.x.x, Reboot Underway... dropping new P1 packet.
# reload
Proceed with reload? [confirm]
# <<< STILL CONNECTED
# sh reload
Shutting down the system right now.
# reload noconfirm
# reload in ? << STILL CONNECTED
# reload
System config has been modified. Save? [Y]es/[N]o:
Cryptochecksum: c6bd3ee7 cc75760d 6ecf8bd4 d0fe71a2
8505 bytes copied in 0.650 secs
Proceed with reload? [confirm]
# <<< STILL CONNECTED
# reload quick noconfirm <<< MY TELNET DISCONNECTED, CAN STILL PING INSIDE IP
# sh ve
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
10-02-2014 11:18 PM
The reload quick command reloads the ASA without shutting down processes gracefully. So, your Telnet or SSH connection will be disconnected immediately upon issuing this command.
--
Please remember to select a correct answer and rate helpful posts
10-02-2014 11:39 PM
Hi Marius,
Yes, my Telnet got disconnected but I can still ping the ASA.
I'm trying to remotely reboot the ASA but I can't.
Any other commands available, or is a physical hard reset needed?
10-02-2014 11:51 PM
Can you try the commands while SSH'ed into the ASA? Do you still get the same result?
So, the commands reload, reload in <minutes>, reload at <time> and reload quick do not work?
As a last resort you can force the ASA to create a crash dump, which will also force the ASA to reload. I would try to either reload the ASA while using SSH or get someone locally at the site to reload the ASA before using this command. It will not harm your ASA, but it is better to reload the ASA properly than having to force it.
crashinfo force watchdog
--
Please remember to select a correct answer and rate helpful posts
10-03-2014 12:32 AM
Hi Marius,
SSH is not an option. Yes, reload in x and reload at x don't work.
Is the command crashinfo force watchdog safe?
Will I still get a CLI prompt afterwards? Have you tried this before?
10-03-2014 12:43 AM
I have never tried it before. I just know some people who have. Yes, you will get the CLI prompt afterwards. What the command does is force the appliance to crash, causing it to reboot. Of course it is never good to force a crash, so use this as a last resort.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/c4.html#wp2127586
If you are going to upgrade the IOS but stay within the 9.1 version then I would recommend upgrading to the latest maintenance release which I believe is 9.1(5).
--
Please remember to select a correct answer and rate helpful posts
10-03-2014 01:05 AM
Hi Marius,
The said command works and I was able to reboot.
I still can't view the correct show and debug crypto output, although my VPN works as per ping from routers behind the ASAs.
Perhaps an upgrade is required.
# sh reload
No reload is scheduled.
# sh ve
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
Compiled on Thu 09-May-13 16:20 PDT by builders
System image file is "disk0:/asa912-smp-k8.bin"
Config file at boot was "startup-config"
ASA01 up 1 min 49 secs
10-03-2014 01:10 AM
What are you seeing in the show and debug commands that are not correct?
--
Please remember to select a correct answer and rate helpful posts
10-03-2014 01:33 AM
IKE phase 1 shows nothing, although I can see output on both show conn and show xlate.
# debug crypto ikev1 255 <<< JUST DID A PING ON ROUTERS BEHIND, NOTHING
# sh crypto isa sa
There are no IKEv1 SAs
There are no IKEv2 SAs
# sh conn
5 in use, 12 most used
GRE outside RTRA-PE01-Lo2:0 inside RTRB-PE01-INSIDE:0, idle 0:00:59, bytes 520, flags
UDP outside 10.20.251.100:389 inside 10.102.5.138:65375, idle 0:00:42, bytes 160, flags -
GRE outside RTRA-PE01-Lo2:0 inside RTRB-PE01-INSIDE:0, idle 0:00:59, bytes 520, flags
10-03-2014 01:36 AM
This does sound like a bug, though I have not been able to find anything that matches exactly what you are describing. The closest I have come to it is this:
https://tools.cisco.com/bugsearch/bug/CSCui63322
Perhaps an upgrade will solve the issue. Remember to have a rollback plan in case things don't go as planned.
--
Please remember to select a correct answer and rate helpful posts
10-03-2014 01:43 AM
Hi Marius,
You recommend ASA code 9.1(5); is it stable?
Have you personally used this on your ASAs?
10-03-2014 01:48 AM
I personally am running 9.1(4) on most of my customer's ASAs. I have not encountered any bugs and do not need any new features which is why I have not upgraded.
The latest maintenance releases will normally be the most stable, as these are the ones that have the most bug fixes applied. It is most often the new minor releases that will have the most bugs (9.1, 9.2, 9.3, etc.).
--
Please remember to select a correct answer and rate helpful posts
10-03-2014 01:56 AM
Hi Marius,
Cisco suggested 9.1(5) vs. the 9.1(4) on their download site.
Can I upgrade directly from my current code 9.1(2) to 9.1(5)?
10-03-2014 01:59 AM
Cisco will almost always (with a few exceptions) recommend the latest maintenance release.
Yes, you can upgrade directly to the 9.1(5) version.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/upgrade/upgrade91.html#pgfId-52459
--
Please remember to select a correct answer and rate helpful posts
10-06-2014 09:10 PM
Hi Marius,
Just performed an upgrade to 9.1(5), and it solved the reload and S2S/crypto output issue I was having. Just to also add, I remembered the software bug showed some weird static routes that I didn't put in when I did a show run route command.
# sh ve
Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(3)
Compiled on Thu 27-Mar-14 10:19 PDT by builders
System image file is "disk0:/asa915-smp-k8.bin"
Config file at boot was "startup-config"
ASA01 up 1 hour 36 mins
# sh flash | i .bin
110 38191104 Apr 29 2014 14:51:00 asa912-smp-k8.bin
111 18097844 Apr 29 2014 14:52:20 asdm-713.bin
123 37822464 Oct 06 2014 19:21:33 asa915-smp-k8.bin
# sh run boot
boot system disk0:/asa915-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
# sh crypto isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
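The thread ends with the poster eyeballing show version, show run boot, show flash and show crypto isakmp sa by hand to confirm the upgrade took and the tunnel came back. The script below is an added example, not code from the thread or from Cisco: it parses those four outputs plus the debug crypto ikev1 text, flags the "Reboot Underway" condition from the first post, and returns a list of findings (empty means all checks passed). All sample outputs are constructed to match the formats quoted in the thread, the peer address 203.0.113.1 stands in for the masked 202.x.x.x, and every function name is hypothetical. Nothing here talks to a device; paste real output into the constants to use it.

```python
"""Post-upgrade sanity checks on ASA CLI output (added example; constructed data)."""
import re

# Constructed sample of `debug crypto ikev1 255` from a box that still believes
# a reboot is underway (the stuck state described in the original post).
DEBUG_STUCK = """\
Oct 02 22:37:49 [IKEv1]IP = 203.0.113.1, Reboot Underway... dropping new P1 packet.
Oct 02 22:37:57 [IKEv1]IP = 203.0.113.1, Reboot Underway... dropping new P1 packet.
"""

# Constructed samples in the same layout as the thread's `show` outputs.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(3)
System image file is "disk0:/asa915-smp-k8.bin"
ASA01 up 1 hour 36 mins
"""
SHOW_RUN_BOOT = """\
boot system disk0:/asa915-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
"""
SHOW_FLASH_BIN = """\
110 38191104 Apr 29 2014 14:51:00 asa912-smp-k8.bin
111 18097844 Apr 29 2014 14:52:20 asdm-713.bin
123 37822464 Oct 06 2014 19:21:33 asa915-smp-k8.bin
"""
SHOW_ISAKMP = """\
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 203.0.113.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
"""
SHOW_ISAKMP_EMPTY = "There are no IKEv1 SAs\nThere are no IKEv2 SAs\n"


def reboot_underway_peers(debug_text):
    """Peers whose phase-1 packets are being dropped with 'Reboot Underway'."""
    return set(re.findall(r"IP = (\S+), Reboot Underway", debug_text))


def running_image(show_version):
    """Image path the ASA reports it booted from, or None if not found."""
    m = re.search(r'System image file is "([^"]+)"', show_version)
    return m.group(1) if m else None


def boot_order(show_run_boot):
    """'boot system' entries in the order the ASA will try them."""
    return re.findall(r"^boot system (\S+)", show_run_boot, re.M)


def flash_images(show_flash):
    """File names present on flash (last column of `show flash | i .bin`)."""
    return {line.split()[-1] for line in show_flash.splitlines() if line.strip()}


def ikev1_sa_states(show_isakmp):
    """Map IKEv1 peer -> state; 'There are no IKEv1 SAs' yields an empty map."""
    states, peer = {}, None
    for line in show_isakmp.splitlines():
        m = re.search(r"IKE Peer: (\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State : (\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
            peer = None
    return states


def post_upgrade_findings(expected_image, show_version, show_run_boot,
                          show_flash, show_isakmp, debug_text=""):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    order = boot_order(show_run_boot)
    if not order or order[0] != expected_image:
        findings.append(f"first boot entry is {order[0] if order else None}, "
                        f"expected {expected_image}")
    on_flash = flash_images(show_flash)
    for entry in order:  # every boot entry should exist, including the rollback image
        if entry.split("/")[-1] not in on_flash:
            findings.append(f"boot entry {entry} not present on flash")
    run = running_image(show_version)
    if run != expected_image:
        findings.append(f"running image {run}, expected {expected_image}")
    stuck = reboot_underway_peers(debug_text)
    if stuck:
        findings.append(f"IKE dropping P1 packets as 'Reboot Underway' for {sorted(stuck)}")
    states = ikev1_sa_states(show_isakmp)
    if not states:
        findings.append("no IKEv1 SAs present")
    for peer, state in states.items():
        if state != "MM_ACTIVE":
            findings.append(f"peer {peer} in state {state}")
    return findings


if __name__ == "__main__":
    ok = post_upgrade_findings("disk0:/asa915-smp-k8.bin", SHOW_VERSION,
                               SHOW_RUN_BOOT, SHOW_FLASH_BIN, SHOW_ISAKMP)
    print("findings after upgrade:", ok or "none")
    bad = post_upgrade_findings("disk0:/asa915-smp-k8.bin", SHOW_VERSION,
                                SHOW_RUN_BOOT, SHOW_FLASH_BIN,
                                SHOW_ISAKMP_EMPTY, DEBUG_STUCK)
    print("findings on stuck box:", bad)
```

Keeping the previous image as the second boot entry, as the poster's show run boot does, is what makes the rollback plan Marius mentions actually work, so the check verifies that both entries exist on flash rather than only the new one.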