topic Re: Ask the Expert:Configuring, Troubleshooting & Best Practices in Network Security

Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

ciscomoderator — Thu, 13 Feb 2020 20:58:26 GMT

With Prashanth Goutham R.

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham.

Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.

Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.

Remember to use the rating system to let Prashanth know if you have received an adequate response.

Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

Ask the Expert:Configuring, Troubleshooting & Best Practices on

John Ventura — Wed, 04 Jul 2012 04:13:16 GMT

Hello Prashanth,

I have a quick question for you. Why it is recommended to have a switch in-between the Firewall pairs and not connect them directly though its going to work fine anyway?

thanks a lot,

- John

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

pgoutham — Wed, 04 Jul 2012 07:10:44 GMT

Hello John,

I believe you are talking about the Failover Lan Interface connectivity which can be of two types:

--- Back to Back.

--- With Intermediary Switch

I would say the second option is better as its easy to segment and isolate faults on a Production Network. Consider the below scenario:

Your firewalls are connected back to back with a crossover cable and you have a live firewall and you start experiencing failover related issues on your FO lan port. What would you do to determine if its a cable or a Firewall Interface issue and if an Interface issue which Interface? Cause if one Interface goes down it pulls down the Peer interface as well to line protocol down. This is tricky you would need to manually test all the components seperately using another directly connected device to see which component is faulty or replace all units to restore services.

In case of the second option we can clearly eliminate as the switch is inbetween. I think its also explained in the configuration guide here:

When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html

Hope that helps. Have a good day !

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

ROBERTO TACCON — Wed, 04 Jul 2012 17:20:50 GMT

Hello Prashanth,

please can you check/confirm if using a Cisco ASA Active/Standby clustering enviroment the SELF SIGNED GENERATED certificate used for SSL VPN remote access are replicated or NOT on the STANDBY unit ?

On the following doc there's indicate "the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated but testing on lab with version 8.4.4 the result is different: the self signed certificate of the active asa is replicated on the standby.

https://supportforums.cisco.com/docs/DOC-12969

Q. Are digital certificates replicated in a Active/Standby configuration?

A. Yes. Third-party digital certificates (ie. from Entrust, Verisign, Microdoft,etc) that are installed on the Active ASA are replicated to the Standby ASA in an active/standby config.

However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated.

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

pgoutham — Wed, 04 Jul 2012 20:00:44 GMT

Hello Roberto,

The document is absolutely right the Certificates on the ASA get replicated with Bulk replication only and these are 3rd party certificates only and not the locally generated certificates which i have checked in previous versions. However i have not played around much on 8.4.4 which was just released and i dont have a reason to believe that it works differently on 8.4.4, i can check this up for you once i get into office in the morning.

Can you let me know the license you are on Active/Active or Active/Standby Failover ? Also what are the steps you took to test this and how sure are you that this was not exported to the other firewall ? Just to add i would assume the purpose of Self signed Certificate to be unique to each of the ASA's.

thanks,

Prashanth

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

ROBERTO TACCON — Wed, 04 Jul 2012 20:32:54 GMT

Hello Prashanth,

maybe I've not fully understood, please can you indicate me again why the "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct ?

If the previous sentence is correct why on the following test enviroment both cisco asa active and standby have the same SSL self signed certificate ?

Enviroment:

a cluster of Cisco ASA is Active/Standby firewalls with the SSL AnyConnect certificate auto generated named “SELFSIGNEDCERT” and used for the remote SSL vpn

ON THE ACTIVE:

pri/act/asa# sh run | i SELFSIGNEDCERT

crypto ca trustpoint SELFSIGNEDCERT

keypair SELFSIGNEDCERTKEY

crypto ca certificate chain SELFSIGNEDCERT

ssl trust-point SELFSIGNEDCERT outside vpnlb-ip

ssl trust-point SELFSIGNEDCERT outside

pri/act/asa#

pri/act/asa#sh crypto ca certificates SELFSIGNEDCERT

Certificate

Status: Available

Certificate Serial Number: 5406334f

Certificate Usage: General Purpose

Public Key Type: RSA (2048 bits)

Signature Algorithm: SHA1 with RSA Encryption

Issuer Name:

hostname=asa.cisco.com

cn=*.cisco.com

Subject Name:

hostname=asa.cisco.com

cn=*.cisco.com

Validity Date:

start date: 20:42:41 UTC Feb 20 2012

end date: 20:42:41 UTC Feb 17 2022

Associated Trustpoints: SELFSIGNEDCERT

pri/act/asa#

ON THE STANDBY:

sec/stby/asa# sh crypto ca certificates SELFSIGNEDCERT

Certificate

Status: Available

Certificate Serial Number: 5406334f

Certificate Usage: General Purpose

Public Key Type: RSA (2048 bits)

Signature Algorithm: SHA1 with RSA Encryption

Issuer Name:

hostname=asa.cisco.com

cn=*.cisco.com

Subject Name:

hostname=asa.cisco.com

cn=*.cisco.com

Validity Date:

start date: 20:42:41 UTC Feb 20 2012

end date: 20:42:41 UTC Feb 17 2022

Associated Trustpoints: SELFSIGNEDCERT

sec/stby/asa#

And again if the sentence "However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated." is correct:

Qs:

1) If I activate the standby unit with “failover active” need to do something for the SSL certificate (needed to copy it from the other unit) ?!?!

2) If the active firewall unit FAIL is it necessary to reinstall the AUTO GENERATED SSL certificate on the Standby unit ?!?!

Ask the Expert:Configuring, Troubleshooting & Best Practices on

John Ventura — Thu, 05 Jul 2012 04:43:21 GMT

Thanks Prashanth for detailed info.

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

pgoutham — Thu, 05 Jul 2012 12:05:13 GMT

Hello Roberto,

I tried out the configuration on 8.4.4 and observed the same issue as what you have noticed, look below :

CiscoASA(config-ca-trustpoint)# fqdn sslvpn.cisco.com

CiscoASA(config-ca-trustpoint)# subject-name CN=sslvpn.cisco.com

CiscoASA(config-ca-trustpoint)# crypto key generate rsa label sslvpnkeypair

INFO: The name for the keys will be: sslvpnkeypair

Keypair generation process begin. Please wait...

CiscoASA(config)# crypto ca trustpoint SELFSIGNEDCERT

CiscoASA(config-ca-trustpoint)# keypair sslvpnkeypair

CiscoASA(config)# crypto ca enroll SELFSIGNEDCERT noconfirm

% The fully-qualified domain name in the certificate will be: sslvpn.cisco.com

When i try to view it i see the below output on both Active and Standby Firewalls replicated without doing even a write standby:

CiscoASA(config)# show cry ca cert

Certificate

Status: Available

Certificate Serial Number: c5d1f44f

Certificate Usage: General Purpose

Public Key Type: RSA (1024 bits)

Signature Algorithm: SHA1 with RSA Encryption

Issuer Name:

hostname=sslvpn.cisco.com

cn=sslvpn.cisco.com

Subject Name:

hostname=sslvpn.cisco.com

cn=sslvpn.cisco.com

Validity Date:

start date: 16:29:09 GMT Jul 5 2012

end date: 16:29:09 GMT Jul 3 2022

Associated Trustpoints: SELFSIGNEDCERT

This is exactly matching the output you had provided, however what we both did not figure out earlier is that this is an Identity certificate and not a CA certificate. A typical CA certificate looks like this:

CiscoASA(config)# show crypto ca certificate

CA Certificate

Status: Available

Certificate Serial Number: 344ed55720d5edec49f42fce37db2b6d

Certificate Usage: General Purpose

Public Key Type: RSA (2048 bits)

Signature Algorithm: SHA1 with RSA Encryption

Issuer Name:

cn=thawte Primary Root CA

ou=Certification Services Division

o=thawte\, Inc.

c=US

Subject Name:

cn=thawte Primary Root CA

ou=Certification Services Division

o=thawte\, Inc.

c=US

Validity Date:

start date: 00:00:00 UTC Nov 17 2006

end date: 23:59:59 UTC Jul 16 2036

Associated Trustpoints: abc

Hence going back to the document you had pointed out, its only speaking about the Local CA Generated certificates and not all locally generated Certificates (identity). Refer to the 8.4 Configuration guide as well which shows that the locally generated

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_standby.html

Note Standby Failover does not replicate the following files and configuration components:

•AnyConnect images

•CSD images

•ASA images

•AnyConnect profiles

•Local Certificate Authorities (CA)

•ASDM images

Hope that clarifies the document's wordings

Ask the Expert:Configuring, Troubleshooting & Best Practices on

ROBERTO TACCON — Thu, 05 Jul 2012 12:38:47 GMT

Thanks for the info.

Roberto Taccon

Ask the Expert:Configuring, Troubleshooting & Best Practices on

johnramz — Fri, 06 Jul 2012 15:09:20 GMT

Prashanth Goutham R.

I have set up 4 IPsec VPNs in a ASA 5520. The maximum bandwidth-BW- provided by our ISP is 3 MBPS.

Let's suppose that I want to assign/allocate BW to each IPSEc tunnel as follows:

Tunnel 1: 500 KBps

Tunnel 2: 700 KBps

Tunnel 3: 300 KBps

Tunnel 4: 600 Kbps

1- What is the configuration to make that possible?

2- Does it make any difference if this configuration fo BW assignment is also added on the other VPN peer?

Thanks

John

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

pgoutham — Fri, 06 Jul 2012 18:45:30 GMT

Hello John,

This session is on Failover Functionality on all Cisco Firewalls, im not a geek on QOS however i have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.

access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
     match access-list tunnel_one
   class-map Tunnel_Policy2
     match access-list tunnel_two
   class-map Tunnel_Policy3
     match access-list tunnel_three
   class-map Tunnel_Policy4
     match access-list tunnel_four
  policy-map tunnel_traffic_limit
     class Tunnel_Policy1
      police output 4096000
   policy-map tunnel_traffic_limit
     class Tunnel_Policy2
      police output 5734400
   policy-map tunnel_traffic_limit
     class Tunnel_Policy3
      police output 2457600
    policy-map tunnel_traffic_limit
     class Tunnel_Policy4
      police output 4915200
service-policy tunnel_traffic_limit interface outside

You might want to watch out for the following changes in values:

HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400
WARNING: police rate 5734400 not supported. Rate is changed to 5734000     
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600
WARNING: police rate 2457600 not supported. Rate is changed to 2457500
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4
HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200
WARNING: police rate 4915200 not supported. Rate is changed to 4915000
I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/

The Final outputs of the configured values were :

Class-map: Tunnel_Policy1

Output police Interface outside:

cir 4096000 bps, bc 128000 bytes

conformed 0 packets, 0 bytes; actions: transmit

exceeded 0 packets, 0 bytes; actions: drop

conformed 0 bps, exceed 0 bps

Class-map: Tunnel_Policy2

Output police Interface outside:

cir 5734000 bps, bc 179187 bytes

conformed 0 packets, 0 bytes; actions: transmit

exceeded 0 packets, 0 bytes; actions: drop

conformed 0 bps, exceed 0 bps

Class-map: Tunnel_Policy3

Output police Interface outside:

cir 2457500 bps, bc 76796 bytes

conformed 0 packets, 0 bytes; actions: transmit

exceeded 0 packets, 0 bytes; actions: drop

conformed 0 bps, exceed 0 bps

Class-map: Tunnel_Policy4

Output police Interface outside:

cir 4915000 bps, bc 153593 bytes

conformed 0 packets, 0 bytes; actions: transmit

exceeded 0 packets, 0 bytes; actions: drop

conformed 0 bps, exceed 0 bps

Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html

Hope that helps..

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

johnramz — Fri, 06 Jul 2012 19:11:12 GMT

Prashanth Goutham R.

Thanks for your detailed reply and for allowing this out-of-scope question. Honestly, when I read "ASA" in the subject I ignored the rest.

Two more questions:

1- Which SHOW command you used at the end to verify the bandwidth?

2- If one peer is policing traffic and the other one is not, the one with the smallest bandwidth would set the size limit in the connection ? I am also implying that the Traffic policing does not need to be configured on both ends, correct?

Thanks again

John

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

pgoutham — Sat, 07 Jul 2012 00:12:56 GMT

John,

1- Which SHOW command you used at the end to verify the bandwidth?

--- Command used is show service-policy police

2- If one peer is policing traffic and the other one is not, the one with the smallest bandwidth would set the size limit in the connection ?

I am also implying that the Traffic policing does not need to be configured on both ends, correct?

--- Policing at one end should help control the limits.

Ask the Expert:Configuring, Troubleshooting & Best Practices on

gaurav bhardwaj — Sat, 07 Jul 2012 08:11:38 GMT

Hi this is good opportunity to get good concept..

my Question is..

I am not able to get CA certificate by microsoft CA server.

Ask the Expert:Configuring, Troubleshooting & Best Practices on

johnramz — Mon, 09 Jul 2012 13:32:23 GMT

Prashanth Goutham R.

Thank you very much for answering my questions. Very appreciated.I hope other users did benefit from your detailed/tested replies.

John

Ask the Expert:Configuring, Troubleshooting & Best Practices on

johantuneld — Mon, 09 Jul 2012 14:18:16 GMT

Hello Prashanth,

I've setup a ASA 5505 with 3 servers behind it. Riunning Exchange 2007 and RD Gateway behind NAT.

Port 443 is opened to allow Outlook Anywhere so the Domain users can access mail from outside the office without setting up a VPN tunnel. Also I use the RD Gateway so the users can access their worksations in the LAN and also the TS server (remote desktop)

This was working with the old firewall (D-Link Netdefend) but now the users get prompted with user/password popup from Outlook. The RD Gateway has also stopped working only telling the users "Logon Attempt Failed".

That means that Outlook failed to access the server using NTLM auth. and need to use "basic auth" instead.

So my question:

Does the ASA 5505 allow NTLM Passthrough? If not, what will I need to buy ?

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

pgoutham — Tue, 10 Jul 2012 06:30:35 GMT

Hello Gaurav,

Apologies for the delayed response, this is a Failover discussion series on Cisco Firewalls, however ill help you to get started on the Certificate issue.

I am not really sure about what is the actual problem. Based on the fact that you have mentioned the ASA is unable to enroll with Microsoft CA server i would first enable the following debugs:

debug crypto ca 255
debug crypto ca transactions 255

I would actually start with researching on what error messages you had received while you tried to enroll and what was the procedure you used to enroll from the ASA perspective, i would also suggest that you take a packet capture to see if the CA server and the ASA are able to communicate without any network level issues.

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

pgoutham — Tue, 10 Jul 2012 08:15:33 GMT

Hello Johan,

This forum is specifically for the Failover Discussion on Cisco Firewalls, however to answer your question, Yes ASA supports NTLM Passthrough:

The ASA supports the following Single Sign On (SSO) methods: 
 Kerberos Constrained Delegation (KCD) 
 Computer Associates Siteminder (Netegrity) 
 RSA Access Manager (ClearTrust) 
 Security Assertion Markup Language (SAML v1.1) 
 Basic/NTLM/FTP/CIFS authentication pass-through 
 Forms-based authentication pass-through;HTTP-POST via variable substitution (macros) 

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html

Do let me know what troubleshooting you have done so far... Hope that helps.

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

johantuneld — Tue, 10 Jul 2012 08:38:13 GMT

Hmm...

As I can read on the provided URL those auth methods is supported on the "Single sign-on (SSO) for clientless SSL VPN users" section...

And I am not talking about building any VPN solution.

But can that be the issue? That the ASA is picking up the NTLM for the VPN? Not possible to disable the VPN feature somehow?

Troubleshoting done:

With D-Lnk it works. With Cisco it doesn't.

(Both devices redirects the TCP 443 to the internal IP of the server. Nothing else done)

Re: Ask the Expert:Configuring, Troubleshooting & Best Practices

ROBERTO TACCON — Tue, 10 Jul 2012 09:08:25 GMT

Hello Jonan,

you indicate "Port 443 is opened " the Cisco ASA do NOT inspect this particular SSL port.

Have you check the output of the following cli command:

packet-tracer input outside tcp "internetsourceipaddress" 44444 "exchangeserveripaddress" 443 detailed

show service-policy flow tcp host "internetsourceipaddress" host "exchangeserveripaddress" eq 443

show service-policy

Regards