topic Re: switch ASA outside interface connection in Network Security

switch ASA outside interface connection

gnaveen — Mon, 11 Mar 2019 20:05:10 GMT

Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.

We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.

What best practice should we be aware of to do this?

What commands should we be familar ourself with?

Though this will be doine in our maintenace window.

All the transaltions/connections will be dropped in our production environment so we are kind of scared.

Appreciate if someone has some suggestions as how we can do this with minimum downtime.

-NG

Re: switch ASA outside interface connection

JORGE RODRIGUEZ — Fri, 11 Mar 2011 23:00:57 GMT

Hi NG,

You are correct about the 2 Gig capable ports e0/0 and e0/1 after license upgrade, most likely the far end port can only do handle up to 100mb.

When you and teh ISP upgrade to Gig cable switches I suggest to use auto for the speed and duplex at both ends, this way you can see the actual bandwidth/speed when issuing show interfaces on the firewall.

What best practice should we be aware of to do this?

There is no realy a best practice when doing these chnages other than using common sense ,

The usual stuff , never do these chnages during production hours. Coordinate with your ISP and have a resource handy from their end when making chnages on the port settings ISP side . There will always be a quick hiccup when changing speed duplex but if you and the ISP make the changes right away at the same time you probably will not even feel the network disconnects 3 to 4 seconds at the most.

on your side you can simply go to the interface and issue those commands

What commands should we be familar ourself with?

interface Ethernet0/0

speed auto

duplex auto

interface Ethernet0/1

speed auto

duplex auto

show interfaces

Regards

Re: switch ASA outside interface connection

gnaveen — Sat, 12 Mar 2011 00:51:19 GMT

Thanks Jorge! My real concern is if there any way to avoid this hicchup. As what I understand during the network disconnect all the "Connections" will essentially disconect. Only the "translations" still might be able to stand the hicchups.

Re: switch ASA outside interface connection

gnaveen — Sun, 13 Mar 2011 17:03:34 GMT

Assuming, that it takes 10 minutes for this ordeal where the ISP brings down our ASA outside Ethernet0/0 connection.

Do you think changing the UDP connection timeout from the default 2 min to 10 min can avoid this hiccup?

This is what is configured right now on the ASA

!
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
!

ASA5510#show conn detail
UDP outside:74.210.112.106/1061 WEB:10.39.128.10/1191,
flags -, idle 0s, uptime 17h5m, timeout 2m0s, bytes 618455
TCP outside:10.41.1.123/1203 inside:10.39.1.91/1151,
flags UIO, idle 23s, uptime 17h7m, timeout 1h0m, bytes 137721