Solved: A correction, I get a

Mikael Gustafsson · ‎04-14-2014

Hi,

I have a communication problem from the ASA CX boot image and can not install the SW because of that.

I'm following the quick setup guide: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html#wp51233

On the CX I can't ping the network or the DefGW. But when I ping from the network and (of course) the DefGW I get a reply from the CX module.

I'm a bit lost so what could be blocking the traffic for the CX module? Anything in ASA as of this being a SW module?

Running ASA 5525-X 9.1(4) and ASA CX 9.2.1.2-77 boot image.

Ping from CX (172.16.1.113)

asa-cx-02-boot>ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1): 56 data bytes

--- 172.16.1.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss

Ping from DefGW. (172.16.1.1)

Core#ping 172.16.1.113
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

Any help appreciated.

Cheers

Marvin Rhoads · ‎04-15-2014

Physically are you using the M0/0 interface? That is what your CX management connection will bind to and it must be used.

If you also have a management address configured on M0/0 is the ASA, it must be in the same subnet (but on a different IP address).

View solution in original post

Mikael Gustafsson · ‎04-15-2014

A correction,

I get a response on ICMP from the DefGW because of a IP conflict.

Now when I try, with a new IP address, it behaves same on both boxes, no response in or out from CX. (have a pair)

I have restarted the boot image with a partition twice but with the same result.

Is there any form for troubleshooting I can do on the ASA? Any asp drop or debug output to look for?

Cheers

Marvin Rhoads · ‎04-15-2014

Physically are you using the M0/0 interface? That is what your CX management connection will bind to and it must be used.

If you also have a management address configured on M0/0 is the ASA, it must be in the same subnet (but on a different IP address).

Mikael Gustafsson · ‎04-15-2014

No the ASA is not using M0/0 but Inside for management... But now when I read this again I see that I need to use the M0/0 for CX. I misunderstood that one, I thought that I could use Inside but it actually say M0/0 for ASA CX and Inside for ASA.

Easy to miss :-)

Thanks!

If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you remove the ASA-configured name from the Management 0/0 interface, you can still configure the ASA CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.

Marvin Rhoads · ‎04-15-2014

Yes, that is confusing at first. Especially so since it contrasts from the behavior of the ASA. It's sort of a hybrid of the behavior of a CSC module (always use a dedicated hardware port) and that of a base ASA (Management port available but use is optional).

It took me three readings of the setup document to follow the language and I had the benefit of a deep dive training with hands-on lab to drill the need into my head. :)

Thanks for the rating - glad it helped.

ASA CX install problem