Ask the Expert: Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

ciscomoderator
Community Manager

With Prashanth Goutham R.

 

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 

 

Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.

 

Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.

Remember to use the rating system to let Prashanth know if you have received an adequate response. 

 

Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

 

Prashanth Goutham R.

Thank you very much for answering my questions. Very appreciated. I hope other users did benefit from your detailed/tested replies.

John

johantuneld
Level 1

Hello Prashanth,

I've set up an ASA 5505 with 3 servers behind it, running Exchange 2007 and RD Gateway behind NAT.

Port 443 is opened to allow Outlook Anywhere so the domain users can access mail from outside the office without setting up a VPN tunnel. I also use the RD Gateway so the users can access their workstations in the LAN and also the TS server (remote desktop).

This was working with the old firewall (D-Link NetDefend), but now the users get prompted with a user/password popup from Outlook. The RD Gateway has also stopped working, only telling the users "Logon Attempt Failed".

That means that Outlook failed to access the server using NTLM auth. and need to use "basic auth" instead.

So my question:

Does the ASA 5505 allow NTLM passthrough? If not, what will I need to buy?

Hello Johan,

This forum is specifically for the failover discussion on Cisco firewalls; however, to answer your question, yes, the ASA supports NTLM passthrough:

The ASA supports the following Single Sign On (SSO) methods:

  • Kerberos Constrained Delegation (KCD)
  • Computer Associates Siteminder (Netegrity)
  • RSA Access Manager (ClearTrust)
  • Security Assertion Markup Language (SAML v1.1)
  • Basic/NTLM/FTP/CIFS authentication pass-through
  • Forms-based authentication pass-through; HTTP-POST via variable substitution (macros)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html

Do let me know what troubleshooting you have done so far... Hope that helps.

Hmm...

As I can read on the provided URL, those auth methods are supported in the "Single sign-on (SSO) for clientless SSL VPN users" section...

And I am not talking about building any VPN solution.

But can that be the issue? That the ASA is picking up the NTLM for the VPN? Not possible to disable the VPN feature somehow?

Troubleshooting done:

With D-Link it works. With Cisco it doesn't.

(Both devices redirect TCP 443 to the internal IP of the server. Nothing else done.)

Hello Johan,

You indicate "Port 443 is opened"; the Cisco ASA does NOT inspect this particular SSL port.

Have you checked the output of the following CLI commands:

packet-tracer input outside tcp "internetsourceipaddress" 44444 "exchangeserveripaddress" 443 detailed

show service-policy flow tcp host "internetsourceipaddress" host "exchangeserveripaddress" eq 443

show service-policy

Regards

Hello Johan,

I misunderstood what you had mentioned. Yes, this is just for the VPN solution; however, if your requirement is not a VPN solution then this can be treated just as normal data traffic, so make sure you have your basics set right like ACLs etc. Also try to get the syslog and packet captures when the test is being done:

1. Apply packet captures on the Inside and Outside Interfaces on your firewall as shown :

access-list ACL_CAP permit ip host host

access-list ACL_CAP permit ip host host  

capture capin access-list ACL_CAP interface inside circular-buffer  

capture capout access-list ACL_CAP interface outside circular-buffer

2. Execute the following command once before and once after your Exchange server test, where your NTLM packets are logged:

show service-policy

3. Also, if you have HTTP inspection enabled, try disabling it and test again.

4. Mention the ASA version running, and provide me the NTLM version configured for your authentication.

r.berndt
Level 1

Hello Prashanth Goutham R.,

we have trouble with our ASA 5510. For some days now our ASA 5510 has looked like a Catalyst CE500-24LC in a newly installed Cisco Network Assistant, and also in the web interface. Here are some pictures of this.

Last year we had a firm that supported our network. But now we have to do it ourselves.

Our ASA 5510 manages some VPNs to our branch offices and mobile devices.

One of these VPNs to mobile devices has been closed since last Saturday.

I can't find a mistake that explains this case.

What could be wrong here?

With kind regards

Ruediger

OK... I've found a second IP of the ASA 5510 (.180). The connection is possible over this IP with the ASDM tool.

But what about the "virtual switch" on IP .254? Both have the same hostname (FECSW01).

On the connected ports of the switch, MACs are registered which really exist on the other switches.

We have only 4 physical Cisco switches. Till now the 5th switch is a mystery to us.

Why is the Cisco Network Assistant not able to show the ASA 5510 on IP .180?

Hello Ruediger,

I am not very familiar with Cisco Network Assistant and this is not a topic which is supported in this ATE series. However, can you please let me know which version of the CNA you have running, as I only notice that CNA 5.0 and above have support for the ASA firewalls:

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps5931/product_data_sheet0900aecd8068820a.html

Only these two firewall models seem to be supported:


• Cisco PIX® 515E Security Appliance

• Cisco ASA 5505 and ASA 5510 Adaptive Security Appliances

I would suggest you do this :

--- Read the release notes of the CNA version you have installed and check if it lists the model and version of ASA you have as a supported model.

--- Make sure the IP address you use for the CNA is the active firewall's interface and that it's reachable from the CNA.

--- Make sure that port 443, or whichever port you have configured for CNA, is free and available when connecting to it.

Take a look at CNA document here and make sure that the Firewall has these ports allowed to the CNA IP:

Communication Protocols

Network Assistant uses HTTPS and HTTP to communicate with community members. It first tries to use HTTPS when using CDP to discover neighboring devices and when devices are added manually. If HTTPS fails, it tries again with HTTP.

The HTTPS port is fixed at 443; the HTTP port defaults to 80. You can specify a different HTTP port when you create a community. Afterward, you use the HTTP Port window to change the HTTP port. The port settings for both HTTPS and HTTP must be the same for all the members of a community.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_network_assistant/version5_4_1/quick/guide/English/creatcom.html#wpxref35998

Discovering and Adding Devices

Follow these steps to compile a list of candidate devices and to add them to a community:

1. Start Network Assistant, and select Connect to a new community in the Connect window. Click Connect.

2. In the Create Community window, enter a name for the community.

3. Click the Advanced button if you want to set an HTTP port other than 80, the default port. Enter the HTTP port number that you want to use. Click OK.

4. Enter the IP address for the starting device, and click Discover Neighbors.

5. In the Devices Found list, select candidate devices that you want to remove.

a. To remove more than one candidate, press Ctrl and make your choices, or press Shift and choose the first and last device in a range.

b. Click Remove.

6. Click Add All To Community to add the remaining devices in the list to the community.


http://www.cisco.com/en/US/docs/net_mgmt/cisco_network_assistant/version5_4_1/quick/guide/English/creatcom.html#wpxref35998

Hope that Helps...

Hello Prashanth Goutham R.,

thanks for the information. I use the current version 5.6 of the CNA and I want to connect to an ASA 5510 firewall.

With the Java ASDM tool I get a connection to the ASA 5510 over port 443 on IP .180.

I'm now also on the server whose IP address is registered in the ASA 5510.

But the attempt to connect to the ASA with the CNA fails with "Unable to connect."

The steps you wrote about, I also did yesterday.

I will look for more details in the settings of the ASA 5510 and cisco community.

thanks and regards

Ruediger

Ruediger,

Taking into consideration that you have already checked the relevant release notes and also made sure that basic connectivity as well as reachability between the firewall and the CNA is available and working, can you please do the following to make sure that the HTTP server functionality on the ASA is working OK?

no http server enable 443

--- Check the connectivity from CNA

http server enable 443

--- Check the connectivity from CNA again

This should help to fix the issue. Hope that helps.

Zubair.Sayed_2
Level 1

Hello Prashant.

We have 2 Cisco ASA-5520 configured as a FO pair.

We have the interfaces configured as Inside, Outside and QA.

Recently what happened was one of the switches in the QA environment failed, which resulted in the firewall showing the interface as "Failed - Waiting"; thereafter the firewalls switched from Primary - Active to Secondary - Active, and Primary - Failed....

How do I remove the QA interface from FO or monitoring on the ASAs?

I don't want to monitor the QA interface because we use this for testing; we usually reboot devices etc. and don't want this to cause any issues to production traffic.

Regards

Zubair

Hello Prashant,

I have 2 questions for you, which are a piece of cake for you I hope:

  • In FWSM, traffic flowing from a lower security level to a higher level requires an access-list and NAT, and also from a higher security level to a lower security level, so then what is the use of the security level in FWSM?
  • I have a strange issue: I configured int vlan 2 on FWSM and gave it security level 90 with nameif Management and an IP address. This is the management VLAN for all the layer 2 switches; the DG on the layer 2 switches is the core switch IP address, which is in the same management VLAN. When I try to ping the management IP address of the core switch or try to telnet to the core switch from another VLAN, I'm not able to do either. I have permitted ip any any from all the VLANs.

Hi.

Thanks for the response.

I understand that by disabling monitoring on that interface we will be at risk and no FO will take place, but for this QA environment we don't require this.

We somehow did experience a brief outage when the Primary firewall failed over and the Secondary firewall took over. When issuing a show failover on the firewall I saw the Primary firewall state change to Primary - Failed and the Secondary was Secondary/Standby Ready.

I shut the QA interface down and the firewall states changed to Primary - Standby and Secondary - Ready. I then proceeded to issue the failover active command on the Primary firewall to normalise the firewalls.

What I would like to find out now is that I do not want to interrupt services again, so when I unshut the QA interfaces will this have any effect on the firewalls?

I will ensure to issue the no monitor-interface QA as you mentioned.

Regards

Zubair

Hello Clark,

I'll answer both your questions though it's not in the failover topic we are discussing:

  • In FWSM, traffic flowing from a lower security level to a higher level requires an access-list and NAT, and also from a higher security level to a lower security level, so then what is the use of the security level in FWSM?

The security levels are, more than anything, the architecture of how the ASA/FWSM firewalls treat the traffic flows. Each interface is assigned a security value ranging from 0 - 100, from the least secure to the most secure interfaces connecting to your firewall. This is basically a level of trust that you build, wherein you can categorize the firewall flows as inbound or outbound. An inbound flow is any flow where the traffic is flowing from a lower security interface to a higher security interface, and an outbound flow is just the vice versa. This in turn ties in with several functions and features of the ASA/FWSM which depend on how they employ this feature. I would suggest you read more about the feature in the Cisco ASA/FWSM configuration guide to get an understanding of the same.

  • I have a strange issue: I configured int vlan 2 on FWSM and gave it security level 90 with nameif Management and an IP address. This is the management VLAN for all the layer 2 switches; the DG on the layer 2 switches is the core switch IP address, which is in the same management VLAN. When I try to ping the management IP address of the core switch or try to telnet to the core switch from another VLAN, I'm not able to do either. I have permitted ip any any from all the VLANs.

--- You have mentioned that you have vlan 2 on your FWSM, which means you have enabled vlan 2 in your firewall vlan-group on the switch configuration.

--- However, the ping is not working, so make sure the switch vlan 2 IP address is in the same subnet as the firewall vlan 2 IP address which was configured.

--- show arp should give you the ARP entry for the firewall interface on the switch, and vice versa; if you don't see the ARP entry, try to remove vlan 2 from the firewall vlan-group and re-enable it.

--- In the firewall make sure that you have the permit icmp interface any so that ICMP pings are not dropped, to allow return ICMP pings as well.

--- Check the syslogs on the firewall to see what is going on.


Hello Zubair,

Even though you had a failover, I do not think you had an outage because of this, as I assume you would have had Stateful Failover enabled, which is the norm today with all Cisco firewalls. I realize the firewall did what it had to do and nothing abnormal. I find your question confusing though, as it says:

"How do I remove the QA interface from FO or monitoring on the ASA's?"

and then you also go on to ask:

"How do I remove the QA interface from FO or monitoring on the ASA's?"

I can tell you that the first option is unavailable and defeats the purpose of failover on the ASA in the first place; however, if your question is just about disabling interface monitoring on the ASA, then please do this:

ASADMZ(config)# no monitor-interface QA

What you would achieve by doing this is : http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079057

Hope that helps.
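The mechanism behind Zubair's switchover, as an added worked example that is not part of this thread and not Cisco's own tooling: the ASA declares a unit failed when the count (or percentage) of failed monitored interfaces reaches the `failover interface-policy` threshold, which defaults to 1, so one dead QA switch was enough to take the primary down. The script below parses a constructed `show failover` excerpt (the interface names, addresses and uptime are made up for the example; the state strings follow the ASA's own wording), lists the monitored interfaces in a Failed state, checks whether the policy would trigger, and emits the `no monitor-interface` line for an interface you choose to exempt. The caveat is the one Zubair already accepted: an exempted interface never causes failover, so a genuine QA outage would go unhandled. Only the "Failed" states are counted here; treating Link Down / No Link the same way is left out as a simplification.

```python
import re
from dataclasses import dataclass

# Constructed sample approximating 'show failover' on an ASA 5520 pair
# running 8.x after a switch in the QA segment died. Names, addresses and
# timers are made up for this example; the state strings ("Normal",
# "Failed (Waiting)", "Normal (Not-Monitored)") are the ones the ASA prints.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
This host: Primary - Failed
        Active time: 0 (sec)
          Interface outside (203.0.113.1): Normal
          Interface inside (10.0.0.1): Normal
          Interface QA (10.10.10.1): Failed (Waiting)
Other host: Secondary - Active
        Active time: 312 (sec)
          Interface outside (203.0.113.2): Normal
          Interface inside (10.0.0.2): Normal
          Interface QA (10.10.10.2): Failed (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host: (.+)$")
IFACE_RE = re.compile(r"^\s+Interface (\S+) \(([^)]*)\): (.+)$")
POLICY_RE = re.compile(r"^Interface Policy (\d+)(%?)$")


@dataclass
class Interface:
    host: str    # "This" or "Other"
    name: str    # nameif, e.g. "QA"
    ip: str
    state: str   # raw state string as printed by the ASA

    @property
    def monitored(self) -> bool:
        # Interfaces removed with 'no monitor-interface' show "(Not-Monitored)".
        return "Not-Monitored" not in self.state

    @property
    def failed(self) -> bool:
        # "Failed" and "Failed (Waiting)" count toward the interface policy.
        return self.state.startswith("Failed")


def parse_show_failover(text: str) -> dict:
    """Extract the interface policy, unit states and per-interface states."""
    result = {"policy": 1, "policy_is_percent": False, "hosts": {}, "interfaces": []}
    current_host = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            result["policy"] = int(m.group(1))
            result["policy_is_percent"] = m.group(2) == "%"
            continue
        m = HOST_RE.match(line)
        if m:
            current_host = m.group(1)
            result["hosts"][current_host] = m.group(2).strip()
            continue
        m = IFACE_RE.match(line)
        if m and current_host:
            result["interfaces"].append(
                Interface(current_host, m.group(1), m.group(2), m.group(3).strip()))
    return result


def failed_monitored(parsed: dict, host: str = "This", exempt=()) -> list:
    """Monitored interfaces on `host` in a Failed state, minus any you plan
    to exempt with 'no monitor-interface'."""
    return [i.name for i in parsed["interfaces"]
            if i.host == host and i.monitored and i.failed and i.name not in exempt]


def policy_triggers(parsed: dict, host: str = "This", exempt=()) -> bool:
    """True when failed monitored interfaces reach the 'failover
    interface-policy' threshold, i.e. the unit fails and the mate takes over."""
    monitored = [i for i in parsed["interfaces"]
                 if i.host == host and i.monitored and i.name not in exempt]
    failed = failed_monitored(parsed, host, exempt)
    if not monitored:
        return False
    if parsed["policy_is_percent"]:
        return 100 * len(failed) / len(monitored) >= parsed["policy"]
    return len(failed) >= parsed["policy"]


def remediation(parsed: dict, exempt) -> list:
    """Config lines that take the named interfaces out of health monitoring."""
    names = sorted({i.name for i in parsed["interfaces"] if i.name in exempt})
    return [f"no monitor-interface {n}" for n in names]


if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print("unit states:", parsed["hosts"])
    print("failed monitored interfaces:", failed_monitored(parsed))
    print("policy triggers failover:", policy_triggers(parsed))
    print("with QA exempted:", policy_triggers(parsed, exempt={"QA"}))
    print("\n".join(remediation(parsed, {"QA"})))
```

Run against the sample, the primary shows QA as its only failed monitored interface, which already meets a policy of 1; exempting QA drops the count to zero, which is exactly what `no monitor-interface QA` does on the box. Raising `failover interface-policy` to 2 (or a percentage) would be the alternative if you want QA watched but not decisive on its own.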
