04-14-2014 07:37 AM - edited 03-11-2019 09:04 PM
Hi,
I have a communication problem from the ASA CX boot image and cannot install the SW because of that.
I'm following the quick setup guide: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html#wp51233
On the CX I can't ping the network or the DefGW. But when I ping from the network and (of course) the DefGW I get a reply from the CX module.
I'm a bit lost so what could be blocking the traffic for the CX module? Anything in ASA as of this being a SW module?
Running ASA 5525-X 9.1(4) and ASA CX 9.2.1.2-77 boot image.
Ping from CX (172.16.1.113)
asa-cx-02-boot>ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1): 56 data bytes
--- 172.16.1.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
Ping from DefGW. (172.16.1.1)
Core#ping 172.16.1.113
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
Any help appreciated.
Cheers
04-15-2014 11:56 AM
A correction,
I get a response on ICMP from the DefGW because of an IP conflict.
Now when I try, with a new IP address, it behaves the same on both boxes, no response in or out from CX. (have a pair)
I have restarted the boot image with a partition twice but with the same result.
Is there any form of troubleshooting I can do on the ASA? Any asp drop or debug output to look for?
Cheers
04-15-2014 12:19 PM
Physically are you using the M0/0 interface? That is what your CX management connection will bind to and it must be used.
If you also have a management address configured on M0/0 in the ASA, it must be in the same subnet (but on a different IP address).
04-15-2014 12:29 PM
No, the ASA is not using M0/0 but Inside for management... But now when I read this again I see that I need to use the M0/0 for CX. I misunderstood that one, I thought that I could use Inside but it actually says M0/0 for ASA CX and Inside for ASA.
Easy to miss :-)
Thanks!
If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you remove the ASA-configured name from the Management 0/0 interface, you can still configure the ASA CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.
04-15-2014 02:43 PM
Yes, that is confusing at first. Especially so since it contrasts with the behavior of the ASA. It's sort of a hybrid of the behavior of a CSC module (always use a dedicated hardware port) and that of a base ASA (Management port available but use is optional).
It took me three readings of the setup document to follow the language and I had the benefit of a deep dive training with hands-on lab to drill the need into my head. :)
Thanks for the rating - glad it helped.