Ask the Expert: Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover
06-29-2012 10:22 AM - last edited on 02-13-2020 12:58 PM by Kelli Glass
With Prashanth Goutham R.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham.
Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
Remember to use the rating system to let Prashanth know if you have received an adequate response.
Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
Labels: NGFW Firewalls
07-11-2012 03:49 AM
Hi Prashanth,
Can we use the same failover interface for both LAN and stateful failover?
07-11-2012 04:54 AM
Hello Karthik,
Yes, we can use the same physical interface for both the failover LAN and state links; it should not be a problem. However, this has to be planned well. For example, if you have 8 interfaces (6 Gig + 2 FA) and you make the FA interface the failover + state link, I would say it's a bad design and you are in for frequent failovers.
--- Always make sure that your failover + state interfaces have capacity equal to your highest-capacity interfaces. Especially when you have HTTP replication enabled, I would suggest that you try to have separate failover and state links configured.
--- Also, I would advise not to use the onboard GE interfaces, as they are not as powerful as the module interfaces, meaning they are not multi-threaded and only one core is used to pull data off those interfaces.
--- If you have a 5580 or higher, make sure to use the command show io-bridge to check that the distribution between the 2 I/O slots is equal.
What I've mentioned above is from my experience of what I see working best, but also consider what is mentioned in the ASA Configuration Guide about the same:
Failover Interface Speed for Stateful Links
If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
Use the following failover interface speed guidelines for the adaptive security appliances:
- Cisco ASA 5510: Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit, due to the CPU speed limitation.
- Cisco ASA 5520/5540/5550: Stateful link speed should match the fastest data link.
- Cisco ASA 5580/5585: Use only non-management 1 Gigabit ports for the stateful link, because management ports have lower performance and cannot meet the performance requirement for stateful failover.
For optimum performance when using long-distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages.
All platforms support sharing of the failover heartbeat and stateful link, but we recommend using a separate heartbeat link on systems with high Stateful Failover traffic.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1077536
Hope that helps.
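The layout the answer above recommends, written out as an ASA Active/Standby configuration. This is an added example and not part of the thread or of Cisco's documentation; the unit roles, interface names (FOLINK, STATELINK, GigabitEthernet0/2 and 0/3), addresses and timers are assumptions chosen for illustration, and the placeholder secret must be replaced.

```cisco
! Added example, not from the thread: Active/Standby failover on a pair of
! ASA 5540-class units. Interface names, roles, addresses and timers are assumed.
! The failover (heartbeat) LAN link and the stateful link each get their own
! Gigabit port, matching the fastest data interfaces, instead of sharing one port.

! --- primary unit ---
interface GigabitEthernet0/2
 description failover LAN link
 no shutdown
interface GigabitEthernet0/3
 description stateful failover link
 no shutdown
failover lan unit primary
! Heartbeat / configuration replication link
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Connection-state replication on a second, equally fast port
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Replicate HTTP sessions too; this is what makes the state link busy
failover replication http
! Without a key the failover links carry configuration and connection state in
! clear text, so set one on both units (placeholder, replace it)
failover key <shared-secret>
! Unit hello every 1 s, declare the peer dead after 3 s;
! interface polls every 3 s, mark an interface failed after 15 s
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover

! --- secondary unit: same link definitions, opposite role ---
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <shared-secret>
failover

! Shared layout (the variant asked about): instead of a second port, point the
! stateful link at the failover LAN interface by name and omit the STATELINK lines:
!   failover link FOLINK
! Check the result with: show failover, show failover state, show failover interface
```

The two links are connected back to back or through a dedicated VLAN, never through a transit network, since the heartbeat timers above will trigger a failover on a few seconds of loss. The failover key matters on a shared or switched link because the replication traffic includes the running configuration.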
07-11-2012 06:30 AM
Thanks Prashanth. This clarifies things for me and gave me a good idea of the failover interface settings and a few more options on the performance of the failover and its dependencies. Valuable info.
07-12-2012 02:39 PM
Hello Prashanth,
Thanks for being kind and answering me.
The 1st query was regarding the FWSM and not the ASA; in ASA I have no doubts about the security level.
--- You have mentioned that you have VLAN 2 on your FWSM, which means you have enabled VLAN 2 in your firewall VLAN group in the switch configuration.
YES
--- However, the ping is not working, so make sure the switch VLAN 2 IP address is in the same subnet as the firewall VLAN 2 IP address that was configured.
YES
--- show arp should give you the ARP entry for the firewall interface on the switch, and vice versa as well; if you don't see the ARP entry, try to remove VLAN 2 from the firewall VLAN group and re-enable it.
I will check and update you.
--- In the firewall, make sure that you have the ICMP permit on the interface.
It is done already.
--- Check the syslogs on the firewall to see what is going on.
Nothing seen for this issue.
I have 1 more query: without the "icmp permit any MGMT" command it doesn't allow me to telnet to the MGMT interface!! WHY???
07-13-2012 01:13 AM
Hello Clark,
The 1st query was regarding the FWSM and not the ASA; in ASA I have no doubts about the security level.
My response holds true for both FWSM and ASA in answer to your first question on the security levels; I just edited my previous post to accommodate FWSM as well.
--- Check the syslogs on the firewall to see what is going on.
Nothing seen for this issue.
There should be something in the syslogs. I am sure there should be an event logged; otherwise turn your logging up to Notifications if it's set to a lower level.
I have 1 more query: without the "icmp permit any MGMT" command it doesn't allow me to telnet to the MGMT interface!! WHY???
I don't really think it has any relevance to telnetting to the ASA firewall; you do not need any access-list permitting access at all, in fact, and you just need to configure management access as shown below:
ssh source_IP_address mask source_interface
telnet source_IP_address mask source_interface
My advice to you is to always enable logging, at least to the notifications level, when you are confused about a particular aspect or functionality in the firewall, as this is what gives us an understanding of how the firewall thinks for itself when looking at a particular packet. This is the way it talks to you.
Hope that answers your questions...
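The management-access and logging commands from the answer above, filled in as a complete ASA configuration. This is an added example, not the expert's configuration or anything from the thread; the interface name MGMT, the 10.10.10.0/24 management subnet, the admin username and the syslog collector address are assumptions, and the password placeholder must be replaced.

```cisco
! Added example, not from the thread: management access and logging on an ASA.
! Interface name MGMT, the 10.10.10.0/24 subnet, username and collector are assumed.

! Local fallback account for when the AAA server is unreachable; keep it strong
username admin password <strong-password> privilege 15
! Prefer SSH over telnet: telnet sends the password in clear text
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.10.10.0 255.255.255.0 MGMT
ssh timeout 10
! Put your aaa-server group name before LOCAL to authenticate against
! TACACS+ with local fallback; LOCAL alone is used here as the assumption
aaa authentication ssh console LOCAL
! If telnet really is required, restrict it to one management host. The ASA
! refuses telnet on its lowest-security interface unless it arrives inside a VPN tunnel.
telnet 10.10.10.5 255.255.255.255 MGMT
telnet timeout 5
! No access-list is involved in reaching the ASA itself: the ssh/telnet lines above
! are the whole control. Ping to the interface is governed separately by "icmp":
icmp permit 10.10.10.0 255.255.255.0 MGMT
! Logging at notifications (level 5) shows connection build/teardown and denies
logging enable
logging timestamp
logging buffer-size 65536
logging buffered notifications
! Ship the same level to a syslog collector on the management network
logging host MGMT 10.10.10.20
logging trap notifications
! Read back with: show logging, show run ssh, show run telnet
```

If a management session still fails after this, `show logging` is the first place to look: a session that never appears in the log is being dropped before it reaches the firewall (routing, VLAN or source-interface mismatch), while a logged %ASA-6-106015 or similar deny points at the ASA's own policy.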
07-25-2012 09:23 AM
Hello,
We are trying to design a sandwich ASA in multiple-context mode.
We have a couple of ASA 5505s with licenses for contexts and failover.
We are thinking of Active-Passive and two contexts:
internet --- ASA1andASA2 in failover Context 1 ---- DMZ --- ASA1andASA2 in failover with NAT context 2 ---- LAN.
Is it possible with 3 physical interfaces? (Because probably it is necessary to use one for failover and one for management.)
No problem using NAT on context 2?
No problems using static routes?
Can you give us your advice? Also, if possible, some link where we can find information about the configuration?
Kind regards.
07-31-2012 08:52 AM
I have a problem.
My dedicated server has a hardware firewall, an ASA 5505.
I have to read MySQL data from the server, but the firewall doesn't accept that.
I am going to change the configuration of the Cisco firewall using SSH,
but I don't know how.
Can you tell me the command to accept MySQL?
Thanks.
09-11-2012 02:09 AM
Hi Prashanth,
We have a Cisco ASA 5550 running code asa825-k8.bin.
We have access to our firewall via TACACS only, and local username/password in case TACACS fails.
Recently our audit team found that the default password is still on the firewall. How do I remove the default password from the Cisco ASA 5550?
Kind Regards,
Vishal
12-08-2012 05:08 AM
Hi expert,
Would you please help me with this issue: I have an ASA 5510 and I need to block URLs for specific users, not by IP address. I integrated the ASA with my Active Directory; now it (the ASA) is detecting the users from my domain, but it is not applying the rules to the users.
It's only working using the IP address, using Trend Micro Content Security.
Any help with this issue?
Please contact me on my email:
Thanks
12-27-2012 11:43 PM
Hi Prashanth,
We have a Cisco ASA 5550 firewall running on IOS 8.2.
I have added two new interfaces on the firewall, but they show as failed in the sh failover output:
Last Failover at: 22:50:59 IST Dec 4 2012
This host: Secondary - Active
Active time: 2043566 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6672): Normal
Interface outside (180.x.x.x): Normal
Interface management (192.168.1.1): No Link (Not-Monitored)
Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1d7): Normal
Interface TATA-INTERNET (115.x.x.226): Normal
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Other host: Primary - Failed
Active time: 0 (sec)
slot 0: ASA5550 hw/sw rev (2.0/8.2(2)) status (Up Sys)
Interface DMZ-Inside (10.132.x.x/fe80::226:bff:fe43:6686): Normal
Interface outside (180.x.x.x) Normal
Interface management (0.0.0.0): Normal (Not-Monitored)
Interface IPVSIX (0.0.0.0/fe80::225:84ff:fefd:1ff): Failed (Waiting)
Interface TATA-INTERNET (115.x.x.227): Normal (Waiting)
slot 1: ASA-SSM-4GE-INC hw/sw rev (1.0/1.0(0)10) status (Up)
Stateful Failover Logical Update Statistics
Link : Unconfigured.
Thanks
Bhupendra Jain
12-28-2012 07:13 AM
Bhupendra,
Please start a new thread. The Ask The Expert event is closed.