Cisco ASA 5525x SFR module not communicating through ASA management 0/0

gtsesmelis
Level 1

Hi team,

I have a failover Cisco ASA 5525x with an SFR module with an IP configured, working through ASA management 0/0 (it is our backup SFR).

It is connected to an access switch port.

It was working as expected and I was able to ping the IP until a week ago. For a week now I can't ping the SFR IP and it is not working anymore.

I tried the following:

-> Changed the Ethernet cable, with no luck.

-> Reset the switch port, with no luck.

-> Assigned the configuration on a different switch on the network and connected there, but again no luck. (I have to mention that in the switch MAC address table I can't see the ASA's interface for SFR for some reason.)

Also, the switch port where it is connected is slow to come up. And if it eventually does come up, it doesn't communicate.

The strange thing is that when I connect my laptop back to back with the ASA's interface management 0/0, I can ping the IP I have assigned to it and I'm able to connect to the SFR module.

Any help will be appreciated:-)

Thanks in advance.

15 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

I am assuming that the SFR module is up and running. You should be able to ping the SFR from the ASA. Do you see an entry for the SFR in show arp on the ASA? Similarly, on the SFR, try pinging the ASA and check for the arp entry.

You can try restarting the network services if you think something has gone wrong with them, but before that please make sure connectivity, arp entries etc. are in place. The command to restart the networking is /etc/rc.d/init.d/network restart.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi,

Thanks for the reply.

Yes, the sfr is up and running, but in my troubleshooting I wasn't able to ping the sfr from the asa.

On Friday I will look at arp on the asa to see what is happening and I'll get back to you.

In the meantime I have a question: the command mentioned above, do I have to run it from the asa cli or from the sfr module?

Regards

The command Aastha mentioned is on the sfr module. (Note it is a script in the Linux filesystem.)

You do have a unique IP address on the backup sfr module - correct?

Yes, I have a unique IP address on the backup sfr module, but on the same network and vlan as the primary sfr.

Sounds like something external to the sfr module.

Could somebody have used the same IP address as your sfr module?

Checking the arp caches will verify that.

I'll do that on Friday and I will get back with the results.

Great. Let us know what you find.

Hi,

On the asa, when doing sh arp, the IP for the sfr isn't included in the result.

I saw on FireSIGHT that I get the message "Module Appliance Heartbeat: Appliance is xxx not sending heartbeats"

I also tried to execute the command "/etc/rc.d/init.d/network restart" from the sfr console, with no luck.

Any suggestions?

On the ASA FirePOWER module you will need to drop from the sfr command line interface into the Linux shell before running any OS commands.

You do that with the command:

expert

:) 

OK, thanks. I'm not very familiar with Cisco FirePOWER sfr and Linux. I'll try the command to see what happens and I'll let you know.

I was able to run the command after entering expert, like this:

sudo /etc/rc.d/init.d/network restart

I got the following result:

admin@Sourcefire:~$ sudo /etc/rc.d/init.d/network restart
Password:
10G[  OK  ]ng default route
10G[  OK  ]ng address on eth0
10G[  OK  ]ng IPv6
10G[  OK  ]erface
10G[  OK  ]rface eth0
10G[  OK  ]...
Configuring DNS server: [x.x.x.x y.y.y.y] [wwww.local]
10G[  OK  ]rver: [x.x.x.x, y.y.y.y] [wwww.local]
10G[  OK  ] ntp server
10G[  OK  ] address the eth0 interface...
10G[  OK  ] IPv4 default route
10G[  OK  ] hostname to Sourcefire3D
10G[  OK  ]ng IPv6
10G[  OK  ]p server
10G[  OK  ]ts file
admin@Sourcefire:~$

but I still can't ping the sfr IP. The sfr version is 5.3.1-152

Any other suggestions?

Hi,

Just to be sure of the setup: the management interface of the ASA should be plugged into the same L2 switch and should also be in the same vlan, and ASA inside (default g/w of SFR) is .

Once the setup is fine, you should be able to get the arp entry of the SFR on the ASA.

Can you check the vlan on the switch itself?

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi,

I've checked everything you mentioned and it was ok. It was playing in the first place but suddenly stopped.

I re-imaged the sfr of the secondary ASA and it works now.

I will also proceed on updating the firepower modules on both ASA.

Thanks a lot for the help.

Also, when I do show managers on the sfr console I get:

> show managers
Type                      : Manager
Host                      : x.x.x.x
Registration              : Completed

>
