Kureli Sankar
Cisco Employee

 

Introduction


 

This document contains the answers provided by Kureli Sankar for the questions asked during the live "Ask the Expert" Webcast session on the Topic - Troubleshooting ASA, PIX, and FWSM.

 

The series of Ask The Expert sessions is available in the Ask The Expert section of Cisco Support Community.

 

The Complete Recording of this live Webcast is present below:

 

ASA/PIX - Basic Configuration

Q.  Is ASA 5500 limited to one outside interface?

A. No. There are customers who run a DMZ both public-facing and internet-facing, and even have the inside port internet-facing. Basically, you could have 2 interfaces internet-facing, but only one is the default route.


 

Q. Is it possible to have two (2) inside interfaces on the same subnet on ASA 5505/5510?

A. Meaning inside1 and inside2? Certainly. On the same subnet? No. It has to be on a different subnet.


 

Q. Can reserved addresses be configured in the DHCP scope on the DHCP server on the ASA?

A. Yes, you can configure those scopes from 10 to 20, and start off at 30 to 40, ignoring the small segment left out.


 

Q. We set up our ASAs via CLI and plan to implement CSM to manage the Firewall and VPNs. Are there any issues or reasons why we should not use CSM?

A. No, I don't see any reason why not to use CSM. People use CSM because many people are involved in making minor, access-less changes, who work on a shift basis and don't have privilege 15 access on the firewall. It allows people to make requests for changes, etc. It also allows for archiving of changes, which allows you to roll back a config if it doesn't work. But bear in mind, once you start managing a device with CSM, only make changes from CSM. DO NOT make changes with CLI, only from CSM. If you make changes with CLI, then implement changes with CSM, your CLI changes will be ignored.


Q. What are the different modes you can run on the ASA firewall and what is the most practical mode to run the ASA?

A. There are two modes you can run a firewall in:

- Routed

- Transparent

In routed mode the ASA is a hop in a network, and in transparent mode the ASA is not a hop and works at Layer 2. A transparent firewall can only use 2 interfaces for traffic filtering and can be installed in an existing network with minimal changes. It completely depends on the security policy/environment as to which mode would suit the network.

 

 

ASA/PIX - Software Versions

Q. Why should we upgrade to ASA Version 8.3 considering the learning curve with changes to the NAT rules?

A. ASA version 8.3 has new features like Smart Call Home, global ACLs, VPN and inspection enhancements that could be very useful to people. I would suggest looking at the ASA 8.3 Release Notes for all the new features. As a side note, the learning curve is something that will take time. One more advantage is that NAT will be simpler in ASA 8.3. I hope this makes sense.

 

Q. When I upgraded to 8.3, our NAT quit working. Looking through the Release Notes and Migration Guide, we didn't see any notes on this or even procedures to take before the upgrade. Do you have any suggestions?

A. The Release Notes say that you need to upgrade memory, but the rest of the migration should go smoothly. The notes will also say how to downgrade using the downgrade command. Now, if you faced an issue, you could be hitting one defect we have seen with ACL migration or one with overlapping NATs; I am not sure which exactly. I would suggest downgrading if there are issues and keeping a copy of the 8.3 config to talk to TAC to see if you hit the defects I mentioned.

 

Q. I have an ASA 5510 running 7.0(6). If I upgrade to 8.2, will I have to update the config file for incompatibility?

A. There have been a few commands which got changed/deprecated from 7.0 -> 8.2. Hence, it would be better to possibly do a step-by-step upgrade so that command changes are done accordingly: 7.0 -> 7.1 -> 7.2 -> 8.0 -> 8.2.

 

Q. What special considerations do I need to consider when I have to put private addresses on the outside of the ASA? In this case, we have a subordinate campus that wants their own ASA but we are in 10.1.1.x here for their uplink (we are the ISP).

A. Private IP addresses are to save address space. They will work like other IP addresses as long as the routing is in place. I am not sure exactly how you will assign private IP addresses to a campus reachable from the internet, but you need to consider routing and also that sometimes, following RFC1918, network administrators might block private IP addresses on their routers, firewalls, etc. Otherwise the private ranges can be used exactly as public. I hope it helps.

 

Q. I'm using an ASA 5505. When copying a config from TFTP to startup config, is the startup config merged with the TFTP config like when using a PIX w/ 6.3, or is the startup config overwritten completely?

A. The config is completely overwritten; only when you copy over to the running config does it merge. Once you copy over the startup config, it will completely overwrite the startup config.


Q. Can I copy the config from ASA5550 to ASA5540? Thanks.

A. Yes, we can. However, keep in mind that the ASA5550 comes with a bundled 4-GE-SSM module. If these interfaces are in use on the ASA5550 but do not exist on the ASA5540, configuration related to those interfaces will be ignored.

 

Failover

Q. We have our failover going through a switch. Is this preferred over a cable? We had a module fail that had the primary interfaces and the failover on it, so the ASA did not fail over. We assume that to fix this, we need to move the failover to another switch blade than the primary interfaces. Is this correct?

A. That would be correct. The firewall performs an ARP test before failing over when the failover link goes. It will ARP out all interfaces for its peer to see if it can elicit a response. If any response is received, a failover will not take place, so as to avoid an active/active scenario. With the failover link down, the two firewalls cannot communicate their status to each other. In your case, they probably saw each other on another interface, preventing the failover.

 

Q. Are VPNs supported in an active/active configuration?

A. When the security appliance is configured for security contexts (also called firewall multimode) or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable.

 

Q. Can you configure two 5500 ASAs in failover mode via the management interface to connect the two?

A. Yes. However, keep in mind that Management interfaces are FastEthernet interfaces. If you plan to share the stateful link also with the failover link, you should use the fastest interface available on the unit.

 

Q. Is it possible to have a failover ASA that does not have the AIP-SSM installed when the primary has the AIP-SSM installed?

A. Yes. However, if the configuration is utilizing the AIP-SSM, then this would not work.

 

Q. Shouldn't stateful failover include routing information / OSPF negotiations if customers aren't supposed to notice an outage during a failover event?

A. Correct. Currently, dynamic routing tables are not replicated from the active to the standby unit. There is an enhancement request filed to add this feature; refer to bug ID CSCsu90386 (registered customers only).

 

Q. Is there a roadmap to adding routing tables to stateful failover? We have ASAs in stateful failover, but that is worthless as we need to wait 20-40 seconds for OSPF to update the routing tables on the newly active ASA when a failover occurs.

A. Yes. This is on the roadmap. There is an enhancement bug filed for this; refer to bug ID CSCsl08631 (registered customers only). You can track the progress of this request or you can work with the accounts team to get this feature added in future releases.

 

Q. Can we upgrade the firmware for a pair of firewalls in HA mode without downtime? Especially since only one of the firewalls needs to be upgraded.

A. You can use the 'Zero-downtime upgrade' procedure. Please find the same at the following link:

 

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398

 

Q. What is the difference between STATE failover and LAN failover? Types of failover, like LAN, STATE, Serial: what is the exact difference?

A. There are two types of failover mechanisms:

- Cable-based failover (only on PIX)

- LAN-based failover

In cable-based failover, a serial cable is connected between the two firewalls over which failover communications happen. In LAN-based failover, [fast/gig]ethernet ports of the two units are connected, on which failover communications occur. Stateful failover is an additional feature which can be utilized in cable/LAN failover. This feature allows replication of the state table from the Active to the Standby unit. Thus, in the event of a failover, the user does not have to re-establish the connection.

 

Q. Between these two commands -- failover interface ip FAILOVER and failover interface ip STATE -- what is the difference between both commands?

A. One is for the interface, the other is for stateful. Stateful is the state that TCP will be updated between the two machines over the STATE link. Sometimes the failover and STATE links are over the same line. When a failover happens, and the stateful is not defined, all the TCP and UDP sessions have to be re-established.


Q. For ASA5510, will it be better to use a 1GE interface as the failover interface or a 100T interface? Which is sufficient to become the failover interface?

A. For these connections, will you be routing the traffic out to an intermediary device on the outside interface then back to the ASA? Without knowing the exact requirements it is hard to say exactly how this will be accomplished. Here is a link for intra-interface communications on the ASA: http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080734db7.shtml

 

Q. Do route tables sync in 3.1 failover?

A. No. For example, OSPF will need to re-converge after a failover event. I hope it makes sense.

 

ASA/PIX - Support

 

Q. Do the ASA5505 and 5510 support DMVPN with the SR520?

A. ASA does not support DMVPN.


Q. Is it still a recommended feature to keep the number of firewall rules not in a big number?

A. You can say that it is a good recommendation. It makes the ACE search faster so your firewall can process packets faster. Most people will not notice any difference, but we have seen CPU issues in the past with huge ACLs (~400K on an ASA). I hope it helps.

Q. To confirm, the ASA doesn't do routing protocol/BGP for multiple internet connections? Must we use a router or L3 switch?

A. Correct. The ASA will not do BGP. It can do RIP, OSPF, EIGRP. The FWSM will support BGP. I hope it clarifies it.

 

ASA - QoS

 

Q. Can the ASA set QoS tags?

A. Nope. The ASA will match and police/shape/prioritize based on tags. But it cannot set them.

 

Q. I have a Cisco 5510 and several Cisco 5505s. At each location we have a Cisco 5505, with 2 types of traffic: staff and public. How can I set up QoS or prioritization for our staff so they get priority through the VPN?

A. There is a very good example here:

 

https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization

 

You match on the staff traffic and you police the rest of your VPN. Note that you need to police in order for prioritization to kick in. So decide how much your VPN will take and prioritize traffic that matches the staff. I hope it helps.

 

Q. We are using phone proxy on our ASA5520 in our organization. Is there anything that can be done to improve call quality?

A. The ASA does provide functionality for QoS and priority queuing of the voice traffic. This typically only comes into play if the interfaces are being saturated with traffic. Besides QoS, we would need to take a look at the interfaces to see if there are any errors or indications of problems. It may be something further upstream which is causing the quality issues. It is also important to monitor when the problem occurs. Does it only happen during peak times? This would be an indication of link saturation.

 

ASA/PIX - Issues

Q. I'm running an ASA 5505 on my network and my VPN tunnels drop at random times. Some stay up for 20 days, others fail in 15 minutes. Do you know why I would see this activity?

A. I'm not really sure on the answer for that one. Usually the lifetime of a tunnel is defaulted to a specific number. Sorry.


 

Q. I'm having high latency after switching to ASA 5505. Any suggestions?

A. I would suggest checking the interfaces first. Do a "sh interface | i error" on the ASA and connected devices. If you see errors, check for duplex or speed mismatch. If not, check the load on the ASA, "sh cpu" and "sh interface", and look if you see high CPU or overruns or underruns. Those could relate to too much traffic. Finally, if the above doesn't help, try to capture packets for a slow flow in and out of the ASA to try to eliminate where the slowness/drops are introduced. It could be a pipe oversubscription issue also. I hope it helps.
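The interface checks in that answer can be scripted. The following Python, added here and not part of the webcast or of the ASA, parses a constructed sample of "show interface" output (layout approximates ASA 8.x; all counter values are invented) and reports, per interface, the findings the answer tells you to look for: CRC/frame/late-collision errors and a half-duplex negotiation (speed or duplex mismatch), then overruns and underruns (load).

```python
import re
from typing import Dict, List

# Constructed sample of "show interface" output for two interfaces.
# The layout approximates ASA 8.x; the counters are invented for this example.
SAMPLE_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        1834420 packets input, 1623420110 bytes, 0 no buffer
        Received 14020 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1702331 packets output, 902331108 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        9134420 packets input, 7623420110 bytes, 0 no buffer
        Received 32020 broadcasts, 12 runts, 0 giants
        4312 input errors, 4310 CRC, 2 frame, 3890 overrun, 0 ignored, 0 abort
        8702331 packets output, 6902331108 bytes, 117 underruns
        0 output errors, 2210 collisions, 0 interface resets
        188 late collisions, 0 deferred
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
DUPLEX_RE = re.compile(r"\((Full|Half)-duplex\)")
COUNTER_RE = re.compile(
    r"(\d+) (input errors|CRC|frame|overrun|underruns|collisions|late collisions)\b")


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Return {nameif: {"duplex": "full"|"half"|None, "counters": {name: int}}}."""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)  # nameif, or hardware name if unnamed
            ifaces[current] = {"duplex": None, "counters": {}}
            continue
        if current is None:
            continue
        m = DUPLEX_RE.search(line)
        if m:
            ifaces[current]["duplex"] = m.group(1).lower()
        for value, name in COUNTER_RE.findall(line):
            ifaces[current]["counters"][name] = int(value)
    return ifaces


def diagnose(ifaces: Dict[str, dict]) -> Dict[str, List[str]]:
    """Per interface, the findings in the order the answer checks them:
    link errors first, then duplex, then overruns/underruns (load)."""
    findings: Dict[str, List[str]] = {}
    for name, info in ifaces.items():
        c = info["counters"]
        notes = []
        if c.get("CRC", 0) or c.get("frame", 0) or c.get("late collisions", 0):
            notes.append("link errors: check speed/duplex on both ends of the link")
        if info["duplex"] == "half":
            notes.append("half-duplex negotiated: likely mismatch with the switch port")
        if c.get("overrun", 0):
            notes.append("overruns: inbound rate exceeds what the ASA drains from the NIC")
        if c.get("underruns", 0):
            notes.append("underruns: outbound rate exceeds what the NIC can transmit")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for iface, notes in diagnose(parse_show_interface(SAMPLE_SHOW_INTERFACE)).items():
        print(iface, "->", "; ".join(notes))
```

On a live unit, feed it the text of "show interface" captured from the CLI instead of the sample; an interface with no findings is simply omitted from the result.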

 

Q. I have an ASA 5510 running IOS version 8.2.2 and Device Manager 6.2.5.53. I have been constantly having memory issues since upgrading to these versions. I have opened multiple TAC cases for this issue, but have not yet been able to have this issue resolved. I run the same configuration on ASA 5520s with no issues. Are there known memory issues with this IOS and Device Manager version when running on a 5510?

A. There are some memory leak issues with the 8.2.2 version; however, those are *not* specific to the ASA5510 platform. I think we first need to establish if what you are running into is a memory leak issue or high memory utilization. To track this, you should check what the status of free memory is just after the device boots up. If the free memory % is very low, then possibly it's the size of the configuration (typically ACLs) which could be eating up memory. If the device boots with ample free memory %, but this gradually decreases, it means you are running into a memory leak issue. To track what memory leak bug you are running into needs more comprehensive data for analysis. If possible, you can upgrade to the latest CCO release available and track from there if facing a memory leak issue.

 

Q. I've been having a problem where there is no "no shut" for inside or outside interfaces on our ASA 5505. Is this a problem specific to the ASA 5505?

A. Are you trying to do "shut - no shut" under the VLAN or the interface? Note that the 5505 has VLAN interfaces and the physical interfaces. You should be able to do a "shut - no shut" under the physical. Please elaborate with a snippet if that is what you are trying to do.

 

Q. What would be considered an excessive amount of TCP connections using the "sh local | i host|count/limit" command you mentioned?

A. In regards to what would be considered "normal", it is dependent on your situation. If you were a small company with a web server, it may have up to 40 to 50 connections. If you were a big company/enterprise (eBay, PayPal, etc.), they may have thousands of connections. It really depends on the size of the network along with how many users are on the network. Another indicator is the embryonic count. If it's above 200-300, then there is clearly something wrong/malicious traffic.


 

Q. Can you explain the sh local | i host | count/limit command?

A. That command is used for isolating specific hosts which may be generating an abnormally high number of connections. Suppose you have a client on the inside which is infected with a virus and scanning the network. This command will parse through the local host entries and output each host seen as well as the total number of connections associated to that host.

 

Q. Is the "sh local | i local | count/limit" command version specific?

A. No. It should work in 7.2 and 8.x versions.

 

Q. I have SSH running on the ASA. Why does my config prompt for the enable password each time? It seems that level 15/priv 15 works for routers, why not ASA?

A. Yup, the ASA will not get you to enable mode right away even for the  priv15 users. It was by design.

 

FWSM

Q. We are running FWSM 4.0(8) on my network. We have a scheduled failover test coming up and, occasionally in the past, failover worked but sessions would not establish after the failover until a "clear xlate" was performed. Is 4.0(8) affected by this issue - that is, will we have to "clear xlate" after each failover?

A. No, you should not have to initiate a "clear xlate" after any failover. I have not run into any known defects that require a clear xlate. Failover should be very smooth and, if you configured a stable failover, you do not have to clear xlate and configure the sessions again. It should be seamless.


 

Q. Is there a quick reference guide to differences between the 3.1x train and 4.0x train of the FWSM?

A. There isn't a quick reference guide for the main differences. The best place to learn what changes have occurred is to look at the release notes. Please look at the links provided in the PowerPoint (and at the bottom of this post).


Q. Is there a link on upgrading the FWSM firmware from 3.1(6) to 3.1(18), and how disruptive is it?

A. It's not disruptive at all. The following link steps through this procedure. Download the image, put it on your TFTP server and copy the image onto both of the units. Then reload the active unit so the standby unit will become the active unit. Once the first unit is done updating, you can do the same to the other unit. If it's just one unit, then just reload it with the image. Please note this is for maintenance release upgrades only.

 

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/swcnfg_f.html#wp1057450

 


 

Q. Our FWSM is running version 3.1(6) with Device Manager 5.2(3)F. What version of code do you recommend I upgrade to?

A. If you are planning for an upgrade, unless there are specific features you require in a later release, it is best to stay on the current minor build (2nd number) and go to the latest maintenance release available (3rd number). Currently we are on 3.1(18).

 

ASA-PIX-FWSM - Difference

Q. Hi, I would like to know the exact difference between ASA and FWSM. As per my understanding, I found only a throughput difference.

A. The FWSM is a specialized firewall designed to be installed in the 6500 switching platform. The hardware architecture has been designed to complement the switch and allows for greater performance. The ASAs are standalone firewalls, but support features not found on the FWSM. This includes IPSec/SSL VPN and content filtering, among others. The higher-end ASAs also have performance numbers that can compete with the FWSM.

 

Q. What's different between ASA, PIX and FWSM?

A. The FWSM is a specialized firewall designed to be installed in the 6500 switching platform. The hardware architecture has been designed to complement the switch and allows for greater performance. The ASAs are standalone firewalls, but support features not found on the FWSM. This includes IPSec/SSL VPN and content filtering, among others. The higher-end ASAs also have performance numbers that can compete with the FWSM. You can also install additional modules like AIP-SSM/CSC-SSM on ASA platforms to get intrusion prevention or content security. PIXes are older platforms much like ASAs; however, they do not support additional modules like AIP-SSM/CSC-SSM.

 

Miscellaneous

Q. Recently, our company got hit with a virus and the infected PCs were sending data to the internet. How can we stop this immediately using the firewall, and what indicators would we need to look for in the firewall logs to identify the infected PCs?

A. We reviewed a command in the presentation: "show local | include host | count/limit" (located in the High CPU usage portion of the presentation). If you can run that command, it will show you individual IP addresses inside the firewall and the UDP and TCP connections they have established onto the internet. And you can go onto that PC and see what's wrong with it.
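The "show local-host | include host|count/limit" answers above (this one and the three in the ASA/PIX - Issues section) describe a manual scan of per-host connection counts. The following Python, added here and not part of the webcast or of the ASA, does the same scan in scriptable form over a constructed sample of "show local-host" output (layout approximates ASA 8.x; addresses and counts are invented): it parses each host's TCP/UDP flow counts and embryonic count and flags hosts above a threshold, defaulting the embryonic threshold to the 200-300 range given earlier.

```python
import re
from typing import Dict, List

# Constructed sample of unfiltered "show local-host" output. The layout
# approximates ASA 8.x; the addresses and counts are invented for this example.
# Host .77 is the "infected client" case: a huge TCP count with most flows embryonic.
SAMPLE_SHOW_LOCAL_HOST = """\
Interface inside: 3 active, 12 maximum active, 0 denied
local host: <192.168.10.21>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 3/unlimited
local host: <192.168.10.77>,
    TCP flow count/limit = 1840/unlimited
    TCP embryonic count to host = 612
    TCP intercept watermark = unlimited
    UDP flow count/limit = 95/unlimited
local host: <192.168.10.102>,
    TCP flow count/limit = 40/unlimited
    TCP embryonic count to host = 4
    TCP intercept watermark = unlimited
    UDP flow count/limit = 320/unlimited
"""

HOST_RE = re.compile(r"^local host:\s*<([^>]+)>")
COUNT_RE = re.compile(r"^\s*(TCP|UDP) flow count/limit\s*=\s*(\d+)/(\d+|unlimited)")
EMBRYONIC_RE = re.compile(r"^\s*TCP embryonic count to host\s*=\s*(\d+)")


def parse_local_host(text: str) -> Dict[str, Dict[str, int]]:
    """Return {host: {"tcp": n, "udp": n, "embryonic": n}} from show local-host text."""
    hosts: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"tcp": 0, "udp": 0, "embryonic": 0}
            continue
        if current is None:
            continue  # per-interface summary lines before the first host
        m = COUNT_RE.match(line)
        if m:
            hosts[current][m.group(1).lower()] = int(m.group(2))
            continue
        m = EMBRYONIC_RE.match(line)
        if m:
            hosts[current]["embryonic"] = int(m.group(1))
    return hosts


def flag_hosts(hosts: Dict[str, Dict[str, int]],
               conn_threshold: int = 300, embryonic_threshold: int = 200) -> List[str]:
    """Hosts whose TCP+UDP flow total exceeds conn_threshold or whose embryonic
    count exceeds embryonic_threshold, highest flow total first."""
    flagged = []
    for host, c in hosts.items():
        total = c["tcp"] + c["udp"]
        if total > conn_threshold or c["embryonic"] > embryonic_threshold:
            flagged.append((total, host))
    return [host for _, host in sorted(flagged, reverse=True)]


if __name__ == "__main__":
    for host in flag_hosts(parse_local_host(SAMPLE_SHOW_LOCAL_HOST)):
        print("investigate", host)
```

Pick conn_threshold from what is normal on your own network, as the answer on "normal" counts says; the embryonic threshold is the better signal for a scanning host because those flows never complete.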


 

Q. In which case would the server send a TCP RST?

A. A server would send a TCP RST if the service requested by the client is not active. Some applications may generate a RESET if they want to abruptly close a connection.

 

Q. Is there anything like the archive function found on Cisco IOS for the ASA? The purpose is to be able to automatically push out a config change to an FTP server as well as automatically push the config on a schedule.

A. There are management tools that can do that, like VMS RME/CSM and AUS. The ASA with AUS will pull configs from a server. RME will automatically archive and manage configs and images. Also please check the ASA command "write net" that can pull configs from a TFTP server whenever you want. I hope it helps a little.

 

Q. How do you figure out what number of embryonic connections and TCP/UDP max connections you should allow into your DMZ?

A. It depends on your servers. Someone that has 2 servers will allow less than someone that has 20. It also depends on what is normal for your networks. I would suggest keeping track of "sh conn | i <server ip address>" and deciding what is the normal profile for your servers. And then setting your limits a little above the normal. I hope it makes sense.

 

Q. If you will cover ASA VPN at all, does a dynamic access policy get 'processed' first when an IPsec user connects, or does the group policy process the access request without using the DAP?

A. We will mostly focus on troubleshooting, not so much VPN today. Maybe later in the future. To answer your question, the sequence is as follows: the user logs in and gets the attributes from the tunnel-group and group-policy, then DAP kicks in and any actions specified are then applied. I hope it helps.

 

 

 


 
