12-21-2010 08:34 AM - edited 03-08-2019 06:38 PM
This document contains the answers provided by Kureli Sankar to the questions asked during the live "Ask the Expert" webcast session on the topic Troubleshooting ASA, PIX, and FWSM.
The series of Ask The Expert sessions is available in the Ask The Expert section of Cisco Support Community.
The Complete Recording of this live Webcast is present below:
A. No; customers run DMZs that are both public-facing and internet-facing, and even have the inside port internet-facing. Basically, you could have 2 interfaces internet-facing, but only one is the default route.
A. Meaning, inside1 and inside2? Certainly. On the same subnet? No. It has to be on a different subnet.
A. Yes, you can configure those scopes from 10 to 20, and start off at 30 to 40, ignoring the small segment left out.
A. No, I don't see any reason why not to use CSM. People use CSM because many people are involved in making minor, access-list changes who work on a shift basis and don't have privilege 15 access on the firewall. It allows people to make requests for changes, etc. It also allows for archiving of changes, which allows you to roll back a config if it doesn't work. But bear in mind, once you start managing a device with CSM, only make changes from CSM. DO NOT make changes with CLI, only from CSM. If you make changes with CLI, then implement changes with CSM, your CLI changes will be ignored.
A. There are two modes you can run a firewall in:
- Routed
- Transparent
In routed mode the ASA is a hop in the network; in transparent mode, the ASA is not a hop and works at Layer 2. A transparent firewall can only use 2 interfaces for traffic filtering and can be installed in an existing network with minimal changes. It completely depends on the security policy/environment as to which mode would suit the network.
A. ASA version 8.3 has new features like Smart Call Home, global ACLs, VPN and inspection enhancements that could be very useful to people. I would suggest looking at the ASA 8.3 Release Notes for all the new features. As a side note, the learning curve is something that will take time. One more advantage is that NAT will be simpler in ASA 8.3. I hope this makes sense.
A. The release notes say that you need to upgrade memory. But the rest of the migration should go smoothly. Also, the notes will say how to downgrade using the downgrade command. Now, if you faced issues you could be hitting one defect we have seen with ACL migration or one with overlapping NATs. I am not sure which exactly. I would suggest downgrading if there are issues and keeping a copy of the 8.3 config to talk to TAC to see if you hit the defects I mentioned.
A. There have been a few commands which got changed/deprecated from 7.0 -> 8.2. Hence, it would be better to do a step-by-step upgrade so that command changes are done accordingly: 7.0 -> 7.1 -> 7.2 -> 8.0 -> 8.2.
A. Private IP addresses are to save address space. They will work like other IP addresses as long as the routing is in place. I am not sure exactly how you will assign private IP addresses to a campus reachable from the internet, but you need to consider routing and also that, following RFC1918, network administrators might block private IP addresses on their routers, firewalls, etc. Otherwise the private ranges can be used exactly as public ones. I hope it helps.
A. The config is completely overwritten; only when you copy over to the running config does it merge. Once you copy over the startup config, it will completely overwrite the startup config.
A. Yes we can. However, keep in mind that ASA5550 comes with a bundled 4-GE-SSM module. If these interfaces are in use on ASA5550, but do not exist on ASA5540, configuration related to those interfaces will be ignored.
A. That would be correct. The firewall performs an ARP test before failing over when the failover link goes. It will ARP out all interfaces for its peer to see if it can elicit a response. If any response is received, a failover will not take place, so as to avoid an active/active scenario. With the failover link down, the two firewalls cannot communicate their status to each other. In your case, they probably saw each other on another interface, preventing the failover.
A. When the security appliance is configured for security contexts (also called firewall multimode) or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable.
A. Yes. However, keep in mind that Management interfaces are FastEthernet interfaces. If you plan to share the stateful link with the failover link as well, you should use the fastest interface available on the unit.
A. Yes. However, if the configuration is utilizing AIP-SSM, then this would not work.
A. Correct. Currently, dynamic routing tables are not replicated from the active to the standby unit. There is an enhancement request filed to add this feature; refer to bug ID CSCsu90386 (registered customers only).
A. Yes. This is on the roadmap. There is an enhancement bug filed for this; refer to bug ID CSCsl08631 (registered customers only). You can track the progress of this request or you can work with the Accounts team to get this feature added in future releases.
A. You can use the 'Zero-downtime upgrade' procedure. Please find it at the following link:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398
A. There are two types of failover mechanisms:
- Cable-based failover (only on PIX)
- LAN-based failover
In cable-based failover a serial cable is connected between two firewalls, over which failover communications happen. In LAN-based failover, [fast/gig]ethernet ports of the two units are connected, on which failover communications occur. Stateful failover is an additional feature which can be utilized with cable/LAN failover. This feature allows replication of the state table from the Active to the Standby unit. Thus, in the event of a failover, the user does not have to re-establish the connection.
A. One is for interface, the other is for stateful. Stateful means the TCP state will be updated between the two machines over the STATE link. Sometimes the failover and STATE links are over the same line. When a failover happens and stateful is not defined, all the TCP and UDP sessions have to be re-established.
A. For these connections, will you be routing the traffic out to an intermediary device on the outside interface then back to the ASA? Without knowing the exact requirements it is hard to say exactly how this will be accomplished. Here is a link for intra interface communications on the ASA. http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080734db7.shtml
A. No. For example, OSPF will need to re-converge after a failover event. I hope it makes sense.
A. ASA does not support DMVPN.
A. You can say that it is a good recommendation. It makes the ACE search faster so your firewall can process packets faster. Most people will not notice any difference, but we have seen CPU issues in the past with huge ACLs (~400K on an ASA). I hope it helps.
A. Correct. The ASA will not do BGP. It can do RIP, OSPF, EIGRP. The FWSM will support BGP. I hope it clarifies it.
A. Nope. The ASA will match and police/shape/prioritize based on tags. But it cannot set them.
A. There is a very good example here:
https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization
You match on the staff traffic and you police the rest of your VPN. Note that you need to police in order for prioritization to kick in. So decide how much your VPN will take and prioritize the traffic that matches the staff. I hope it helps.
A. The ASA does provide functionality for QoS and priority queuing of the voice traffic. This typically only comes into play if the interfaces are being saturated with traffic. Besides QoS, we would need to take a look at the interfaces to see if there are any errors or indications of problems. It may be something further upstream which is causing the quality issues. It is also important to monitor when the problem occurs. Does it only happen during peak times? This would be an indication of link saturation.
A. I'm not really sure on the answer for that one. Usually the lifetime of a tunnel is defaulted to a specific number. Sorry.
A. I would suggest checking the interfaces first. Do a "sh interface | i error" on the ASA and the connected devices. If you see errors, check for a duplex or speed mismatch. If not, check the load on the ASA with "sh cpu" and "sh interface" and look for high CPU or overruns or underruns. Those could relate to too much traffic. Finally, if the above doesn't help, try to capture packets for a slow flow in and out of the ASA to try to isolate where the slowness/drops are introduced. It could be a pipe oversubscription issue also. I hope it helps.
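The triage order in this answer (errors first, then load) can be automated over saved "show interface" output. The script below is an added example written for this document, not code from the webcast or from Cisco; the sample output is constructed and follows the usual ASA layout, but counter names and order differ between releases, so the parser keys only on the counter names it knows and ignores anything else.

```python
import re

# Constructed sample of ASA "show interface" output (not captured from a real unit).
SAMPLE_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        120034 packets input, 98233211 bytes, 0 no buffer
        Received 10 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 412 overrun, 0 ignored, 0 abort
        110202 packets output, 77123000 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        98001 packets input, 67000000 bytes, 0 no buffer
        Received 5 broadcasts, 0 runts, 0 giants
        1532 input errors, 1401 CRC, 131 frame, 0 overrun, 0 ignored, 0 abort
        87000 packets output, 50000000 bytes, 0 underruns
        0 output errors, 2200 collisions, 0 interface resets
"""

INTERFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\S+), line protocol is (\S+)')
DUPLEX_RE = re.compile(r"\((Full|Half)-duplex\)")
COUNTER_RE = re.compile(
    r"(\d+) (input errors|output errors|CRC|frame|overruns?|underruns?|ignored|abort|collisions|runts|giants)\b"
)


def parse_show_interface(text):
    """Return one dict per interface: name, nameif, state, negotiated duplex, counters."""
    interfaces = []
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "nameif": m.group(2), "status": m.group(3),
                       "protocol": m.group(4), "duplex": None, "counters": {}}
            interfaces.append(current)
            continue
        if current is None:
            continue
        d = DUPLEX_RE.search(line)
        if d:
            current["duplex"] = d.group(1).lower()
        for value, key in COUNTER_RE.findall(line):
            # normalise the plural spellings so callers use one key
            key = key.replace("overruns", "overrun").replace("underruns", "underrun")
            current["counters"][key] = int(value)
    return interfaces


def triage(interfaces):
    """Apply the answer's order of checks: errors (mismatch) first, then load (overruns)."""
    findings = {}
    for itf in interfaces:
        c = itf["counters"]
        notes = []
        errors = sum(c.get(k, 0) for k in ("input errors", "output errors", "CRC", "frame", "collisions"))
        if errors or itf["duplex"] == "half":
            notes.append("errors present: check for a duplex or speed mismatch with the connected device")
        if c.get("overrun", 0) or c.get("underrun", 0):
            notes.append("overruns/underruns: check load (sh cpu) and for pipe oversubscription")
        findings[itf["nameif"]] = notes
    return findings


if __name__ == "__main__":
    for nameif, notes in triage(parse_show_interface(SAMPLE_SHOW_INTERFACE)).items():
        print(nameif, "->", notes or ["clean"])
```

In the constructed sample the outside interface is clean of errors but shows overruns, so it is routed to the load checks, while the inside interface has CRC and frame errors alongside a half-duplex negotiation and is routed to the mismatch check.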
A. There are some memory leak issues with the 8.2.2 version; however, those are *not* specific to the ASA5510 platform. I think we first need to establish if what you are running into is a memory leak issue or high memory utilization. To track this, you should check what the status of free memory is just after the device boots up. If the free memory % is very low, then possibly it's the size of the configuration (typically ACLs) which could be eating up memory. If the device boots with ample free memory %, but this gradually decreases, it means you are running into a memory leak issue. Tracking which memory leak bug you are running into needs more comprehensive data for analysis. If possible, you can upgrade to the latest CCO release available and track from there if you are facing a memory leak issue.
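The distinction this answer draws (low free memory right after boot versus free memory that keeps falling over uptime) can be checked mechanically from periodic "show memory" snapshots. The following script is an added example for this document, not code from the webcast or from Cisco; the snapshots are constructed, the 20% "low at boot" and 10-point "steady decline" thresholds are assumptions chosen for illustration, and the parser expects the "Free memory: N bytes (P%)" line that "show memory" prints.

```python
import re

FREE_RE = re.compile(r"Free memory:\s+(\d+) bytes \((\d+)%\)")

# Constructed "show memory" snapshots (not from a real unit), keyed by scenario,
# each a list of (uptime_hours, output) in the order they were taken.
SNAPSHOTS = {
    "leak": [
        (0, "Free memory:        322122547 bytes (60%)\nUsed memory:        214748365 bytes (40%)\nTotal memory:       536870912 bytes (100%)"),
        (24, "Free memory:        279172874 bytes (52%)\nUsed memory:        257698038 bytes (48%)\nTotal memory:       536870912 bytes (100%)"),
        (48, "Free memory:        241591910 bytes (45%)\nUsed memory:        295279002 bytes (55%)\nTotal memory:       536870912 bytes (100%)"),
        (72, "Free memory:        198642237 bytes (37%)\nUsed memory:        338228675 bytes (63%)\nTotal memory:       536870912 bytes (100%)"),
    ],
    "big_config": [
        (0, "Free memory:         64424509 bytes (12%)\nUsed memory:        472446403 bytes (88%)\nTotal memory:       536870912 bytes (100%)"),
        (24, "Free memory:         64424509 bytes (12%)\nUsed memory:        472446403 bytes (88%)\nTotal memory:       536870912 bytes (100%)"),
        (48, "Free memory:         59055800 bytes (11%)\nUsed memory:        477815112 bytes (89%)\nTotal memory:       536870912 bytes (100%)"),
    ],
    "healthy": [
        (0, "Free memory:        322122547 bytes (60%)\nUsed memory:        214748365 bytes (40%)\nTotal memory:       536870912 bytes (100%)"),
        (24, "Free memory:        311385128 bytes (58%)\nUsed memory:        225485784 bytes (42%)\nTotal memory:       536870912 bytes (100%)"),
        (48, "Free memory:        316753838 bytes (59%)\nUsed memory:        220117074 bytes (41%)\nTotal memory:       536870912 bytes (100%)"),
        (72, "Free memory:        311385128 bytes (58%)\nUsed memory:        225485784 bytes (42%)\nTotal memory:       536870912 bytes (100%)"),
    ],
}


def parse_free_percent(show_memory_text):
    """Extract the free-memory percentage from one 'show memory' output."""
    m = FREE_RE.search(show_memory_text)
    if not m:
        raise ValueError("no 'Free memory' line found")
    return int(m.group(2))


def build_series(snapshots):
    """Turn (uptime, raw output) pairs into (uptime, free_pct) pairs."""
    return [(uptime, parse_free_percent(text)) for uptime, text in snapshots]


def classify(series, low_free_pct=20, leak_drop_pct=10):
    """Return 'high-utilization', 'possible-leak' or 'stable' for a time-ordered series.

    Assumed thresholds: free memory under low_free_pct right after boot points at
    configuration size (e.g. large ACLs); a free percentage that never rises and
    has dropped at least leak_drop_pct points since boot points at a leak.
    """
    if len(series) < 2:
        raise ValueError("need at least two samples, the first taken just after boot")
    boot_free = series[0][1]
    if boot_free < low_free_pct:
        return "high-utilization"
    steadily_down = all(later <= earlier for (_, earlier), (_, later) in zip(series, series[1:]))
    total_drop = boot_free - series[-1][1]
    if steadily_down and total_drop >= leak_drop_pct:
        return "possible-leak"
    return "stable"


if __name__ == "__main__":
    for name, snaps in SNAPSHOTS.items():
        print(name, "->", classify(build_series(snaps)))
```

A "possible-leak" verdict is the point at which the answer says more comprehensive data is needed; this script only tells you which of the two situations you are in, which is the question the answer says to settle first.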
A. Are you trying to do "shut - no shut" under the vlan or the interface? Note that the 5505 has vlan interfaces and the physical interfaces. You should be able to do a "shut - no shut" under the physical. Please elaborate with a snippet if that is what you are trying to do.
A. In regards to what would be considered "normal", it is dependent on your situation. If you were a small company with a web server, it may have up to 40 to 50 connections. If you were a big company/enterprise (Ebay, Paypal, etc.), they may have thousands of connections. It really depends on the size of the network along with how many users are on the network. Another indicator is the embryonic count. If it's above 200-300, then there is clearly something wrong/malicious traffic.
A. That command is used for isolating specific hosts which may be generating an abnormally high number of connections. Suppose you have a client on inside which is infected with a virus and scanning the network. This command will parse through the local host entries and output each host seen as well as the total number of connections associated to that host.
A. No. It should work in 7.2 and 8.x versions.
A. Yup, the ASA will not get you to enable mode right away even for the priv15 users. It was by design.
A. No, you should not have to initiate a "clear xlate" after any failover. I have not run into any known defects that require a clear xlate. Failover should be very smooth and, if you configured a stable failover, you do not have to clear xlate and configure the sessions again. It should be seamless.
A. There isn't a quick reference guide for the main differences. The best place to learn what changes have occurred is to look at the release notes. Please look at the links provided in the Powerpoint (and at the bottom of this post).
A. It's not disruptive at all. The following link steps through this procedure. Download the image, put it on your TFTP server and copy the image onto both of the units. Then reload the active unit so the standby unit will become the active unit. Once the first unit is done updating, you can do the same to the other unit. If it's just one unit, then just reload it with the image. Please note this is for maintenance release upgrades only.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/swcnfg_f.html#wp1057450
A. If you are planning for an upgrade, unless there are specific features you require in a later release, it is best to stay on the current minor build (2nd number) and go to the latest maintenance release available (3rd number). Currently we are on 3.1(18).
A. The FWSM is a specialized firewall designed to be installed in the 6500 switching platform. The hardware architecture has been designed to complement the switch and allows for greater performance. The ASAs are standalone firewalls, but support features not found on the FWSM. This includes IPSec/SSL VPN and content filtering, among others. The higher-end ASAs also have performance numbers that can compete with the FWSM. You can also install additional modules like AIP-SSM/CSC-SSM on ASA platforms to get intrusion prevention or content security. PIXes are older platforms which are much like ASAs; however, they do not support additional modules like AIP-SSM/CSC-SSM.
A. We reviewed a command in the presentation: "show local | include host | count \ limit" (located in the High CPU usage portion of the presentation). If you can run that command, it will show you the individual IP addresses inside the firewall and the UDP and TCP connections they have established to the internet. And you can go onto that PC and see what's wrong with it.
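The per-host view that this answer and the earlier "isolating specific hosts" answer describe is what "show local-host" prints; the same output also carries the embryonic count that the earlier "normal connection count" answer uses as a 200-300 rule of thumb. The script below, an added example for this document and not code from the webcast or from Cisco, parses saved output of that command and ranks hosts. The sample output is constructed in the 8.x layout (one "local host:" block per IP with TCP flow, embryonic and UDP flow lines beneath it); the 500-connection threshold is an assumption chosen for illustration, since the answers say the "normal" figure depends on the network.

```python
import re

# Constructed "show local-host" output (not captured from a real unit).
SAMPLE_SHOW_LOCAL_HOST = """\
Interface inside: 3 active, 5 maximum active, 0 denied
local host: <10.1.1.5>,
    TCP flow count/limit = 1450/unlimited
    TCP embryonic count to host = 620
    TCP intercept watermark = unlimited
    UDP flow count/limit = 8/unlimited
local host: <10.1.1.20>,
    TCP flow count/limit = 23/unlimited
    TCP embryonic count to host = 1
    TCP intercept watermark = unlimited
    UDP flow count/limit = 4/unlimited
local host: <10.1.1.33>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 310/unlimited
"""

HOST_RE = re.compile(r"^local host: <([^>]+)>")
TCP_RE = re.compile(r"TCP flow count/limit = (\d+)/(\S+)")
EMB_RE = re.compile(r"TCP embryonic count to host = (\d+)")
UDP_RE = re.compile(r"UDP flow count/limit = (\d+)/(\S+)")


def parse_show_local_host(text):
    """Map each local host IP to its TCP, UDP and embryonic counters."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"tcp": 0, "udp": 0, "embryonic": 0})
            continue
        if current is None:
            continue
        for key, rx in (("tcp", TCP_RE), ("udp", UDP_RE), ("embryonic", EMB_RE)):
            mm = rx.search(line)
            if mm:
                current[key] = int(mm.group(1))
    return hosts


def top_talkers(hosts, n=3):
    """Hosts sorted by total (TCP + UDP) connection count, highest first."""
    return sorted(hosts.items(), key=lambda kv: kv[1]["tcp"] + kv[1]["udp"], reverse=True)[:n]


def flag_hosts(hosts, conn_threshold=500, embryonic_threshold=200):
    """Hosts worth walking over to: total connections or embryonic count above threshold.

    conn_threshold is an assumed figure; embryonic_threshold follows the 200-300
    rule of thumb given in these answers.
    """
    flagged = {}
    for ip, c in hosts.items():
        reasons = []
        if c["tcp"] + c["udp"] > conn_threshold:
            reasons.append("connection count")
        if c["embryonic"] > embryonic_threshold:
            reasons.append("embryonic count")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    hosts = parse_show_local_host(SAMPLE_SHOW_LOCAL_HOST)
    for ip, c in top_talkers(hosts):
        print(f"{ip:15} tcp={c['tcp']:5} udp={c['udp']:5} embryonic={c['embryonic']:5}")
    print("flagged:", flag_hosts(hosts))
```

In the constructed sample, 10.1.1.5 is flagged on both counts (a scanning or infected client pattern), while 10.1.1.33 ranks second on UDP volume alone and is left for a human to judge against what is normal for that network.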
A. A server would send a TCP RST if the service requested by client is not active. Some applications may generate a RESET if they want to abruptly close a connection.
A. There are management tools that can do that, like VMS RME/CSM and AUS. The ASA with AUS will pull configs from a server. RME will automatically archive and manage configs and images. Also, please check the ASA command "write net", which can push configs to a TFTP server whenever you want. I hope it helps a little.
A. It depends on your servers. Someone that has 2 servers will allow less than someone that has 20. It also depends on what is normal for your networks. I would suggest keeping track of "sh conn | i <server ip address>" and deciding what the normal profile is for your servers, and then setting your limits a little above the normal. I hope it makes sense.
A. We will mostly focus on troubleshooting, not so much VPN today. Maybe later in the future. To answer your question the sequence is as follows: the user logs in, and gets the attributes from the tunnel-group, and group-policy, then DAP kicks in and any actions specified are then applied. I hope it helps.