Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1058
Views
0
Helpful
2
Replies

ASA 1000V packets do not get to security-profile

Bogdan Nita
VIP Alumni
VIP Alumni

‎04-22-2013 02:37 AM - edited ‎03-01-2019 10:59 AM

VM has IP 172.16.41.111, default gateway: 172.16.41.115

VSG is working, can reach network 172.16.41.0/24

NO packets reach ASA security-profile

Nexus config:

vservice node vASA-user type asa

  ip address 172.16.41.115

  adjacency l2 vlan 360

  fail-mode open

vservice node VSG-user type vsg

  ip address 172.16.41.157

  adjacency l2 vlan 360

  fail-mode open

vservice path security-chain

  node VSG-user profile default order 5

  node vASA-user profile default order 10

port-profile type vethernet user-app-profile

  vmware port-group

  switchport mode access

  switchport access vlan 360

  vservice path security-chain

  org root

  no shutdown

  state enabled

VEM

~ # vemcmd show vsn ip-bi

  VSG Services Enabled  | VSG Licenses Available   1

  ASA Services Enabled  | ASA Licenses Available   1

   LTL  PATH   VSN  SWBD               IP  P-TYPE  P-ID

    50     1     2   360    172.16.41.157       1     1

    50     1     1   360    172.16.41.115       2     0


ASA config:

interface GigabitEthernet0/0

nameif INSIDE

security-level 100

ip address 172.16.41.115 255.255.255.0

!

interface GigabitEthernet0/1

nameif OUTSIDE

security-level 0

ip address 10.10.10.102 255.255.255.0

!

interface security-profile1

nameif sp0001

security-level 100

security-profile default@root

edge-firewall# sh vsn ip-binding

vsn ip-binding info :

IP               : 172.16.41.111

security-profile : default@root

Interface        : sp0001

Interface security-profile1 "sp0001", is up, line protocol is up

        security-profile default@root, spid 2

        service-interface is INSIDE

  Traffic Statistics for "sp0001":

        0 packets input, 0 bytes

        0 packets output, 0 bytes

        0 packets dropped

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Traffic Statistics for "sp0001":

        1 packets input, 28 bytes

        0 packets output, 0 bytes

        0 packets dropped

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

0 Helpful
2 Replies 2

Bogdan Nita
VIP Alumni
VIP Alumni

‎04-22-2013 04:15 AM

Another thing the ASA 1000v IP does not respond to ping, but other VMs in same LAN respond.

If i remove the IP from vservice ping starts working.

n1k-1(config)# vservice node vASA-user type asa

n1k-1(config-vservice-node)# no ip address 172.16.41.115

Warning: Deleted IP address. It will affect the traffic bound to this node.

0 Helpful

mohitkshirsagar
Level 1
Level 1
In response to Bogdan Nita

‎04-23-2013 11:58 AM

Hi There,

Were you able to resolve this issue?? I am seeing Secuirty-level 0 on my inside and outside interface

Please advice. I am stuck

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Review Cisco Networking for a $25 gift card