CCNP Security (CCIE Sec. written June 2017, one lab attempt so far!), Fire Jumper, Cisco Support Community Hall of Fame and VIP x6. Passionate about solving problems in network security and helping others learn to do the same.
For Disaster Recovery of Firepower Management Center you need to either:
a. Use hardware appliances that support HA, or
b. Do a backup/restore scheme outside the context of Firepower itself. If the subnet does not exist in the remote location, you won't be able to easily restore as device registration etc. will be broken.
c. Manage the DR site appliances with an FMC at the DR site. (Of course this would not address any appliances at other sites.)
Note that most features continue to work fine in the absence of the FMC.
As of release 6.3, FDM now supports high availability devices.
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html#concept_D3A005FB2B0E45BBBDF5392C4D1DD138
For a single named user, Oracle's current published cost is $2.50 per month.
https://www.oracle.com/technetwork/java/javaseproducts/overview/javasesubscriptionfaq-4891443.html
If strict compliance is a requirement in your environment, that would seem a relatively small price to pay. It would also be surprising if Cisco ASDM was the only application for which Java is required in your entire enterprise.
Can you share what you have so far as a running-config on the new device?
Then show us what error you receive when trying to configure your nat statements.
Ping uses the ICMP protocol, which is not inspected by default on Cisco ASA. If you add ICMP inspection to your default class map it should work.
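The change described in the answer above, spelled out as an added configuration example (not from the original post): the ASA's default global service policy has no `inspect icmp`, so echo replies arriving on a lower-security interface are dropped unless an inbound ACL permits them; enabling stateful ICMP inspection lets the ASA match each reply to the outbound request instead of requiring a blanket ICMP permit. The policy-map and class names are the ASA defaults.

```cisco
! Default ASA global policy (weak state): the inspection_default class
! carries no "inspect icmp", so ping replies from the outside are
! dropped unless "permit icmp any any" is added to the inbound ACL,
! which opens far more than the replies actually needed.
!
! Corrected policy: add stateful ICMP inspection to the default class.
! Only replies that match an existing outbound echo request are
! allowed back through; "inspect icmp error" additionally permits
! ICMP error messages (e.g. TTL exceeded) tied to an inspected flow.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! The global policy is already applied to all interfaces by default;
! this line only needs re-issuing if it was removed:
service-policy global_policy global
!
! Verify the inspection engine is active and counting packets:
! show service-policy inspect icmp
```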
I asked Andrew Ossipov directly at Cisco Live Barcelona today.
He told me that on an ASA 5585-X (non-Firepower), the single flow throughput limit is 3-4 Gbps (TCP) or 6-8 Gbps (UDP).
Only the base VPN module is currently supported for installation and associated profile push via FTD remote access VPN.
This is true even with the current latest release 6.3:
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy
When an ASA 5500-X (except 5585-X) has a Firepower module it dynamically allocates half the physical memory at boot time to the service module. So you have 4 GB for ASA code and 4 GB for the Firepower service module in your case.
The memory is not upgradable.
Are you using the Firepower module? If so, the limiting factor will be that a given flow (5-tuple) is tied to a single Snort process. A Snort process is limited to something like 500 Mbps per instance.
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html#anc6
@Salman.Baig,
Both @Marius Gunnerud and @balaji.bandi mentioned your ESXi configuration as a very likely cause of the issue but you have ignored their request to show that bit. Please check the vSwitch and share screenshots of its configuration. Be sure to verify that promiscuous mode is enabled for the vSwitch interfaces assigned to the FTDv appliance.
Also note that when you ping from FTDv it will by default try to use the data plane interface according to the routing table. To verify management plane connectivity, use the "ping system" command. Also, your "show interface ip brief" will show the LINA (ASA code) section of the running configuration, not the interface that is assigned to the FTDv management interface.
It works fine here - although the rendering can be really hard to see for some of the controls.
As @bhum11 noted, it's more of a Java thing than an ASDM issue per se.
Is the existing "Lan-to-Lan" a VPN connection?
If so, and it's using IKEv1 IPsec, all you need is to define both the primary (x.x.x.x) and backup peer (y.y.y.y) - e.g. "set peer x.x.x.x y.y.y.y" - to fall back to the second peer.
If your needs aren't met by that, there is a more complex method described here:
https://learningnetwork.cisco.com/blogs/vip-perspectives/2018/07/27/cisco-asa-site-to-site-vpn-failover
Also, you use "ping system <IP>" vs. "ping <IP>" when initiating traffic from the FTD mgmt interface. Otherwise it will try to use the data interface (which one is according to the appliance's routing table).