Cluster ASA IFC failure
Hi team,
We had a problem with the ASA failover pair: one of the units failed the day before.
Here is the last failure reason and time:
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Failed         Ifc Failure
                 inside: Failed
Could you help me understand what the IFC (interface) failure is? I have checked the inside interface and it is all clear. I also checked L2; the switching state is clear as well.
Thanks for your help!
Regards,
Daniel
Hi Daniel,
Can you please send the output of the following commands:
show failover
show failover history
show failover state
Also, can you check the inside interfaces on both units and make sure they are in the same VLAN, with the same speed, duplex, etc.?
Please rate helpful posts!
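The failover settings that decide when an ASA records "Ifc Failure" for a monitored interface, as an added example that is not part of the thread; the interface names, the presence of a management interface and the timer values are assumptions:

```cisco
! Added example, not from the original post. Interface names, the
! management interface and the timers below are assumptions.
!
! Only monitored interfaces count toward the failover decision. "inside"
! is monitored; a management-only interface is excluded so a flap on it
! cannot trigger a failover on its own.
monitor-interface inside
no monitor-interface management
!
! Each unit sends hellos on every monitored interface and expects the
! peer's hellos back. 5 s poll / 25 s hold are the defaults: five
! consecutive misses mark the interface Failed. Raise the hold time if
! the upstream switch takes longer than that to converge (STP).
failover polltime interface 5 holdtime 25
!
! Fail over as soon as one monitored interface is Failed (the default;
! a count or a percentage of monitored interfaces may be given).
failover interface-policy 1
!
! Verification. Every monitored interface should read "Normal" on both
! units; "Failed" or "Unknown (Waiting)" on one side means the units do
! not see each other's hellos on that VLAN, typically a VLAN, trunk,
! speed or duplex mismatch between the two switch ports.
! show monitor-interface
! show failover state
! show failover history
```

Since an interface is tested by hellos between the two units, not by link state alone, the inside interface can look perfectly healthy on the unit itself and still be declared Failed when the peer's hellos never arrive.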
Tags: Cisco Security
Similar Questions
-
Hi all
Another silly question. I configured an ASA so I could access it via SSH. Everything is configured as described in the Cisco user guide, but surprisingly enough it does not work...
I tried SSH v1 and v2, I zeroized the key and regenerated a new one, but it still does not work. Connectivity seems fine though, as I get the SSH prompt.
Any idea?
Kind regards
Thibault.
Thibault, you do not have AAA activated. Try adding these commands so you are authenticated against the local database:
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
Hope this helps.
Kind regards
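A complete SSH management setup on the ASA with local AAA, as an added example rather than the commands from the answer above; the hostname, domain, username, password, management subnet, interface name and key size are assumptions:

```cisco
! Added example, not from the original post. Names, addresses, the
! password and the key size are assumptions.
!
! An RSA key is required before the SSH server will complete a
! handshake, and it can only be generated once a hostname and domain
! name exist.
hostname asa-edge
domain-name example.net
crypto key generate rsa modulus 2048
!
! Local administrator account.
username netadmin password S3cure-Pa55w0rd privilege 15
!
! Without the ssh line the ASA does not check SSH logins against the
! local user database, which is what the poster above ran into.
! The exec authorization line (ASA 9.2 or later) lands a privilege-15
! user in enable mode without a second password prompt.
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
aaa local authentication attempts max-fail 5
!
! Only accept SSH from the management subnet on the inside interface,
! and only SSHv2 (SSHv1 has known protocol weaknesses). Idle sessions
! are closed after 10 minutes.
ssh 192.0.2.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! Verification
! show crypto key mypubkey rsa   (a key must be present)
! show ssh                       (version, timeout, allowed sources)
! show run aaa                   (the LOCAL authentication line)
```

The ordering matters in practice: if the key is generated before the hostname or domain name is set, or the `ssh` source line is missing, the symptom is exactly what the poster described, a prompt that appears and then fails to authenticate or closes.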
-
Hello
I intend to cluster 4 ASA firewalls across 2 DCs.
I would like to know whether the ASA IPS is clustered together with the 4 ASAs, or whether I have to buy the ASA IPS hardware module?
If I need to buy the ASA IPS hardware module, will it work as a single module, or can it also be clustered?
Thank you very much for the help.
Kind regards
J
The documentation states that the IPS is managed individually per unit. So every unit will have its own IPS and protect the traffic it sees. Without configuration replication available for the IPS, you should plan to use a management system such as CSM to ensure that all units have the same configuration.
-
Host failure in an HA cluster & file locking
Hello
In an HA cluster, if a host fails (loses power or something similar), how are the file locks of a virtual machine that was running on that particular host released so that another host in the HA cluster can start it? I know that if a host finds itself isolated it releases the file locks, but what happens in the case of a failure?
Thank you
Steve
Locks on shared storage have a timeout of, I think, 15 seconds. The owning host keeps refreshing the lock so that the other hosts cannot claim the locked object. When the host fails the lock expires and can be claimed by another host in the cluster.
-
SFR licensing in cluster mode?
If I run two ASAs in cluster mode, is there any special setup I need to do on the SFR modules?
Does the ASA cluster pair forward traffic to both SFR modules?
The documentation is very vague on the subject of Sourcefire and clustering; all it really says is to "maintain a consistent policy on the SFR modules and do not use zones".
Are additional licenses required? I.e. I have 2 x Control + Protect, but only 1 AMP/URL license.
Does this mean that only one SFR module can process malware and URL filtering?
Any help would be greatly appreciated
Thank you
Are you running the ASAs as an Active/Standby HA pair with a Firepower module in each of them?
If so, the licensing must match on each module. Otherwise you will not be able to apply URL filtering and file policy (AMP) on one of the modules.
If the ASAs are truly in a 2-node cluster (not Active/Standby) then it is even more important that the licenses match, because any given traffic flow can take either member as its forwarding device.
Ideally you simply build one set of policies in the FireSIGHT Management Center and apply them to both Firepower modules.
-
Hello
We have an ASA failover pair with 2 IPS, each in an ASA AIP-SSM. Is there a way to configure the IPS modules in a cluster mode like the ASA, or to have a configuration that is mirrored between them?
Thank you very much.
Best regards,
Antonello
Configuration mirroring between the AIP-SSMs is not currently available. You can emulate this process by copying the current configuration of the active AIP-SSM to an FTP server, editing the configuration to remove the host-specific details (IP address, etc.) and then copying this configuration onto the standby AIP-SSM.
Another option would be to invest in Cisco Security Manager (CSM) and create a shared policy that is applied to both AIP-SSMs.
Scott
-
How does AM sharing happen in a cluster environment?
Can someone point me to some topics... Thank you.
In general, the ADF bindings layer creates a JboDataControl object and stores it in the HTTP session. (It is not stored directly in the HttpSession but in a container object called DataControlFrame; for simplicity we skip those details.) The HTTP session is replicated to another server in the cluster (this is done by the WLS cluster) and the JboDataControl is replicated as part of session replication. The JboDataControl contains an instance of a SessionCookie class (this is an ADF class; do not be fooled by its name into associating it with HTTP cookies, which have nothing to do with it). The SessionCookie contains the ID of the passivated AM state of the AM instance that the DataControl used last time. When the next HTTP request arrives (it can arrive at the same server or at a secondary server in the cluster where the HTTP session is replicated), the JboDataControl allocates an AM instance from the pool (which could be an arbitrary AM instance in the pool) and activates its state according to the ID from the SessionCookie (using the AM passivation store).
The AM configuration needs to be set to "Failover Transaction State upon Managed Release" for this mechanism to work. This tells the AM instance to do mandatory state passivation at the end of each request. This must be done so that the ADF application can activate the AM state on the other server in the cluster if the primary server fails and the next request arrives on the secondary server. This mandatory passivation puts considerable performance overhead on the application. On the other hand, if the application is not clustered, AM state passivation happens only when a particular AM instance from the pool is recycled to another user session. The performance overhead is the trade-off between clustered and non-clustered ADF applications.
Dimitar
-
Why does the GRE tunnel drop?
So here's my setup:
Internal router (2821) > Internal DMZ ASA cluster > DMZ router (2821) > External DMZ Checkpoint cluster > Branch office router (877)
The internal ASA cluster has PAT configured for all the internal production VLANs.
The DMZ router has an inside interface configured on the internal DMZ and an outside interface configured on the external DMZ. The DMZ router has two loopback interfaces configured.
The external Checkpoint is configured with NAT for incoming and outgoing traffic.
The branch is a DSL router with a static IP address.
The first requirement is to configure a GRE over IPSec tunnel between the DMZ router and the branch office router.
The second requirement is to configure a GRE over IPSec tunnel between the internal router and the DMZ router.
The third requirement is to allow routing between the internal router and the branch through the DMZ router, because this is ultimately the backup connection between head office and the branch.
I have successfully configured a GRE over IPSec tunnel between the DMZ router and the branch office routers.
I can also set up a GRE tunnel (without IPSec) between the internal router and the DMZ router.
However, whenever the GRE tunnel between the internal and DMZ routers establishes and an EIGRP neighbourship forms, the EIGRP neighbourship between the DMZ router and the branch drops! See the following DMZ router log:
Tunnel1 = to branch
Tunnel100 = to internal
002885: Mar  3 22:32:57.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
002886: Mar  3 22:33:06.029: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.17.205.61 (Tunnel1) is up: new adjacency
002889: Mar  3 22:33:58.434: %LINK-3-UPDOWN: Interface Tunnel100, changed state to up
002890: Mar  3 22:33:58.438: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
002891: Mar  3 22:34:15.370: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.5.66 (Tunnel100) is up: new adjacency
002892: Mar  3 22:34:30.551: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.17.205.61 (Tunnel1) is down: holding time expired
002893: Mar  3 22:34:47.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
The IPSec tunnel to the branch stays up throughout.
Can anyone help!?
The problem was that whenever the GRE tunnel between the internal and DMZ routers established and an EIGRP neighbourship formed, the branch was learning the next hop to the tunnel destination from a different device.
This is how the branch was learning the route to the tunnel destination:
interface Tunnel1
 description Tandragee Sub Station router VPN Tunnel
 bandwidth 64
 ip address 172.17.205.62 255.255.255.252
 no ip route-cache cef
 delay 20000
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 172.17.255.23
be-idz-vpn-01#sh ip route 172.17.255.23
Routing entry for 172.17.255.23/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 172.17.252.129
      Route metric is 0, traffic share count is 1
be-idz-vpn-01#sh ip route 172.17.252.129
Routing entry for 172.17.252.128/25
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet0/1
      Route metric is 0, traffic share count is 1
be-idz-vpn-01#
This is how the next hop was learned once the GRE tunnel between the internal and DMZ routers came up:
be-idz-vpn-01#sh ip route 172.17.252.129
Routing entry for 172.17.252.128/27
  Known via "eigrp 1", distance 170, metric 40258816, type external
  Redistributing via eigrp 1
  Last update from 192.168.5.66 on Tunnel100, 00:07:25 ago
  Routing Descriptor Blocks:
  * 192.168.5.66, from 192.168.5.66, 00:07:25 ago, via Tunnel100
      Route metric is 40258816, traffic share count is 1
      Total delay is 10110 microseconds, minimum bandwidth is 64 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 1/255, Hops 2
We can see how the next hop to the tunnel destination 172.17.255.23 changed from known via "connected" through GigabitEthernet0/1 to known via "eigrp 1" through Tunnel100.
This causes Tunnel1 to drop.
The reason for this behaviour is that the route to reach the next hop was learned with a longer prefix match through the tunnel interface, so it won the race into the routing table.
The solution we applied:
Created a distribute-list on the branch office router to remove this specific route from the Tunnel100 updates.
router eigrp 1
 ! filter inbound updates through ACL 1 (the direction keyword "in" was lost in the post)
 distribute-list 1 in
 network 10.10.10.0 0.0.0.3
 network 172.17.203.56 0.0.0.3
 network 172.17.203.60 0.0.0.3
 network 172.17.205.60 0.0.0.3
 network 172.19.98.18 0.0.0.0
 network 192.168.5.64 0.0.0.3
 passive-interface Loopback1
be-idz-vpn-01#sh access-list 1
Standard IP access list 1
    10 deny   172.17.252.128, wildcard bits 0.0.0.127 (1 match)
    20 permit any (1230 matches)
be-idz-vpn-01#
Once this was applied, we could have the GRE tunnel between the internal and DMZ routers established alongside the GRE tunnel between the branch and the DMZ router.
-
Does uninstalling vShield App require a host restart?
We are upgrading vSphere 5.1 to 5.5 and plan to uninstall vShield App to do a fresh install. We will migrate the hosts, but not vShield App, then install new appliances in the 5.5 environment...
Thank you!
-anne
Hi Anne,
Uninstalling vShield App requires the host to restart. You move the VMs off and then uninstall from vShield Manager. This will remove the filters from the NICs, then remove the modules from the host, followed by a restart.
If your cluster tolerates the failure of a single host, you can do it without VM downtime.
-
I want to confirm something I've heard which seems to contradict what I learned in the classroom. If DRS and HA are implemented on a cluster AND an ESX server fails, CAN the virtual machines on that host live-migrate to another host? I was told in class that VMs will always be powered down if HA is implemented. So which is true?
Also, if DRS and HA are implemented on a cluster and, let's say, I pull the plug on an ESX host... there is not enough time to live-migrate the VMs, so I'm inclined to believe that's NOT true.
Let me see if I can summarize.
HA protects you in the event of a host failure. If a host fails (you pull the plug), the virtual machines running on that host will restart on the other nodes in the cluster, and if DRS is enabled it then makes sure the virtual machines get their resources. The way the cluster hosts know they are alive is by the HA heartbeat; if the heartbeat is not detected, the cluster thinks the host has failed, but it might not have, because of network problems. The host is then described as isolated but not necessarily down, so the virtual machines on it are still running. The cluster tries to restart the virtual machines but cannot power them on because the VMDKs will be locked. This is where the isolation response comes in: you can have the host power down the VMs so that the HA cluster restarts them (moving them), or leave them powered on if there is no failure (where they are). VMotion and DRS have nothing to do with VMware HA.
FT, which is an Enterprise Plus feature, can give you NO downtime in the event of a host failure and also protects from OS issues; if there is a failure, the mirrored VM takes over instantly with no downtime thanks to Fault Tolerance.
If you find this or any other answer useful please consider awarding points by marking the answer correct or useful.
-
addNode.sh fails when voting disks are placed in ASM
Hello forum, adding a node with the addNode script throws an error when the voting disks are placed in ASM. Has anyone else had this problem, or any ideas?
Thanks a lot for your help.
[grid@host02 bin]$ sh -x ./addNode.sh -silent "CLUSTER_NEW_NODES={host01}" "CLUSTER_NEW_VIRTUAL_HOSTNAMES={host01-vip}"
+ OHOME=/u01/app/11.2.0/grid
+ INVPTRLOC=/u01/app/11.2.0/grid/oraInst.loc
+ ADDNODE='/u01/app/11.2.0/grid/oui/bin/runInstaller -addNode -invPtrLoc /u01/app/11.2.0/grid/oraInst.loc ORACLE_HOME=/u01/app/11.2.0/grid -silent CLUSTER_NEW_NODES={host01} CLUSTER_NEW_VIRTUAL_HOSTNAMES={host01-vip}'
+ '[' '' = Y -o '!' -f /u01/app/11.2.0/grid/cv/cvutl/check_nodeadd.pl ']'
+ CHECK_NODEADD='/u01/app/11.2.0/grid/perl/bin/perl /u01/app/11.2.0/grid/cv/cvutl/check_nodeadd.pl -pre -silent CLUSTER_NEW_NODES={host01} CLUSTER_NEW_VIRTUAL_HOSTNAMES={host01-vip}'
+ /u01/app/11.2.0/grid/perl/bin/perl /u01/app/11.2.0/grid/cv/cvutl/check_nodeadd.pl -pre -silent 'CLUSTER_NEW_NODES={host01}' 'CLUSTER_NEW_VIRTUAL_HOSTNAMES={host01-vip}'
+ '[' 1 -eq 0 ']'
[grid@host02 bin]$
Output from /u01/app/11.2.0/grid/cv/log/cvutrace.log.0:
<snipped>
TaskVotingDisk:Voting Disk:TASK_SUMMARY:FAILED:CRITICAL:VERIFICATION_FAILED
ERRORMSG(GLOBAL): PRVF-5430 : Voting disk configuration does not meet Oracle's recommendation of three voting disk locations
ERRORMSG(GLOBAL): PRVF-5431 : Oracle Cluster Voting Disk configuration check failed
ERRORMSG(host01): PRVF-5449 : Check of Voting Disk location "ORCL:SPT_OCRVOTE01(ORCL:SPT_OCRVOTE01)" failed on the following nodes:
ERRORMSG(host01): No such file or directory
ERRORMSG(host01): PRVF-5449 : Check of Voting Disk location "ORCL:SPT_OCRVOTE02(ORCL:SPT_OCRVOTE02)" failed on the following nodes:
ERRORMSG(host01): No such file or directory
<snipped>
Edited by: user12857528 11/14/2010 18:39
Hello,
This reminds me of an error I have met before.
In the addNode.sh script Oracle included cluvfy (-pre nodeadd), which as of 11.2.0.2 also performs a shared device check. Unfortunately this device check (sometimes) fails, since the cluvfy shared device check does not always work correctly.
A lot of other people here have probably already noticed that the 11.2.0.2 installation often tells you the sharedness of the devices is not OK. You can ignore that for the installation, but not for addNode. So if you are sure that your devices are shared (which seems OK from your output), you will need to disable the precheck in addNode.sh.
Simply do this:
export IGNORE_PREADDNODE_CHECKS=Y
before calling addNode.
Regards
Sebastian
-
Pre-installation questions on IPS on a Cisco ASA cluster
Hello
I'm looking for some configuration guidance on IPS.
I have a Cisco ASA cluster with an IPS module and I would like to know the best way to go about setting it up.
We have a customer who requires their web servers to be protected with the IPS module. I have the following questions:
1. Is it possible to install the IPS in a learning-type mode to see what kind of traffic is hitting it?
2. Can you syslog alerts?
3. Is it also possible to use SNMP traps for alerts?
4. If you put it in promiscuous mode (IDS), does that mean that when you receive an alert about a possible attack an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or allow it if it is a false positive in the IPS) without having to connect to ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?
5. Is it possible to set up alerting so that if it is a DDoS you get an email alert, and if it is a split handshake just a syslog alert?
6. I'm afraid that if I put it in with a profile it may start blocking valid traffic. What is the best way to start with IPS to protect a server?
7. If syslog is possible, what kind of detail does the syslog capture? Attack name, etc.?
A lot of questions! I hope someone can help
Thanks a mill
1. Is it possible to install the IPS in a learning-type mode to see what kind of traffic is hitting it?
Yes. There are several ways to do this, but the easiest is to put the sensor in promiscuous mode (in the ASA config).
2. Can you syslog alerts?
No. The Cisco IPS OS doesn't support syslog.
3. Is it also possible to use SNMP traps for alerts?
Yes. But you must set the "action" on each signature for which you want a trap sent.
4. If you put it in promiscuous mode (IDS), does that mean that when you receive an alert about a possible attack an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or allow it if it is a false positive in the IPS) without having to connect to ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?
Whoever performs the IPS event analysis generally has sufficient privilege and access to make any necessary changes to your firewall and IPS sensors. It takes time, knowledge and skill to do IPS analysis. Most customers do not have the resources to do the job you describe.
5. Is it possible to set up alerting so that if it is a DDoS you get an email alert, and if it is a split handshake just a syslog alert?
No syslog. You can set email alerts on a per-signature basis.
6. I'm afraid that if I put it in with a profile it may start blocking valid traffic. What is the best way to start with IPS to protect a server?
Start in promiscuous mode and see which signatures are hit. Investigate them and tune out your false positives until you have a tight set of signature actions. Then switch to inline mode.
7. If syslog is possible, what kind of detail does the syslog capture? Attack name, etc.?
No syslog.
-Bob
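The ASA-side configuration for the "start in promiscuous mode, then go inline" approach in the answer above, as an added example that is not part of the thread; the web server addresses, the object-group, ACL and class-map names, and the module slot number are assumptions:

```cisco
! Added example, not from the original post. Server addresses, names
! and the module slot are assumptions.
!
! Send only the protected web servers' traffic to the AIP-SSM, in both
! directions, so the sensor sees (and a later inline policy affects)
! nothing else.
object-group network WEB_SERVERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
access-list IPS_TRAFFIC extended permit ip any object-group WEB_SERVERS
access-list IPS_TRAFFIC extended permit ip object-group WEB_SERVERS any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Phase 1 (learning): promiscuous = the ASA forwards the original packet
! and hands the sensor a copy, so a signature can alert but never block.
! fail-open = if the module is down, rebooting or being upgraded, the
! matched traffic keeps flowing instead of being dropped.
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
service-policy global_policy global
!
! Phase 2, after false positives have been tuned on the sensor: change
! the same class to inline so "deny" signature actions really drop
! packets. Choose fail-close only if an unprotected server is worse for
! you than an outage while the module is down.
! policy-map global_policy
!  class IPS_CLASS
!   ips inline fail-open
!
! Verification
! show module 1 details     (module state "Up" and sensor version)
! show service-policy       (packet counters for the IPS class)
```

Keeping the ACL narrow is what makes the inline switch safe: the only traffic that can ever be dropped by a misfiring signature is traffic to or from the servers the customer asked to have protected.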
-
I have an Active/Standby pair with two ASA 5510s and I want to replace one of them, because one ASA 5510 is damaged. Both have a CSC-SSM module. What should I consider?
(Licensing, configuration, ...)
For the failover configuration, make sure that both units have the same hardware configuration. They must be the same model, have the same number and types of interfaces, the same amount of RAM, and the same SSMs installed (ASA 5500 series security appliance, if any).
The two units do not have to have the same Flash memory size. If you use units with different Flash memory sizes in your failover configuration, check that the unit with the smaller Flash memory has enough space to hold the software image and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
-
SSL VPN using ASA 5520 in cluster mode - several problems
I configured 2 ASA 5520s in load-balancing cluster mode. I connect using AnyConnect, download the client the first time and everything works well except Outlook. I don't know why Outlook does not work.
The second problem is that after the AnyConnect client is installed on your machine, it remembers the ASA (say ASA2) it first connected to, and the GUI shows the IP address of ASA2 instead of the cluster's virtual IP address. I want users to always connect using the virtual IP address.
The third problem is that there is a default SSL VPN group and I want all users to use this group. On the initial web page there is a drop-down menu that shows just this group, but I still want to disable this drop-down menu.
Any suggestions?
To disable the drop-down menu, you can turn it off with the command:
webvpn
 no tunnel-group-list enable
This will take care of your last issue.
***************************
You can create an AnyConnect client profile with the name of the server you want users to connect to and push it from the ASA; that will solve your virtual IP problem.
**************************
Regarding Outlook, do you use specific ports that the ASA inspects? Take a look at the inspection list on the ASA and perhaps try disabling the inspection to see if it works.
*****************************
-
Cisco ASA 9.1 crypto ipsec stats: system capacity failures
Hello
I'm trying to track down some performance issues on one centralized ASA and some site-to-site VPNs. I have already addressed fragmentation and flow control, which seems to solve the performance problems, but I came across something I can't identify and don't understand.
I can't seem to find any documentation that explains what triggers the "System capacity failures" counter in the show crypto ipsec stats command:
asa# sho crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 41
Previous tunnels: 8999
Inbound
    Bytes: 8292491846127
    Decompressed bytes: 8292491846127
    Packets: 25115896849
    Dropped packets: 1291637
    Replay failures: 220
    Authentications: 25114592561
    Authentication failures: 0
    Decryptions: 25114592564
    Decryption failures: 0
    TFC packets: 12836
    Decapsulated fragments needing reassembly: 17418535
    Valid ICMP Errors rcvd: 0
    Invalid ICMP Errors rcvd: 0
Outbound
    Bytes: 37818073925334
    Uncompressed bytes: 37818837785556
    Packets: 38014583887
    Dropped packets: 2413164
    Authentications: 38020189281
    Authentication failures: 0
    Encryptions: 38020191839
    Encryption failures: 0
    TFC packets: 0
    Fragmentation successes: 7763651
        Pre-fragmentation successes: 7763651
        Post-fragmentation successes: 0
    Fragmentation failures: 267158
        Pre-fragmentation failures: 267158
        Post-fragmentation failures: 0
    Fragments created: 15527302
    PMTUs sent: 267158
    PMTUs rcvd: 185
Protocol failures: 0
Missing SA failures: 255102
System capacity failures: 3167258
Does anyone know what this is referring to specifically?
Cheers, Dale
Hello
What model of ASA do you have, and how many VPN sessions do you get on average during peak hours?
Capacity failures occur when the hardware capacity or utilization runs short...
Concerning
Knockaert