Cluster ASA IFC failure

Similar Questions

• ASA - SSH failure

  Hi all

  Another sily question, I configure an ASA so I could access it via ssh. Everything is configured as described in the user guide for the cisco, but surprisingly enough, it does not work...

  I tried ssh v1 and 2, I have zero key and regenerated a new but it still does not work. Connectivity seems to be although I get ssh prompt.

  Any idea?

  Kind regards

  Thibault.

  Thibault, you do not have AAA activate, try adding that this command so you will be authenticated with the local database:

  AAA authentication enable LOCAL console

  LOCAL AAA authentication serial console

  AAA authentication http LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication LOCAL telnet console

  LOCAL AAA authorization command

  local AAA authentication try 5 max in case of failure

  Hope this helps.

  Kind regards

• Cluster ASA with IPS

  Hello

  I intend to group 4 ASA firewall between 2 domain controllers.

  I would like to know if the ASA IPS device is also grouped with the ASAs 4 or I have to buy the hardware module ASA IPS?

  In the case where I will need to buy the module hardware IPS ASA it will work as a single module or it could also be clustered?

  Thank you very much for the help.

  Kind regards

  J

  The Documentation States that the IPS is managed individually by unit. So every unit will have it of own IPS and protects the traffic he sees. Without a config-replication available for IPS, you should plan to use a system management as MSC company to ensure that all units have the same configuration.

• Host - HA Cluster failure & file locking

  Hello

  In a HA cluster, if the failure of a host (loses power or something similar) how are the locks on files on a virtual machine that was running this particular host published so that another host in the cluster HA can start? I know that if a host finds that as isolated, it releases the file locks, but what happens in case of failure?

  Thank you

  Steve

  Blockage in a shared storage have a waiting period of I think 15 seconds. Direct receipt is refreshing the lock so the other guests cannot claim locked object. When the host fails the lock expires and can be requested by another host in a cluster.

• SFR in license cluster mode?

  If I run two ASAs in cluster mode, is there a special setting that I need to do on the modules of sfr?

  The pair of cluster ASAs forwards traffic to the two modules of sfr?

  Documentation is very vague on the subject of sourcefire, clustering, everything he says really is to "maintain a coherent policy on the modules of sfr and do not use areas during your period.

  Are there additional licenses required? IE I have control of x 2 + protect however only 1 AMP / URL license

  Does this mean that only SFR modules can process the malware and URL filtering?

  Any help would be greatly appreciated

  Thank you

  Are you running the ASAs in a pair of Active-Standby HA with module of firepower on each of them?

  If so, the licensing of the modules must match each module. Otherwise, you will not be able to appply URL filtering and policy file (AMP) on one of the modules.

  If the ASAs are truly in a cluster 2 nodes (not active-Standby) so it is even more important that licenses match because only by flow of traffic can take another Member as a transfer device.

  Ideally simply build you a set of policies in the Management Center FireSIGHT and apply them to two modules of firepower.

• AIP - SSM in cluster

  Hello

  We have a failover cluster ASA, with 2 IPS, each in an ASA AIP - SSM. There is a way of module config mode cluster as ASA IPS, or have a configuration that is mirrored between them?

  Thank you very much.
  Better with respect to Antonello.

  Antonello;

  Configuration mirroring between the AIP-SSMs is not currently available.  You can emulate this process by copying the current configuration of the AIP - SSM active to a FTP server, change the configuration to remove the specific details of the host (IP address, etc) and then copy this configuration on the stand by AIP - SSM.

  Another option would be to invest in Cisco Security Manager (CSM) and create a shared strategy that is applied to the two AIP - SSM.

  Scott

• How does am sharing happens in the env cluster

  can someone indicate topics... Thank you.

  In general, the links ADF layer creates a JboDataControl object and stores it in the HTTP session. (This is not stored directly in the HttpSession, but in a container called DataControl Frame object. We're going for simplicity to skip those details). The HTTP session is replicated to another server in the cluster (which is done by the WLS cluster) and the JboDataControl is replicated as part of session replication. The JboDataControl contains an instance of a class of SessionCookie (there is a related class of the ADF, do not be fooled by its name and get an association wrong with HTTP cookies, which have nothing to do here). The SessionCookie contains the ID of the State AM passive of the instance of AOS, which was used by the DataControl last time. When comes the next HTTP request (it can happen on the same server or on a secondary server in the cluster, where the HTTP session is replicated), the JboDataControl allocates an instance AM pool (which could be an arbitrary instance of AM to the pool) and activates its State according to the ID of the report of the SessionCookie (using the passive of the passivation AM store state).

  Necessary AOS configuration to be configured to make "Tipping Transaction State on managed Release" so that this mechanism to work. This indicates the instance AM doing passivation of mandatory State at the end of each request. This must be done so that the application of ADF activate State AM on the other server in the cluster, if the failure of the principal server and the next request arrives on the secondary server. This mandatory passivation puts considerable achievements to the application. On the other hand, if the application is not clustered, passivation State AM happen only when a particular instance of AM of the pool is recycled in another user session. The performance overhead is the trade-off between the clusters and applications ADF nonclustered indexes.

  Dimitar

• The GRE Tunnel descends?

  So here's my setup:

  Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)

  Internal Cluster ASA a configured PAT production internal then all the VLANS.

  The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.

  The external control point is configured with NAT for the incoming and outgoing traffic.

  The branch is a DSL router with a static IP address.

  The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

  The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.

  The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.

  I configured a Contract by the IPSec Tunnel between the router in the DMZ and routers of Management Office successfully.

  I can also set up a GRE Tunnel (without IPSec) between the internal router and the router in the DMZ.

  However, whenever the GRE Tunnel establishes between internal and DMZ routers and a neighbouring forms EIGRP, EIGRP neighborhood between the router in the DMZ and the branch drops! See following the DMZ router log file:

  1 = to branch tunnel

  Tunnel of 100 = internal

  002885:. 3 Mar 22:32:57.013: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed State to
  002886:. 3 Mar 22:33:06.029: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is on the rise: new adjacency
  002889:. 3 Mar 22:33:58.434: % LINK-3-UPDOWN: Interface Tunnel100, changed State to
  002890.: 3 Mar 22:33:58.438: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed State to
  002891:. 3 Mar 22:34:15.370: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is on the rise: new adjacency
  002892:. 22:34:30.551 3 Mar: % DUAL-5-NBRCHANGE: 1 IPv4 EIGRP: neighbour 172.17.205.61 (Tunnel1) is falling: expiry of hold time
  002893:. 3 Mar 22:34:47.015: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, state change downstairs

  The IPSec tunnel, for the branch remains in place throughout.

  Can anyone help!?

  The problem was that whenever the GRE Tunnel established between internal and DMZ routers and a forms of EIGRP neighbor branch was learning the next hop to the destination of tunnel from a different device.

  This is how the branch was to learn the route to the tunnel destination:

  Tunnel1 interface

  Tandragee Sub Station router VPN Tunnel description

  bandwidth 64

  IP 172.17.205.62 255.255.255.252

  no ip-cache cef route

  delay of 20000

  KeepAlive 10 3

  source of tunnel Loopback1

  tunnel destination 172.17.255.23

  be-idz-vpn-01 #sh ip route 172.17.255.23

  Routing for 172.17.255.23/32 entry

  Through the 'static', the metric distance 1 0 known

  Routing descriptor blocks:

  * 172.17.252.129

  Path metric is 0, number of shares of traffic 1

  be-idz-vpn-01 #sh ip route 172.17.252.129

  Routing for 172.17.252.128/25 entry

  Known via 'connected', distance 0, metric 0 (connected, via the interface)

  Routing descriptor blocks:

  * directly connected by GigabitEthernet0/1

  Path metric is 0, number of shares of traffic 1

  be-idz-vpn-01 #.

  This is how the next hop as learned GRE Tunnel between internal and DMZ routers

  be-idz-vpn-01 #sh ip route 172.17.252.129

  Routing for 172.17.252.128/27 entry

  By the intermediary of "eigrp 1", the known distance 170, metric 40258816, type external

  Redistribution via eigrp 1

  Last updated on Tunnel100 192.168.5.66, ago 00:07:25

  Routing descriptor blocks:

  * 192.168.5.66, 192.168.5.66, there is, through Tunnel100 00:07:25

  Path metric is 40258816, 1/number of shares of traffic is

  Time total is 10110 microseconds, minimum bandwidth 64 Kbps

  Reliability 255/255, MTU minimum 1476 bytes

  Loading 1/255, 2 hops

  We can see how the next hop to the destination of tunnel 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 known via "eigrp 1" through Tunnel100.

  This case causes the Tunnel 1 drops.

  The reason for this behavior was because the road to reach the next hop was acquired with a longest match through tunnel interface so that he won the race to the routing table.

  The solution we applied:

  Created a list of distribution on the branch office router in order to remove this specific route Tunnel 100 updates.

  Router eigrp 1

  distribute-list 1

  Network 10.10.10.0 0.0.0.3

  network 172.17.203.56 0.0.0.3

  network 172.17.203.60 0.0.0.3

  network 172.17.205.60 0.0.0.3

  network 172.19.98.18 0.0.0.0

  network 192.168.5.64 0.0.0.3

  passive-interface Loopback1

  be-idz-vpn-01 #sh access-list 1

  IP access list standard 1

  10 deny 172.17.252.128, wildcard bits 0.0.0.127 (1 match)

  20 permit (1230 matches)

  be-idz-vpn-01 #.

  Once this has been applied, we could have the GRE Tunnel established between internal and DMZ routers with the tunneld ACCORD between the branch and the router in the DMZ.

• Uninstalling vshield app requires a restart of the host?

  We are upgrading vsphere 5.1 to 5.5 and plan to uninstall apps vshield to do a fresh install.  We will migrate the hosts, but not vshield apps, then install new applications in the environment of 5.5...

  Thank you!

  -anne

  Hi Anne,.

  Uninstalling vShield app requires the host to restart and you keep the VMs and then uninstall of vShield manager. This will remove the filters from the NIC--> modules to remove the host, followed by restart.

  If your cluster tolerates the failure of the single host, you can do without virtual machine downtime.

• HA and DRS

  I want to confirm something I've heard which seems to contradict what I've learned in the classroom.   If the DRS and HA are implemented on a cluster AND the failure of an ESX Server, the virtual machines on the host CAN live migrate to another host?    I was told in class that VMs will be always powered down if HA is implemented.  So which is true?

  In addition, if the DRS and HA have been implemented on a cluster and we will say I pull the plug on an ESX host... it is not enough time to migrate VMs live, so I'm inclined to believe that's NOT true.

  Let me see if I can summarize-------.

  HA - protects you in the event of a failure of the host - if a host fails (you pull the plug) the virtual machines running on this host will restart on the other nodes in the cluster and if DRS is activated it then make sure that virtual machines draw their resources. The way the cluster hosts know that they are alive is by the HA heartbeat if heart rate is not detected a host of the cluster think the host has failed, but he could not because of network problems - host is then described as being isolated but not bencessaryily down, so virtual machines on it are still running - the cluster tries to restart virtual machines but not power because the VMDK will be locked - this is where isolation answer comes to you can get the Power Down the VMs host to the HA cluster to restrt them (moving) or let them powere gift there is no failure (where they are). VMotion and DRS has nothing to do with VMware HA-

  FT - whicxh is a feature of the Enterprise Plus can have NO downtime in the event of a failure of the host and also protects from the questions of the o/s and - if there is a failure that the VM mirroring resumes instantly with no downtime of fault tolerance.

  If you find this or any other answer useful please consider awarding points marking the answer correct or useful

• addNode.sh fails when voting records are placed in ASM

  Hello Forum, adding a node with script addNode throws an error when voting records are placed on ASM. Has anyone else had this problem or ideas?
  Thanks a lot for your help.
  
  
  [grid@host02 bin] $ sh - x./addNode.sh-silencieux 'CLUSTER_NEW_NODES = {host01}' "CLUSTER_NEW_VIRTUAL_HOSTNAMES = {host01-vip}.
  + OHOME=/u01/app/11.2.0/grid
  + INVPTRLOC=/u01/app/11.2.0/grid/oraInst.loc
  + ADDNODE='/u01/app/11.2.0/grid/oui/bin/runInstaller addNode - invPtrLoc - /u01/app/11.2.0/grid/oraInst.loc ORACLE_HOME=/u01/app/11.2.0/grid-silent CLUSTER_NEW_NODES = CLUSTER_NEW_VIRTUAL_HOSTNAMES {host01} = {host01-vip}'
  + ' [' "= Y o '!' /u01/app/11.2.0/grid/cv/cvutl/check_nodeadd.pl f ']'
  + CHECK_NODEADD='/u01/app/11.2.0/grid/perl/bin/perl /u01/app/11.2.0/grid/cv/cvutl/check_nodeadd.pl - pre-silent CLUSTER_NEW_NODES = CLUSTER_NEW_VIRTUAL_HOSTNAMES {host01} = {host01-vip}'
  + /u01/app/11.2.0/grid/perl/bin/perl /u01/app/11.2.0/grid/cv/cvutl/check_nodeadd.pl - pre-silent ' CLUSTER_NEW_NODES = {host01} "' CLUSTER_NEW_VIRTUAL_HOSTNAMES = {host01-vip}'"
  + ' [' 1 - eq 0 ']'
  [grid@host02 bin] $
  
  /U01/app/11.2.0/grid/cv/log/cvutrace.log.0 output:
  < snipped >
  TaskVotingDisk: voting disk: TASK_SUMMARY: FAILURE: CRITICISM: VERIFICATION_FAILED
  ERRORMSG (Global): PRVF-5430: the disk configuration does not meet the recommendation of the Oracle of three locations on the disk to vote to vote
  ERRORMSG (Global): PRVF-5431: verification of configuration Oracle Cluster voting disk failure
  ERRORMSG (host01): PRVF-5449: location of verification of vote of the "ORCL:SPT_OCRVOTE01(ORCL:SPT_OCRVOTE01)" drive failed on the following nodes:
  ERRORMSG (host01): no such file or directory
  ERRORMSG (host01): PRVF-5449: location of verification of vote of the "ORCL:SPT_OCRVOTE02(ORCL:SPT_OCRVOTE02)" drive failed on the following nodes:
  ERRORMSG (host01): no such file or directory
  < snipped >
  
  Edited by: user12857528 11/14/2010 18:39

  Hello
  It reminds me of a mistake that I've met.
  In the addnode.sh script Oracle included cluvfy (-pre nodeadd), who with 11.2.0.2 also a shared device checks.

  Unfortunately this check of the aircraft (sometimes) will fail, since shared cluvfy device control does not always work correctly.
  A lot of other ppl. here probably already recognized installation 11.2.0.2 often will tell you that the sharedness of devices is not OK. You can ignore the installation, but not for addnode.

  So if you are sure, that your devices are shared (which seems OK after your release), you will need to disable the precheck required in the addnode.sh.

  Simply follow these steps:

  Export IGNORE_PREADDNODE_CHECKS = Y

  before calling the addNode.

  Concerning
  Sebastian

• Questions of pre-installation on IPS on Cisco ASA Cluster

  Hello

  I'm looking for some configuration directives and IPS.

  I have a Cisco ASA Cluster with an IPS Module and I would like to know the best way to go about setting it up.

  We have a customer who requires their web servers to be protected with the IPS Module.  I have the following questions:

  1. is it possible to install the IPS in learning mode type to see what kind of traffic is hitting?

  2. can you syslog alerts?

  3. is it possible to use snmp around alert also interrupts?

  4. If you put it in promiscuous mode (SDI) what it means when you receive an alert about a possible attack, an administrator must log on the

  Firewall and block traffic if they choose to do so?  Is it possible for an administrator to block traffic (or leave if his)

  a false positive in IPS) without having to connect to the ASDM?  If you have a scenario where you don't want to give users access to

  the firewall, what is the best way to go about this?

  5. is it possible to set up an alert that if this is a DDOS email alert, if it's a handshake of split then just syslog alert?

  6. I'm afraid that if I put it with a profile he can start blocking valid traffic.  What is the best way to start with IPS to protect

  a server?

  7 if its possible to syslog, what kind of detail is the capture of syslog?  Need name attack, etc.?

  A lot of questions!  I hope someone can help

  Thanks a mill

  1. is it possible to install the IPS in learning mode type to see what kind of traffic is hitting?

  Yes. There are several ways to do this, but the easiest way is to put the sensor in promiscuous mode (in the config of the ASA)

  2. can you syslog alerts?

  N ° the cisco IPS OS doesn't support syslog.

  3. is it possible to use snmp around alert also interrupts?

  Yes. But you must set the 'action' on each signature that you want to send a trap.

  4. If you put it in promiscuous mode (SDI) what it means when you receive an alert about a possible attack, an administrator must log on the

  Firewall and block traffic if they choose to do so?  Is it possible for an administrator to block traffic (or leave if his)

  a false positive in IPS) without having to connect to the ASDM?  If you have a scenario where you don't want to give users access to

  the firewall, what is the best way to go about this?

  Who should perform the analysis of IPS events have generally sufficient privilege and access to make any changes necessary to your firewall security and IPS sensors. It takes time, knowledge and skills for the analysis of the IPS. Most customer do not have the resources to do the job that you describe.

  5. is it possible to set up an alert that if this is a DDOS email alert, if it's a handshake of split then just syslog alert?

  No syslog. You can set alerts email on a per-signature basis.

  6. I'm afraid that if I put it with a profile he can start blocking valid traffic.  What is the best way to start with IPS to protect

  a server?

  Start in "Promiscuous" mode and see what hit the signatures. Investigate them, adjust your false positive until you have a tight game, an action of signatures. Then switch to online mode.

  7 if its possible to syslog, what kind of detail is the capture of syslog?  Need name attack, etc.?

  No syslog.

  -Bob

• Replace an ASA in a Cluster

  I have a cluster active / standby with two ASA5510 and I want to change one of them, because an ASA5510 is damaged. Both have a CSC - SSM module. What should I consider?

  (Licensing, Configuration,...)

  In the failover configuration, make sure that both units in a failover configuration must have the same hardware configuration. They must be of the same model, have the same number and types of interfaces, the same amount of RAM and installed the same SSMs, ASA 5500 series security appliance (if any).

  The two units do not have to have the same size Flash memory. If using units with memory sizes different Flash in your failover configuration, check the unit with the smaller Flash memory has enough space to accommodate the files the software image and configuration files. If it is not the case, the synchronization of the configuration of the device with the largest Flash memory to the unit with the smaller Flash memory will fail.

• SSL VPN using ASA 5520 mode cluster - several problems

  I configured 2 ASA 5520 s in the load balancing cluster mode. I connect using anyconnect and I download the customer the first time and everything works well except outlook. I don't know why outlook does not work.

  The second problem is after the anyconnect client is installed on your machine, he remembers that ASA (say ASA2) he first connected and the GUI shows the address IP of ASA2 instead of the virtual IP address of the cluster. I want users always connect using the virtual IP address.

  The third problem I have is there is a default group of SSL VPN and I want all users to use this group. In the initial web page, there is a drop down menu which shows that this group, but I still want to disable this menu drop-down.

  Any suggestions?

  To disable the drop-down menu, you can turn it off with the command

  WebVPN

  no activation of tunnel-group-list

  This will take care of your last issue.

  ***************************

  You can create a profile of the Anyconnect client with the name of the server you want to connect with and that make the ASA that will solve your problem of virtual IP.

  **************************

  Regarding Outlook, do you use specific ports which allows inspection of the ASA. Take a look at the list of inspection on the SAA and perhaps try to disable inspection and see if it works.

  *****************************

• Capacity of the crypto ipsec Cisco ASA 9.1 stats system failures

  Hello

  I'm trying to find some performance issues on one ASA centralized and some site VPN settings.  I already address bits of fragmentation and flow control which seeks to solve performance problems, but I came across something that I can't identify to understand what he said.

  I can't seem to find any documentation that explains what triggers the counter for "Capacity of the system failures" on the stats command see the crypto ipsec:

  crypto ipsec sho stats #.

  IPsec statistics
  -----------------------
  The active tunnels: 41
  Previous tunnels: 8999
  Incoming traffic
  Bytes: 8292491846127
  Decompressed bytes: 8292491846127
  Packages: 25115896849
  Packet ignored: 1291637
  Review of chess: 220
  Authentications: 25114592561
  Authentication failures: 0
  Decryptions: 25114592564
  Decryption failures: 0
  TFC packages: 12836
  Fragments of decapsules who need reassembly: 17418535
  Invalid ICMP received errors: 0
  Invalid ICMP received errors: 0
  Outgoing
  Bytes: 37818073925334
  Uncompressed bytes: 37818837785556
  Packages: 38014583887
  Packet ignored: 2413164
  Authentications: 38020189281
  Authentication failures: 0
  Encryption: 38020191839
  Encryption failures: 0
  TFC packets: 0
  Success of fragmentation: 7763651
  Fragmentation before successses: 7763651
  After fragmentation success stories: 0
  Fragmentation failures: 267158
  The failures of previous fragmentation: 267158
  Fragmentation failures after: 0
  Fragments created: 15527302
  PMTUs sent: 267158
  PMTUs rcvd: 185
  Protocol of failures: 0
  Missing chess SA: 255102
  Outages of capacity: 3167258

  Does anyone have knowledge of what this is referring to specifically?

  Cheers, Dale

  Hello

  What is the model of the ASA you have and how many vpn sessions you get on average during peak hours?

  Lack of capacity occurs when it is short of ability of the material or the use...

  Concerning

  Knockaert