In this article we have collected the answers to the questions on the topic Troubleshooting ASA, PIX, and FWSM.
Note: The answers were provided by Kureli Sankar and are available in the Ask The Expert section of the Cisco Support Community.
Q&A: How to Troubleshoot ASA, PIX, and FWSM?
ASA/PIX-Basic Configuration
Q. Is ASA 5500 limited to one outside interface?
A. No, there are customers who are running a DMZ both public-facing and internet-facing, and who even have the inside port internet-facing. Basically, you could have 2 interfaces internet-facing, but only one is the default route.
Q. Is it possible to have two (2) inside interfaces on the same subnet on ASA 5505/5510?
A. Meaning, inside1 and inside2? Certainly. On the same subnet? No. It has to be on a different subnet.
Q. Can reserved addresses be configured in the DHCP scope on the DHCP server on the ASA?
A. Yes, you can configure those scopes from 10 to 20, and start off at 30 to 40, ignoring the small segment left out.
Q. We set up our ASAs via CLI and plan to implement CSM to manage the Firewall and VPNs. Are there any issues or reasons why we should not use CSM?
A. No, I don’t see any reason why not to use CSM. People use CSM because many people are involved in making minor, access-less changes that work on a shift basis and don’t have privilege 15 access on the firewall. It allows people to make requests for changes, etc. It also allows for archiving of changes, which allows you to roll back a config if it doesn’t work. But bear in mind, once you start managing a device with CSM, only make changes from CSM. DO NOT make changes with CLI, only from CSM. If you make changes with CLI, then implement changes with CSM, your CLI changes will be ignored.
Q. What are the different modes you can run on the ASA firewall and what is the most practical mode to run the ASA?
A. There are two modes you can run a firewall in:
– Routed
– Transparent
In routed mode, the ASA is a hop in the network; in transparent mode, the ASA is not a hop and works at Layer 2. A transparent firewall can only use 2 interfaces for traffic filtering and can be installed in an existing network with minimal changes. It completely depends on the security policy/environment as to which mode would suit the network.
ASA/PIX-Software Versions
Q. Why should we upgrade to ASA Version 8.3 considering the learning curve with changes to the NAT rules?
A. ASA version 8.3 has new features like Smart Call Home, global ACLs, VPN and inspection enhancements that could be very useful to people. I would suggest looking at the ASA 8.3 Release Notes for all the new features. As a side note, the learning curve is something that will take time. One more advantage is that NAT will be simpler in ASA 8.3. I hope this makes sense.
Q. When I upgraded to 8.3, our NAT quit working. Looking through the Release notes and Migration guide, we didn’t see any notes on this or even procedures to take before the upgrade. Do you have any suggestions?
A. The Release notes say that you need to upgrade memory, but the rest of the migration should go smoothly. Also, the notes say how to downgrade using the downgrade command. Now, if you are facing issues, you could be hitting one defect we have seen with ACL migration or one with overlapping NATs. I am not sure which exactly. I would suggest downgrading if there are issues and keeping a copy of the 8.3 config to talk to TAC to see if you hit the defects I mentioned.
Q. I have an ASA 5510 running 7.0(6). If I upgrade to 8.2, will I have to update the config file for incompatibility?
A. There have been a few commands which were changed/deprecated from 7.0 -> 8.2. Hence, it would be better to do a step-by-step upgrade so that command changes are done accordingly: 7.0 -> 7.1 -> 7.2 -> 8.0 -> 8.2.
Q. What special considerations do I need to consider when I have to put private addresses on the outside of the ASA? In this case, we have a subordinate campus that wants their own ASA but we are in 10.1.1.x here for their uplink (We are the ISP).
A. Private IP addresses are used to save address space. They will work like other IP addresses as long as the routing is in place. I am not sure exactly how you will assign private IP addresses to a campus reachable from the internet, but you need to consider routing, and also that, following RFC1918, network administrators might sometimes block private IP addresses on their routers, firewalls, etc. Otherwise the private ranges can be used exactly as public ones. I hope it helps.
Q. I’m using an ASA 5505. When copying a config from tftp to startup config, is startup config merged with the tftp config like when using pix w/ 6.3, or is the startup config overwritten completely?
A. The config is completely overwritten; only when you copy over to the running config does it merge. Once you copy over to the startup config, it will completely overwrite the startup config.
Q. Can I copy the config from ASA5550 to ASA5540?
A. Yes we can. However, keep in mind that ASA5550 comes with a bundled 4-GE-SSM module. If these interfaces are in use on ASA5550, but do not exist on ASA5540, configuration related to those interfaces will be ignored.
Failover
Q. We have our failover going through a switch. Is this preferred over a cable? We had a module fail that had the primary interfaces and the failover on it, so the ASA did not fail over. We assume that to fix this, we need to move the failover to a different switch blade than the primary interfaces. Is this correct?
A. That would be correct. The firewall performs an ARP test before failing over when the failover link goes. It will ARP out all interfaces for its peer to see if it can elicit a response. If any response is received, a failover will not take place, so as to avoid an active/active scenario. With the failover link down, the two firewalls cannot communicate their status to each other. In your case, they probably saw each other on another interface, preventing the failover.
Q. Are VPNs supported in an active/active configuration?
A. When the security appliance is configured for security contexts (also called firewall multimode) or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable.
Q. Can you configure two 5500 ASAs in failover mode using the management interface to connect the two?
A. Yes. However, keep in mind that Management interfaces are FastEthernet interfaces. If you plan to share the stateful link with the failover link as well, you should use the fastest interface available on the unit.
Q. Is it possible to have a failover ASA that does not have the AIP – SSM installed when the primary has the AIP-SSM installed?
A. Yes. However, if the configuration is utilizing AIP-SSM, then this would not work.
Q. Shouldn’t stateful failover include routing information / OSPF negotiations if customers aren’t supposed to notice an outage during a failover event?
A. Correct. Currently, dynamic routing tables are not replicated from the active to the standby unit. There is an enhancement request filed to add this feature; refer to bug ID CSCsu90386 (registered customers only).
Q. Is there a roadmap to adding routing tables to stateful failover? We have ASAs in stateful failover, but that is worthless as we need to wait 20-40 seconds for OSPF to update the routing tables on the newly active ASA when a failover occurs.
A. Yes. This is on the roadmap. There is an enhancement bug filed for this; refer to Bug ID CSCsl08631 (registered customers only). You can track the progress of this request or you can work with your Accounts team to get this feature added in future releases.
Q. Can we upgrade the firmware for a pair of firewalls in HA mode without downtime? Especially since only one of the firewalls needs to be upgraded.
A. You can use the ‘Zero-downtime upgrade’ procedure. Please find the procedure at the following link:
https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mswlicfg.html#wp1053398
Q. What is the difference between STATE failover and LAN failover? Types of failover like LAN, STATE, and Serial: what is the exact difference?
A. There are two types of failover mechanisms:
– Cable-based failover (only on PIX)
– LAN-based failover
In cable-based failover, a serial cable is connected between the two firewalls, over which failover communications happen. In LAN-based failover, [fast/gig] Ethernet ports of the two units are connected, and failover communications occur over them. Stateful failover is an additional feature which can be utilized with cable/LAN failover. This feature allows replication of the state table from the Active to the Standby unit. Thus, in the event of a failover, the user does not have to re-establish the connection.
Q. Between these two commands, failover interface ip FAILOVER and failover interface ip STATE, what is the difference?
A. One is for the failover interface, the other is for the stateful link. Stateful means that the TCP state will be updated between the two machines over the STATE link. Sometimes the failover and STATE links are over the same line. When a failover happens and stateful is not defined, all the TCP and UDP sessions have to be re-established.
Q. For ASA5510, would it be better to use the 1GE interface or the 100T interface as the failover interface? Which is sufficient to serve as the failover interface?
A. For these connections, will you be routing the traffic out to an intermediary device on the outside interface then back to the ASA? Without knowing the exact requirements it is hard to say exactly how this will be accomplished. Here is a link for intra interface communications on the ASA. https://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a0080734db7.shtml
Q. Do route tables sync in 3.1 failover?
A. No. For example, OSPF will need to re-converge after a failover event. I hope it makes sense.
ASA/PIX-Support
Q. Do the ASA5505 and 5510 support DMVPN with the SR520?
A. ASA does not support DMVPN.
Q. Is it still recommended to keep the number of firewall rules small?
A. You can say that it is a good recommendation. It makes the ACE search faster, so your firewall can process packets faster. Most people will not notice any difference, but we have seen CPU issues in the past with huge ACLs (~400K on an ASA). I hope it helps.
Q. To confirm, the ASA doesn’t do routing protocols/BGP for multiple internet connections? Must one use a router or L3 switch?
A. Correct. The ASA will not do BGP. It can do RIP, OSPF, EIGRP. The FWSM will support BGP. I hope it clarifies it.
Cisco ASA-QoS
Q. Can the ASA set QoS tags?
A. Nope. The ASA will match and police/shape/prioritize based on tags. But it cannot set them.
Q. I have a Cisco 5510 and several Cisco 5505s. At each location we have a Cisco 5505 with 2 types of traffic: staff and public. How can I set up QoS or prioritization for our staff so they get priority through the VPN?
A. There is a very good example here https://supportforums.cisco.com/docs/DOC-1230#Traffic_Policing_with_Prioritization
You match on the staff traffic and you police the rest of your VPN. Note that you need to police in order for prioritization to kick in. So decide how much your VPN will take and prioritize traffic that matches the staff. I hope it helps.
Q. We are using phone proxy on our ASA5520 in our organization. Is there anything that can be done to improve call quality?
A. The ASA does provide functionality for QoS and priority queuing of the voice traffic. This typically only comes into play if the interfaces are being saturated with traffic. Besides QoS, we would need to take a look at the interfaces to see if there are any errors or indications of problems. It may be something further upstream which is causing the quality issues. It is also important to monitor when the problem occurs. Does it only happen during peak times? This would be an indication of link saturation.
ASA/PIX-Issues
Q. I’m running an ASA 5505 on my network and my VPN tunnels drop at random times. Some stay up for 20 days, others fail in 15 minutes. Do you know why I would see this activity?
A. I’m not really sure on the answer for that one. Usually the lifetime of a tunnel is defaulted to a specific number. Sorry.
Q. I’m having high latency after switching to ASA 5505. Any suggestions?
A. I would suggest checking the interfaces first. Do a “sh interface | i error” on the ASA and connected devices. If you see errors, check for a duplex or speed mismatch. If not, check the load on the ASA with “sh cpu” and “sh interface” and look for high CPU or overruns or underruns. Those could relate to too much traffic. Finally, if the above doesn’t help, try to capture packets for a slow flow in and out of the ASA to try to eliminate where the slowness/drops are introduced. It could be a pipe oversubscription issue also. I hope it helps.
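As an added example, not from the original Q&A, the Python below applies the checks in the answer above to “sh interface” output: it parses each interface’s error counters and speed/duplex line, then reports interfaces showing CRC/frame/runt errors (mismatch symptoms), overruns/underruns (load), or forced speed/duplex. The sample output is constructed to resemble ASA 8.x formatting and is not from a real device; the counter names read and the wording of the findings are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on ASA 8.x "show interface" output, trimmed to
# the lines this check reads; not captured from a real device.
SAMPLE_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Received 120 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1622980 packets output, 211394012 bytes, 0 underruns
        0 late collisions, 0 deferred
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        Full-duplex, 100 Mbps
        Received 3320 broadcasts, 41 runts, 0 giants
        5123 input errors, 5082 CRC, 41 frame, 318 overrun, 0 ignored, 0 abort
        8622980 packets output, 5211394012 bytes, 12 underruns
        0 late collisions, 0 deferred
"""

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+)')
COUNTER_RE = re.compile(
    r"(\d+)\s+(input errors|CRC|frame|overrun|underruns|late collisions|runts)\b")

@dataclass
class Iface:
    name: str
    nameif: str
    auto_negotiated: bool = True          # False when speed/duplex are hard-coded
    counters: dict = field(default_factory=dict)

def parse_show_interface(text: str) -> list:
    """Split 'show interface' output into one Iface record per interface."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Iface(name=m.group(1), nameif=m.group(2))
            ifaces.append(cur)
        elif cur is not None:
            low = line.lower()
            if "duplex" in low and "auto-duplex" not in low:
                cur.auto_negotiated = False   # e.g. "Full-duplex, 100 Mbps"
            for num, key in COUNTER_RE.findall(line):
                cur.counters[key] = int(num)
    return ifaces

def assess(ifaces: list) -> dict:
    """Map nameif -> findings, following the checks in the answer above."""
    findings = {}
    for it in ifaces:
        c, notes = it.counters, []
        if c.get("CRC", 0) or c.get("frame", 0) or c.get("runts", 0):
            notes.append("CRC/frame/runts: check for a speed or duplex mismatch with the neighbour")
        if c.get("late collisions", 0):
            notes.append("late collisions: this side is half-duplex against a full-duplex neighbour")
        if c.get("overrun", 0) or c.get("underruns", 0):
            notes.append("overruns/underruns: unit not keeping up, check 'sh cpu' and traffic load")
        if not it.auto_negotiated:
            notes.append("speed/duplex forced: confirm the neighbour is forced identically")
        if notes:
            findings[it.nameif] = notes
    return findings
```

Run the same parser against the neighbouring switch port’s counters as well; a mismatch shows up as CRC/frame errors on the full-duplex side and late collisions on the half-duplex side.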
Q. I have an ASA 5510 running IOS version 8.2.2 Device Manager 6.2.5.53. I have been constantly having memory issues since upgrading to these versions. I have opened multiple TAC cases for this issue, but have yet been able to have this issue resolved. I run the same configuration on ASA 5520’s with no issues. Are there known memory issues with this IOS and Device Manager version when running on a 5510?
A. There are some memory leak issues with the 8.2.2 version; however, those are *not* specific to the ASA5510 platform. I think we first need to establish if what you are running into is a memory leak issue or high memory utilization. To track this, you should check what the status of free memory is just after the device boots up. If the free memory % is very low, then possibly it’s the size of the configuration (typically ACLs) which could be eating up memory. If the device boots with ample free memory %, but this gradually decreases, it means you are running into a memory leak issue. Tracking down which memory leak bug you are running into needs more comprehensive data for analysis. If possible, you can upgrade to the latest CCO release available and track from there if you are facing a memory leak issue.
Q. I’ve been having a problem where there is no “no shut” for inside or outside interfaces on our ASA 5505. Is this a problem specific to ASA 5505?
A. Are you trying to do “shut – no shut” under the vlan or the interface? Note that the 5505 has vlan interfaces and the physical interfaces. You should be able to do a “shut – no shut” under the physical. Please elaborate with a snippet if that is what you are trying to do.
Q. What would be considered an excessive amount of TCP connections using the “sh local | i host|count/limit” command you mentioned?
A. In regards to what would be considered “normal”, it is dependent on your situation. If you were a small company with a web server, it may have up to 40 to 50 connections. If you were a big company/enterprise (eBay, PayPal, etc.), they may have thousands of connections. It really depends on the size of the network along with how many users are on the network. Another indicator is the embryonic count. If it’s above 200-300, then there is clearly something wrong/malicious traffic.
Q. Can you explain the sh local | i host | count/limit command?
A. That command is used for isolating specific hosts which may be generating an abnormally high number of connections. Suppose you have a client on inside which is infected with a virus and scanning the network. This command will parse through the local host entries and output each host seen as well as the total number of connections associated to that host.
Q. Is the “sh local | i local | count/limit” command version specific?
A. No. It should work in 7.2 and 8.x versions.
Q. I have SSH running on the ASA. Why does my config prompt for the enable password each time? It seems that level 15/priv 15 works for routers, why not the ASA?
A. Yup, the ASA will not get you to enable mode right away even for the priv15 users. It was by design.
FWSM
Q. We are running FWSM 4.0(8) on my network. We have a scheduled failover test coming up and, occasionally in the past, failover worked but sessions would not establish after the failover until a “clear xlate” was performed. Is 4.0(8) affected by this issue – that is, will we have to “clear xlate” after each failover?
A. No, you should not have to initiate a “clear xlate” after any failover. I have not run into any known defects that require a clear xlate. Failover should be very smooth and, if you configured a stable failover, you do not have to clear xlate and configure the sessions again. It should be seamless.
Q. Is there a quick reference guide to differences between the 3.1x train and 4.0x train of the FWSM?
A. There isn’t a quick reference guide for the main differences. The best place to learn what changes have occurred is to look at the release notes. Please look at the links provided in the Powerpoint (and at the bottom of this post).
Q. Is there a link on upgrading the FWSM firmware from 3.1(6) to 3.1(18) and how disruptive is it?
A. It’s not disruptive at all. The following link steps through this procedure. Download the image, put it on your TFTP server and copy the image onto both of the units. Then reload the active unit so the standby unit will become the active unit. Once the first unit is done updating, you can do the same to the other unit. If it’s just one unit, then just reload it with the image. Please note this is for maintenance release upgrades only.
https://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/swcnfg_f.html#wp1057450
Q. Our FWSM is running version 3.1(6) with Device Manager 5.2(3)F , what version of code do you recommend I upgrade to?
A. If you are planning for an upgrade, unless there are specific features you require in a later release, it is best to stay on the current minor build (2nd number) and go to the latest maintenance release available (3rd number). Currently we are on 3.1(18).
ASA-PIX-FWSM-Difference
Q. Hi, I would like to know the exact difference between ASA and FWSM. As per my understanding, I found only a throughput difference.
A. The FWSM is a specialized firewall designed to be installed in the 6500 switching platform. The hardware architecture has been designed to complement the switch and allows for greater performance. The ASAs are standalone firewalls, but support features not found on the FWSM. This includes IPSec/SSL VPN and content filtering, among others. The higher-end ASAs also have performance numbers that can compete with the FWSM.
Q. What’s difference between ASA, PIX and FWSM?
A. The FWSM is a specialized firewall designed to be installed in the 6500 switching platform. The hardware architecture has been designed to complement the switch and allows for greater performance. The ASAs are standalone firewalls, but support features not found on the FWSM. This includes IPSec/SSL VPN and content filtering, among others. The higher-end ASAs also have performance numbers that can compete with the FWSM. You can also install additional modules like AIP-SSM/CSC-SSM on ASA platforms to get Intrusion Prevention or Content Security. PIXes are older platforms much like ASAs; however, they do not support additional modules like AIP-SSM/CSC-SSM.
Miscellaneous
Q. Recently, our company got hit with a virus and the infected PCs were sending data to the internet. How can we stop this immediately using the firewall, and what indicators would we need to look for in the firewall logs to identify the infected PCs?
A. We reviewed a command in the presentation: “show local | include host | count/limit” (located in the High CPU usage portion of the presentation). If you can run that command, it will show you the individual IP addresses inside the firewall and the UDP and TCP connections they have established to the internet. Then you can go onto that PC and see what’s wrong with it.
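This answer and the two earlier ones about “sh local | i host|count/limit” describe reading the output by eye. As an added example, not part of the original Q&A, the Python below parses that filtered output and flags hosts whose connection or embryonic counts fall outside the expected profile, using the 200-300 embryonic figure given earlier as the threshold. The sample output is constructed to approximate ASA 8.x formatting and is not from a real device; the total-connection threshold is an assumption to baseline per network.

```python
import re
from dataclasses import dataclass

# Constructed sample approximating the output of "show local-host | include
# host|count/limit" on an ASA 8.x; not captured from a real device.
SAMPLE_LOCAL_HOST = """\
local host: <10.1.1.20>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 3/unlimited
local host: <10.1.1.77>,
    TCP flow count/limit = 1840/unlimited
    TCP embryonic count to host = 412
    UDP flow count/limit = 950/unlimited
local host: <10.1.1.30>,
    TCP flow count/limit = 45/100
    TCP embryonic count to host = 2
    UDP flow count/limit = 0/unlimited
"""

HOST_RE = re.compile(r"^local host: <([\d.]+)>")
TCP_RE = re.compile(r"TCP flow count/limit = (\d+)/(\d+|unlimited)")
EMB_RE = re.compile(r"TCP embryonic count to host = (\d+)")
UDP_RE = re.compile(r"UDP flow count/limit = (\d+)/(\d+|unlimited)")

@dataclass
class HostStats:
    ip: str
    tcp: int = 0
    tcp_limit: "int | None" = None   # None when the ASA reports "unlimited"
    embryonic: int = 0
    udp: int = 0

def parse_local_host(text: str) -> list:
    """Build one HostStats per 'local host:' block; other lines are skipped."""
    hosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            cur = HostStats(ip=m.group(1))
            hosts.append(cur)
        elif cur is not None and (m := TCP_RE.search(line)):
            cur.tcp = int(m.group(1))
            cur.tcp_limit = None if m.group(2) == "unlimited" else int(m.group(2))
        elif cur is not None and (m := EMB_RE.search(line)):
            cur.embryonic = int(m.group(1))
        elif cur is not None and (m := UDP_RE.search(line)):
            cur.udp = int(m.group(1))
    return hosts

def flag_suspects(hosts: list, embryonic_threshold: int = 200, conn_threshold: int = 500) -> list:
    """Return (ip, reasons) for hosts outside the expected profile; thresholds are assumed."""
    suspects = []
    for h in hosts:
        reasons = []
        if h.embryonic >= embryonic_threshold:       # 200-300 is the figure given above
            reasons.append(f"embryonic={h.embryonic}")
        if h.tcp + h.udp >= conn_threshold:          # baseline this per network
            reasons.append(f"connections={h.tcp + h.udp}")
        if h.tcp_limit is not None and h.tcp >= 0.8 * h.tcp_limit:
            reasons.append(f"tcp {h.tcp}/{h.tcp_limit} near configured limit")
        if reasons:
            suspects.append((h.ip, reasons))
    return suspects
```

Take the output of the unfiltered command during a quiet period first, so the connection threshold reflects what is normal for your inside hosts before you use it to pick out an infected one.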
Q. In which case would the server send TCP RST?
A. A server would send a TCP RST if the service requested by client is not active. Some applications may generate a RESET if they want to abruptly close a connection.
Q. Is there anything like the archive function found in Cisco IOS for the ASA? The purpose is to be able to automatically push a config change to an FTP server as well as automatically push the config on a schedule.
A. There are management tools that can do that like VMS RME/CSM and AUS. The ASA with AUS will pull configs from a server. RME will automatically archive and manage configs and images. Also please check the ASA command “write net” that can pull configs from tftp server whenever you want. I hope it helps a little.
Q. How do you figure out what number of embryonic connections and TCP/UDP max connections you should allow into your DMZ?
A. It depends on your servers. Someone that has 2 servers will allow less than someone that has 20. It also depends on what is normal for your networks. I would suggest keeping track of “sh conn | i <server ip address>” and deciding what is the normal profile for your servers. And then setting your limits a little above the normal. I hope it makes sense.
Q. If you will cover ASA VPN at all, does a dynamic access policy get ‘processed’ first when an ipsec user connects or does the group policy process the access request without using the DAP?
A. We will mostly focus on troubleshooting, not so much VPN today. Maybe later in the future. To answer your question the sequence is as follows: the user logs in, and gets the attributes from the tunnel-group, and group-policy, then DAP kicks in and any actions specified are then applied. I hope it helps.
Doc Reference from https://supportforums.cisco.com/docs/