the spyder
Feb 18, 2011
Has anyone ever had an ASA drop the WAN link after 4-5 minutes? The interface shows as up then down, yet the link lights never change. I can ping, then I can not. I am starting to wonder if it is my crappy DSL modem.


the spyder
Feb 18, 2011

adorai posted:

I've seen all sorts of cisco gear do this due to a speed/duplex mismatch or failure to auto negotiate (which is ultimately the same thing). Link comes up for a few minutes, then goes down.

I remember reading about it, I will go ahead and manually set the speed and see if it helps.

the spyder
Feb 18, 2011
Turns out my crappy DSL modem does not like me. I wiped the config, rebuilt it with DHCP for my vlan 2 outside address + told it to get the default route from dhcp and all is well. It has been up for 10+ hours straight.


Bit worried that I went a bit underpowered on the ASA5505 after doing some reading. I have three connections for this to handle, a 100mb Cable line + 5mb DSL + 100mb Fiber. I know we will be maxing the fiber pretty regularly. Thinking of upgrading to a 5515-x.

the spyder
Feb 18, 2011
Why does not a single supplier have a pair of ASA 5515-x's in stock?

the spyder
Feb 18, 2011
These showed up on my desk:



My entire network is HP Procurve, minus these two 5515-x's and two 5505's. Think I will have any issues getting them to play nice?

the spyder
Feb 18, 2011
I finally gave in and realized I did not have time to setup our new ASA5515-X's, so I brought in a consultant. So far things are going smoothly. How long would you estimate it would take to replace the existing router with two ASA5515-x's, setup a site to site vpn, and setup SSL vpn? Just curious.

What would you guys recommend for my heartbeat switches?

the spyder
Feb 18, 2011
Our environment is a bit more complicated and it seems this consultant is rather green... But he is smart and I am happy so far.

We have two 5515-x's at Site 1. Another two 5505's at Site 2. Both sites have cable and DSL internet connections, along with a site to site fiber link- handed off via 1gb ethernet.

His project is to replace the existing router, install the new ASA's with proper routing/etc. for the multiple internet connections/fiber, and setup the VPN. I was thinking this is a couple week project.

I had read that a crossover on the 5510's at least causes issues. If the second one comes back up with the crossover disconnected, it causes problems. The general recommendation is a switch. He would like to do two for HA, which I am ok with.

the spyder
Feb 18, 2011
I am giving up on the Cisco Consultant I hired to install 3 ASA5515-x. I had to add a default route to his config just so he could get the internet up in the test environment. That and he has taken over a month just to get basic configs done. You live, you learn. Sadly my budget takes the hit on this one... How is Smartnet? I purchased it with these. If I hit a config issue, can I call and get a reasonably quick response?

Anyways,
Has anyone used one of these?
http://gridconnect.com/bluetooth-to-rs232.html

the spyder
Feb 18, 2011

Martytoof posted:

Does the ASA have something like SDM? I don't know a thing about the ASA line other than some experience with a PIX like ten years ago, but I'm pretty sure given a month I could come up with a reasonable config :stare:

ASDM and I have configured several 5505's over the years. He did get HA setup and working, but could not figure out that the modem needed to be restarted when he could not get internet up... I built a dozen configs just playing with ASA's, but simply ran out of time. He came decently recommended and sadly just does not have a clue despite being CCNA/MCITP.

the spyder
Feb 18, 2011
ASA question: Other than a static route, do I need an ACL to allow internet access in the setup below?

I have a 5515-x (8.6.2) and a HP 5604zl. I have ip routing enabled on the HP, I can ping between the vlans- all of that works. My problem is I can not get internet on any of the vlans. I have my ip route configured on the HP and a static route configured on the ASA. I do not have any ACL's configured and I have seen it mentioned that there needs to be.

Thanks!

the spyder
Feb 18, 2011
I should clarify-
I have internet if I set the default gateway on the hosts to the ASA's inside IP.

Can you give me an example? I believe we do, I will need to remote in later to answer that.

the spyder
Feb 18, 2011

ragzilla posted:

Default ASA policy is to permit to lower security-level unless that changed in -X. The usual thing I see people missing is an outbound NAT/PAT if needed.

What should the outbound NAT/PAT look like?

the spyder
Feb 18, 2011

Sepist posted:

He's using 8.6 code

code:
 object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface
You can replace the 0 subnet with your matching inside networks if you want, you get the jist I hope.

Doesn't look like your PAT is the issue though since internet is fine if the host gateway is configured as the ASA. Does the HP have a default route to the ASA inside IP?

Thanks! I converted it last night, but did not have a chance to test it.

The HP is 10.20.28.254 and has: ip route 0.0.0.0 0.0.0.0 10.20.28.1
The ASA is 10.20.28.1. It has a static route: 10.20.0.0 255.255.0.0 10.20.28.254
It also has an existing network obj_any statement that fairly closely matches that one. I will check when I get to that site.

the spyder
Feb 18, 2011
It looks like I figured it out- it was my HP 5406zl. I needed to assign an IP to the default vlan, use that as the default gateway for the edge switches, and restart everything. Came right up. This works great, thanks!

the spyder
Feb 18, 2011
I have a good question: I finally got my ASA5515-x's in and setup, got my Anyconnect SSL vpn working, and hit a problem I am hoping there is a simple answer to.

It's actually 2 questions now that I think about it- First, I can not seem to resolve hosts by name when connected to the VPN- except for my Server 2008R2 boxes which are on the domain. (The rest of the workstations are not yet on the domain.) Why can I resolve my domain.local Hosts, but not workstations?

Second- I can not access other vlans. I can access everything on the Office Vlan- which hosts the ASA and my HP 5406zl L3 switch which takes care of my Inter-VLAN routing. I think this has to do with me using split tunneling. For any device on the network, its default gateway must be the Vlan's IP for it to talk with other Vlans. With split tunneling, there does not appear to be a default gateway. When I disable split tunneling, there is no internet access. I have not tried checking if I can access other vlans though. I will check this weekend.

Any input is welcome! Thanks!

the spyder
Feb 18, 2011
I'm starting to think my ASA hates me. I have an ASA5515-x and an HP procurve 5406 L3 switch handling vlans/inter-vlan routing. It works great, except other than the main vlan, none of the other vlans are getting internet access. DNS works fine on them, no ping or traceroute outside though. The worst part? It was all working fine before- the only thing I have done in the last week is attempt to setup a site-to-site VPN (which does not work and is another story.)

ASA 10.20.28.1
HP 10.20.28.254

VLAN 28- 10.20.28.254
VLAN 60- 10.20.60.254


On the ASA:
route 10.20.0.0/16 10.20.28.254

On the HP :
0.0.0.0 0.0.0.0 10.20.28.1

Devices in VLAN 28 work fine, internet works fine, I can ping/RDP devices in the 10.20.60.x subnet. I can ping/RDP devices in the 10.20.28.x from the 10.20.60.x subnet. I can ping from the HP to the Cisco, I can ping from the Cisco to VLAN 28 and VLAN60, I can ping from the HP to 8.8.8.8 just fine. The vlans use their IP as the default gateway (hence why routing is working.) But it's like the ASA does not know how to find the 10.20.60.x subnet. I tried setting more defined static routes, but that did not help.

What am I missing?

the spyder
Feb 18, 2011
*Edit- VLAN internet issue fixed.

Site to site VPN will not come up. The other router is a twin of this.

Here is the config:

REMOVED

the spyder fucked around with this message at 09:15 on Jan 30, 2013

the spyder
Feb 18, 2011

ragzilla posted:

This is why traffic doesn't work from the other subnet, change PATTOCOMCAST to be 10.20.0.0/16

Also this gives away your public IP range to anyone who knows how Comcast provisions "5 Static IP" customers?

And I don't see a crypto map anywhere in your config, unless they changed that in 8.6 you'll need one of those to match the "interesting traffic" as it egresses the Outside interface. Unless you're familiar with ASA CLI I'd recommend opening up ASDM and fixing your VPN from there, it might be easier to just tear it out (the VPN config) and run the wizard from scratch.

I owe you a beer if you're ever in Portland. Thank you. This makes complete sense, in my test lab I built the PAT- here I was going off what the contractor set it as. I swear I stared at this for a good hour today looking for anything like this. My head was exploding, haha.

I re-upped the full config. I built the VPN using the wizard and I am familiar with the CLI. It must be the route, if I login to the ASA and traceroute the router for the second site, it goes straight to my outside interface, not the Site2Site interface.

*Fixed-

Added a static route to the remote subnet via the site2site link.
route Site2site 10.10.0.0 255.255.0.0 10.15.1.100 1

the spyder fucked around with this message at 09:14 on Jan 30, 2013
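The two fixes in this post (widening the PAT object so every inside subnet is translated, and adding a route for the remote subnet via the Site2site interface) can be checked with a small model of the ASA's NAT match and longest-prefix route lookup. This is an added example using the addresses from the thread, not Cisco code; the narrow 10.20.28.0/24 object and the 203.0.113.1 Outside gateway are assumed stand-ins for values the post does not show.

```python
import ipaddress

# Constructed model of the ASA routing table described in the thread.
# Each route is (prefix, interface, next hop). The default route's next hop
# is a placeholder; the thread never gives the Outside gateway address.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "Outside", "203.0.113.1"),       # placeholder ISP gateway
    ("10.20.0.0/16", "inside", "10.20.28.254"),    # route to the HP 5406zl
]
# The static route added at the end of the post ("route Site2site ...").
ROUTES_AFTER = ROUTES_BEFORE + [
    ("10.10.0.0/16", "Site2site", "10.15.1.100"),
]

# Assumed narrower PAT object the contractor left behind, and the fix.
PAT_BEFORE = "10.20.28.0/24"   # assumption: only VLAN 28 was translated
PAT_AFTER = "10.20.0.0/16"     # what ragzilla told him to change it to


def route_lookup(dst, routes):
    """Longest-prefix match over the routes; returns (interface, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return (best[1], best[2]) if best else None


def pat_applies(src, nat_object_subnet):
    """'nat (inside,outside) dynamic interface' only translates sources that
    fall inside the network object; other sources leave untranslated and
    never get a reply from the internet."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(nat_object_subnet)


def internet_works(src, nat_object_subnet, routes):
    """A host reaches the internet only if its traffic egresses Outside
    and the dynamic PAT covers its source address."""
    iface, _ = route_lookup("8.8.8.8", routes)
    return iface == "Outside" and pat_applies(src, nat_object_subnet)


if __name__ == "__main__":
    # VLAN 60 host: no internet with the narrow object, works with /16.
    print(internet_works("10.20.60.10", PAT_BEFORE, ROUTES_AFTER))
    print(internet_works("10.20.60.10", PAT_AFTER, ROUTES_AFTER))
    # Remote site: default route sends it out Outside until the route is added.
    print(route_lookup("10.10.5.5", ROUTES_BEFORE))
    print(route_lookup("10.10.5.5", ROUTES_AFTER))
```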

the spyder
Feb 18, 2011
I have an absolutely odd one for you guys. Scheduled the down time to test my new ASA5515-x at our corp office. I plugged in the WAN- I can ping the modem/8.8.8.8 just fine- no problems there. I plugged in the LAN and nothing. I can not ping the internal gateway, I can not ping any internal hosts. From the core switch (HP 5406-zl) I can not ping the ASA.

Here is what I tested:
Laptop directly connected to ASA LAN port via patch cord- static IP, I can ping the ASA just fine.
Laptop directly connected to Switch- static IP, I can ping the Gateway just fine.
Checked ASA config- static route inside is fine
Checked HP config- outbound route is fine
Checked ASA int: Auto/Auto 1000mb connected is UP
Disabled ASA LAN Int, reset ASA, re-enabled.

I am a bit stumped. Could be this head cold, but I don't get it. Everything worked fine in the LAB.

the spyder
Feb 18, 2011
I'll try clearing the ARP, but I figured a reset would do that on both the ASA/HP. The switch port is correct(hence why I can plug my laptop in and ping the HP gateway just fine.)


Before I toss in the towel today I decided to try one last thing. I grabbed a spare L3 switch and plugged my laptop directly in to it, set it up identical to the other core vlan's and all, and plugged the ASA in. It works.

Here is the difference.

Network layout (does NOT work):
Cisco ASA-> HP 2510 (Access) -> HP 5406zl Core

Network layout (works)
Cisco ASA-> HP 2910al (Core)

I am just plain confused- Why can I plug my laptop in to the distro switch and ping the Core just fine, but when I plug the ASA in, nothing. Nada. The only thing I can think of is I have never tried plugging an ASA in to a HP2510 switch before, only the 2910/5406. Could it possibly be an uplink/speed issue?


*EDIT

It's something with the switch gear. No idea what yet, but I decided to plug everything back in, except I added a 2nd port on the HP 2510 Access switch and plugged my laptop in. The laptop/ASA ping each other just fine- but can not ping the core despite everything being tagged correctly...
With the ASA plugged in, I can not ping the core (whereas before I could.)

I wish my internet did not come in to the access closet. I think I might cheat though, I found where the 4x1Gb Cat6 runs are connecting the two "halves" of our offices (it used to be two separate offices). I could easily yank 4 more pulls back to the main server room and move the ASA in to a nice AC'd room with the rest of my gear and connect it straight up to the core. I am liking this idea more and more... Minus having to pull/terminate 4 runs. Oh well.

the spyder fucked around with this message at 22:19 on Feb 16, 2013

the spyder
Feb 18, 2011
Has anyone troubleshot a slow Site to Site VPN between two ASA's before? I have two 5515-x and a 100Mb Fiber line with ethernet hand offs at each end. I went through the basics, directly connected between the site to site ends I see 9-12MB's speeds over FTP. 6MB over CIFS. Connected via the VPN, I am seeing 500Kb's over FTP and 100Kb over CIFS. All the devices are set to 1500 MTU (Fiber supports up to 1600 MTU per provider).

Any ideas? This is just painfully slow.

*Edit* Of course it was a cable issue. Back up to around ~3MB's via FTP. Still pretty slow IMO.
*Edit 2* It was the machine. 6.5MB/s on my workstation via TeraCopy.

the spyder fucked around with this message at 21:32 on Feb 22, 2013

the spyder
Feb 18, 2011
I'm in the process of rebuilding my home lab in the hopes of actually using it for CCNA/CCNP.
Here is what I have ended up with last year:

2x ASA5505 Sec Plus with 1gb ram
2x 1841
3x 2950
2x 2620's
1x 3620
1x 3640


I want to add/replace a few things- what would you guys recommend? I was offered
two more 1841's and a 3750 locally. Trying to keep it under $1k.

the spyder
Feb 18, 2011
I somehow got 2x 1841's for $30/e and a friend owes me a trip through his ewaste business warehouse where I know he has at least 4 more. The 3640 is my frame relay router.

the spyder
Feb 18, 2011
Wow, not sure what to think of that guy. Interesting changes. I think I will try to get through the current exam.

the spyder
Feb 18, 2011

the spyder posted:

I'm in the process of rebuilding my home lab in the hopes of actually using it for CCNA/CCNP.
Here is what I have ended up with last year:

2x ASA5505 Sec Plus with 1gb ram
2x 1841
3x 2950
2x 2620's
1x 3620
1x 3640


I want to add/replace a few things- what would you guys recommend? I was offered
two more 1841's and a 3750 locally. Trying to keep it under $1k.

Bringing this back from the dead: I acquired more gear from my buddy who owns a ewaste recycling company and I am thinking of craigslisting a bunch of the old stuff:

1x ASA5505 Sec Plus
1x 1760 with WIC 1DSU-T1 V2
3x 1841 with WIC 1DSU-T1 V2 cards
3x 2950 (Replace with 3560's?)
1x 2950T
3x 2621xm with WIC 1DSU-T1 cards
1x 2620 with WIC 1DSU-T1 and Serial cards (Junk?)
1x 2610 with NM-32A ASYNC module and cable (Junk, but keep ASYNC card, move to 2620?)
1x 3620 (JUNK)
1x 3640 with NM-4A/S

I have three 3560's waiting to be picked up, but I think I want to get rid of 1/2 this gear- I can do the CCNA with just 3 switches and 3 routers from what I understand. Selling all the unneeded gear would pay for the cabling/cards I need too.

the spyder
Feb 18, 2011
I was recently handed a several-page list of IP's and domains to log for on my Cisco ASA's by a large three letter organization. The only way I am aware of doing this is logging every host/url and downloading the log to compare with the xml document I have. Any suggestions?
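The IP half of that comparison can be done offline by parsing the ASA's connection syslog messages (302013 built / 302014 teardown) and checking both endpoints against the list, which is what the added example below does. This is example code, not part of the thread or any Cisco tool; the log lines and the watchlist are constructed in the format these messages use, and the domain half of the list would need DNS or URL logging that these messages do not carry.

```python
import ipaddress
import re

# Constructed %ASA-6-302013 / 302014 lines in the real message layout
# (documentation and RFC 1918 ranges; not from a production firewall).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 118 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.20.28.50/50122 (10.20.28.1/50122)
%ASA-6-302014: Teardown TCP connection 118 for outside:198.51.100.7/443 to inside:10.20.28.50/50122 duration 0:00:05 bytes 2210 TCP FINs
%ASA-6-302013: Built outbound TCP connection 119 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.20.60.21/49888 (10.20.28.1/49888)
%ASA-6-302013: Built inbound TCP connection 120 for outside:203.0.113.77/41502 (203.0.113.77/41502) to inside:10.20.28.10/22 (10.20.28.1/22)
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/80 to 10.20.60.21/49888 flags RST on interface outside
"""

# Constructed watchlist standing in for the supplied list: bare IPs or CIDRs.
WATCHLIST = ["198.51.100.0/24", "203.0.113.77"]

# Fields of a connection message: id, event, optional direction, protocol,
# connection number, and the two interface:ip/port endpoints. The "(mapped)"
# addresses after each endpoint are optional because teardowns omit them.
CONN_RE = re.compile(
    r"%ASA-\d-(?P<msgid>30201[34]): (?P<event>Built|Teardown) "
    r"(?:(?P<direction>inbound|outbound) )?(?P<proto>TCP|UDP) connection "
    r"(?P<conn>\d+) for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+)(?: \([^)]*\))? to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+)"
)


def load_watchlist(entries):
    """Bare IPs become /32 networks so one containment test covers both."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_hits(log_text, watchlist):
    """Return (conn_id, event, matched_ip) for each connection message with an
    endpoint in the watchlist. Non-connection messages (e.g. 106015 denies)
    are skipped rather than raising, so a whole log file can be fed in."""
    nets = load_watchlist(watchlist)
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        for ip in (m["ip1"], m["ip2"]):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in nets):
                hits.append((int(m["conn"]), m["event"], ip))
    return hits


if __name__ == "__main__":
    for conn_id, event, ip in find_hits(SAMPLE_LOG, WATCHLIST):
        print(f"connection {conn_id}: {event} involving watchlisted {ip}")
```

The 3020xx connection messages are severity 6 (informational), so the syslog host the ASA sends to must be configured at that level or they never leave the box.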

the spyder
Feb 18, 2011
I'm not sure this qualifies as a short question- but I need some other input on a vpn issue. The hardware in question are two ASA5515-x's.

Friday our ipsec site-to-site VPN started to crash randomly. The tunnel would stay up, but no data could pass. It got worse over the weekend and became unusable. Today I started diagnosing it and found a few bugs in 8.6.1 that matched the symptoms and decided upgrading to 8.6.5 or above would be a good idea. Tonight I backed up both routers and restarted them before even getting to the firmware updates. After the restart, I ended up having to head home and postpone the update. When I got home I was greeted by several emails asking why both the site to site and remote any connect VPN are down. Awesome. Now the anyconnect VPN is doing the same thing the site to site VPN is- it connects and looks good on the client side, but no traffic to the 10.10.x.x network will pass. The routing looks fine, the IP's are correct, and it's got me rather confused. Nothing has been touched on these routers outside of VPN user names in the last 6 months. Until this last week, they have been incredibly solid. Any ideas are welcome, I'm about to start researching and seeing what I can come up with. Here's hoping my old Logmein account on our management host is still alive.

Edit1: Looks to only be the main office VPN.
Edit2: I can connect from Site A to site B, but Site B can not connect to Site A.
Solution: The reload disabled inbound VPN sessions bypassing interface access lists and removed the split tunnel network list. All fixed.

the spyder fucked around with this message at 08:28 on Nov 12, 2013

the spyder
Feb 18, 2011
A simple question: What was I looking at yesterday? My knowledge of high-end Cisco hardware ends at the handful of ASA's and 3750G's I manage. Anyways, I visited a friend's colo DC and hiding in the back corner was a new build out. Inside two 48u racks were the largest Cisco routers I have ever seen, taking up the entire 48u rack. My friend blabbered something out about 9000 series chassis while we stood in awe. The best part, there was a single card in each of these monsters with a single green fiber running to the mdf in the basement... 100Gb's claimed my friend. Guess who owned it? Haha.

the spyder
Feb 18, 2011

Sepist posted:

We call it the megatron, it's an ASR9922. If you saw a linecard with 1 or 2 ports chances are it was a 100gb linecard. We have a lot of them deployed in our DC's, here's some pics. You can see the 2x100Gb linecards in the lower part of each chassis

That's it! They were bloody huge. A popular social media company owned these. I'm sure the two were linked, we just did not notice it.

the spyder
Feb 18, 2011
I was offered access in to our local fiber exchange today and I'm pissed because I doubt my boss is going to go for it. We're starting to push/pull a large amount of data to/from Google/EC2 (TB's) and Comcast quoted $2300/m for a 100/100 EDI line over existing dark fiber. The local exchange is ~8 blocks from our office and has a peer link to Google and Amazon (along with Netflix, local schools/hospitals/datacenters). I was able to borrow a port thanks to a friend whose company manages it and it got the data there nearly two weeks quicker than we could have.

Here's how the cost broke down:
1/3rd cabinet $400/m in the DC
100MB Internet Carrier 1 $200/m + $15 copper fee
1GB burst (100MB normal) Internet Carrier 2 $600/m + $15 copper fee
1GB Fiber link to local fiber exchange- $100/m
Dark fiber to office $unknown- checking on
Juniper MX5 $15k (NOS friends company ordered spare for a project that did not happen.)

Apparently I would have to act ASAP due to IPV4 addresses running out. To even get a block, I have to have two ISP's and be running BGP. The upside here is I would end up with portable addresses and I could ditch our existing cable internet for both offices. It all comes down to how much Comcast is going to want to rape me for 8 blocks of fiber. (I wish it was that simple- I don't believe they have a direct line back to this DC, I'll find out more next week.)
Worst case, I toss a small server in the 1/3rd cabinet with a USB3 card and do it from there.

I ran a speed test on the 1GB's link they let me borrow- solid 920/980Mbps on my laptop. I can dream, right? :)

the spyder
Feb 18, 2011
Crossposting from Enterprise WiFi-

Has anyone used Juniper's EX4200/4550 or EX4300/4600 switches? I'm re-doing our HQ and expanding onto another floor. There's two MPO fiber runs between the floors, 192 ports per floor that need 1GBE, POE, and mixed 10GBE. Combine this with 10 racks needing 1GBE and 10GB-SFP+. My other main office is a full Cisco shop, Nexus 7000/4506-E- but the current design lacks redundancy and has a dedicated basement DC that everything home runs to. We're planning on expanding out to a local DC and personally I would like to run Juniper MX's as my outside routers. I would like to explore the Cisco equivalent of the Juniper gear listed above if anyone has a recommendation.

the spyder
Feb 18, 2011
Drank the Cisco Kool-Aid and dropped any hope of switching to Juniper this week. Too many of our offices are legacy Cisco gear and our new management doesn't want to have multiple brands. Soooo Nexus 6004EF/2348 and 3650's it is. I'm going to demo Meraki AP's next week.

the spyder
Feb 18, 2011
So I contacted Meraki and they offered to send a dozen AP's to my site for testing... I was not expecting that. I wanted one, maybe two for some basic testing. Well, we shall see how they work next week.

the spyder
Feb 18, 2011
Does anyone have a recommendation for a basic Nexus deployment guide? I have a Nexus 6004, (2) 2348 FEX's, and a dozen 3650's for my access layer. I'm poring through the Cisco documentation now. I'm after a very simple setup, just a handful of vlan's.

the spyder
Feb 18, 2011
Here's a fun one. I have a Nexus 6004 with 24 QSFP ports, a 2348TQ FEX, and a dozen 3650's for distro. The goal was to replicate the existing network, but provide a high speed core for the HPC work we do. When we were spec'ing gear, I'm fairly certain we all forgot about the firewall side of things. Currently I'm having a hell of a time figuring out how to replicate what we have. The existing network looks like this:

Firewall --------> HP 5400ZL (Core)------- HP 3800 (Distro)

There are a half dozen VLAN's and we're using IP Routing/ Inter-vlan routing. There's a static route on both the firewall and the core switch pointing at each other, the firewall is directly connected to the core. Very simple.

I setup the Nexus using the same model. Installed our LAN-BASE license, enabled feature interface-vlan, and setup my VLAN's. Everything internally to the network works. I can ping hosts in the different VLAN's, from different distro switches. Great. This is where I'm stuck. I decided to not use the default VRF and created a new one. Inside that VRF is a static route to our firewall. I then added all the VLAN's to the VRF and created a VLAN just for our firewall. The firewall is connected through a port on the 2348TQ FEX. I can ping the firewall from the Nexus (nexus#ping 192.168.1.2 vrf DFGW) and I can ping 8.8.8.8. However I can NOT ping 8.8.8.8 from any of the hosts on the different VLAN's. All of my default gateways are correct, I can ping the firewall and the firewall VLAN's gateway- but I can't get out. Oddly enough I can access the firewall's https:// login page- but I can't login. At this point, I'm assuming two things. 1) My routing is screwed up and 2) Using a FEX for anything L3 is a terrible idea.

Any feedback is welcome, I'm trying to get this deployed this weekend and this is my last sticking point.

the spyder
Feb 18, 2011

adorai posted:

is your route in the same vrf as all of your other vlans? It sounds like you are testing from one vrf but your real traffic is in another.

VLAN's are on the correct VRF. Example config below.

vrf context DFGW
ip route 0.0.0.0/0 10.10.2.2
vrf context management
ip route 0.0.0.0/0 10.10.99.1

vlan 2
name Firewall
vlan 100
name 1st_Floor
vlan 200
name 2nd_Floor

int vlan 2
description Firewall
ip address 10.10.2.1/24
vrf member DFGW

int vlan 100
description 1st_Floor
ip address 10.10.10.1/24
vrf member DFGW
no shutdown

int vlan 200
description 2nd_Floor
ip address 10.10.20.1/24
vrf member DFGW
no shutdown

int ethernet 101/1/1
switchport access vlan 100
int ethernet 101/1/2
switchport access vlan 200

int ethernet 101/1/48
switchport access vlan 2


EDIT- Routing issue on the firewall. Working with the fw admin.

the spyder fucked around with this message at 20:20 on Sep 1, 2015

the spyder
Feb 18, 2011
What's the consensus on config backup tools? I have a multi site environment with dell/hp/cisco gear. The last time I used rancid, it required a ton of manual tweaking. I found Oxidized, but have not had time to set it up. Recommendations are welcome.

the spyder
Feb 18, 2011
On a level of 1-10, how screwed am I? I just inherited an MDS 9509 that's been sitting unmanaged for god knows how long. Both sup's won't respond to Telnet and even with console access the login I have does not work. I'm going to try this tomorrow, but I'm not sure if I want to touch it since otherwise it's working.
http://www.cisco.com/c/en/us/support/docs/storage-networking/mds-9000-series-multilayer-switches/29441-8.html

the spyder
Feb 18, 2011
My night thus far has involved hashcat, several GPU's, and the admin password for our 7010 chassis. I don't even want to talk about how we got here, the short answer is former employee. Even with half a dozen GPU's at my disposal, it would still be 6 months to brute-force the password according to the software. This. This is why you don't let a site manage its own gear. God.drat.It. (Excuse the rant).


the spyder
Feb 18, 2011
It's in production at a remote site. The good news is I was successful in generating a wordlist with combos of similar passwords the guy used. Now on to the N6004 and 4506-E.... No config backups either.
