ASA me2

Let's troubleshoot... We also do trainings .. Checkout our training page https://asame2.blogspot.com/p/we-also-deliver-trainings.html

Featured Post

How to generate a CSR on Cisco ASA using CLI? CSR- (Certificate signing request)

First thing we need is an RSA key pair:   crypto key generate rsa label SSL-Key modulus 1024 noconfirm Create a trust-point crypto ca...

Recent Comments

Recent Post

Tuesday, 27 February 2018

How to configure IP SLA monitoring on Cisco ASA?

  February 27, 2018    

IP SLA MONITORING on Cisco ASA:

I have 2 ISPs connected on "outside" and "outside2".
I want to have ISP connected on outside interface as my primary and if something goes wrong with this ISP then I would like to change my default route towards ISP on outside2.
In this case I will be tracking some IP that guarantees me the availability for ISP1. And then I will apply this track on my "Main" route.

To understand how it works, look at the very bottom.

First configure SLA monitoring process using a unique ID. In t.his example I am using 100
Here we define what IP address we will be sending pings to and what interface will be used to source it from.
here we are going to send pings to  8.8.8.8 using "outside" interface IP address.
We want to send 3 ping packets at an interval of 10 seconds.

sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10

Now schedule your monitoring process, when would you like to have it started.

sla monitor schedule 100 life forever start-time now

Create a Track and associate it with the monitoring process that we created above.
I am using a track ID 1 and associating it with monitoring process 100.

track 1 rtr 100 reachability

rtr = Response Time Reporter

Now the track is ready to be applied on a route that you would like to MONITOR.

route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 34.65.1.2 10

Working:
=============
As per the above example I am pinging to 8.8.8.8 by sending 3 packets after every 10 seconds. If I do not get reply for 1 packet, it will think that something went wrong with ISP1 and track will FAIL. When track fails, the route that it has been applied to also fails.
It dynamically disables that route, and the other static route configured with a higher metric value becomes active. During this time, that SLA is still sending pings to 8.8.8.8 via ISP1. If it receives a reply, considers ISP1 back online and track becomes active. As a results that route also becomes active.

All configuration at once:
sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
 !
sla monitor schedule 100 life forever start-time now
!
track 1 rtr 100 reachability
!
route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1

  No Comments

How to configure failover on Cisco ASA?

  February 27, 2018    

 Cisco ASA failover prerequisites:
1. Both ASAs must be same hardware model.
2. Both ASAs must have same interfaces and modules (can be verified using "sh inventory" command)
3. Both ASAs must have same licenses.
4. Both must have failover license enabled.
5. It is recommended to have same software version for better stability.
6. They can have different amount of flash.
7. Flash content is not replicated during a stateful failover.

Below is an example configuration for "Stateful Failover" using 2 interfaces (one for LAN failover and other for stateful failover).

on Primary:
==============================================================================
failover lan unit primary
inter gi0/0
no shut
inter gi0/1
no shut
! note: There is no additional configuration required on physical interfaces. All other configuration such as assigning ip address and nameif will be done by "failover" comamnds shown below.
! Define interface for failover
! Syntx: failover lan interface <nameif> <name of physical innterface on which you would like to have this nameif assigned>
failover lan interface FAIL GigabitEthernet0/0
! Define interface for stateful data transfer
! Syntx: failover lan interface <nameif> <name of physical innterface on which you would like to have this nameif assigned>
failover link State GigabitEthernet0/1
! Assign IP for failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign ip for stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover
==============================================================================

On Secondary
==============================================================================
failover lan unit secondary
inter gi0/0
no shut
inter gi0/1
no shut
! Define interface for failover
failover lan interface FAIL GigabitEthernet0/0
! Define interface for stateful data transfer
failover link State GigabitEthernet0/1
! Assign IP for failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign ip for stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
Failover
==============================================================================

Useful debug comamnds:
To check failover LAN status:
 debug  fover cable

 Working output:
 fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_lan_check() Failover Interface OK

When there is actually a problem with failover LAN link:

fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: fover_lan_check() Failover Interface TEST started
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
Debug fover tx
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x2489 size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248a size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248b size = 32 bytes

Debug fover rx
fover_ip: HA TRANS: receive message for client Failover Control Module, length 200
fover_rx: rx msg: cmd 0x30, seqNum 0xce1
fover_rx: receive_msg(cmd=FXCHG_CARD_INFO), seqNum=0xce1, size=200
fover_parse: parse_thread_helper() - execute msg 48
fover_ip: HA TRANS: receive message for client Failover Control Module, length 28

  No Comments

Monday, 26 February 2018

How to allocate interfaces in multiple contexts?

  February 26, 2018    

When we have switched to multiple context, ASA created a system space and admin context by default. Admin context can be used as a normal user context, but is not recommended. System context is used to manage the entire system space, such as creating contexts, allocating resources, allocating interfaces, etc.

Lets say I have created a context with name ASA1 and I would like to allocate Eth0/0 and Eth0/1 to this context.
This will be done from System context: Here are the commands

changeto System
allocate-interface Eth0/0
allocate-interface Eth0/1

  No Comments

Subscribe to: Posts (Atom)