This is a strange one? I was deploying FirePOWER to a pair of ASA 5550-8-X firewalls in Active / Standby failover last week. After each SFR was updated (via ASDM) I could no longer ping it; the SFR itself could ping everything on the same VLAN APART from its own default gateway (which was an SVI on the Cisco 3750 switch it was connected to).
This happened every time I updated the SFR (or re-imaged it). Then after an hour or so it was fine?
Solution
If I connected to the switch that the SFR (and firewall) was connected to, I could NOT ping the SFR. The interface was up/up on the switch, and the firewall's Management interface was also up/up.
[box]
Petes-3750#ping 10.2.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
[/box]
I did notice it was in the ARP table though (with the correct MAC address), so I manually removed it:
[box]
Petes-3750#clear ip arp 10.2.1.252
[/box]
Then it was fine?
[box]
Petes-3750#ping 10.2.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
[/box]
The following procedure was carried out on two Cisco Catalyst 3750 switches.
Solution
1. We can see (above) that we have two switches, but if you're connected remotely, best make sure.
[box]
Petes-Stack#show switch
Switch/Stack Mac Address : 0018.7347.a000
                                            H/W    Current
Switch#  Role    Mac Address     Priority  Version  State
----------------------------------------------------------
*1       Master  0018.7347.a000     1        0      Ready
 2       Member  0024.f79b.9b00     1        0      Ready
[/box]
2. Let's see what IOS files are in the flash memory on both switches.
3. Well, there's only one IOS file in there, but let's make sure anyway by seeing what version is loaded.
[box]
Petes-Stack#show version
----output omitted for the sake of brevity----
Switch  Ports  Model         SW Version   SW Image
------  -----  -----         ----------   ----------
*    1  52     WS-C3750-48P  12.2(55)SE8  C3750-IPSERVICESK9-M
     2  52     WS-C3750-48P  12.2(55)SE8  C3750-IPSERVICESK9-M
----output omitted for the sake of brevity----
[/box]
4. Let's delete the IOS file from flash1, and make sure it's gone.
8. Even though it's been deleted, the boot variable will still be set to the OLD version of the IOS. To demonstrate, issue the following command.
[box]
Petes-Stack#show boot
BOOT path-list : flash:/c3750-ipservicesk9-mz.122-55.SE8
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
NVRAM/Config file
buffer size: 524288
Timeout for Config
Download: 0 seconds
Config Download
via DHCP: disabled (next boot: disabled)
-------------------
Switch 2
-------------------
BOOT path-list : flash:/c3750-ipservicesk9-mz.122-55.SE8
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : no
Auto upgrade path :
Petes-Stack#
[/box]
9. So change the boot variable to the new one, and check again.
[box]
Petes-Stack# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Stack(config)# boot system switch all flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Petes-Stack#show boot
BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
NVRAM/Config file
buffer size: 524288
Timeout for Config
Download: 0 seconds
Config Download
via DHCP: disabled (next boot: disabled)
-------------------
Switch 2
-------------------
BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : no
Auto upgrade path :
Petes-Stack#
[/box]
10. Save the changes, and reload the switch.
[box]
Petes-Stack#write mem
Building configuration...
[OK]
Petes-Stack#reload
Proceed with reload? [confirm] {Enter}
Switch 2 reloading...
[/box]
11. Post reboot, log in and check that the stack is running the new code.
[box]
Petes-Stack#show version
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Mon 03-Mar-14 22:45 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Petes-Stack uptime is 5 minutes
System returned to ROM by power-on
System image file is "flash:c3750-ipservicesk9-mz.122-55.SE9.bin"
[/box]
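The failure mode in step 8 (a boot variable that still names an image you have just deleted) is easy to miss on a stack because every member has its own boot variable and its own flash. The following is an added example, not the page's own code or a Cisco tool: a small Python checker that parses `show boot` output in the shape shown above and flags any member whose boot path does not name the intended image, or names one that is no longer in that member's flash. The sample output and flash listings are constructed to match the page's file names.

```python
import re

# Constructed 'show boot' output in the shape shown on the page: the first block is the
# member the console is attached to, later members follow a 'Switch N' banner.
def sample_show_boot(image):
    block = f"BOOT path-list : {image}\nConfig file : flash:/config.text\n"
    return block + "-------------------\nSwitch 2\n-------------------\n" + block

SHOW_BOOT_STALE = sample_show_boot("flash:/c3750-ipservicesk9-mz.122-55.SE8")
SHOW_BOOT_FIXED = sample_show_boot("flash:c3750-ipservicesk9-mz.122-55.SE9.bin")
# Image names present in each member's flash after the old file was deleted (constructed).
FLASH_IMAGES = {1: ["c3750-ipservicesk9-mz.122-55.SE9.bin"],
                2: ["c3750-ipservicesk9-mz.122-55.SE9.bin"]}

def parse_show_boot(text):
    """Return {member_number: boot_path} from 'show boot' output."""
    members, current = {}, 1
    for line in text.splitlines():
        banner = re.match(r"\s*Switch (\d+)\s*$", line)
        if banner:
            current = int(banner.group(1))
            continue
        boot = re.match(r"\s*BOOT path-list\s*:\s*(\S+)", line)
        if boot:
            members[current] = boot.group(1)
    return members

def image_name(path):
    """Normalise 'flash:/x', 'flash:x' and 'flash:x.bin' to a bare image name."""
    name = path.split(":", 1)[-1].lstrip("/")
    return name[:-4] if name.endswith(".bin") else name

def stale_boot_members(show_boot, flash_images, expected_image):
    """Return {member: boot_path} for every member whose boot variable does not name
    the intended image, or names one that is no longer in that member's flash."""
    want = image_name(expected_image)
    stale = {}
    for member, path in parse_show_boot(show_boot).items():
        present = {image_name(i) for i in flash_images.get(member, [])}
        if image_name(path) != want or image_name(path) not in present:
            stale[member] = path
    return stale

if __name__ == "__main__":
    new = "c3750-ipservicesk9-mz.122-55.SE9.bin"
    print("before boot change:", stale_boot_members(SHOW_BOOT_STALE, FLASH_IMAGES, new))
    print("after boot change: ", stale_boot_members(SHOW_BOOT_FIXED, FLASH_IMAGES, new))
```

Run it against the real `show boot` and `dir flash1:` / `dir flash2:` output before you type `reload`; an empty result means every member will come back on the new code.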
Option 2
You can also carry out the following procedure on the switch 'stack master', which will automate the entire procedure for you. Note: This requires the IOS in .tar format, not .bin (as above):
Back in Part Two we configured the specific 802.1x policies in Cisco ISE. Remember, 802.1x is a three-tier system: there is a supplicant (a machine that wants to authenticate), the authenticator (the device the supplicant connects to, in our case a switch), and finally an authentication server (Cisco ISE).
Below I will add our switch into ISE, as a RADIUS device and create some groups, and locations for good housekeeping.
Solution
1. From within ISE > Authentication > Network Resources > Network Devices > Network Devices > Add.
2. Specify a name and description for the device > Set its IP address > Set the device type and location (we will change these in a minute) > Under authentication settings select RADIUS and enter a shared secret, (you can set these up globally if you prefer).
3. Create a Device Type: Administration > Network Devices > Network Device Groups > Groups > All Device Types > Add.
Note: You can have as many of these as you like to make managing your network easier; I'm just going to set one up for Cisco switches.
4. Give the group a name and description > Submit.
5. Create a Location: On the same page > All Locations > Add.
6. Give the location a name and description > Submit.
7. You can now go back to the network device you created earlier, and set the location and group accordingly.
8. Now you can configure the Cisco switch for RADIUS Authentication.
Note: 192.168.100.12 is the IP address of the ISE server, and 666999 is the shared secret we set up in step 2.
[box]
Petes-3750(config)#aaa new-model
Petes-3750(config)#aaa group server radius ISE
Petes-3750(config-sg-radius)#server-private 192.168.200.12 key 666999
Petes-3750(config-sg-radius)#exit
Petes-3750(config)#aaa authentication dot1x default group ISE
Petes-3750(config)#aaa authorization network default group ISE
Petes-3750(config)#dot1x system-auth-control
Petes-3750(config)#do write
Building configuration...
[OK]
Petes-3750(config)#
[/box]
9. To configure the port that our supplicant is going to connect to:
Note: I’m setting the host-mode to multi-host because my clients are all in VMware ESXi and are coming from a VMware vSwitch into the Cisco switch.
[box]
Petes-3750(config)#interface fastEthernet 1/0/4
Petes-3750(config-if)#authentication host-mode multi-host
Petes-3750(config-if)# authentication port-control auto
Petes-3750(config-if)# dot1x pae authenticator
Petes-3750(config-if)#exit
Petes-3750(config)#exit
Petes-3750#write mem
Building configuration...
[OK]
Petes-3750#
[/box]
10. Once a supplicant has been authenticated, you can check like so:
[box]
Petes-3750#show dot1x all summary
Interface  PAE   Client          Status
--------------------------------------------------------
Fa1/0/4    AUTH  0050.56b1.5f5c  AUTHORIZED
Petes-3750#
[/box]
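Steps 8 and 9 are the kind of change that gets half-applied (the global `aaa`/`dot1x` commands on, one port missing `dot1x pae authenticator`, or the RADIUS server pointed at the wrong address), and a port that is missing its authenticator commands simply passes traffic with no 802.1x at all. As an added example, not code from the page, here is a Python audit that splits a running-config into global and per-interface commands and reports which of the page's required commands are absent; the config fragment is constructed from the commands above, with a second, deliberately incomplete port added.

```python
import re

# Constructed running-config fragment modelled on the commands in steps 8 and 9;
# FastEthernet1/0/5 is deliberately left without 'dot1x pae authenticator'.
RUNNING_CONFIG = """\
aaa new-model
aaa group server radius ISE
 server-private 192.168.200.12 key 666999
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
dot1x system-auth-control
interface FastEthernet1/0/4
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
interface FastEthernet1/0/5
 authentication port-control auto
"""

GLOBAL_REQUIRED = ("aaa new-model",
                   "aaa authentication dot1x default group ISE",
                   "aaa authorization network default group ISE",
                   "dot1x system-auth-control")
PORT_REQUIRED = ("authentication port-control auto", "dot1x pae authenticator")

def split_config(config):
    """Return (global_lines, {interface: [sub-commands]}). Sub-commands of
    non-interface blocks (such as the radius server group) stay with the globals."""
    global_lines, ports, current = [], {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            current = None
            m = re.match(r"interface (\S+)", raw)
            if m:
                current = m.group(1)
                ports[current] = []
                continue
        if current:
            ports[current].append(raw.strip())
        else:
            global_lines.append(raw.strip())
    return global_lines, ports

def audit_dot1x(config, ise_server):
    """List what is missing for the switch-side 802.1x setup described on this page."""
    global_lines, ports = split_config(config)
    findings = [f"global: {c}" for c in GLOBAL_REQUIRED if c not in global_lines]
    if not any(line.startswith(f"server-private {ise_server} ") for line in global_lines):
        findings.append(f"global: no RADIUS server-private entry for {ise_server}")
    for name, cmds in ports.items():
        findings += [f"{name}: {c}" for c in PORT_REQUIRED if c not in cmds]
    return findings
```

Pass the ISE address you intended as `ise_server`; a mismatch between the address in the config and the one you meant shows up as a finding rather than as an authentication failure on the first client.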