BT Business Hub 3 – And Cisco ASA 5500

KB ID 0000762 

Problem

Warning: If your ASA is running version 8.3(4) or above you are going to have problems assigning public IP addresses from your allocated BT Range (jump to the bottom of the article for a resolution).

You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA Firewall. Note: This is for customers using BOTH ADSL and BT Infinity

Solution

For this procedure I was running an ASA5505 (Unlimited) with version 8.4(5). You will need to know the public IP address range allocated to you by BT (and the IP allocated to the router/hub).

Allocating a Public IP address to an Internal Client with the BT Business Hub

1. Log into the router, (the password initially is on the pull out plastic tab on top of the router). Set the IP to the one allocated to the router by BT (from the IP range they have given you). Note: The router actually gets a different IP address externally, this is normal, don’t panic.

2. Apply > Wait for the changes to apply.

3. Under business Network > Devices> You should see your device listed > Select it.

4. Assign the public IP as shown, you need to select the two radio buttons before the drop-down list of IP addresses will work > Apply.

5. Note: additionally if you are installing a firewall you might want to disable the Business Hubs internal firewall. Settings >Port Forwarding > Firewall > “Allow all traffic…” > Apply.

Problem with Cisco ASA (Now Resolved: See below)

My firewall (after a reload) picked up the correct IP address, but was unable to connect to the internet. My laptop (also connected to the BT Business Hub) connected fine to the internet (both with an allocated public address, and using the public address of the router). The ASA could not get out at all, nor could it ping the IP address of the Business Hub. The ASA showed as disconnected for a while, then disappeared from the ‘Devices’ tab, even though it continued to get the correct IP address leased to it from the Business Hub, this persisted after a reload of the firewall – so the hub COULD see it. I tried giving the ASA the correct IP address statically, I also locked the speed and duplex of the ethernet interface (in case it was simply an auto-negotiation error), this did not resolve the problem. BT told me they had no record of anyone having the same problem, but that they would take a note in case it came up again. Luckily the client had his old 2Wire router as soon as I plugged that in everything worked fine.  

 

Update 210414 (and resolution)

Got an email from Nate Morris this week who had been working on this very problem, while debugging the ARP traffic he saw;

[box]

arp-in: request at external from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 
0000.0000.0000 arp-in: Arp packet received from 192.168.1.254 which is in different subnet 
than the connected interface 123.123.123.123/255.255.255.248 

[/box]

This pointed to a known problem with Cisco ASA introduced in version 8.3(4). Cisco identified this as bug CSCty95468 (Cisco CCO Login required to view). To resolve this problem you need to allow the ASA to populate its ARP table from a non connected subnet. To do this you need to issue an arp permit-nonconnected command.

[box]

User Access Verification Password: 
Type help or '?' for a list of available commands. 
Petes-ASA> enable 
Password: ******** 
Petes-ASA# configure terminal 
Petes-ASA(config)# arp permit-nonconnected 
Petes-ASA(config)# exit 
Petes-ASA# write mem 
Building configuration... Cryptochecksum: 28790e0e 91da681e 7cf92e8a 85efb7ea 9449 bytes copied in 1.310 secs (9449 bytes/sec) [OK] 
Petes-ASA# 

[/box]

Update 260213

Got an Email from Andrew Joubert, to say that he had the same problem, and he was using the BT business hub via BT Infinity not ADSL.

Related Articles, References, Credits, or External Links

Original Article Written 26/02/13

Credit to: Nate Morris, for finding the resolution to the original problem.

Special thanks to Steve at BT, who rang me back on my mobile so I didn’t have wait in a queue, and then followed up afterwards to see what the outcome was, if I knew his surname I would publish it! He did a grand job, and does not get paid enough!

Also thanks to Chris at BT who pitched in and did as much as he could.

Cisco ASA 5500 – Install and Configure a CSC Module

KB ID 0000731 

Problem

The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).

If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.

It is a hardware device that plugs into the back of the ASA, and comes in two flavours.

1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.

2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.

In addition to licensing the amount of users, you can also buy a Plus License, this enables anti-spam, anti-phish, URL filtering, and blocking control. Note: This license expires and must be renewed annually).

Solution

Some licenses on the CSC are time specific, I would consider setting the ASA’s internal clock before you start.

Set the ASA to get time from an External NTP Server

Step 1: License the Cisco CSC Module

1. Connect to the ASA via command line, go to enable mode and issue the following command;


From the output you should be able to get the serial number of the CSC module (write it down).

2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.

3. Go to the Cisco license portal here, Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.

Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.

4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.

5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.

6. Scroll down and accept, then select DOWNLOAD, (that way you wont have to wait for it to be emailed to you).

7. Open the license file (will have a .lic extension) with notepad and you should see two keys.

Step 2: Setup the CSC Module

Note: Here I’m going to simply set up inspection of everything on all interfaces, this might not be what you want, i.e. if theres no mail server in the DMZ why would you want to inspect all DMZ traffic for SMTP.

1. Connect to the firewall’s ASDM console > Trend Micro Content Security > It should point you straight to the setup wizard.

9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.

10. Enter the network settings you require for the CSC (it requires its own network connection). it has a single RJ45 network socket on the CSC modules back plane, connect that to your LAN > Next.

11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.

12. Select what traffic you want to inspect, here I’ve selected all traffic all interfaces > Ive set the CSC to fail open (if theres a problem it simply passes traffic, if you have it on fail close and the CSC encounters a problem all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.

13. Review the settings > Finish.

Note: You may get a warning if you set ‘fail open’ above that’s OK.

Connecting to and Managing the Cisco CSC Module

Although you can access the CSC settings via the ASDM, the easiest way is via its web interface, you set the IP address in step 2 number 10 above, navigate to
https://{ip-address}:8443

Note: You should now set the CSC module so that is DOES NOT scan its own update traffic, see the following article.

Cisco CSC Module – Stop it scanning its own update traffic

Adding a ‘PLUS’ License to a Cisco CSC

If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC Serial number into the licensing portal and have it sent to you.

1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.

2. Paste in the new code > Activate.

3. It may look like it has hung, wait a minuter or so, and check the licensing tab again.

Related Articles, References, Credits, or External Links

Cisco CSC Module Error – Activation Warning

Apple Devices will not Update Though Cisco ASA and CSC Module

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module

Cisco Firewalls Changing the Web Management Port

Cisco 5500 Changing the ASDM Port
Unable to Port Forward HTTPS

KB ID 0000268

Problem

You want to change the port that the Cisco ASDM runs over, or you are attempting to port forward https/ssl and see the following error

Error:
ERROR: unable to reserve port 443 for static PAT
ERROR: unable to download policy

You are trying to port forward (Create a static PAT entry) on a Cisco ASA for port 443 / https. This port is in use by the ASDM.

Solution

Change the Cisco ASA ASDM Port via Command Line

Connect to the ASA via command line. (In the following example I’ll change the ASDM to use TCP port 2456).

code?

Change the Cisco ASA ASDM Port via ASDM

1. Connect to the the Cisco ASDM > Configuration > Device Management > Management access > ASDM/HTTPS/Telnet/SSH > http Settings > Port Number > Change accordingly > Apply.

2. Save the new config > File > “Save Running Configuration to flash”.

Cisco PIX (Version 6) Firewalls – Disable Web Management

If you are stuck on version 6, i.e. you are running a PIX 506E or PIX 501, then you CANNOT change the PDM port. you only option is to disable the PDM if you want to port forward https / ssl / TCP Port 443.

 

Related Articles, References, Credits, or External Links

Cisco ASA – Allow Remote Management

Original Article Written 25/03/11

Configure Cisco EasyVPN With Cisco ASA 5500

KB ID 0000337

Problem

Site to site VPN’s are great for main office to branch office connections, but for remote workers in a SOHO environment obtaining a static IP address can be expensive and time consuming. Traditionally remote workers will use either AnyConnect or IPSEC Remote VPN’s.

However Cisco have a system which lets you have a main site (or sites), with a static IP, that acts as the EasyVPN server, then remote sites with dynamic DHCP IP addresses can authenticate and connect via a hardware device. That remote hardware device can be another ASA (Note: Only ASA5505 can be used as an EasyVPN client), or a Cisco IOS router. In addition if you have any old PIX 501 or 506E firewalls laying around they can also be used as EasyVPN clients.

Solution

Step 1 Setup the EasyVPN server at the main site. (Example on ASA5510)

Step 2 Setup the EasyVPN client at the remote site. (Example on ASA5505)

Before you start – No other VPN’s can be running from this remote device, i.e. ISAKMP cannot be enabled on its outside interface.

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Java RDP Error – Connection Exception Wrong modulus size! Expected64 +8got:264

KB ID 0000452

Problem

Seen while attempting to connect to to a Windows machine via the RDP plug in on a Cisco ASA firewall.

Error:
properJavaRDP error
Connection Exception Wrong modulus size! Expected64 +8got:264

Solution

1. I’ve seen some posts indicating that this can be caused by the version of Java that’s installed, however in my case that was NOT the problem.

2. Connect to the ASDM of the ASA firewall > Configuration > Clientless SSL VPN Access > Portal > Client Server Plug-ins. Ensure your RDP plug in is up to date, download and import the latest one (Cisco CCO account and valid support agreement required).

Note: At time of writing the latest is rdp2-plugin.090211.jar (released 14/08/09).

3. Ensure that the bookmark you are using is set to use rdp2 (not rdp). Under Portal > Bookmarks > Your bookmark list > Edit.

4. Your RDP session should now connect.

 

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA Redundant or Backup ISP Links with VPNs

KB ID 0000544

Problem

This method provides failover to a redundant ISP link should your primary network connection go down. IT IS NOT going to load balance the traffic across both interfaces. In this example I’ve also got a VPN to a remote site and some port forwarding to contend with as well.

Where we are at the start.

Where we want to be

 

Solution

Before you go any further the ASA that will have the backup ISP line, needs a Security Plus Licence or it’s not going to work.

Setup Backup ISP Links at the Main Site

1. Log into the firewall and setup the IP address on your backup interface.

[box]

PetesASA>
PetesASA> en
Password: *******
PetesASA#
PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/3
PetesASA(config-if)# nameif backup
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 234.234.234.234 255.255.255.248
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

2. In a ‘Failed Over’ state your traffic needs to then be NATTED to the backup interface, then setup a new route for the outside interface, and finally one for the backup interface. Note: The new primary route will be “Tracked” based on an SLA we will configure in a minute.

[box]

Configure NAT for a firewall running an OS NEWER than 8.3

PetesASA(config)# object network obj_any-01
PetesASA(config-network-object)# subnet 0.0.0.0 0.0.0.0 
PetesASA(config-network-object)# nat (inside,backup) dynamic interface
Configure NAT for a firewall running an OS OLDER than 8.3

PetesASA(config)# global (backup) 1 interface
INFO: backup interface address added to PAT pool

Configure the Routes

PetesASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
PetesASA(config)# route backup 0.0.0.0 0.0.0.0 234.234.234.235 2

[/box]

3. Now we are going to setup a new SLA that maintains connectivity to an IP address (In this case 4.2.2.2 via ICMP, then we are going to tie that SLA to “track 1”, )which you will remember is what keeps the default route on the Primary ISP), if that route fails, it swaps to the backup route.

[box]

PetesASA(config)# sla monitor 100
PetesASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
PetesASA(config-sla-monitor-echo)# num-packets 3
PetesASA(config-sla-monitor-echo)# frequency 10
PetesASA(config-sla-monitor-echo)# sla monitor schedule 100 life forever start-time now
PetesASA(config)# track 1 rtr 100 reachability
PetesASA(config)#

[/box]

4. Any port forwarding getting done on the outside interface needs a mirror entry for the backup interface. and also will need matching ACL’s

[box]

PetesASA(config)# static (inside,backup) tcp interface www 10.0.0.5 www netmask 255.255.255.255
PetesASA(config)# static (inside,backup) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
PetesASA(config)# access-list backup permit tcp any interface backup eq www
PetesASA(config)# access-list backup permit tcp any interface backup eq smtp PetesASA(config)# access-group backup in interface backup

[/box]

5. Lets test it, issue a “show route” command, then disconnect your primary ISP then issue another “show route” command and it should have failed over like so;

[box]

PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 123.123.123.124 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 123.123.123.0 255.255.255.240 is directly connected, outside
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [1/0] via 123.123.123.124, outside
 PetesASA(config)#
 
 
Now Disconnect the Primary line
 
 PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 234.234.234.235 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [254/0] via 234.234.234.235, backup
 PetesASA(config)#

[/box]

6. To enable this firewall to accept the existing VPN on its backup interface, you need to add the backup interface to that cryptomap (issue a show run crypto if your unsure). Then you need to enable ISAKMP on the backup Interface.

[box]

PetesASA(config)# crypto map outside_map interface backup
 PetesASA(config)# crypto isakmp enable backup

[/box]

7. Save the changes with a write mem command.

[box]

PetesASA(config)# wr mem
 Building configuration...
 Cryptochecksum: 91d190ba 2a3eb9c4 244d8c88 0da54e36
 
 10220 bytes copied in 3.740 secs (3406 bytes/sec)
 [OK]
 PetesASA(config)#

[/box]

Change the ASA at the Remote VPN Site

1. Connect to the firewall at the remote site, find the cryptomap that points to the main site (show run crypto). find the one that pointing to the IP at the main site, then add the new IP address as an alternate peer address.

[box]

RemoteSite(config)# crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234

[/box]

2. Then create a tunnel group for the new backup address with the same shared secret as tunnel group to the primary IP.

[box]

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789

[/box]

3. Save the changes with a “write mem” command.

[box]

RemoteSite(config-tunnel-ipsec)#write mem
 Building configuration...
Cryptochecksum: 7a455ca7 3b637757 cd40aa82 7f3a22d8
 
7842 bytes copied in 1.530 secs (7842 bytes/sec)
[OK]
RemoteSite(config-tunnel-ipsec)#

[/box]

To test the VPN fails over, at the remote site issue a “show cry isa” command, then get someone at the primary site to disconnect the primary ISP, wait a few seconds and then re-issue a “show cry isa” command and it should have flipped over.

[box]

Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
 
Now Disconnect the Primary line at the Main site
 
Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 234.234.234.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

[/box]

Related Articles, References, Credits, or External Links

Original article written 12/12/11

Allow access to VMware View through Cisco ASA 5500

KB ID 0000545 

Problem

To access VMware View though a firewall you need the following ports to be open;

In the following example I’m using 192.168.1.100 as the internal IP address of the View Server and the public IP address of the firewall is 123.123.123.123.

Which solution you use, depends on weather you are allowing access via a dedicated public IP that you will assign to the VMware View server, or if you do not have a spare public IP, you will need to use port forwarding.

Option 1 – You have a public IP that you want to assign to the VMware View Server

Option 2 – You want to use Port Forwarding (And your ASA is pre version 8.3)

Option 3 – You want to use Port Forwarding (And your ASA is version 8.3 or newer)

Solution

Option 1 – You have a public IP that you want to assign to the VMware View Server

As I’m using 123.123.123.123 on the outside of my ASA I’m going to use another public IP address for the VMware View server (123.123.123.124) and I will statically map that to its internal IP address. Then I allow the ports to that IP address, and finally apply the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from).

Warning: The last command (starting access-group, applies the access-list ‘inbound’ in the inbound direction on the outside interface, you may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you) If you do have another ACL simply substitute the name of yours for the work inbound in my example below).

[box]static (inside,outside) 123.123.123.124 192.168.1.100 netmask 255.255.255.255
access-list inbound extended permit tcp any host 123.123.123.123 eq www
access-list inbound extended permit tcp any host 123.123.123.123 eq https
access-list inbound extended permit tcp any host 123.123.123.123 eq 4172
access-list inbound extended permit udp any host 123.123.123.123 eq 4172
access-group inbound in interface outside
[/box]

Option 2 – You want to use Port Forwarding (And your ASA is pre version 8.3)

Below I’m creating a static PAT entry for all the ports required, then allowing the traffic with an access-list, and finally applying the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from)

Warning: The last command (starting access-group, applies the access-list ‘inbound’ in the inbound direction on the outside interface, you may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you) If you do have another ACL simply substitute the name of yours for the work inbound in my example below).

Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside – unless you put it on another port. The following two commands would change the ASDM to port 2345 for example:

no http server enable
http server enable 2345

[box]static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255
static (inside,outside) tcp interface 4172 192.168.1.100 4172 netmask 255.255.255.255
static (inside,outside) udp interface 4172 192.168.1.100 4172 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 4172
access-list inbound permit udp any interface outside eq 4172
access-group inbound in interface outside
[/box]

Option 3 – You want to use Port Forwarding (And your ASA is version 8.3 or newer)

Below I’m creating a network object for all the ports required and statically NATTING the ports required to them, then I’m allowing the traffic to reach that network object, and finally applying the access-list (ACL) that I’ve used to the outside interface (where the VMware View traffic will be coming from)

Warning: The last command (starting access-group, applies the access-list ‘inbound’ in the inbound direction on the outside interface, you may already have an access-list applied to this interface (the ‘show run access-group’ command will tell you) If you do have another ACL simply substitute the name of yours for the work inbound in my example below).

Note: If you port forward https on the outside interface, as I’m doing here, you will not be able to access the ASDM from outside – unless you put it on another port: The following two commands would change the ASDM to port 2345 for example:

no http server enable
http server enable 2345

[box]object network VMWare-View-T80
host 192.168.1.100
nat (inside,outside) static interface service tcp www www
object network VMWare-View-T443
host 192.168.1.100
nat (inside,outside) static interface service tcp https https
object network VMWare-View-T4172
host 192.168.1.100
nat (inside,outside) static interface service tcp 4172 4172
object network VMWare-View-U4172
host 192.168.1.100
nat (inside,outside) static interface service udp 4172 4172
access-list inbound permit tcp any object VMWare-View-T80 eq www
access-list inbound permit tcp any object VMWare-View-T443 eq https
access-list inbound permit tcp any object VMWare-View-T4172 eq 4172
access-list inbound permit udp any object VMWare-View-U4172 eq 4172
access-group inbound in interface outside
[/box]

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding Using Command Line, ASDM and PDM

ASA – Memory Error (Post upgrade to version 8.3)

KB ID 0000553 

Problem

I’ve split this article away from this one, as it tripped me up this week again, so I think it deserves an article of its own.

Some ASA firewalls that shipped prior to February 2010 may need a hardware memory upgrade, before you can update them to version 8.3 and beyond. If not you will see the following;

Memory Error as seen on an ASA5510

[box]

*************************************************************
**
** *** WARNING *** WARNING *** WARNING *** WARNING ***
**
** ----> Minimum Memory Requirements NOT Met! <---- **
**
** Installed RAM: 256 MB **
** Required RAM: 1024 MB **
** Upgrade part#: ASA5510-MEM-1GB= **
** **
** This ASA does not meet the minimum memory requirements needed to **
** run this image. Please install additional memory (part number **
** listed above) or downgrade to ASA version 8.2 or earlier. **
** Continuing to run without a memory upgrade is unsupported, and **
** critical system features will not function properly. **
** **
**************************************************************

[/box]

Memory Error as seen on an ASA5505

[box]

**************************************************************
** **
** *** WARNING *** WARNING *** WARNING *** WARNING ***
** **
** ----> Minimum Memory Requirements NOT Met! <---- **
** **
** Installed RAM: 256 MB **
** Required RAM: 512 MB **
** Upgrade part#: ASA5505-MEM-512= **
** **
** This ASA does not meet the minimum memory requirements needed to **
** run this image. Please install additional memory (part number **
** listed above) or downgrade to ASA version 8.2 or earlier. **
** Continuing to run without a memory upgrade is unsupported, and **
** critical system features will not function properly. **
** **
***************************************************************

[/box]

ASDM Memory Error as seen on an ASA5505

Solution

ASA Memory Requirements

ASA 5500 Memory Requirements for version 8.3 and Later
Cisco ASA

Mem
(Pre 8.3)

Mem
(Post 8.3)
New ASA
(after Feb 2010) shipped with
Memory Part Number
5505 10 User
256MB
256MB
512MB
 
5505 50 User
256MB
256MB
512MB
 
5505 Unlimited
256MB
512MB
512MB
ASA5505-MEM-512=
5505 Sec Plus
256MB
512MB
512MB
ASA5505-MEM-512=
5510
256MB
1GB
1GB
ASA5510-MEM-1GB=
5510 Sec Plus
256MB
1GB
1GB
ASA5510-MEM-1GB=
5520
512MB
2GB
2GB
ASA5520-MEM-2GB=
5540
1GB
2GB
2GB
ASA5540-MEM-2GB=
5550
4GB
4GB
4GB
 
5580-20
8GB
8GB
8GB
 
5580-40
12GB
12GB
12GB
 

Fitting the Memory Upgrade to an ASA5505

Fitting the Memory Upgrade to an ASA5510

Related Articles, References, Credits, or External Links

Cisco ASA5500 Update System and ASDM (From ASDM)

Cisco ASA5500 Update System and ASDM (From CLI)

Cisco PIX/ASA 8.3 Command Changes {NAT / Global / Access-List}

Cisco ASA 5500 – Reset / Recycle VPN Tunnels

KB ID 0000586 

Problem

I’ve been asked this before and it came up on EE today, basically you have a site to site VPN tunnel and you either want to restart it or reset it.

Solution

Cisco ASA Reset ALL VPN Tunnels

1. Connect to your ASA, then to reset ALL your ISAKMP VPN tunnels use the following command;

[box] clear crypto isakmp sa [/box]

In the example below I’ve reset ALL my tunnels. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

WARNING: This will reset ALL ISAKMP VPN tunnels (both site to site, and client to gateway).

Cisco ASA Reset One VPN Tunnel

1. If you just want to reset one site to site VPN then you need to reset the IPSEC SA to the peer (IP Address of the other end of the tunnel). Use the following command;

[box] clear ipsec sa peer X.X.X.X [/box]

Unlike above, in the example below I’ve reset just ONE tunnel. I had a constant ping running across the VPN, and it only dropped one packet before the tunnel established again.

Cisco ASA Check VPN Uptime

Just to prove this isn’t all smoke an mirrors, after the tunnel has re-connected you can check its uptime with the following command;

[box] show vpn-sessiondb detail l2l [/box]

 

Related Articles, References, Credits, or External Links

Cisco ASA5500 Site to Site VPN from ASDM