Hi Reuben,
Unfortunately, 'Terminated' in this case has double meanings. It in
fact does mean exactly what you have stated, 'a conscious decision was
made not to fix this bug'. However, it /also/ means 'Unreproducible -
we are unable to reproduce the issue, and need
Hi All,
Sorry to hear you are being impacted by this issue. I took a look at
the bug, and it is in a holding pattern, waiting until we can get some
logs from an impacted device - in order to root cause it. Can I ask
that anyone impacted please open a TAC case so they
it, but it seems that there is some issue there after
all. The thing is I had "sysopt noproxyarp DMZ" in my configuration,
which should have prevented this behaviour. Apparently it did not.
I am already working on this with your colleague from TAC.
Best regards,
Jan
On 02/16/2016 03:57 PM, D
Sounds like CSCux15273 - inaccurate reporting of memory usage in 9.5(2)+
Sincerely,
David.
On 2/16/16 10:28 AM, Don Nightingale wrote:
I'm seeing this as well on our pair we upgraded 2/11 to 9.5(2)2.
Memory usage is slowly reported as increasing. It's currently
breaking the asdm memory
The non-smp image is also posted (for the 5505). Look on the 5505
download page under:
All Releases
--> Interim
--> 8
--> 8.2.5 Interim
Sincerely,
David.
On 2/15/16 3:43 PM, Nick Cutting wrote:
This is the best news I've heard all day. Was going to have to move 55 VPNs by
Hi Eric,
I know your original post was a rant, but I wanted to respond because
as someone who lives, eats and breathes my customer's problems (just
like my fellow TAC engineers) it hits hard when I hear about something
like this. As others have mentioned, there are escalation paths within
and
a system where people
going on vacation in 1-2 weeks don't get certain types of tickets.
Stephen Mikulasik
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Eric
Van Tol
Sent: Thursday, April 30, 2015 8:44 AM
To: David White, Jr. (dwhitejr
as well not even have security
levels. Hopefully today will be the day I learn there's a knob to turn
that implicit deny into an implicit allow-to-less-secure which will
make me regret all those hours spent tuning DMZ inbound access-lists.
On Wed, Feb 11, 2015 at 8:57 AM, David White, Jr. (dwhitejr
On 2/11/2015 7:29 AM, Joshua Riesenweber wrote:
This has a few good examples:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html
I might very well be wrong, but I believe the security levels are negated if
an access list is applied to an
Correct.
David.
On 2/11/2015 4:22 AM, Alan Buxey wrote:
Going from 0 to 100. That's a default block on the ASA platform isn't it?
alan
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
First, a couple things to be aware of on the ASA:
1) All inbound traffic (from unprotected -- protected network) is
Denied by default. You must explicitly permit the traffic you want via
an interface ACL.
2) All outbound traffic (from protected network -- unprotected network)
is Permitted by
Regards,
Aakil
Thanks Regards,
Ahsan Rasheed
On Tue, Nov 25, 2014 at 2:34 PM, David White, Jr. (dwhitejr)
dwhit...@cisco.com wrote:
Hi Ahsan,
The customer cannot configure the 'same' IP address on both ASAs in an
Active/Standby pair.
Each ASA's outside interface must have its own IP (or the Standby could
be configured without an IP - but in that case the physical interface
would not be monitored for all failures).
When the
The error code 62 is indicating a certificate validation has failed.
For this issue, you need to upgrade to patch 1140.
I don't quite understand the challenge you are facing opening a TAC case
- if the CSC module is under a support contract. Have you tried again?
Sincerely,
David.
On
Hi Chris / All,
Thanks for alerting us to this problem. The Support Case Manager team
put a fix (we hope) in this weekend.
Glad it is now working for you.
Sincerely,
David.
On 2/3/2014 10:12 AM, Chris Marget wrote:
On Sat, Feb 1, 2014 at 12:41 PM, Chris Marget ch...@marget.com wrote:
I
Hi Adam,
So, the symptoms are high latency from internal network to Inside of
ASA's interface?
And during this problem, the switch appears to be re-establishing the
OSPF neighbor?
It wasn't clear to me if you were also seeing packet loss or not.
A suggestion to narrow down some things:
If the
No, the SSP modules must match.
Sincerely,
David.
On 10/25/2013 2:26 PM, Yang Yu wrote:
Is it possible to mix SSP and IPS SSP models? For example SSP-20 with
IPS SSP-40? When I mixed them I could not bring up the IPS SSP.
Thanks
Hi Michael,
If you see the UDP netflow packets leaving the ASA (via say a capture
from the ASA), and they are destined to the prtg server, then the issue
is downstream of the ASA. I would focus the troubleshooting there.
Sincerely,
David.
On 10/24/2013 3:41 PM, Michael Sprouffske wrote:
I am
] On Behalf Of David White, Jr.
(dwhitejr)
Sent: terça-feira, 8 de Maio de 2012 23:20
To: Peter Rathlev; Judith Sanders
Cc: 'cisco-nsp@puck.nether.net'
Subject: Re: [c-nsp] Timeout value on ASA
An alternative is to use Dead Connection Detection (DCD) on the ASA to
validate if both endpoints
Sanders
Pioneer Telephone
Inside Plant Networking Services
jasand...@ptci.com 405.375.0645
Our lives change when our habits change.
Matthew Kelly
From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
Sent: Wednesday, May 09
An alternative is to use Dead Connection Detection (DCD) on the ASA to
validate if both endpoints on the idle connection are still alive, and
if so reset the idle timeout, else tear it down.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_connlimits.html#wp1080752
Hi Peter,
It looks like you are running into known bug CSCtl23397, which is fixed
in 8.2.5.6 and higher images.
I would recommend upgrading to 8.2.5.13, which is currently posted to
Cisco.com
Because the TCP header check occurs before the L3 interface ACL.
You can verify this by taking a packet capture from this source with the
'trace' option. Once the problem packet is captured, view the
packet-tracer information on it to see the actions taken on the packet.
Sincerely,
David.
on the main
product page for the card is a pretty ballsy lie even for Cisco.
From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
Sent: Friday, June 03, 2011 12:04 AM
To: Jeff Bacon
Cc: Pete Templin; Peter Rathlev; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cat6500
Hi Jeff,
The Standby IP is used to monitor both interfaces (the interface on the
Active and the one on the Standby). Failover will work without a
standby IP, but the ASA will not be able to detect failure conditions on
that interface, unless the failure condition results in a link down. If
a
And here is a great doc TAC wrote up on single flow TCP performance
which should answer all your questions:
https://supportforums.cisco.com/docs/DOC-12668
Sincerely,
David.
Jeff Bacon wrote:
I recall it being two 3Gbps etherchannels, so I'd always assumed no
single flow could exceed 3Gbps.
For the ASA, what is important is the latency caused by the distance.
For best results, latency should be less than 10 msec. There is a 30
msec timer used to check the acknowledgment that the peer received the
message (this includes round-trip time, plus the time it takes the peer
to accept,
than 250 milliseconds. If latency is more than 10
milliseconds, some performance degradation occurs due to
retransmission of failover messages.
Sincerely,
David.
Chris Kane wrote:
On Thu, Mar 17, 2011 at 5:35 PM, David White, Jr. (dwhitejr)
dwhit...@cisco.com
Hi Deric,
I'm assuming you have a ASA-5510. Initially, all the interfaces on the
ASA-5510s were limited to 100M. Later, E0 and E1 were given the
capability to run at 1 Gbps. However, this required that the following
2 conditions be met:
1) The ASA must be running 7.2(3), 8.0(3) or higher
2)
snip
from an internet host I attempt a connection to port 80:
ggw@76.65.229.23:~$ telnet x.x.x.x 80
I see the packets egress the newdmz interface:
1: 15:55:11.839525 802.1Q vlan#560 P0 x.x.x.x.2716 192.168.53.19.1433: .
3365025458:3365025459(1) ack 2402449091 win 64453
2:
shouldn't have to go that far :-) This should be a pretty easy
problem to solve. Let me know what you see from the above, and we can
go from there.
Sincerely,
David.
take care,
greg
On Jan 25, 2011, at 2:03 PM, David White, Jr. (dwhitejr) wrote:
snip
from an internet host I
Hi Bill,
The change (tracked by CSCta35563) re-ordered the message-length
maximum client auto command and also enabled it by default in the
preset and migrated dns_map.
This change went into Versions: 8.3(1), 8.2(2), 8.1(2.37), 8.0(5.2),
7.2(5)
Sincerely,
David.
Bill Blackford wrote:
Ryan West wrote:
David,
-Original Message-
From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
Sent: Wednesday, December 08, 2010 2:38 PM
The change (tracked by CSCta35563) re-ordered the message-length maximum
client auto command and also enabled it by default
Hi Edward,
It sounds like you are missing the following line in your configuration:
aaa authorization exec authentication-server
Issue show curpriv after the user logs in to verify they are assigned
the correct privilege level from the Radius server.
Sincerely,
David.
Edward Iong wrote:
copy paste puts data into the running-configuration, and that is a
'merge'.
If you start with a blank config on the PIX (from clear config all),
then pasting in your old config should yield your old conf (other than
the fact that interfaces will be shutdown).
The other option is to take the
Also, have a look at:
https://supportforums.cisco.com/docs/DOC-1268
Sincerely,
David.
Ramcharan, Vijay A wrote:
Try Google or Bing with search string asa inspect http regex
The example given below is for blocking certain websites but you should be
able to come up with a configuration that
The heading of the column is incorrect. It says Hardware address, but
what is really being presented is the DHCP Client Identifier (if sent),
or hardware address.
If you would like this changed, please open a TAC case and let me know
the case number. There is a bug for this, but it was closed,
Hi Antonio,
Please see inline..
Antonio Soares wrote:
Group,
I need help with the PIX/ASA show counters command:
http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/s2.html#wp1358086
As you can see, the command reference doesn't give too much details about the
Hi David,
It sounds like you are running into CSCsj53102. What version are you
running on your 8.0 devices?
Sincerely,
David.
David Coulson wrote:
I have a number of ASAs and Pix devices with interconnected VPNs. From
each LAN I can telnet into the local device, however on both an
ASA5510
On 2/7/10 10:05 AM, David White, Jr. (dwhitejr) wrote:
Hi David,
It sounds like you are running into CSCsj53102. What version are you
running on your 8.0 devices?
Sincerely,
David.
Hi Antonio,
The show service-policy output is not available via SNMP.
Sorry,
David.
Antonio Soares wrote:
Hello group,
I'm trying to find the OID that gives us the same type of information we see
in the show service-policy output:
pixfirewall(config)# show service-policy
Global
Hi Antonio,
7.2(4.44) is the latest. But you need a TAC case to get it, and an
associated bug that you are running into which would be resolved by
running 7.2(4.44).
Sincerely,
David.
Antonio Soares wrote:
Hello group,
I see that the latest 7.2 interim release available on CCO is
Hi Tom,
If a standby IP is not assigned to the Outside interface, then that
interface will not be able to participate in failover monitoring.
Meaning, the two ASAs will not be able to exchange 'hellos' out that
interface (as the Active unit will not have an IP to send the hello to
on the
Metrics... :)
Regards,
Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
-Original Message-
From: David White, Jr. (dwhitejr) [mailto:dwhit...@cisco.com]
Sent: terça-feira, 19 de Janeiro de 2010 18:23
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA
FWSM version 3.2 added support to monitor the NAT/PAT xlates:
NAT Xlates -- 1.3.6.1.2.1.123.1.6(natAddrBindTable)
PAT Xlates -- 1.3.6.1.2.1.123.1.8(natAddrPortBindTable)
Also see:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/monitr_f.html#wp1104519
Sincerely,
Hi Jack,
Yes, it is most likely that this is normal. There are no CLI commands
on the FWSM to adjust this. I would have to understand your traffic
profile along with your config to tell you why the given profile is
almost exclusively utilizing ports 3 and 6.
Sincerely,
David.
jack b wrote:
you say that there aren't any commands to
change this? The command is not run in the fwsm but rather the switch/router.
Nick
From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net]
On Behalf Of David White, Jr. (dwhitejr) [dwhit
Hi Brad,
The below static would not cause the behavior you describe.
Are you sure you don't have another static (outside,inside)...
statement which covers the network range of the inside network?
As a temporary workaround you can most likely disable proxy-arps on the
inside interface via 'sysopt
That is not currently possible. Once AnyConnect Essentials is enabled,
Clientless (webportal) VPN will be disabled, along with CSD. Users
accessing the ASA via the web page will automatically be sent to the
AnyConnect Web launch after successful authentication.
Sincerely,
David.
values will not work with Essentials?
-ryan
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David White, Jr.
(dwhitejr)
Sent: Wednesday, September 16, 2009 10:04 AM
To: nm...@guesswho.com
Cc: cisco-nsp