
Q. Which devices support PIX 7.x?

A. PIX 515, PIX 515E, PIX 525, PIX 535 and all of the Cisco ASA 5500 Series Adaptive Security Appliances (ASA 5510, ASA 5520, and ASA 5540) support software version 7.x and later. The PIX 501, PIX 506E, and PIX 520 Security Appliances are not supported in software version 7.x.

Q. I have a PIX 515/515E model that runs on software version 6.x, and I want to upgrade to 7.x. Is this possible?

A. Yes, it is possible provided you have the necessary memory modules. Refer to Cisco PIX 515/515E Security Appliance Memory Upgrade for PIX Software version 7.0 for the exact memory requirements before you upgrade PIX 515/515E.

Q. What are the changes and new features in PIX 7.0? When I upgrade from version 6.x to 7.x, are the old features taken care of automatically?

A. Refer to Changes in PIX Security Appliance Version 7.0 for details related to the changes and new features in PIX 7.0. Most changed and deprecated features and commands are converted automatically when PIX Security Appliance 7.x boots on your system. A few features and commands require manual intervention before or during the upgrade. Refer to Changed and Deprecated Features and Commands for more information.

Configuration Issues

Q. How do you perform a basic configuration for Security Appliances running 7.x?

A. Refer to the Configuring Basic Settings section of Cisco Security Appliance Command Line Configuration Guide, Version 7.1.

Q. How do I configure the interfaces in PIX 7.x?

A. PIX/ASA 7.0 is set up to resemble the router and switch Cisco IOS as closely as possible. In PIX/ASA 7.0, the configuration reads like this:
interface Ethernet0
 description Outside Interface
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.10.80.4 255.255.255.0 standby 10.10.80.6

Refer to Configuring Interface Parameters on PIX 7.0 for more information.

Q. How do I create an access list (ACL) on the ASA or PIX?

A. An access list is made up of one or more Access Control Entries (ACEs) with the same access list ID. Access lists are used to control network access or to specify traffic for many features to act upon. In order to add an ACE, use the command access-list <ID> extended in global configuration mode. In order to remove an ACE, use the no form of this command. In order to remove the entire access list, use the clear configure access-list command. This access-list command allows all hosts (on the interface to which you apply the access list) to go through the security appliance:

hostname(config)#access-list ACL_IN extended permit ip any any

If an access list is configured to control traffic through the security appliance, it must be applied to an interface with the access-group command before it takes effect. Only one access list can be applied to each interface in each direction. Enter this command in order to apply an extended access list to the inbound or outbound direction of an interface:
hostname(config)#access-group access_list_name {in | out} interface interface_name [per-user-override]

This example shows an inbound access list applied to the inside interface that allows the network 10.0.0.0 /24 through the security appliance:
hostname(config)#access-list INSIDE extended permit ip 10.0.0.0 255.255.255.0 any
hostname(config)#access-group INSIDE in interface inside

This example shows an inbound access list applied to the outside interface that allows all hosts on the outside of the security appliance to have web access through the security appliance to the server at 172.20.1.10:
hostname(config)#access-list OUTSIDE extended permit tcp any host 172.20.1.10 eq www
hostname(config)#access-group OUTSIDE in interface outside

Note: Access lists contain an implicit "deny" at the end. This means that once an ACL is applied, all traffic not explicitly permitted by an ACE in the ACL is denied.

Q. Can I use the management0/0 interface on the ASA in order to pass traffic like any other interface?

A. Yes. Refer to the management-only command for more information.

Q. What does Security Context in Security Appliance mean?

A. You can partition a single hardware PIX into multiple virtual devices, known as Security Contexts. Each context becomes an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

Q. How do I configure the VPN user group-lock feature on the ASA or PIX?

A. In order to configure group lock, send the group policy name in the class attribute 25 on the Remote Authentication Dial-In User Service (RADIUS) server and choose the group in order to lock the user within the policy. For example, in order to lock the Cisco 123 user into the RemoteGroup group, define the Internet Engineering Task Force (IETF) attribute 25 class OU=RemotePolicy for this user on the RADIUS server. Refer to this configuration example in order to configure group lock on an Adaptive Security Appliance (ASA)/PIX:
group-policy RemotePolicy internal
group-policy RemotePolicy attributes
 dns-server value x.x.x.x
 group-lock value RemoteGroup
tunnel-group RemoteGroup type ipsec-ra
tunnel-group RemoteGroup general-attributes
 address-pool cisco
 authentication-server-group RADIUS-Group
 default-group-policy RemotePolicy

Note: OU sets the group policy, and the group policy locks the user into the preferred tunnel-group. Set up your Cisco Secure ACS for Windows RADIUS server to return this class attribute in order to lock a user into a particular group configured on the ASA.

Q. How can I capture packets in PIX/ASA?

A. Packets can be captured in PIX/ASA if you use the Packet Capture feature. Refer to ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example for more information on how to configure the Packet Capture feature.

Q. How can I redirect HTTP traffic to HTTPS on ASA?

A. Issue the http redirect command in global configuration mode in order to specify that the security appliance redirects HTTP connections to HTTPS.
hostname(config)#http redirect interface [port]

Software Upgrade Issues


Q. I upgraded my PIX from 6.x to 7.x. After the upgrade I noticed 8-10% higher CPU usage for the same amount of traffic. Is this increase normal?

A. PIX 7.0 has three times more syslogs and new features than the 6.x versions. Increased CPU usage compared to 6.x is normal.

Connectivity Issues
Q. I am unable to ping outside of the outside interface while using Security Appliance 7.0. How do I fix this?

A. There are two options in PIX 7.x that allow inside users to ping outside. The first option is to set up a specific rule for each type of echo message. For example:
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded

access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings an outside host. The other types of ICMP status messages might be hostile, and the firewall blocks all other ICMP messages. The other option is to configure ICMP inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, all inside interfaces can ping outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. For example:
policy-map global_policy
 class inspection_default
  inspect icmp
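As an added example that is not part of the original FAQ, the Python script below models how the ASA evaluates the extended access lists shown in the ACL answer and the ICMP answer above: the first matching ACE wins, and any flow that matches nothing hits the implicit deny. The names Flow, Ace and evaluate, and the sample source addresses, are constructed for this illustration.

```python
"""Added example, not from the Cisco FAQ: a small evaluator for ASA/PIX extended
access-list entries that shows first-match ordering and the implicit deny at the
end of every ACL (netmask syntax, 'host', 'any', port names and ICMP type names)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the symbolic names the ASA CLI accepts; extend as needed.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "ftp": 21}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "time-exceeded": 11}


@dataclass
class Flow:
    """One packet/connection as the firewall sees it when evaluating an ACL (constructed)."""
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    """One parsed access control entry."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[int]
    text: str

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if ipaddress.IPv4Address(flow.src) not in self.src:
            return False
        if ipaddress.IPv4Address(flow.dst) not in self.dst:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.icmp_type is not None and flow.icmp_type != self.icmp_type:
            return False
        return True


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses real netmasks, not wildcards)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT | ICMP-TYPE]' line."""
    tokens = line.split("#")[-1].split()      # drop a leading 'hostname(config)#' prompt if present
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    i = 3 if tokens[2] == "extended" else 2
    action, proto = tokens[i], tokens[i + 1]
    i += 2
    src, i = _parse_addr(tokens, i)
    if i < len(tokens) and tokens[i] == "eq":   # optional source port: ignored by this evaluator
        i += 2
    dst, i = _parse_addr(tokens, i)
    dport = icmp_type = None
    if i < len(tokens):
        if tokens[i] == "eq":
            port = tokens[i + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        elif proto == "icmp":
            icmp_type = ICMP_TYPES[tokens[i]]
    return Ace(action, proto, src, dst, dport, icmp_type, line.strip())


def evaluate(acl_lines: List[str], flow: Flow) -> Tuple[str, str]:
    """First matching ACE wins; if none matches, the ASA's implicit deny applies."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace.matches(flow):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The ACLs from the FAQ, reproduced here as sample input.
ACL_OUTSIDE = ["access-list OUTSIDE extended permit tcp any host 172.20.1.10 eq www"]
ACL_101 = [
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 permit icmp any any source-quench",
    "access-list 101 permit icmp any any unreachable",
    "access-list 101 permit icmp any any time-exceeded",
]

if __name__ == "__main__":
    # Constructed sample flows arriving inbound on the outside interface.
    for acl, flow in [
        (ACL_OUTSIDE, Flow("tcp", "198.51.100.7", "172.20.1.10", dport=80)),
        (ACL_OUTSIDE, Flow("tcp", "198.51.100.7", "172.20.1.10", dport=22)),
        (ACL_101, Flow("icmp", "203.0.113.5", "10.0.0.5", icmp_type=0)),   # echo-reply to an inside host
        (ACL_101, Flow("icmp", "203.0.113.5", "10.0.0.5", icmp_type=8)),   # inbound echo request
    ]:
        print(flow, "->", evaluate(acl, flow))
```

The inbound echo request in the last case is what the ACL 101 approach blocks while still letting the reply through.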

Q. I am unable to access the inside interface of the Security Appliance when connected via a VPN tunnel. How can I do this?

A. The inside interface of the Security Appliance cannot be accessed from the outside, and vice versa, unless management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must still be configured for the desired hosts.
pix(config)#management-access inside
pix(config)#show running-config management-access
management-access inside

Q. Why am I unable to connect an IP Phone through a VPN tunnel with the ASA?

A. It can be an authentication issue. Verify that the IP phone user group has authentication (X-auth) enabled.

ASDM Related

Q. How do I enable/access the ASDM on ASA/PIX?

A. You need to enable the HTTPS server and allow HTTPS connections to the security appliance in order to use ASDM. All of these tasks are completed if you use the setup command. Refer to Allowing HTTPS Access for ASDM for more information.

Supported Features
Q. What are the two modes of operations in Security Appliance?

A. The PIX Security Appliance can operate in two different firewall modes:
1. Routed mode: In routed mode, the PIX has IP addresses assigned to its interfaces and acts as a router hop for packets that pass through it. All traffic inspection and forwarding decisions are based on Layer 3 parameters. This is how PIX Firewall versions earlier than 7.0 operate.
2. Transparent mode: In transparent mode the PIX does not have IP addresses assigned to its interfaces. Instead it acts as a Layer 2 bridge that maintains a MAC address table and makes forwarding decisions based on that. The use of full extended IP access lists is still available and the firewall can inspect IP activity at any layer. In this mode of operation the PIX is often referred to as a "bump in the wire" or "stealth firewall". There are other significant differences as to how transparent mode operates in comparison to routed mode:
o Only two interfaces are supported, inside and outside.
o NAT is not supported or required since the PIX is no longer a hop.

Note: NAT and PAT are supported in the transparent firewall for ASA/PIX releases 8.0(2) and later. Refer to PIX/ASA: Transparent Firewall Configuration Example for more information on how to configure the Security Appliance in Transparent Mode.

Note: Because transparent and routed modes use different approaches to security, the running configuration is cleared when the PIX is switched to transparent mode. Be sure to save your routed mode running configuration to Flash or an external server.

Q. Does ASA support ISP load balancing?

A. No. Load balancing must be handled by a router that passes traffic to the security appliance.

Q. Is MD5 authentication with BGP supported through ASA?

A. No, MD5 authentication is not supported through ASA, but a workaround can be to disable it. Refer to ASA/PIX: BGP through ASA Configuration Example for more information.

Q. Does PIX/ASA support EtherChannel/PortChannel interfaces?

A. Yes, support for EtherChannel is introduced in ASA software version 8.4. You can configure up to 48 802.3ad EtherChannels of eight active interfaces each. For more information, refer to Release Notes of ASA Version 8.4.

Q. Can Anyconnect and Cisco VPN Client work together on ASA?

A. Yes, because they are not interrelated. AnyConnect works over SSL and the Cisco VPN Client works over IPsec.

Q. Is ASA/PIX able to block Skype?

A. Unfortunately, the PIX/ASA is not able to block Skype traffic. Skype has the capability to negotiate dynamic ports and to use encrypted traffic. With encrypted traffic, it is virtually impossible to detect it as there are no patterns to look for. You could eventually use a Cisco Intrusion Prevention System (IPS). It has some signatures that are able to detect a Windows Skype Client that connects to the Skype server to synchronize its version. This is usually done when the client initiates the connection. When the sensor picks up the initial Skype connection, you can find the person who uses the service and block all connections initiated from their IP address.

Q. Does ASA support SNMPv3?

A. Yes. Cisco ASA Software Release 8.2 supports Simple Network Management Protocol (SNMP) version 3, the newest version of SNMP, and adds authentication and privacy options in order to secure protocol operations.

Q. Is there a way to log entries with a name instead of an IP address?

A. Use the names command in order to enable the association of a name with an IP address. You can associate only one name with an IP address. You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.

The name command allows you to identify a host by a text name and map text strings to IP addresses. Use the clear configure name command in order to clear the list of names from the configuration. Use the no names command in order to disable logging name values. Both the name and names commands are saved in the configuration.

Q. Is the ip accounting command available in PIX/ASA 7.x?

A. No.

Q. Does Security Appliance 7.0 support the Are You There (AYT) feature?

A. Yes. In an AYT scenario, a remote user has a personal firewall installed on the PC. The VPN Client enforces the firewall policy defined on the local firewall, and it monitors that firewall to make sure that it runs. If the firewall stops running, the VPN Client drops the connection to the PIX or ASA. This firewall enforcement mechanism is called Are You There (AYT), because the VPN Client monitors the firewall by sending it periodic "are you there?" messages. If no reply comes, the VPN Client knows the firewall is down and terminates its connection to the PIX Security Appliance. The network administrator might configure these PC firewalls originally, but with this approach, users can customize their own configurations.

Q. Is FTP with TLS/SSL supported through the Security Appliance?

A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with FTP with TLS/SSL, this conversation is encrypted and the PIX is unable to determine what ports to open. Thus, the FTP with TLS/SSL connection ultimately fails. One possible workaround in this situation is to use an FTP client that supports the use of a "clear command channel" while still using TLS/SSL to encrypt the data channel. With this option enabled, the PIX should be able to determine what port needs to be opened.

Q. Does the Security Appliance support DDNS?

A. Yes, the Security Appliance supports DDNS. Refer to Configuring Dynamic DNS for more information.

Q. Does the PIX support WebVPN/SSL VPN?

A. No, but it is supported in the Cisco 5500 Series Adaptive Security Appliance (ASA).

Q. Does the PIX support Cisco AnyConnect VPN Client?

A. No, it is supported only in the Cisco 5500 Series Adaptive Security Appliance (ASA).

Q. Does the PIX support any services modules like AIP-SSM and CSC-SSM?

A. No.

Q. Does the Cisco Security Appliance support IPsec Manual Keying (manual encryption)?

A. No.

Q. Does the ASA support password management with NT?

A. ASA does not support password management with NT. Note: Security appliance supports password management for the RADIUS and LDAP protocols.

Q. Can Cisco 5500 Series ASA do a Policy Based Routing (PBR) like Cisco Router? For example, mail traffic should be routed to first ISP while http traffic should be routed to the second one.

A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future. Note: The route-map command is used to redistribute routes between routing protocols, such as OSPF and RIP, with the use of metrics and not to policy route regular traffic as in routers.

Q. Can I use ASA 5510 as an Easy VPN Client?

A. No. Easy VPN client configuration is only supported on ASA 5505.

Q. Does ASA support asymmetric routing?

A. ASA supports asymmetric routing in version 8.2(1) and later. It is not supported in ASA versions prior to 8.2(1).

Q. Does ASA support PPTP client?

A. No.

Q. Does ASA support QOS marking the packet with DSCP value?

A. No, it supports only matching on the DSCP value of traffic and passing it to the next-hop devices without changing the DSCP values. Refer to DSCP and DiffServ Preservation for more information.

Q. Which IPsec transforms (ESP, AH) are supported on the ASA/PIX versions 7.0 and later?

A. Only IPsec Encapsulating Security Payload (ESP) encryption and authentication is supported. Authentication Header (AH) transforms are not supported on the ASA/PIX versions 7.0 and later.

Q. Does ASA support Universal Plug and Play (UPnP) feature?

A. No, the ASA does not support the Universal Plug and Play (UPnP) feature at this time.

Q. Does ASA support source-based routing?

A. No.

Q. Does H.329 traffic pass through PIX/ASA 8.1 and later?

A. No.

Q. Does ASA support H.460 protocol inspection?

A. No.

Q. Does ASA support EXEC Authorization, which logs the user directly into enable mode after authentication?

A. No, EXEC Authorization feature is not supported in ASA.

Q. Does ASA allow Broadcast traffic to pass through its interface?

A. No.

Q. Is it possible to configure two-factor L2L VPN authentication between 5505 ASAs?

A. Two-factor authentication can be configured beginning with ASA version 8.2.x only for AnyConnect and SSL VPN. You cannot configure two-factor authentication for L2L VPN.

Q. Is it possible to add two phone proxies on the same ASA?

A. No. It is not possible to add two phone proxies on the same ASA as ASA does not support this.

Q. Does the ASA support the NetFlow configuration?

A. Yes, this feature is supported in Cisco ASA version 8.1.x and later. For complete implementation details, refer to the Cisco NetFlow Implementation Guides. For a complete configuration summary, refer to the Configuration Examples for NetFlow Secure Event Logging section of Configuring NetFlow Secure Event Logging.

Q. Does the ASA support the native L2TP/IPsec Client on Android devices?

A. The native Android client is not fully RFC compliant; it is supported by the Cisco ASA starting with version 8.4.1. For more information, refer to Supported Clients.

Failover
Q. Can a Security Appliance with a failover license be part of an active-active failover?

A. Security Appliance failover units can be used in an active/active failover pair once they have a new failover active/active license upgrade installed (active/active requires one UR model and one "FO active/active" model). Refer to Feature Licenses and Specifications for more information on licensing.

Q. Does the ASA support SSL VPN when configured for failover?

A. ASA supports SSL VPN only when configured for Active/Standby Failover and not in Active/Active Failover. For more information, refer to ASA Failover handling of SSL VPN application traffic and configurations.

Error Messages
Q. I am unable to configure failover when EZVPN is enabled on ASA 5505. Why does this error message appear?
ERROR: vpnclient enable
* Disable failover
CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote operation has been detected, and is listed above. Please resolve the above configuration conflict(s) and re-enable.

A. If the ASA 5505 uses Easy VPN for remote users (Client mode), failover works, but if you have the ASA configured as an Easy VPN Client in Network Extension Mode (NEM), it does not work when failover is configured. Failover works only when the ASA uses EZVPN for remote users (Client mode), which is why this error occurs.

Q. I receive this error message when I configure the third VLAN. How can I resolve this error?
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

A. This error occurs due to a license limitation on the ASA. You must obtain the Security Plus license in order to configure more VLANs in routed mode. Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside, not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.

Q. How can I resolve this error message:

%ASA-6-110002: Failed to locate egress interface for UDP from outside:x.x.x.x/xxxx to x.x.x.x/xxxx?

A. ASA gives this error message when the VPN Client tries to use a peer-to-peer program and that traffic goes into the tunnel, where the peer-to-peer server does not reside. Configure split tunneling in order to resolve this issue, so that the traffic that needs to go out to the Internet does not travel through the tunnel and the packet is not dropped by the firewall. Refer to ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example for more information on split tunneling configuration on the ASA.

Q. How can I resolve this error message:

Error: execUpgradeSoftware: operation timed out with 0 out of 1 bytes received?

A. When you attempt to upgrade the AIP-SSM with FTP, it can time out. Increase the FTP timeout value in order to resolve the issue. For example:
configure terminal
service host
network-settings
ftp-timeout 2700
exit

Save the changes.

Q. How can I resolve this error message:

%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error?

A. In order to resolve this issue, try one of these workarounds:
1. Disable DTLS on the ASA interfaces on which it is enabled. In order to complete this solution, go to the AnyConnect profile in ASDM and remove the tick beside the interface that serves AnyConnect. For more information, refer to Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections.
2. Reload the ASA.

This problem arises due to an error in the hardware accelerator of the ASA. There are two bugs filed regarding this behavior. For more information, refer to CSCsd43563 (registered customers only) and CSCsc64621 (registered customers only).

Q. How can I resolve this error message: unable to send authentication message?

A. The ASA does not support password management when you use LOCAL (internal) authentication. Remove the password management if configured in order to resolve this issue.

Q. How can I resolve this error message that is received when testing the authentication on the ASA: ERROR: Authentication Server not responding: No error?
ASA# test aaa-server authentication TAC_SRVR_GRP username test password test123
Server IP Address or name: ACS-SERVER
INFO: Attempting Authentication test to IP address <ACS-SERVER> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error

A. Use any of these points to resolve this problem:
1. Verify the connectivity from the ASA to the AAA server with a ping test and ensure that the AAA server is reachable from the ASA.
2. Verify the AAA-related configuration on the ASA and check whether the AAA server is specified properly:
ASA# show run aaa-server
aaa-server RAD_SRVR_GRP protocol radius
aaa-server RAD_SRVR_GRP host ACSSERVER
 key *
aaa-server TAC_SRVR_GRP protocol tacacs+
aaa-server TAC_SRVR_GRP host ACSSERVER
 key *
3. Verify whether the RADIUS or TACACS+ ports are blocked by any firewall in the path between the AAA server and the ASA. Ensure that the corresponding ports are opened based on the protocol used.
4. Verify the parameters on the AAA server.
5. Reload the AAA server.

A successful test of the authentication looks like this:
ASA(config)# test aaa authentication topix host 10.24.10.10 username test password test1234
INFO: Attempting Authentication test to IP address <10.24.0.10> (timeout: 12 seconds)
INFO: Authentication Successful

Q. How can I resolve this error message:

%Error opening disk0:/.private/startup-config (Read-only file system) Error executing command [FAILED]?

A. Format the flash, or run the fsck command on the ASA/PIX, in order to resolve this issue.

Q. How can I resolve this ASDM error message: Unconnected sockets not implemented?

A. This issue occurs when ASDM version 5.0 or later runs on the ASA, PIX, or FWSM, and uses Java 6 Update 10 or later. While loading ASDM, this message appears:
ASDM cannot be loaded. Click OK to exit ASDM. Unconnected sockets not implemented.

In order to resolve this issue, uninstall Java 6 Update 10, and install Java 6 Update 7. For more information, refer to CSCsv12681 (registered customers only) . In order to get ASDM to load correctly with Java 6 Update 10, update ASDM to ASDM 6.1(5)51. For detailed information, refer to the ASDM Client Operating System and Browser Requirements section of the Cisco ASDM Release Notes Version 6.1(5).

Q. How can I resolve this error message:

%ASA-1-199010: Signal 11 caught in process/fiber(rtcli async executor process)/(rtcli async executor) at address 0xf132e03b, corrective action at 0xca1961a0?

A. This issue might be caused when ASDM is used to access the ASA or when there is high CPU utilization on the ASA. This message usually appears when the error recovery mechanism prevents the system from crashing. If there is no other issue along with this message, it can be ignored. It is a recoverable error that does not impact performance.

Q. Oracle traffic does not pass through the firewall. How can I resolve this issue?

A. This issue is caused by the sqlnet inspection feature of the firewall. When it occurs, the connections are torn down. The TCP proxy for the sqlnet inspection engine was designed to handle multiple TNS frames in one TCP segment. The sqlnet inspection handles many TNS frames in one packet, which makes the code complex. In order to resolve this issue, the inspection engine should not handle multiple TNS frames in one packet; each TNS frame is assumed to be in a different TCP packet and is inspected individually. Software bugs have been filed for this behavior; for more information, refer to CSCsr27940 (registered customers only) and CSCsr14351 (registered customers only). Use the no inspect sqlnet command in class configuration mode in order to disable the inspection for sqlnet:
ASA(config)#class-map sqlnet-port
ASA(config-cmap)#match port tcp eq 1521
ASA(config-cmap)#exit
ASA(config)#policy-map sqlnet_policy
ASA(config-pmap)#class sqlnet-port
ASA(config-pmap-c)#no inspect sqlnet
ASA(config-pmap-c)#exit
ASA(config)#service-policy sqlnet_policy interface outside

For more information, refer to the SQLNet inspection section of the Cisco Security Appliance Command Reference, Version 8.0.

Q. I am unable to copy the software image to the flash of the ASA, and I receive an error message similar to this: Error writing disk0:/asa8XX-XX.bin (Cannot allocate memory)

A. This issue might occur if the firewall is unable to allocate memory (RAM) to load the software image. The ASA buffers the entire image in RAM while it is transferred to the ASA. Until it completes writing to flash, there must be an available free memory block large enough to hold the entire software image. One full memory block must be available to buffer the entire image before the ASA writes it to flash. Memory usage is directly related to the features enabled on your ASA; these features are loaded each time your ASA is booted, regardless of how the image is loaded (via network or flash). You can disable features that you are not currently using in order to reduce memory usage. Note that WebVPN, SSL VPN, and threat detection tend to consume a lot of memory. You can also use ROM monitor (ROMmon) to copy the image, or you can set your boot parameter to boot via TFTP and then copy the image after the ASA has booted over the network. Since ROMmon does not load the configuration, it does not load these features; therefore, you should not experience the issue when you use this method to copy the file. Try these workarounds:

1. Disable threat detection on the firewall. Enter these commands in order to disable threat detection:
conf t
!
no threat-detection basic-threat
no threat-detection statistics tcp-intercept
no threat-detection statistics
!
wr mem
2. Disable the WebVPN-related processes.
3. Use ROMmon to copy the image. For detailed information on how to use the ROM monitor to load a software image, refer to Using the ROM Monitor to Load a Software Image.

Q. How can I resolve this error message:

[ERROR] threat-detection statistics host number-of-rate 0
threat-detection statistics host number-of-rate 0
^
% Invalid input detected at '^' marker?

A. This error can occur while you use the threat detection feature in ASDM. Either use CLI to send the command or downgrade the ASDM in order to resolve this issue.

Q. How can I resolve this error message:

%ERROR: copying 'disk0:/csco_config/97/customization/index.ini' to a temporary ramfs file failed?

A. This issue is due to Cisco bug ID CSCsy77628 (registered customers only). In order to resolve this issue, use the revert webvpn all command in privileged EXEC mode to clear all WebVPN configurations. Reconfigure from scratch and then reload the ASA.

Q. How can I resolve this error message on the ASA:

ERROR: mount: Mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument?

A. Reformat the flash in order to resolve this issue. If this does not resolve the issue then contact TAC for further assistance.

Q. I receive this error message on the ASA when I try to add non-English characters in a banner: The CLI generated has unsupported characters. ASA does not accept such characters. The following line(s) has unsupported characters. How can I resolve this error?

A. This issue is due to Cisco bug ID CSCsz32125 (registered customers only). In order to resolve this issue, upgrade the ASA to software version 8.0(4.34).

Q. How can I resolve this error message on the ASA:

%ASA-1-216005: ERROR: Duplex-mismatch on Et0/0 resulted in transmitter lockup. A soft reset of the switch was performed?

A. This error message is seen when a duplex mismatch exists between the specified port and the device that is connected to it. Set both devices to auto, or hardcode the same duplex on both sides, in order to correct the duplex mismatch. This resolves the issue. Note: Cisco bug ID CSCsm87892 has been filed regarding this problem, and the bug is now in the Resolved state. For more information, refer to CSCsm87892 (registered customers only).

Q. When I perform the recovery process on the AIP-SSM module and then the module repeatedly reboots, I receive this error message: Bad magic number (0x682a2af). How can I resolve this error message?

A. This issue happens when you use the wrong file for recovery or reimaging. If you use the .pkg file instead of the .img file, this causes the error. This error also occurs when the .img file is good but the ASA is stuck in a boot loop. The only way to resolve this issue is to reimage the sensor.

Q. Why does this error message appear when I download Global Correlations updates for AIP-SSM:

collaborationApp[530] rep/E A global correlation update failed: Failed download of ibrs/1.1/config/default/1236210407 : HTTP connection failed
collaborationApp[459] rep/E A global correlation update failed: Failed download of ibrs/1.1/drop/default/1296529950 : URI does not contain a valid ip address?

A. This issue might occur because URL filtering is configured and affects the traffic flow, since the management interface of the AIP-SSM module can go through the ASA to reach the Internet. Make sure that the configured URL filtering does not block the AIP-SSM from reaching the Global Correlation servers, which resolves the issue. This issue also occurs when a previous GC update is corrupted. This can usually be corrected by turning off the GC service and then turning it back on. In IDM, choose Configuration > Policies > Global Correlation > Inspection/Reputation. Then, set Global Correlation Inspection (and Reputation Filtering if On) to Off. Apply the changes and wait for 0 minutes. Turn the features back on and monitor.

Q. How can I resolve this error message on the ASA:

Secure Connection Failed. An error occurred during a connection to x.x.x.x. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)?

A. This issue is due to Cisco bug ID CSCtc37947 (registered customers only). In order to resolve this issue, remove the temporary files created for auto update from the root account on the CSC, and then restart the services.

Q. How can I resolve this error message on the ASA for Grayware: GraywarePattern : Pattern Update: The download file was unsuccessful for ActiveUpdate was unable to unzip the downloaded patch packages. The zip file may be corrupted. This can happen due to an unstable network connection. Please try downloading the file again. The error code is 24?

A. In order to resolve this issue, enter the 3DES activation key or use this command on the ASA: ciscoasa(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-md5. This command specifies the encryption algorithms that the SSL/TLS protocol uses.

Q. How can I resolve this error message that I received while configuring the interfaces on ASA 5505:

ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s)?

A. This issue is due to the number of interfaces allowed to communicate based on the license present in the ASA. For models with a built-in switch, such as the ASA 5505, use the forward interface command in interface configuration mode in order to restore connectivity for one VLAN from initiating contact to another VLAN. In order to restrict one VLAN from initiating contact to another VLAN, use the no form of this command. You might need to restrict one VLAN depending on how many VLANs your license supports.

Q. How can I resolve this error message on the ASA: %Error opening system:/running-config (No such device)?

A. Reload the ASA in order to resolve this error message.

Q. I received this error:

[ERR-PAT-0003] The update system cannot find the required files in the decompressed set of update files, and cannot continue. This message is for diagnostic purpose only. Customers - please contact Technical Support. while upgrading to the latest pkg file on CSC-SSM. Why does this error occur?

A. This issue is due to Cisco bug ID CSCta99320 (registered customers only). Refer to this bug for more information.

Q. I receive this error message on the ASA, and the ASA does not reboot: mempool: error 12 creating global shared pool. Why does this issue occur, and how can it be resolved?

A. This problem might occur when you try to install more RAM than is appropriate for a particular platform. For example, if you try to install 4 GB of RAM in an ASA5540, you might receive this error because the ASA5540 should not run more than 2 GB of RAM. Keep these items in mind when you install the new RAM: only the new RAM is installed in the ASA; the old RAM should be removed and NOT loaded in the extra RAM slots; the new RAM should be installed in alternating slots; for optimum performance, install the DIMMs in slots P13 and P15.

Q. I receive this error:

%ASA-4-402125: CRYPTO: The ASA hardware accelerator Ipsec ring timed out (Desc= 0xD6AF25E0, CtrlStat= 0xA000, ResultP= 0xD2D10A00, ResultVal= 186, Cmd= 0x10, CmdSize= 0, Param= 0x0, Dlen= 152, DataP= 0xD2D10974, CtxtP= 0xD46E6B10, SWReset= 21), when the ASA drops packets and exhibits severely degraded performance. Why does this issue occur?

A. This issue is due to Cisco bug ID CSCti17266 (registered customers only). Refer to this bug for more information.

Q. This error message is received on the ASA:

418001: Through-the-device packet to/from management-only network is denied: icmp src In-DMZ:192.168.145.53 dst Mgt-Net:10.40.10.1 (type 8, code 0). How do I resolve this?

A. Remove the management-only command from the interface where it is configured. In this specific case, from the above error message, remove the management-only command from the Mgt-Net interface.

Q. How can I resolve this error message:

%PIX|ASA-5-713137: Reaper overriding refCnt [ref_count] and tunnelCnt [tunnel_count] -deleting SA!?

A. This issue is due to Cisco bug ID CSCsq91271 (registered customers only). Refer to this bug for more information.

Q. Why are loopbacks advertised as /32 host routes in OSPF?

A. Loopbacks are considered host routes in OSPF, and they are advertised as /32. For more information, refer to section 9.1 of RFC 2328. In Cisco IOS Software Releases 11.3T and 12.0, if the ip ospf network point-to-point command is configured under loopbacks, OSPF advertises the loopback subnet as the actual subnet configured on the loopbacks. An ISDN dialer interface advertises a /32 subnet instead of its configured subnet mask. This is expected behavior if ip ospf network point-to-multipoint is configured.

Q. How do I change the reference bandwidth in OSPF?

A. You can change the reference bandwidth in Cisco IOS Software Release 11.2 and later using the ospf auto-cost reference-bandwidth command under router ospf. By default, the reference bandwidth is 100 Mbps. The OSPF link cost is a 16-bit number. Therefore, the maximum value supported is 65,535.

Q. How does OSPF calculate its metric or cost?

A. OSPF uses a reference bandwidth of 100 Mbps for cost calculation. The formula to calculate the cost is reference bandwidth divided by interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps / 10 Mbps = 10. Note: If ip ospf cost cost is used on the interface, it overrides this formulated cost.
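The cost formula from the two answers above, worked through in Python as an added example (not code from the Cisco FAQ). It shows the two edge cases a practitioner runs into: links faster than the reference bandwidth all collapse to cost 1 and become indistinguishable to OSPF, and a very slow link under a large reference bandwidth hits the 16-bit cap of 65,535. The interface names and bandwidths are constructed; the 100 Mbps default and the 65,535 cap are the values the FAQ states.

```python
# Added example: OSPF interface cost = reference bandwidth / interface bandwidth,
# truncated to an integer, floored at 1 and capped at the 16-bit maximum.
from typing import Dict, List, Optional

OSPF_MAX_COST = 65_535        # link cost is a 16-bit field (FAQ: maximum 65,535)
DEFAULT_REF_BW_MBPS = 100     # Cisco IOS default reference bandwidth


def ospf_cost(interface_bw_kbps: int, ref_bw_mbps: int = DEFAULT_REF_BW_MBPS,
              manual_cost: Optional[int] = None) -> int:
    """Return the OSPF cost of an interface.

    A manually configured 'ip ospf cost' value overrides the computed cost,
    as the FAQ notes. Otherwise the cost is ref_bw / interface_bw, never
    below 1 and never above OSPF_MAX_COST.
    """
    if manual_cost is not None:
        if not 1 <= manual_cost <= OSPF_MAX_COST:
            raise ValueError("ip ospf cost must be 1..65535")
        return manual_cost
    if interface_bw_kbps <= 0:
        raise ValueError("interface bandwidth must be positive")
    raw = (ref_bw_mbps * 1_000) // interface_bw_kbps   # both sides in kbps
    return max(1, min(raw, OSPF_MAX_COST))


def cost_table(ref_bw_mbps: int, interfaces: Dict[str, int]) -> Dict[str, int]:
    """Cost of every interface under a given reference bandwidth."""
    return {name: ospf_cost(bw, ref_bw_mbps) for name, bw in interfaces.items()}


def links_that_tie(ref_bw_mbps: int, interfaces: Dict[str, int]) -> List[str]:
    """Interfaces whose cost collapses to 1, so OSPF cannot prefer one over another."""
    return [name for name, cost in cost_table(ref_bw_mbps, interfaces).items()
            if cost == 1]


# Constructed interface set (bandwidth in kbps, as 'bandwidth' is entered in IOS).
INTERFACES_KBPS = {
    "Serial0": 1_544,
    "Ethernet0": 10_000,
    "FastEthernet0": 100_000,
    "GigabitEthernet0": 1_000_000,
    "TenGigabitEthernet0": 10_000_000,
}

if __name__ == "__main__":
    for ref in (DEFAULT_REF_BW_MBPS, 10_000):
        print(f"auto-cost reference-bandwidth {ref}: {cost_table(ref, INTERFACES_KBPS)}")
        print("  indistinguishable (cost 1):", links_that_tie(ref, INTERFACES_KBPS))
    # A 64 kbps link under a 100 Gbps reference computes to 1,562,500 and is capped.
    print("64 kbps link at reference 100000 Mbps:", ospf_cost(64, 100_000))
```

Raising the reference bandwidth must be done consistently on every router in the domain, otherwise routers disagree on link costs and path selection becomes unpredictable.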

Q. What algorithm is used by OSPF if equal cost routes exist?

A. If equal cost routes exist, OSPF uses CEF load balancing. For more information, refer to Troubleshooting Load Balancing Over Parallel Links Using Cisco Express Forwarding.

Q. Are OSPF routing protocol exchanges authenticated?

A. Yes, OSPF can authenticate all packets exchanged between neighbors. Authentication may be through simple passwords or through MD5 cryptographic checksums. To configure simple password authentication for an area, use the command ip ospf authentication-key to assign a password of up to eight octets to each interface attached to the area. Then, issue the area x authentication command to the OSPF router configuration to enable authentication. (In the command, x is the area number.) Cisco IOS Software Release 12.x also supports the enabling of authentication on a per-interface basis. If you want to enable authentication on some interfaces only, or if you want different authentication methods on different interfaces that belong to the same area, use the ip ospf authentication interface mode command.
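The MD5 cryptographic authentication mentioned above, as defined in RFC 2328 Appendix D, worked through in Python as an added example that is not code from the Cisco FAQ. The sender appends a 16-byte digest computed over the packet plus the shared key; the receiver recomputes it and also checks the cryptographic sequence number against the last one accepted. Assumptions not taken from the page: keys shorter than 16 bytes are zero-padded to 16 bytes (the behaviour of ip ospf message-digest-key on IOS), and the Hello body, router ID, key and key ID are constructed sample values.

```python
# Added example: OSPF MD5 authentication trailer (RFC 2328, Appendix D).
import hashlib
import hmac
import struct
from typing import Dict, Optional

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
HEADER_FMT = "!BBHIIHH"   # version, type, length, router id, area id, checksum, autype
HEADER_LEN = 24           # 16 fixed bytes + 8-byte Authentication field
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    # Assumption: keys shorter than 16 bytes are zero-padded, as IOS does.
    if not 1 <= len(key) <= 16:
        raise ValueError("message-digest key must be 1..16 bytes")
    return key.ljust(16, b"\x00")


def build_authenticated_packet(router_id: int, area_id: int, body: bytes,
                               key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: return the OSPF packet with the MD5 digest appended.

    With cryptographic authentication the checksum field is zero, and the
    Authentication field carries 2 reserved bytes, the Key ID, the digest
    length (16) and the 32-bit cryptographic sequence number. The length
    field covers header + body only; the trailing digest is not counted.
    """
    length = HEADER_LEN + len(body)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, length,
                         router_id, area_id, 0, AUTYPE_CRYPTOGRAPHIC)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth_field + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_authenticated_packet(packet: bytes, keys: Dict[int, bytes],
                                last_seq: Optional[int] = None) -> bool:
    """Receiver side: True only if the digest and sequence number check out.

    Returns False rather than raising, the way a router silently drops a
    packet that fails authentication. `keys` maps Key ID to configured key.
    """
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False
    version, _ptype, length, _rid, _area, checksum, autype = struct.unpack(
        HEADER_FMT, packet[:16])
    _reserved, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if version != OSPF_VERSION or autype != AUTYPE_CRYPTOGRAPHIC:
        return False
    if checksum != 0 or auth_len != DIGEST_LEN or length + DIGEST_LEN != len(packet):
        return False
    if key_id not in keys:
        return False                      # no key configured for this Key ID
    if last_seq is not None and seq < last_seq:
        return False                      # replayed or out-of-order packet
    signed, received = packet[:length], packet[length:]
    expected = hashlib.md5(signed + _pad_key(keys[key_id])).digest()
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(expected, received)


# Constructed Hello body: mask, hello interval, options, priority, dead
# interval, DR, BDR (no neighbours listed).
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)

if __name__ == "__main__":
    keys = {1: b"cisco123"}              # constructed key for Key ID 1
    pkt = build_authenticated_packet(0x0A000001, 0, HELLO_BODY, 1, keys[1], 100)
    print("genuine packet accepted:", verify_authenticated_packet(pkt, keys))
    print("wrong key rejected:", not verify_authenticated_packet(pkt, {1: b"other"}))
    print("replay rejected:", not verify_authenticated_packet(pkt, keys, last_seq=101))
```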

Q. What is the link-state retransmit interval, and what is the command to set it?

A. OSPF must send acknowledgment of each newly received link-state advertisement (LSA). It does this by sending LSA packets. LSAs are retransmitted until they are acknowledged. The link-state retransmit interval defines the time between retransmissions. You can use the command ip ospf retransmit-interval to set the retransmit interval. The default value is 5 seconds.

Q. What is the purpose of the variable IP-OSPFTransmit-Delay?

A. This variable adds a specified time to the age field of an update. If the delay is not added before transmission over a link, the time in which the link-state advertisement (LSA) propagates over the link is not considered. The default value is 1 second. This parameter has more significance on very low-speed links.

Q. Is it true that only the static option of the virtual link in OSPF allows discontiguous networks, regardless of the mask propagation properties?

A. No, virtual links in OSPF maintain connectivity to the backbone from nonbackbone areas, but they are unnecessary for discontiguous addressing. OSPF provides support for discontiguous networks because every area has a collection of networks, and OSPF attaches a mask to each advertisement.

Q. Are the multicast IP addresses mapped to MAC-level multicast addresses?

A. OSPF sends all advertisements using multicast addressing. Except for Token Ring, the multicast IP addresses are mapped to MAC-level multicast addresses. Cisco maps Token Ring to MAC-level broadcast addresses.

Q. Does the Cisco OSPF implementation support IP TOS-based routing?

A. Cisco OSPF only supports TOS 0. This means that routers route all packets on the TOS 0 path, eliminating the need to calculate nonzero TOS paths.

Q. Does the offset-list subcommand work for OSPF?

A. The offset-list command does not work for OSPF. It is used for distance vector protocols such as Interior Gateway Routing Protocol (IGRP), Routing Information Protocol (RIP), and RIP version 2.

Q. Can an OSPF default be originated into the system based on external information on a router that does not itself have a default?

A. OSPF generates a default only if it is configured using the command default-information originate and if there is a default network in the box from a different process. The default route in OSPF is 0.0.0.0. If you want an OSPF-enabled router to generate a default route even if it does not have a default route itself, use the command default-information originate always.

Q. Can I use the distribute-list in/out command with OSPF to filter routes?

A. The distribute-list commands are supported in OSPF but work differently than distance-vector routing protocols such as Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP). OSPF routes cannot be filtered from entering the OSPF database. The distribute-list in command only filters routes from entering the routing table; it does not prevent link-state packets from being propagated. Therefore, this command does not help conserve router memory, and it does not prohibit a router from propagating filtered routes to other routers. Caution: Use of the distribute-list in command in OSPF may lead to routing loops in the network if not implemented carefully. The command distribute-list out works only on the routes being redistributed by the Autonomous System Boundary Routers (ASBRs) into OSPF. It can be applied to external type 2 and external type 1 routes, but not to intraarea and interarea routes.

Refer to the configuration example of distribute-list in OSPF.

Q. How can I give preference to OSPF interarea routes over intra-area routes?

A. According to section 11 of RFC 2328, the order of preference for OSPF routes is: intra-area routes (O), interarea routes (O IA), external routes type 1 (O E1), external routes type 2 (O E2).

This rule of preference cannot be changed. However, it applies only within a single OSPF process. If a router is running more than one OSPF process, route comparison occurs. With route comparison, the metrics and administrative distances (if they have been changed) of the OSPF processes are compared. Route types are disregarded when routes supplied by two different OSPF processes are compared.

Q. Do I need to manually set up adjacencies for routers on the Switched Multimegabit Data Service (SMDS) cloud with the OSPF neighbor subcommand?

A. In Cisco IOS Software releases earlier than Cisco IOS Software Release 10.0, the neighbor command was required to establish adjacencies over nonbroadcast multiaccess (NBMA) networks (such as Frame Relay, X.25, and SMDS). With Cisco IOS Software Release 10.0 and later, you can use the ip ospf network broadcast command to define the network as a broadcast network, eliminating the need for the neighbor command. If you are not using a fully meshed SMDS cloud, you must use the ip ospf network point-to-multipoint command.

Q. When routes are redistributed between OSPF processes, are all shortest path first algorithm (SPF) metrics preserved, or is the default metric value used?

A. The SPF metrics are preserved. The redistribution between them is like redistribution between any two IP routing processes.

Q. How does Cisco accommodate OSPF routing on partial-mesh Frame Relay networks?

A. You can configure OSPF to understand whether it should attempt to use multicast facilities on a multi-access interface. Also, if multicast is available, OSPF uses it for its normal multicasts. Cisco IOS Software Release 10.0 includes a feature called subinterfaces. You can use subinterfaces with Frame Relay to tie together a set of virtual circuits (VCs) to form a virtual interface, which acts as a single IP subnet. All systems within the subnet should be fully meshed. With Cisco IOS Software Releases 10.3, 11.0 and later, the ip ospf point-to-multipoint command is also available.

Q. Which address-wild-mask pair should I use for assigning an unnumbered interface to an area?

A. When an unnumbered interface is configured, it references another interface on the router. When enabling OSPF on the unnumbered interface, use the address-wild-mask pair of the interface to which the unnumbered interface points.

Q. Can I have one numbered side and leave the other side unnumbered in OSPF?

A. No, OSPF does not work if you have one side numbered and the other side unnumbered. This creates a discrepancy in the OSPF database that prevents routes from being installed in the routing table.

Q. Why do I receive the "cannot allocate router id" error message when I configure Router OSPF One?

A. OSPF picks up the highest IP address as a router ID. If there are no interfaces in up/up mode with an IP address, it returns this error message. To correct the problem, configure a loopback interface.

Q. Why do I receive the "unknown routing protocol" error message when I configure Router OSPF One?

A. Your software may not support OSPF. This error message occurs most frequently with the Cisco 1600 series routers. If you are using a 1600 router, you need a Plus image to run OSPF.

Q. What do the states DR, BDR, and DROTHER mean in show ip ospf interface command output?

A. DR means designated router. BDR means backup designated router. DROTHER indicates a router that is neither the DR nor the BDR. The DR generates a Network Link-State Advertisement, which lists all the routers on that network.

Q. When I issue the show ip ospf neighbor command, why do I only see FULL/DR and FULL/BDR, with all other neighbors showing 2-WAY/DROTHER?

A. To reduce the amount of flooding on broadcast media, such as Ethernet, FDDI, and Token Ring, the router becomes full with only designated router (DR) and backup designated router (BDR), and it shows 2-WAY for all other routers.

Q. Why do I not see OSPF neighbors as FULL/DR or FULL/BDR on my serial link?

A. This is normal. On point-to-point and point-to-multipoint networks, there are no designated routers (DRs) or backup designated routers (BDRs).

Q. Do I need any special commands to run OSPF over BRI/PRI links?

A. In addition to the normal OSPF configuration commands, you should use the dialer map command. When using the dialer map command, use the broadcast keyword to indicate that broadcasts should be forwarded to the protocol address.

Q. Do I need any special commands to run OSPF over asynchronous links?

A. In addition to the normal OSPF configuration commands, you should use the async default routing command on the asynchronous interface. This command enables the router to pass routing updates to other routers over the asynchronous interface. Also, when using the dialer map command, use the broadcast keyword to indicate that broadcasts should be forwarded to the protocol address.

Q. Which Cisco IOS Software release began support for per-interface authentication type in OSPF?

A. Per-interface authentication type, as described in RFC 2178, was added in Cisco IOS Software Release 12.0(8).

Q. Can I control the P-bit when importing external routes into a not-so-stubby area (NSSA)?

A. When external routing information is imported into an NSSA in a type 7 link-state advertisement (LSA), the type 7 LSA has only area flooding scope. To further distribute the external information, type 7 LSAs are translated into type 5 LSAs at the NSSA border. The P-bit in the type 7 LSA Options field indicates whether the type 7 LSA should be translated. Only those LSAs with the P-bit set are translated. When you redistribute information into the NSSA, the P-bit is automatically set. A possible workaround applies when the Autonomous System Boundary Router (ASBR) is also an Area Border Router (ABR). The NSSA ASBR can then summarize with the not-advertise keyword, which results in not advertising the translated type 7 LSAs.

Q. Why are OSPF show commands responding so slowly?

A. You may experience a slow response when issuing OSPF show commands, but not with other commands. The most common reason for this delay is that you have the ip ospf name-lookup configuration command configured on the router. This command causes the router to look up the device Domain Name System (DNS) names for all OSPF show commands, making it easier to identify devices, but resulting in a slowed response time for the commands. If you are experiencing slow response on commands other than just OSPF show commands, you may want to start looking at other possible causes, such as the CPU utilization.

Q. What does the clear ip ospf redistribution command do?

A. The clear ip ospf redistribution command flushes all the type 5 and type 7 link-state advertisements (LSAs) and scans the routing table for the redistributed routes. This causes a partial shortest path first algorithm (SPF) run in all the routers on the network that receive the flushed/renewed LSAs. When the expected redistributed route is not in OSPF, this command may help to renew the LSA and get the route into OSPF.

Q. Does OSPF form adjacencies with neighbors that are not on the same subnet?

A. The only time that OSPF forms adjacencies between neighbors that are not on the same subnet is when the neighbors are connected through point-to-point links. This may be desired when using the ip unnumbered command, but in all other cases, the neighbors must be on the same subnet.

Q. How often does OSPF send out link-state advertisements (LSAs)?

A. OSPF sends out its self-originated LSAs when the LSA age reaches the link-state refresh time, which is 1800 seconds.

Q. How do I stop individual interfaces from developing adjacencies in an OSPF network?

A. To stop routers from becoming OSPF neighbors on a particular interface, issue the passive-interface command at the interface. In Internet service provider (ISP) and large enterprise networks, many of the distribution routers have more than 200 interfaces. Configuring passive-interface on each of the 200 interfaces can be difficult. The solution in such situations is to configure all the interfaces as passive by default using a single passive-interface default command. Then, configure individual interfaces where adjacencies are desired using the no passive-interface command. For more information, refer to Default Passive Interface Feature.

There are some known problems with the passive-interface default command. Workarounds are listed in Cisco bug ID CSCdr09263 (registered customers only).

Q. When I have two type 5 link-state advertisements (LSAs) for the same external network in the OSPF database, which path should be installed in the IP routing table?

A. When you have two type 5 LSAs for the same external network in the OSPF database, prefer the external LSA that has the shortest path to the Autonomous System Boundary Router (ASBR) and install that into the IP routing table. Use the show ip ospf border-routers command to check the cost to the ASBR.

Q. Why is it that my Cisco 1600 router does not recognize the OSPF protocol?

A. Cisco 1600 routers require the Plus feature set image of Cisco IOS Software to run OSPF. Refer to Table 3: Cisco 1600 Series Routers Feature Sets in the Release Notes for Cisco IOS Release 11.2(11) Software Feature Packs for Cisco 1600 Series Routers for more information.

Q. Why is it that my Cisco 800 router does not run OSPF?

A. Cisco 800 routers do not support OSPF. However, they do support Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP). You can use the Software Advisor (registered customers only) tool for more information on feature support.

Q. Should I use the same process number while configuring OSPF on multiple routers within the same network?

A. OSPF, unlike Border Gateway Protocol (BGP) or Enhanced Interior Gateway Routing Protocol (EIGRP), does not check the process number (or autonomous system number) when adjacencies are formed between neighboring routers and routing information is exchanged. The only case in which the OSPF process number is taken into account is when OSPF is used as the routing protocol on a Provider Edge to Customer Edge (PE-CE) link in a Multiprotocol Label Switching (MPLS) VPN. PE routers mark OSPF routes with the domain attribute derived from the OSPF process number to indicate whether the route originated within the same OSPF domain or from outside it. If the OSPF process numbering is inconsistent on PE routers in the MPLS VPN, the domain-id OSPF mode command should be used to mark that the OSPF processes with different numbers belong to the same OSPF domain. This means that, in many practical cases, you can use different autonomous system numbers for the same OSPF domain in your network. However, it is best to use consistent OSPF-process numbering as much as possible. This consistency simplifies network maintenance and complies with the network designer intention to keep routers in the same OSPF domain.

Q. I have a router that runs Cisco Express Forwarding (CEF) and OSPF. Which one does the load balancing when there are multiple links to a destination?

A. CEF switches packets based on the routing table, which is populated by routing protocols such as OSPF. CEF does the load balancing once the routing protocol table has been calculated. For more details on load balancing, refer to How does load-balancing work?

Q. How does OSPF use two Multilink paths to transfer packets?

A. OSPF uses the metric cost, which is related to the bandwidth. If there are equal-cost paths (the same bandwidth on both multilinks), OSPF installs both routes in the routing table. The routing table tries to use both links equally, regardless of the interface utilization. If one of the links in the first multilink fails, OSPF does not send all the traffic down the second multilink. If the first multilink peaks at 100%, OSPF does not send any traffic down the second multilink, because OSPF tries to use both links equally regardless of the interface utilization. The second multilink is used fully only when the first multilink goes down.

Q. How can you detect the topological changes rapidly?

A. In order to have rapid fault detection of topology changes, the hello timer value needs to be set to 1 second. The hold timer value, which is four times that of the hello timer, also needs to be configured. There is a possibility of more routing traffic if the hello and hold timer values are reduced from their default values.

Q. Does the 3825 Series Router support the OSPF Stub feature?

A. Yes, the 3800 Series Router that runs the Advanced IP Services image supports the OSPF Stub feature.

Q. What does the error message %OSPF-4-FLOOD_WAR: Process process-id re-originates LSA ID ip address type-2 adv-rtr ip address in area area id mean?

A. This error message is logged when a router flushes a network LSA because the network LSA it received has an LSA ID that conflicts with the IP address of one of the router's own interfaces, and the router flushes that LSA out of the network. For OSPF to function correctly, the IP addresses of transit networks must be unique. If they are not unique, the conflicting routers report this error message. The router whose OSPF router ID is reported as adv-rtr in the message is the one reporting it.

Q. Can we have OSPF run over a GRE tunnel?

A. Yes, refer to Configuring a GRE Tunnel over IPSec with OSPF.

Q. Is there a way to manipulate Type 3 LSAs that originate from two different areas and are sent to a non-backbone area, so that one is preferred?

A. Type 3 LSA is originated by the Area Border Router (ABR) as a summary route. Manipulating the summary route is not possible in an ABR router.

Q. Is there a drop/flap of an OSPF neighborship when changing an OSPF area type from nssa no-summary to nssa?

A. When the NSSA ABR is configured to move from nssa no-summary to nssa, the OSPF neighborship does not flap.

Q. In the %OSPF-5-ADJCHG: Process ID, Nbr [ip-address] on Port-channel31 from FULL to EXSTART, SeqNumberMismatch error message, what does SeqNumberMismatch signify?

A. The OSPF neighbor changed state from FULL to EXSTART because of the receipt of a Database Description (DBD) packet from the neighbor with an unexpected sequence number. SeqNumberMismatch means that a DBD packet received during OSPF neighborship negotiation either has an unexpected DBD sequence number, unexpectedly has the Init bit set, or has an Options field that differs from the last Options field received in a Database Description packet.

Q. What is the maximum number of OSPF processes (VRF aware) on 7600/6500 platforms?

A. Cisco IOS has a limit of 32 routing processes. Two of these are saved for static and directly connected routes. The Cisco 7600 router supports 28 OSPF processes per VRF.
