
Page 1: Which Devices Support PIX 7

8/3/2019 Which Devices Support PIX 7

http://slidepdf.com/reader/full/which-devices-support-pix-7 1/41

Q. Which devices support PIX 7.x?

A. PIX 515, PIX 515E, PIX 525, PIX 535 and all of the Cisco ASA 5500 Series Adaptive Security Appliances (ASA 5510, ASA 5520, and ASA 5540) support software version 7.x and later.

The PIX 501, PIX 506E, and PIX 520 Security Appliances are not supported in software version 7.x.

Q. I have a PIX 515/515E model that runs on software version 6.x, and I want to upgrade to 7.x. Is this possible?

A. Yes, it is possible provided you have the necessary memory modules. Refer to Cisco PIX 515/515E Security Appliance Memory Upgrade for PIX Software version 7.0 for the exact memory requirements before you upgrade PIX 515/515E.

Q. What are the changes and new features in PIX 7.0? When I upgrade from version 6.x to 7.x, are the old features taken care of automatically?

A. Refer to Changes in PIX Security Appliance Version 7.0 for details related to the changes and new features in PIX 7.0.

Most changed and deprecated features and commands are converted automatically when PIX Security Appliance 7.x boots on your system. A few features and commands require manual intervention before or during the upgrade. Refer to Changed and Deprecated Features and Commands for more information.

Configuration Issues


Q. How do you perform a basic configuration for Security Appliances running 7.x?

A. Refer to the Configuring Basic Settings section of Cisco Security Appliance Command Line Configuration Guide, Version 7.1.

Q. How do I configure the interfaces in PIX 7.x?

A. PIX/ASA 7.0 is set up to resemble the router and switch Cisco IOS® as closely as possible. In PIX/ASA 7.0, the configuration reads like this:

interface Ethernet0
 description Outside Interface
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.10.80.4 255.255.255.0 standby 10.10.80.6

Refer to Configuring Interface Parameters on PIX 7.0 for more information.

Q. How do I create an access list (ACL) on the ASA or PIX?

A. An access list is made up of one or more Access Control Entries (ACE) with the same access list ID. Access lists are used to control network access or to specify traffic for many features to act upon. In order to add an ACE, use the command access-list <ID> extended in global configuration mode. In order to remove an ACE, use the no form of this command. In order to remove the entire access list, use the clear configure access-list command.

This access-list command allows all hosts (on the interface to which you apply the access list) to go through the security appliance:


hostname(config)# access-list ACL_IN extended permit ip any any

If an access list is configured to control traffic through the security appliance, it must be applied to an interface with the access-group command before it takes effect. Only one access list can be applied to each interface in each direction. Enter this command in order to apply an extended access list to the inbound or outbound direction of an interface:

hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

This example shows an inbound access list applied to the inside interface that allows the network 10.0.0.0/24 through the security appliance:

hostname(config)# access-list INSIDE extended permit ip 10.0.0.0 255.255.255.0 any
hostname(config)# access-group INSIDE in interface inside

This example shows an inbound access list applied to the outside interface that allows all hosts on the outside of the security appliance to have web access through the security appliance to the server at 172.20.1.10:

hostname(config)# access-list OUTSIDE extended permit tcp any host 172.20.1.10 eq www
hostname(config)# access-group OUTSIDE in interface outside

Note: Access lists contain an implicit "deny" at the end. This means that once an ACL is applied, all traffic not explicitly permitted by an ACE in the ACL is denied.

Q. Can I use the management0/0 interface on the ASA in order to pass traffic like any other interface?

A. Yes. Refer to the management-only command for more information.

Q. What does Security Context in Security Appliance mean?

A. You can partition a single hardware PIX into multiple virtual devices, known as Security Contexts. Each context becomes an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode and include routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

Q. How do I configure the VPN user group-lock feature on the ASA or PIX?

A. In order to configure group lock, send the group policy name in the class attribute 25 on the Remote Authentication Dial-In User Service (RADIUS) server and choose the group in order to lock the user within the policy.

For example, in order to lock the Cisco 123 user into the RemoteGroup group, define the Internet Engineering Task Force (IETF) attribute 25 class OU=RemotePolicy for this user on the RADIUS server.

Refer to this configuration example in order to configure group lock on an Adaptive Security Appliance (ASA)/PIX:

group-policy RemotePolicy internal
group-policy RemotePolicy attributes
 dns-server value x.x.x.x
 group-lock value RemoteGroup

tunnel-group RemoteGroup type ipsec-ra
tunnel-group RemoteGroup general-attributes
 address-pool cisco
 authentication-server-group RADIUS-Group
 default-group-policy RemotePolicy

Note: OU sets the group policy, and the group policy locks the user into the preferred tunnel-group. In order to set up your Cisco Secure ACS for Windows RADIUS server to lock a user into a particular group configured on the ASA.
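The lock decision described above, modelled in Python as an added example (not configuration or code from the page): the tables mirror the page's RemotePolicy/RemoteGroup configuration, while the second tunnel-group, the DfltGrpPolicy fallback, the user names and the RADIUS reply are constructed. It shows a locked user being rejected on any tunnel-group other than the one named by group-lock.

```python
"""Model of the RADIUS group-lock check described on this page.

Added example, not configuration or code from the original document: the
group-policy and tunnel-group tables mirror the page's configuration, the
RADIUS reply is constructed, and the user names are assumptions.
"""

# Mirrors the page's configuration: group-policy RemotePolicy carries
# 'group-lock value RemoteGroup'. The second tunnel-group is constructed.
GROUP_POLICIES = {
    "RemotePolicy": {"group-lock": "RemoteGroup"},
    "DfltGrpPolicy": {},                     # no lock: usable from any tunnel-group
}
TUNNEL_GROUPS = {                            # tunnel-group -> default-group-policy
    "RemoteGroup": "RemotePolicy",
    "PartnerGroup": "DfltGrpPolicy",         # constructed second tunnel-group
}
IETF_CLASS = 25                              # RADIUS attribute number for Class


def policy_from_radius(attrs):
    """Return the group-policy named by Class 'OU=<name>', or None if absent."""
    value = attrs.get(IETF_CLASS, "")
    return value[3:] if value.startswith("OU=") else None


def authorize(user, tunnel_group, radius_attrs):
    """Decide whether an authenticated user may complete a connection on tunnel_group.

    The group policy comes from the RADIUS Class attribute when present,
    otherwise from the tunnel-group's default-group-policy. A policy with
    group-lock admits the user only on the tunnel-group it names.
    """
    if tunnel_group not in TUNNEL_GROUPS:
        return ("reject", f"unknown tunnel-group {tunnel_group}")
    policy_name = policy_from_radius(radius_attrs) or TUNNEL_GROUPS[tunnel_group]
    if policy_name not in GROUP_POLICIES:
        return ("reject", f"RADIUS named unknown group-policy {policy_name}")
    lock = GROUP_POLICIES[policy_name].get("group-lock")
    if lock is not None and lock != tunnel_group:
        return ("reject", f"{user} is locked to {lock}, attempted {tunnel_group}")
    return ("accept", policy_name)
```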

Q. How can I capture packets in PIX/ASA?

A. Packets can be captured in PIX/ASA if you use the Packet Capture feature. Refer to ASA/PIX/FWSM: Packet Capturing using CLI and ASDM Configuration Example for more information on how to configure the Packet Capture feature.

Q. How can I redirect HTTP traffic to HTTPS on ASA?

A. Issue the http redirect command in global configuration mode in order to specify that the security appliance redirect HTTP connections to HTTPS.

hostname(config)# http redirect interface [port]

Software Upgrade Issues

Q. I upgraded my PIX from 6.x to 7.x. After the upgrade I noticed 8-10% higher CPU usage for the same amount of traffic. Is this increase normal?

A. PIX 7.0 has three times more syslogs and new features than the 6.x versions. Increased CPU usage compared to 6.x is normal.

Connectivity Issues

Q. I am unable to ping outside of the outside interface while using Security Appliance 7.0. How do I fix this?

A. There are two options in PIX 7.x that allow inside users to ping outside. The first option is to set up a specific rule for each type of echo message. For example:

access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded


access-group 101 in interface outside

This allows only these return messages through the firewall when an inside user pings an outside host. The other types of ICMP status messages might be hostile, and the firewall blocks all other ICMP messages.

Another option is to configure icmp inspection. This allows a trusted IP address to traverse the firewall and allows replies back to the trusted address only. This way, all inside interfaces can ping outside and the firewall allows the replies to return. This also gives you the advantage of monitoring the ICMP traffic that traverses the firewall. For example:

policy-map global_policy
 class inspection_default
  inspect icmp
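The ACL matching described in the access-list answer and in the ICMP answer above, modelled in Python as an added example (not code from the page): it parses the page's own INSIDE, OUTSIDE and 101 access-list lines into ACEs and evaluates constructed packets top-down, so the implicit deny is visible, for instance an inbound echo request is dropped by list 101 while an echo reply returning to an inside host passes. The keyword tables and the packet samples are assumptions limited to what the page's ACLs use.

```python
"""Model of ASA/PIX extended ACL evaluation with the implicit deny.

Added example, not code from the original document. It parses the page's own
access-list lines (INSIDE, OUTSIDE and the ICMP list 101), evaluates constructed
packets in order, and denies whatever no ACE permits. Parsing covers only the
syntax used on this page: any / host A.B.C.D / A.B.C.D MASK, eq port, ICMP type names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Keyword tables limited to what the page's ACLs use (assumed IANA numbers).
PORT_NAMES = {"www": 80}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11}

@dataclass
class Packet:
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None

@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[int]

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse one access-list line into (acl_id, ACE)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    acl_id, i = t[1], 2
    if t[i] == "extended":          # optional keyword on the 7.x form
        i += 1
    action, proto = t[i], t[i + 1]
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif proto == "icmp":
            icmp_type = ICMP_TYPES[t[i]]
    return acl_id, ACE(action, proto, src, dst, dport, icmp_type)

def build_acls(lines):
    """Group ACEs by access list ID, preserving configuration order."""
    acls = {}
    for line in lines:
        acl_id, ace = parse_ace(line)
        acls.setdefault(acl_id, []).append(ace)
    return acls

def ace_matches(ace, pkt):
    """True when protocol, both addresses and any port/type qualifier all fit."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))

def evaluate(acl, pkt):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The page's own ACLs (the ICMP list 101 is written without 'extended').
PAGE_ACL_LINES = [
    "access-list INSIDE extended permit ip 10.0.0.0 255.255.255.0 any",
    "access-list OUTSIDE extended permit tcp any host 172.20.1.10 eq www",
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 permit icmp any any source-quench",
    "access-list 101 permit icmp any any unreachable",
    "access-list 101 permit icmp any any time-exceeded",
]
ACLS = build_acls(PAGE_ACL_LINES)
```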

Q. I am unable to access the inside interface of the Security Appliance when connected via a VPN tunnel. How can I do this?

A. The inside interface of the Security Appliance cannot be accessed from the outside, and vice versa, unless management-access is configured in global configuration mode. Once management-access is enabled, Telnet, SSH, or HTTP access must still be configured for the desired hosts.

pix(config)# management-access inside
pix(config)# show running-config management-access
management-access inside

Q. Why am I unable to connect an IP Phone through a VPN Tunnel with ASA?

A. It can be an authentication issue. Verify that the IP phone user group has authentication (X-auth) enabled.

ASDM Related


Q. How do I enable/access the ASDM on ASA/PIX?

A. You need to enable the HTTPS server and allow HTTPS connections to the security appliance in order to use ASDM. All of these tasks are completed if you use the setup command.

Refer to Allowing HTTPS Access for ASDM for more information.

Supported Features

Q. What are the two modes of operation in Security Appliance?

A. The PIX Security Appliance can operate in two different firewall modes:

1. Routed mode — In routed mode, the PIX has IP addresses assigned to its interfaces and acts as a router hop for packets that pass through it. All traffic inspection and forwarding decisions are based on Layer 3 parameters. This is how PIX Firewall versions earlier than 7.0 operate.

2. Transparent mode — In transparent mode the PIX does not have IP addresses assigned to its interfaces. Instead it acts as a Layer 2 bridge that maintains a MAC address table and makes forwarding decisions based on that. The use of full extended IP access lists is still available and the firewall can inspect IP activity at any layer. In this mode of operation the PIX is often referred to as a "bump in the wire" or "stealth firewall". There are other significant differences as to how transparent mode operates in comparison to routed mode:

   o Only two interfaces are supported—inside and outside.
   o NAT is not supported or required since the PIX is no longer a hop.


Note: NAT and PAT are supported in the transparent firewall for ASA/PIX releases 8.0(2) and later.

Refer to PIX/ASA: Transparent Firewall Configuration Example for more information on how to configure the Security Appliance in Transparent Mode.

Note: Because transparent and routed modes use different approaches to security, the running configuration is cleared when the PIX is switched to transparent mode. Be sure to save your routed mode running configuration to Flash or an external server.

Q. Does ASA support ISP load balancing?

A. No. Load balancing must be handled by a router that passes traffic to the security appliance.

Q. Is MD5 authentication with BGP supported through ASA?

A. No, MD5 authentication is not supported through ASA, but a workaround can be to disable it. Refer to ASA/PIX: BGP through ASA Configuration Example for more information.

Q. Does PIX/ASA support EtherChannel/PortChannel interfaces?

A. Yes, support for EtherChannel is introduced in ASA software version 8.4. You can configure up to 48 802.3ad EtherChannels of eight active interfaces each. For more information, refer to Release Notes of ASA Version 8.4.

Q. Can AnyConnect and Cisco VPN Client work together on ASA?


A. Yes, because they are not interrelated. AnyConnect works on SSL and Cisco VPN Client works on IPsec.

Q. Is ASA/PIX able to block Skype?

A. Unfortunately, the PIX/ASA is not able to block the Skype traffic. Skype has the capability to negotiate dynamic ports and to use encrypted traffic. With encrypted traffic, it is virtually impossible to detect it as there are no patterns to look for.

You could eventually use a Cisco Intrusion Prevention System (IPS). It has some signatures that are able to detect a Windows Skype Client that connects to the Skype server to synchronize its version. This is usually done when the client initiates the connection. When the sensor picks up the initial Skype connection, you are able to find the person who uses the service, and block all connections initiated from their IP address.

Q. Does ASA support SNMPv3?

A. Yes. Cisco ASA Software Release 8.2 supports Simple Network Management Protocol (SNMP) version 3, the newest version of SNMP, and adds authentication and privacy options in order to secure protocol operations.

Q. Is there a way to log entries with a name instead of an IP address?

A. Use the names command in order to enable the association of a name with an IP address. You can associate only one name with an IP address. You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.


The name command allows you to identify a host by a text name and map text strings to IP addresses. Use the clear configure name command in order to clear the list of names from the configuration. Use the no names command in order to disable logging name values. Both the name and names commands are saved in the configuration.

Q. Is the ip accounting command available in PIX/ASA 7.x?

A. No.

Q. Does Security Appliance 7.0 support the Are You There (AYT) feature?

A. Yes. In an AYT scenario, a remote user has a personal firewall installed on the PC. The VPN Client enforces the firewall policy defined on the local firewall, and it monitors that firewall to make sure that it runs. If the firewall stops running, the VPN Client drops the connection to the PIX or ASA. This firewall enforcement mechanism is called Are You There (AYT), because the VPN Client monitors the firewall by sending it periodic "are you there?" messages. If no reply comes, the VPN Client knows the firewall is down and terminates its connection to the PIX Security Appliance. The network administrator might configure these PC firewalls originally, but with this approach, users can customize their own configurations.

Q. Is FTP with TLS/SSL supported through the Security Appliance?

A. No. In a typical FTP connection, either the client or the server must tell the other what port to use for data transfer. The PIX is able to inspect this conversation and open that port. However, with FTP with TLS/SSL, this conversation is encrypted and the PIX is unable to determine what ports to open. Thus, the FTP with TLS/SSL connection ultimately fails.

One possible workaround in this situation is to use an FTP client that supports the use of a "clear command channel" while still using TLS/SSL to encrypt the data channel. With this option enabled, the PIX should be able to determine what port needs to be opened.

Q. Does the Security Appliance support DDNS?

A. Yes, the Security Appliance supports DDNS. Refer to Configuring Dynamic DNS for more information.

Q. Does the PIX support WebVPN/SSL VPN?

A. No, but it is supported in the Cisco 5500 Series Adaptive Security Appliance (ASA).

Q. Does the PIX support Cisco AnyConnect VPN Client?

A. No, it is supported only in the Cisco 5500 Series Adaptive Security Appliance (ASA).

Q. Does the PIX support any services modules like AIP-SSM and CSC-SSM?

A. No.

Q. Does the Cisco Security Appliance support IPsec Manual Keying (manual encryption)?

A. No.


Q. Does the ASA support password management with NT?

A. ASA does not support password management with NT.

Note: The security appliance supports password management for the RADIUS and LDAP protocols.

Q. Can Cisco 5500 Series ASA do Policy Based Routing (PBR) like a Cisco Router? For example, mail traffic should be routed to the first ISP while HTTP traffic should be routed to the second one.

A. Unfortunately, there is no way to do policy-based routing on the ASA at this time. It can be a feature that is added to the ASA in the future.

Note: The route-map command is used to redistribute routes between routing protocols, such as OSPF and RIP, with the use of metrics, and not to policy route regular traffic as in routers.

Q. Can I use ASA 5510 as an Easy VPN Client?

A. No. Easy VPN client configuration is only supported on ASA 5505.

Q. Does ASA support asymmetric routing?

A. ASA supports asymmetric routing in version 8.2(1) and later. It is not supported in ASA versions prior to 8.2(1).

Q. Does ASA support PPTP client?

A. No.


Q. Does ASA support QoS marking of the packet with a DSCP value?

A. No, it supports only matching the DSCP traffic and passing it to next hop devices without changing the DSCP values. Refer to DSCP and DiffServ Preservation for more information.

Q. Which IPsec transforms (ESP, AH) are supported on the ASA/PIX versions 7.0 and later?

A. Only IPsec Encapsulating Security Payload (ESP) encryption and authentication is supported. Authentication Header (AH) transforms are not supported on the ASA/PIX versions 7.0 and later.

Q. Does ASA support the Universal Plug and Play (UPnP) feature?

A. No, ASA does not support the Universal Plug and Play (UPnP) feature as of now.

Q. Does ASA support source-based routing?

A. No.

Q. Does H.329 traffic pass through PIX/ASA 8.1 and later?

A. No.

Q. Does ASA support H.460 protocol inspection?


A. No.

Q. Does ASA support EXEC Authorization, which logs the user directly into enable mode after authentication?

A. No, the EXEC Authorization feature is not supported in ASA.

Q. Does ASA allow broadcast traffic to pass through its interface?

A. No.

Q. Is it possible to configure two-factor L2L VPN authentication between 5505 ASAs?

A. Two-factor authentication can be configured beginning with ASA version 8.2.x only for AnyConnect and SSL VPN. You cannot configure two-factor authentication for L2L VPN.

Q. Is it possible to add two phone proxies on the same ASA?

A. No. It is not possible to add two phone proxies on the same ASA as ASA does not support this.

Q. Does the ASA support the NetFlow configuration?

A. Yes, this feature is supported in Cisco ASA version 8.1.x and later. For complete implementation details, refer to the Cisco NetFlow Implementation Guides. For a complete configuration summary, refer to the Configuration Examples for NetFlow Secure Event Logging section of Configuring NetFlow Secure Event Logging.


Q. Does the ASA support the native L2TP/IPsec Client on Android devices?

A. Android is not fully RFC compliant and is supported by Cisco ASA starting with version 8.4.1. For more information, refer to Supported Clients.

Failover

Q. Can a Security Appliance with a failover license be part of an active-active failover?

A. Security Appliance failover units can be used in an active/active failover pair once they have a new failover active/active license upgrade installed (active/active requires one UR model and one "FO active/active" model). Refer to Feature Licenses and Specifications for more information on licensing.

Q. Does the ASA support SSL VPN when configured for failover?

A. ASA supports SSL VPN only when configured for Active/Standby Failover and not in Active/Active Failover. For more information, refer to ASA Failover handling of SSL VPN application traffic and configurations.

Error Messages

Q. I am unable to configure failover when EZVPN is enabled on ASA 5505. Why does this error message appear?

ERROR]] vpnclient enable * Disable failover
CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote operation has been detected, and is listed above.
Please resolve the above configuration conflict(s) and re-enable

A. If ASA 5505 uses Easy VPN for remote users (Client mode), failover works, but if you have the ASA configured to use it with Easy VPN Client (Network Extension Mode, NEM mode), then it does not work when Failover is configured. So Failover works only when ASA uses EZVPN for remote users (Client mode), and so this error occurs.

Q. I receive this error message when I configure the third VLAN: ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured. How can I resolve this error?

A. This error has occurred due to a license limitation on ASA. You must obtain the Security Plus license in order to configure more VLANs as in routed mode. Only three active VLANs can be configured with the Base license, and up to 20 active VLANs with the Security Plus license. You can create a third VLAN with the Base license, but this VLAN only has communication either to the outside or to the inside, but not in both directions. If you need to have the communication in both directions, then you need to upgrade the license. Also, if you use the Base license, allow this interface to be the third VLAN and limit it from initiating contact to one other VLAN with the hostname(config-if)# no forward interface vlan number command. Thus the third VLAN can be configured.

Q. How can I resolve this error message: %ASA-6-110002: Failed to locate egress interface for UDP from outside:x.x.x.x/xxxx to x.x.x.x/xxxx ?

A. ASA gives this error message when the VPN Client tries to use a peer-to-peer program and that traffic goes into the tunnel, where the peer-to-peer server does not reside. Configure the split tunnel in order to resolve this issue, so that the traffic that needs to go out to the internet does not travel through the tunnel and the packet is not dropped by the firewall. Refer to ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example for more information on Split Tunneling configuration in ASA.

Q. How can I resolve this error message: Error: execUpgradeSoftware: operation timed out with 0 out of 1 bytes received ?

A. When you attempt to upgrade the AIP-SSM with FTP, it can time out. Increase the FTP Timeout value in order to resolve the issue.

For example:

configure terminal
service host
network-settings
ftp-timeout 2700
exit

Save changes.

Q. How can I resolve this error message: %ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error ?

A. In order to resolve this issue, try one of these workarounds:

• Disable DTLS on the ASA interfaces on which it is enabled.

In order to complete this solution, go to the AnyConnect profile on the ASDM, and remove the tick beside the interface working for AnyConnect. For more information, refer to Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections.

• Reload the ASA.


This problem arises due to an error in the hardware accelerator of ASA. There are two bugs filed regarding this behavior. For more information, refer to CSCsd43563 (registered customers only) and CSCsc64621 (registered customers only).

Q. How can I resolve this error message: unable to send authentication message ?

A. The ASA does not support password management when you use LOCAL (internal) authentication. Remove the password management if configured in order to resolve this issue.

Q. How can I resolve this error message that is received when testing the authentication on the ASA: ERROR: Authentication Server not responding: No error ?

ASA# test aaa-server authentication TAC_SRVR_GRP username test password test123
Server IP Address or name: ACS-SERVER
INFO: Attempting Authentication test to IP address <ACS-SERVER> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error

A. Use any of these points to resolve this problem:

• Verify the connectivity from the ASA to the AAA server through a ping test and ensure that the AAA server is reachable from the ASA.

• Verify the AAA related configuration on the ASA and check whether the AAA server is mentioned properly or not.

ASA# show run aaa-server
aaa-server RAD_SRVR_GRP protocol radius
aaa-server RAD_SRVR_GRP host ACS-SERVER
 key *
aaa-server TAC_SRVR_GRP protocol tacacs+
aaa-server TAC_SRVR_GRP host ACS-SERVER
 key *


• Verify whether the RADIUS or TACACS ports are blocked by any firewall in the path between the AAA server and ASA. Ensure that the corresponding ports are opened based on the protocol used.

• Verify the parameters on the AAA server.

• Reload the AAA server.

A successful test of the authentication looks like this:

ASA(config)# test aaa authentication topix host 10.24.10.10 username test password test1234
INFO: Attempting Authentication test to IP address <10.24.0.10> (timeout: 12 seconds)
INFO: Authentication Successful

Q. How can I resolve this error message: %Error opening disk0:/.private/startup-config (Read-only file system) Error executing command [FAILED] ?

A. Format the flash or use the FSCK command in ASA/PIX in order to resolve this issue.

Q. How can I resolve this ASDM error message: Unconnected sockets not implemented ?

A. This issue occurs when ASDM version 5.0 or later runs on the ASA, PIX, or FWSM, and uses Java 6 Update 10 or later. While loading ASDM, this message appears:

ASDM cannot be loaded. Click OK to exit ASDM.
Unconnected sockets not implemented.

In order to resolve this issue, uninstall Java 6 Update 10, and install Java 6 Update 7. For more information, refer to CSCsv12681 (registered customers only). In order to get ASDM to load correctly with Java 6 Update 10, update ASDM to ASDM 6.1(5)51. For detailed information, refer to the ASDM Client Operating System and Browser Requirements section of the Cisco ASDM Release Notes Version 6.1(5).

Q. How can I resolve this error message: %ASA-1-199010: Signal 11 caught in process/fiber(rtcli async executor process)/(rtcli async executor) at address 0xf132e03b, corrective action at 0xca1961a0 ?


A. This issue might be caused when ASDM is used to access the ASA or when there is high CPU utilization on the ASA. This message usually appears when the error recovery mechanism prevents the system from crashing. If there is no other issue with this message, it can be ignored. It is a recoverable error that does not impact performance.

Q. Oracle traffic does not pass through the firewall. How can I resolve this issue?

A. This issue is caused by the sqlnet inspection feature of the firewall. When it occurs, the connections are torn down.

The TCP proxy for the sqlnet inspection engine was designed to handle multiple TNS frames in one TCP segment. The sqlnet inspection handles many TNS frames in one packet, rendering the code complex.

In order to resolve this issue, the inspection engine should not handle multiple TNS frames in one packet. It is assumed that each TNS frame is a different TCP packet and is inspected individually.

Software bugs have been filed for this behavior; for more information, refer to CSCsr27940 (registered customers only) and CSCsr14351 (registered customers only).

The solution for this problem is given below.

Use the no inspect sqlnet command in class configuration mode in order to disable the inspection for sqlnet.

ASA(config)# class-map sqlnet-port
ASA(config-cmap)# match port tcp eq 1521
ASA(config-cmap)# exit
ASA(config)# policy-map sqlnet_policy
ASA(config-pmap)# class sqlnet-port
ASA(config-pmap-c)# no inspect sqlnet
ASA(config-pmap-c)# exit
ASA(config)# service-policy sqlnet_policy interface outside


For more information, refer to the SQLNet inspection section of the Cisco Security Appliance Command Reference, Version 8.0.

Q. I am unable to copy the software image to the flash of the ASA, and I receive an error message similar to this message: Error writing disk0:/asa8XX-XX.bin (Cannot allocate memory)

A. This issue might occur if the firewall is unable to allocate memory (RAM) to load the software image.

The ASA buffers the entire image in RAM while it is transferred to the ASA. Until it completes writing to flash, there must be an available free memory block large enough to hold the entire software image. One full memory block must be available to buffer the entire image before the ASA writes it to flash.

Memory usage is directly related to the features enabled on your ASA; these features are loaded each time your ASA is booted, regardless of how the image is loaded (via network or flash). You can disable features that you are not currently using in order to reduce memory usage. Note that WebVPN, SSL VPN, and threat detection tend to consume a lot of memory.

You can also use ROM monitor (ROMmon) to copy the image, or you can set your boot parameter to boot via TFTP and then copy the image after the ASA has booted over the network. Since ROMmon does not load the configuration, it does not load these features; therefore, you should not experience the issue when you use this method to copy the file.

Try these workarounds.

• Disable threat detection on the firewall.

Enter these commands in order to disable threat detection:

conf t
!
no threat-detection basic-threat
no threat-detection statistics tcp-intercept
no threat-detection statistics
!
wr mem

• Disable the WebVPN-related processes.

• Use ROMmon to copy the image.

For detailed information on how to use the ROM monitor to load a software image, refer to Using the ROM Monitor to Load a Software Image.

Q. How can I resolve this error message: [ERROR] threat-detection statistics host number-of-rate 0 threat-detection statistics host number-of-rate 0 ^ % Invalid input detected at '^' marker?

A. This error can occur while you use the threat detection feature in ASDM. Either use the CLI to send the command or downgrade ASDM in order to resolve this issue.

Q. How can I resolve this error message: %ERROR: copying 'disk0:/csco_config/97/customization/index.ini' to a temporary ramfs file failed?

A. This issue is due to Cisco bug ID CSCsy77628 (registered customers only). In order to resolve this issue, enter the revert webvpn all command in privileged EXEC mode to clear all WebVPN configurations. Reconfigure from scratch and then reload the ASA.

Q. How can I resolve this error message on the ASA: ERROR: mount: Mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument?

A. Reformat the flash in order to resolve this issue. If this does not resolve the issue, contact TAC for further assistance.


Q. I receive this error message on the ASA when I try to add non-English characters in a banner: The CLI generated has unsupported characters. ASA does not accept such characters. The following line(s) has unsupported characters. How can I resolve this error?

A. This issue is due to Cisco bug ID CSCsz32125 (registered customers only). In order to resolve this issue, upgrade the ASA to software version 8.0(4.34).

Q. How can I resolve this error message on the ASA: %ASA-1-216005: ERROR: Duplex-mismatch on Et0/0 resulted in transmitter lockup. A soft reset of the switch was performed?

A. This error message is seen when a duplex mismatch exists between the specified port and the device that is connected to it. In order to correct the duplex mismatch, either set both devices to auto or hard-code the same duplex setting on both sides. This resolves the issue.

Note: Cisco bug ID CSCsm87892 has been filed regarding this problem, and the bug has been moved to the Resolved state. For more information, refer to CSCsm87892 (registered customers only).

Q. When I perform the recovery process on the AIP-SSM module and the module then repeatedly reboots, I receive this error message: Bad magic number (0x-682a2af). How can I resolve this error message?

A. This issue happens when you use the wrong file for recovery or reimaging. If you use the .pkg file instead of the .img file, this causes the error. This error also occurs when the .img file is good, but the ASA is stuck in a boot loop. The only way to resolve this issue is to reimage the sensor.

Q. Why does this error message appear when I download Global Correlation updates for AIP-SSM: collaborationApp[530] rep/E A global correlation update failed: Failed download of ibrs/1.1/config/default/1236210407 : HTTP connection failed collaborationApp[459] rep/E A global correlation update failed: Failed download of ibrs/1.1/drop/default/1296529950 : URI does not contain a valid ip address?

A. This issue might occur due to configured URL filtering, which affects the traffic flow, and also because the management interface of the AIP-SSM module can go through the ASA to get out to the Internet. Make sure that the configured URL filtering does not block the AIP-SSM from reaching the Global Correlation servers, which resolves the issue. This issue also occurs when there is corruption in a previous GC update. This can usually be corrected by turning off the GC service and then turning it back on. In IDM, choose Configuration > Policies > Global Correlation > Inspection/Reputation. Then, set Global Correlation Inspection (and Reputation Filtering if On) to Off. Apply the changes and wait for 0 minutes. Turn the features back on and monitor.

Q. How can I resolve this error message on the ASA: Secure Connection Failed. An error occurred during a connection to x.x.x.x. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)?

A. This issue is due to Cisco bug ID CSCtc37947 (registered customers only). In order to resolve this issue, remove the temporary files created for auto update from the root account on the CSC, and then restart the services.

Q. How can I resolve this error message on the ASA for Grayware: GraywarePattern : Pattern Update: The download file was unsuccessful for ActiveUpdate was unable to unzip the downloaded patch packages. The zip file may be corrupted. This can happen due to an unstable network connection. Please try downloading the file again.. The error code is 24?

A. In order to resolve this issue, enter the 3DES activation key or use this command on the ASA: ciscoasa(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-md5. This command is used to specify the encryption algorithms that the SSL/TLS protocol uses.

Q. How can I resolve this error message that I received while configuring the interfaces on an ASA 5505: ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s)?

A. This issue is due to the number of interfaces allowed to communicate based on the license present in the ASA. For models with a built-in switch, such as the ASA 5505, use the forward interface command in interface configuration mode in order to restore the ability of one VLAN to initiate contact with another VLAN. In order to restrict one VLAN from initiating contact with another VLAN, use the no form of this command. You might need to restrict one VLAN depending on how many VLANs your license supports.

Q. How can I resolve this error message on the ASA: %Error opening system:/running-config (No such device)?

A. Reload the ASA in order to resolve this error message.

Q. I received this error: [ERR-PAT-0003] The update system cannot find the required files in the decompressed set of update files, and cannot continue. This message is for diagnostic purpose only. Customers - please contact Technical Support. while upgrading to the latest pkg file on the CSC-SSM. Why does this error occur?

A. This issue is due to Cisco bug ID CSCta99320 (registered customers only). Refer to this bug for more information.

Q. I receive this error message on the ASA, and the ASA does not reboot: mempool: error 12 creating global shared pool. Why does this issue occur, and how can it be resolved?

A. This problem might occur when you try to install more RAM than is appropriate for a particular platform. For example, if you try to install 4 GB of RAM in an ASA 5540, you might receive this error because the ASA 5540 should not run more than 2 GB of RAM.

Keep these items in mind when you install the new RAM:

• Only the new RAM is installed in the ASA. The old RAM should be removed and NOT loaded in the extra RAM slots.

• The new RAM should be installed in alternating slots. For optimum performance, install the DIMMs in slots P13 and P15.

Q. I receive this error: %ASA-4-402125: CRYPTO: The ASA hardware accelerator Ipsec ring timed out (Desc= 0xD6AF25E0, CtrlStat= 0xA000, ResultP= 0xD2D10A00, ResultVal= 186, Cmd= 0x10, CmdSize= 0, Param= 0x0, Dlen= 152, DataP= 0xD2D10974, CtxtP= 0xD46E6B10, SWReset= 21), when the ASA drops packets and exhibits severely degraded performance. Why does this issue occur?

A. This issue is due to Cisco bug ID CSCti17266 (registered customers only). Refer to this bug for more information.

Q. This error message is received on the ASA: 418001: Through-the-device packet to/from management-only network is denied: icmp src In-DMZ:192.168.145.53 dst Mgt-Net:10.40.10.1 (type 8, code 0). How do I resolve this?

A. Remove the management-only command from the interface where it is configured. In this specific case, based on the above error message, remove the management-only command from the Mgt-Net interface.

Q. How can I resolve this error message: %PIX|ASA-5-713137: Reaper overriding refCnt [ref_count] and tunnelCnt [tunnel_count] -- deleting SA!?

A. This issue is due to Cisco bug ID CSCsq91271 (registered customers only). Refer to this bug for more information.

Q. Why are loopbacks advertised as /32 host routes in OSPF?

A. Loopbacks are considered host routes in OSPF, and they are advertised as /32. For more information, refer to section 9.1 of RFC 2328. In Cisco IOS Software Releases 11.3T and 12.0, if the ip ospf network point-to-point command is configured under loopbacks, OSPF advertises the loopback subnet as the actual subnet configured on the loopbacks. An ISDN dialer interface advertises a /32 subnet instead of its configured subnet mask. This is expected behavior if ip ospf network point-to-multipoint is configured.

Q. How do I change the reference bandwidth in OSPF?

A. You can change the reference bandwidth in Cisco IOS Software Release 11.2 and later using the ospf auto-cost reference-bandwidth command under router ospf. By default, the reference bandwidth is 100 Mbps. The OSPF link cost is a 16-bit number. Therefore, the maximum value supported is 65,535.

Q. How does OSPF calculate its metric or cost?

A. OSPF uses a reference bandwidth of 100 Mbps for cost calculation. The formula to calculate the cost is reference bandwidth divided by interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps / 10 Mbps = 10.

Note: If ip ospf cost cost is used on the interface, it overrides this formulated cost.
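The cost formula from the two answers above, worked in Python as an added example (not IOS code): it applies the truncating division, the floor of 1, the 16-bit ceiling of 65,535, and the ip ospf cost override, and then shows why the default 100 Mbps reference bandwidth makes a single 1 Gbps hop beat two 10 Gbps hops until the reference bandwidth is raised. The helper names and the sample topology are constructed for the example.

```python
"""OSPF interface cost: reference bandwidth / interface bandwidth.

Added example; helper names and the sample topology are constructed
for illustration and are not part of Cisco IOS.
"""
from typing import Dict, List, Optional

OSPF_MAX_COST = 65535            # link cost is a 16-bit field
DEFAULT_REFERENCE_BW_MBPS = 100  # IOS default auto-cost reference-bandwidth


def ospf_cost(interface_bw_kbps: int,
              reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS,
              manual_cost: Optional[int] = None) -> int:
    """Cost assigned to an interface whose bandwidth is interface_bw_kbps.

    manual_cost models 'ip ospf cost <cost>', which overrides the formula.
    The quotient is truncated, never drops below 1, and is capped at 65535,
    so every interface faster than the reference bandwidth gets cost 1.
    """
    if manual_cost is not None:
        if not 1 <= manual_cost <= OSPF_MAX_COST:
            raise ValueError("ip ospf cost must be 1..65535")
        return manual_cost
    if interface_bw_kbps <= 0:
        raise ValueError("interface bandwidth must be positive")
    cost = (reference_bw_mbps * 1000) // interface_bw_kbps
    return max(1, min(cost, OSPF_MAX_COST))


def path_cost(link_bws_kbps: List[int],
              reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Total cost of a path: SPF adds the outgoing interface cost of each hop."""
    return sum(ospf_cost(bw, reference_bw_mbps) for bw in link_bws_kbps)


def preferred_paths(paths: Dict[str, List[int]],
                    reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> List[str]:
    """Names of the path(s) with the lowest total cost.

    More than one name means equal-cost paths; all of them are installed
    and CEF load-balances across them (see the equal-cost answer below).
    """
    costs = {name: path_cost(bws, reference_bw_mbps) for name, bws in paths.items()}
    best = min(costs.values())
    return sorted(name for name, cost in costs.items() if cost == best)


# Constructed sample topology: one 1 Gbps hop versus two 10 Gbps hops.
SAMPLE_PATHS: Dict[str, List[int]] = {
    "one_gig_hop": [1_000_000],
    "two_tengig_hops": [10_000_000, 10_000_000],
}

if __name__ == "__main__":
    for ref in (DEFAULT_REFERENCE_BW_MBPS, 10_000):
        print(f"reference {ref} Mbps -> preferred {preferred_paths(SAMPLE_PATHS, ref)}")
```

With the default reference bandwidth the 1 Gbps hop wins (cost 1 versus 2); with auto-cost reference-bandwidth 10000 the two 10 Gbps hops win (cost 2 versus 10).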

Q. What algorithm is used by OSPF if equal cost routes exist?

A. If equal cost routes exist, OSPF uses CEF load balancing. For more information, refer to Troubleshooting Load Balancing Over Parallel Links Using Cisco Express Forwarding.

Q. Are OSPF routing protocol exchanges authenticated?

A. Yes, OSPF can authenticate all packets exchanged between neighbors. Authentication may be through simple passwords or through MD5 cryptographic checksums. To configure simple password authentication for an area, use the command ip ospf authentication-key to assign a password of up to eight octets to each interface attached to the area. Then, issue the area x authentication command in OSPF router configuration to enable authentication. (In the command, x is the area number.)

Cisco IOS Software Release 12.x also supports enabling authentication on a per-interface basis. If you want to enable authentication on some interfaces only, or if you want different authentication methods on different interfaces that belong to the same area, use the ip ospf authentication interface mode command.
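The MD5 cryptographic checksum mentioned above is keyed MD5 as defined in RFC 2328 Appendix D (the digest of the packet with the secret appended, not HMAC). The following is an added example, not IOS code, that builds an authenticated Hello, verifies it, and rejects a tampered packet, a wrong key, and a replayed cryptographic sequence number. It assumes that keys shorter than 16 bytes are zero-padded to 16 and that the receiver keeps one last-seen sequence number per router ID.

```python
"""Keyed-MD5 OSPF packet authentication (RFC 2328, Appendix D).

Added example, not IOS code. Assumptions: keys shorter than 16 bytes are
zero-padded to 16 bytes, and the receiver tracks one last-accepted
cryptographic sequence number per router ID for replay protection.
"""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
TYPE_HELLO = 1
AU_TYPE_CRYPTOGRAPHIC = 2
HEADER_FMT = "!BBH4s4sHHHBBI"    # 24-byte header including the 8-byte auth field
HEADER_LEN = struct.calcsize(HEADER_FMT)
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    """The secret is always used as 16 bytes (assumption: zero padding)."""
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("message-digest key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def make_hello(router_id: bytes, area_id: bytes, key_id: int, crypto_seq: int) -> bytes:
    """Unsigned Hello with AuType=2 and a minimal 20-byte Hello body.

    With cryptographic authentication the header checksum is 0; the auth
    field carries 0x0000, key ID, digest length (16) and the sequence number.
    """
    body = struct.pack("!4sHBBI4s4s",
                       b"\xff\xff\xff\x00",  # network mask
                       10,                   # HelloInterval (seconds)
                       0x02,                 # Options (E bit)
                       1,                    # router priority
                       40,                   # RouterDeadInterval (seconds)
                       b"\x00" * 4,          # designated router
                       b"\x00" * 4)          # backup designated router
    header = struct.pack(HEADER_FMT, OSPF_VERSION, TYPE_HELLO, HEADER_LEN + len(body),
                         router_id, area_id, 0, AU_TYPE_CRYPTOGRAPHIC,
                         0, key_id, DIGEST_LEN, crypto_seq)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Append MD5(packet || padded key). The length field excludes the digest."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(wire: bytes, keys: dict, last_seq: dict) -> str:
    """Return 'ok' or the reason the packet is rejected.

    keys maps key ID -> secret; last_seq maps router ID -> last accepted
    sequence number and is updated when a packet is accepted.
    """
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return "too short"
    (version, _ptype, length, router_id, _area, _csum, au_type,
     _zero, key_id, auth_len, seq) = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if version != OSPF_VERSION or au_type != AU_TYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return "unsupported authentication"
    if length + DIGEST_LEN != len(wire):
        return "bad length"
    key = keys.get(key_id)
    if key is None:
        return "unknown key id"
    expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return "bad digest"
    # RFC 2328 D.4.3: the sequence number must not go backwards.
    if seq < last_seq.get(router_id, 0):
        return "replayed sequence number"
    last_seq[router_id] = seq
    return "ok"


if __name__ == "__main__":
    keys = {1: b"s3cr3t"}          # constructed sample key ID 1
    rid, area = b"\x0a\x00\x00\x01", b"\x00\x00\x00\x00"
    seen = {}
    hello = sign(make_hello(rid, area, 1, 1001), keys[1])
    print("genuine:", verify(hello, keys, seen))
    replay = sign(make_hello(rid, area, 1, 5), keys[1])
    print("old sequence number:", verify(replay, keys, seen))
```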

Q. What is the link-state retransmit interval, and what is the command to set it?

A. OSPF must send an acknowledgment of each newly received link-state advertisement (LSA). It does this by sending LSA packets. LSAs are retransmitted until they are acknowledged. The link-state retransmit interval defines the time between retransmissions. You can use the command ip ospf retransmit-interval to set the retransmit interval. The default value is 5 seconds.

Q. What is the purpose of the variable IP-OSPF-Transmit-Delay?

A. This variable adds a specified time to the age field of an update. If the delay is not added before transmission over a link, the time in which the link-state advertisement (LSA) propagates over the link is not considered. The default value is 1 second. This parameter has more significance on very low-speed links.

Q. Is it true that only the static option of the virtual link in OSPF allows discontiguous networks, regardless of the mask propagation properties?

A. No, virtual links in OSPF maintain connectivity to the backbone from nonbackbone areas, but they are unnecessary for discontiguous addressing. OSPF provides support for discontiguous networks because every area has a collection of networks, and OSPF attaches a mask to each advertisement.

Q. Are the multicast IP addresses mapped to MAC-level multicast addresses?

A. OSPF sends all advertisements using multicast addressing. Except for Token Ring, the multicast IP addresses are mapped to MAC-level multicast addresses. Cisco maps Token Ring to MAC-level broadcast addresses.

Q. Does the Cisco OSPF implementation support IP TOS-based routing?

A. Cisco OSPF only supports TOS 0. This means that routers route all packets on the TOS 0 path, eliminating the need to calculate nonzero TOS paths.

Q. Does the offset-list subcommand work for OSPF?

A. The offset-list command does not work for OSPF. It is used for distance vector protocols such as Interior Gateway Routing Protocol (IGRP), Routing Information Protocol (RIP), and RIP version 2.

Q. Can an OSPF default be originated into the system based on external information on a router that does not itself have a default?

A. OSPF generates a default only if it is configured using the command default-information originate and if there is a default network in the box from a different process.

The default route in OSPF is 0.0.0.0. If you want an OSPF-enabled router to generate a default route even if it does not have a default route itself, use the command default-information originate always.

Q. Can I use the distribute-list in/out command with OSPF to filter routes?

A. The distribute-list commands are supported in OSPF but work differently than in distance-vector routing protocols such as Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP). OSPF routes cannot be filtered from entering the OSPF database. The distribute-list in command only filters routes from entering the routing table; it does not prevent link-state packets from being propagated. Therefore, this command does not help conserve router memory, and it does not prohibit a router from propagating filtered routes to other routers.

Caution: Use of the distribute-list in command in OSPF may lead to routing loops in the network if not implemented carefully.

The command distribute-list out works only on the routes being redistributed by the Autonomous System Boundary Routers (ASBRs) into OSPF. It can be applied to external type 2 and external type 1 routes, but not to intra-area and interarea routes.


Refer to the configuration example of distribute-list in OSPF.

Q. How can I give preference to OSPF interarea routes over intra-area routes?

A. According to section 11 of RFC 2328, the order of preference for OSPF routes is:

• intra-area routes, O

• interarea routes, O IA

• external routes type 1, O E1

• external routes type 2, O E2

This rule of preference cannot be changed. However, it applies only within a single OSPF process. If a router is running more than one OSPF process, route comparison occurs. With route comparison, the metrics and administrative distances (if they have been changed) of the OSPF processes are compared. Route types are disregarded when routes supplied by two different OSPF processes are compared.

Q. Do I need to manually set up adjacencies for routers on the Switched Multimegabit Data Service (SMDS) cloud with the OSPF neighbor subcommand?

A. In Cisco IOS Software releases earlier than Cisco IOS Software Release 10.0, the neighbor command was required to establish adjacencies over nonbroadcast multiaccess (NBMA) networks (such as Frame Relay, X.25, and SMDS). With Cisco IOS Software Release 10.0 and later, you can use the ip ospf network broadcast command to define the network as a broadcast network, eliminating the need for the neighbor command. If you are not using a fully meshed SMDS cloud, you must use the ip ospf network point-to-multipoint command.

Q. When routes are redistributed between OSPF processes, are all shortest path first algorithm (SPF) metrics preserved, or is the default metric value used?

A. The SPF metrics are preserved. The redistribution between them is like redistribution between any two IP routing processes.

Q. How does Cisco accommodate OSPF routing on partial-mesh Frame Relay networks?

A. You can configure OSPF to understand whether it should attempt to use multicast facilities on a multi-access interface. Also, if multicast is available, OSPF uses it for its normal multicasts.

Cisco IOS Software Release 10.0 includes a feature called subinterfaces. You can use subinterfaces with Frame Relay to tie together a set of virtual circuits (VCs) to form a virtual interface, which acts as a single IP subnet. All systems within the subnet should be fully meshed. With Cisco IOS Software Releases 10.3, 11.0 and later, the ip ospf point-to-multipoint command is also available.

Q. Which address-wild-mask pair should I use for assigning an unnumbered interface to an area?

A. When an unnumbered interface is configured, it references another interface on the router. When enabling OSPF on the unnumbered interface, use the address-wild-mask pair of the interface to which the unnumbered interface is pointing.

Q. Can I have one numbered side and leave the other side unnumbered in OSPF?

A. No, OSPF does not work if you have one side numbered and the other side unnumbered. This creates a discrepancy in the OSPF database that prevents routes from being installed in the routing table.

Q. Why do I receive the "cannot allocate router id" error message when I configure Router OSPF One?

A. OSPF picks up the highest IP address as a router ID. If there are no interfaces in up/up mode with an IP address, it returns this error message. To correct the problem, configure a loopback interface.

Q. Why do I receive the "unknown routing protocol" error message when I configure Router OSPF One?

A. Your software may not support OSPF. This error message occurs most frequently with the Cisco 1600 series routers. If you are using a 1600 router, you need a Plus image to run OSPF.

Q. What do the states DR, BDR, and DROTHER mean in show ip ospf interface command output?

A. DR means designated router. BDR means backup designated router. DROTHER indicates a router that is neither the DR nor the BDR. The DR generates a Network Link-State Advertisement, which lists all the routers on that network.

Q. When I issue the show ip ospf neighbor command, why do I only see FULL/DR and FULL/BDR, with all other neighbors showing 2-WAY/DROTHER?

A. To reduce the amount of flooding on broadcast media, such as Ethernet, FDDI, and Token Ring, the router becomes full with only the designated router (DR) and backup designated router (BDR), and it shows 2-WAY for all other routers.


Q. Why do I not see OSPF neighbors as FULL/DR or FULL/BDR on my serial link?

A. This is normal. On point-to-point and point-to-multipoint networks, there are no designated routers (DRs) or backup designated routers (BDRs).

Q. Do I need any special commands to run OSPF over BRI/PRI links?

A. In addition to the normal OSPF configuration commands, you should use the dialer map command. When using the dialer map command, use the broadcast keyword to indicate that broadcasts should be forwarded to the protocol address.

Q. Do I need any special commands to run OSPF over asynchronous links?

A. In addition to the normal OSPF configuration commands, you should use the async default routing command on the asynchronous interface. This command enables the router to pass routing updates to other routers over the asynchronous interface. Also, when using the dialer map command, use the broadcast keyword to indicate that broadcasts should be forwarded to the protocol address.

Q. Which Cisco IOS Software release began support for per-interface authentication type in OSPF?

A. Per-interface authentication type, as described in RFC 2178, was added in Cisco IOS Software Release 12.0(8).

Q. Can I control the P-bit when importing external routes into a not-so-stubby area (NSSA)?

A. When external routing information is imported into an NSSA in a type 7 link-state advertisement (LSA), the type 7 LSA has only area flooding scope. To further distribute the external information, type 7 LSAs are translated into type 5 LSAs at the NSSA border. The P-bit in the type 7 LSA Options field indicates whether the type 7 LSA should be translated. Only those LSAs with the P-bit set are translated. When you redistribute information into the NSSA, the P-bit is automatically set. A possible workaround applies when the Autonomous System Boundary Router (ASBR) is also an Area Border Router (ABR). The NSSA ASBR can then summarize with the not-advertise keyword, which results in not advertising the translated type 7 LSAs.

Q. Why are OSPF show commands responding so slowly?

A. You may experience a slow response when issuing OSPF show commands, but not with other commands. The most common reason for this delay is that you have the ip ospf name-lookup configuration command configured on the router. This command causes the router to look up the Domain Name System (DNS) names of devices for all OSPF show commands, making it easier to identify devices, but resulting in a slowed response time for the commands. If you are experiencing slow response on commands other than just OSPF show commands, you may want to start looking at other possible causes, such as CPU utilization.

Q. What does the clear ip ospf redistribution command do?

A. The clear ip ospf redistribution command flushes all the type 5 and type 7 link-state advertisements (LSAs) and scans the routing table for the redistributed routes. This causes a partial shortest path first algorithm (SPF) run in all the routers on the network that receive the flushed/renewed LSAs. When the expected redistributed route is not in OSPF, this command may help to renew the LSA and get the route into OSPF.

Q. Does OSPF form adjacencies with neighbors that are not on the same subnet?

A. The only time that OSPF forms adjacencies between neighbors that are not on the same subnet is when the neighbors are connected through point-to-point links. This may be desired when using the ip unnumbered command, but in all other cases, the neighbors must be on the same subnet.

Q. How often does OSPF send out link-state advertisements (LSAs)?

A. OSPF sends out its self-originated LSAs when the LSA age reaches the link-state refresh time, which is 1800 seconds.

Q. How do I stop individual interfaces from developing adjacencies in an OSPF network?

A. To stop routers from becoming OSPF neighbors on a particular interface, issue the passive-interface command at the interface.

In Internet service provider (ISP) and large enterprise networks, many of the distribution routers have more than 200 interfaces. Configuring passive-interface on each of the 200 interfaces can be difficult. The solution in such situations is to configure all the interfaces as passive by default using a single passive-interface default command. Then, configure individual interfaces where adjacencies are desired using the no passive-interface command. For more information, refer to Default Passive Interface Feature.


There are some known problems with the passive-interface default command. Workarounds are listed in Cisco bug ID CSCdr09263 (registered customers only).

Q. When I have two type 5 link-state advertisements (LSAs) for the same external network in the OSPF database, which path should be installed in the IP routing table?

A. When you have two type 5 LSAs for the same external network in the OSPF database, prefer the external LSA that has the shortest path to the Autonomous System Boundary Router (ASBR) and install that into the IP routing table. Use the show ip ospf border-routers command to check the cost to the ASBR.

Q. Why is it that my Cisco 1600 router does not recognize the OSPF protocol?

A. Cisco 1600 routers require the Plus feature set image of Cisco IOS Software to run OSPF. Refer to Table 3: Cisco 1600 Series Routers Feature Sets in the Release Notes for Cisco IOS Release 11.2(11) Software Feature Packs for Cisco 1600 Series Routers for more information.

Q. Why is it that my Cisco 800 router does not run OSPF?

A. Cisco 800 routers do not support OSPF. However, they do support Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP). You can use the Software Advisor (registered customers only) tool for more information on feature support.

Q. Should I use the same process number while configuring OSPF on multiple routers within the same network?


A. OSPF, unlike Border Gateway Protocol (BGP) or Enhanced Interior Gateway Routing Protocol (EIGRP), does not check the process number (or autonomous system number) when adjacencies are formed between neighboring routers and routing information is exchanged.

The only case in which the OSPF process number is taken into account is when OSPF is used as the routing protocol on a Provider Edge to Customer Edge (PE-CE) link in a Multiprotocol Label Switching (MPLS) VPN. PE routers mark OSPF routes with the domain attribute derived from the OSPF process number to indicate whether the route originated within the same OSPF domain or from outside it. If the OSPF process numbering is inconsistent on PE routers in the MPLS VPN, the domain-id OSPF mode command should be used to mark that the OSPF processes with different numbers belong to the same OSPF domain.

This means that, in many practical cases, you can use different autonomous system numbers for the same OSPF domain in your network. However, it is best to use consistent OSPF process numbering as much as possible.

This consistency simplifies network maintenance and complies with the network designer's intention to keep routers in the same OSPF domain.

Q. I have a router that runs Cisco Express Forwarding (CEF) and OSPF; which one does the load balancing when there are multiple links to a destination?

A. CEF works by performing the switching of the packet based on the routing table, which is populated by routing protocols such as OSPF. CEF does the load balancing once the routing protocol table has been calculated. For more details on load balancing, refer to How does load-balancing work?

Q. How does OSPF use two Multilink paths to transfer packets?

A. OSPF uses the metric cost, which is related to the bandwidth. If there are equal cost paths (the same bandwidth on both multilinks), OSPF installs both routes in the routing table. The routing table tries to use both links equally, regardless of the interface utilization. If one of the links in the first multilink fails, OSPF does not send all the traffic down the second multilink. If the first multilink peaks at 100%, OSPF does not send any traffic down the second multilink because OSPF tries to use both links equally, regardless of the interface utilization. The second is used fully only when the first multilink goes down.

Q. How can you detect topological changes rapidly?

A. In order to have rapid fault detection of topology changes, the hello timer value needs to be set to 1 second.

The hold timer value, which is four times that of the hello timer, also needs to be configured. There is a possibility of more routing traffic if the hello and hold timer values are reduced from their default values.

Q. Does the 3825 Series Router support the OSPF Stub feature?

A. Yes, the 3800 Series Router that runs the Advanced IP Services image supports the OSPF Stub feature.

Q. What does the error message %OSPF-4-FLOOD_WAR: Process process-id re-originates LSA ID ip address type-2 adv-rtr ip address in area area id mean?

A. The error message is due to some router flushing the network LSA: the network LSA received by that router has an LSA ID that conflicts with the IP address of one of the router's own interfaces, so the router flushes the LSA out of the network. For OSPF to function correctly, the IP addresses of transit networks must be unique. If they are not unique, the conflicting routers report this error message. In the error message, the router with the OSPF router ID reported as adv-rtr is the one that reports this message.


Q. Can we have OSPF run over a GRE tunnel?

A. Yes, refer to Configuring a GRE Tunnel over IPSec with OSPF.

Q. Is there a way to manipulate and prefer the Type 3 LSAs originated from two different areas and sent to the non-backbone area?

A. A Type 3 LSA is originated by the Area Border Router (ABR) as a summary route. Manipulating the summary route is not possible in an ABR router.

Q. Is there a drop/flap of an OSPF neighborship when changing an OSPF area type from nssa no-summary to nssa?

A. When the NSSA ABR is configured to move from nssa no-summary to nssa, the OSPF neighborship does not flap.

Q. In the %OSPF-5-ADJCHG: Process ID, Nbr [ip-address] on Port-channel31 from FULL to EXSTART, SeqNumberMismatch error message, what does SeqNumberMismatch signify?

A. The OSPF neighbor changed state from FULL to EXSTART because of the receipt of a Database Description (DBD) packet from the neighbor with an unexpected sequence number.

SeqNumberMismatch means that a DBD packet has been received during OSPF neighborship negotiation that either:

• has an unexpected DBD sequence number

• unexpectedly has the Init bit set

• has an Options field differing from the last Options field received in a Database Description packet.


Q. What is the maximum number of OSPF processes (VRF aware) on 7600/6500 platforms?

A. Cisco IOS has a limit of 32 routing processes. Two of these are saved for static and directly connected routes.

The Cisco 7600 router supports 28 OSPF processes per VRF.