Cisco & Cisco Network Hardware News and Technology

Cisco ASA 5525X to Version 9.4.1. How?

June 29 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Failover problem on Cisco ASA 5525x after upgrade to version 9.4.1

A user of the Cisco ASA 5525-X shared his experience of a failover problem on the Cisco ASA 5525-X after an upgrade to version 9.4.1. What was his problem, and how was it solved? Let's have a look.

He ran into the problem after upgrading from 8.6.1 to 9.4.1 on a Cisco ASA 5525-X pair with IPS software in an Active/Standby configuration.

One of his customers asked him to upgrade his Active/Standby Cisco ASAs to version 9.4.1. He read the release notes for this version and started the upgrade. As the release notes recommend, he upgraded to version 9.0.4 first. That upgrade finished without any problems: all interfaces were in monitoring state, failover was in perfect state, no errors, no issues, everything was as it should be. Then he started the upgrade to the required version 9.4.1. He did everything as before: downloaded the image and ASDM, changed the boot config, and ran failover reload-standby.

After the standby unit rebooted he expected the Standby Ready state. Instead, the standby unit showed: Other host: Secondary - Failed

ASA-Firewall# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
failover replication http
Version: Ours 9.0(4), Mate 9.4(1)
Last Failover at: 14:42:17 AZDT Jun 5 2015
This host: Primary - Active
Active time: 3542 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
Interface inside (10.34.10.254): Normal (Waiting)
Interface outside (xx.132.xx.xxx): Normal (Waiting)
Interface management (10.34.7.252): Normal (Waiting)
slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
IPS, 7.1(9)E4, Up
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(1)) status (Up Sys)
Interface inside (10.34.10.253): Unknown (Waiting)
Interface outside (xx.132.xx.xxx): Unknown (Waiting)
Interface management (10.34.7.251): Unknown (Waiting)
slot 1: UNKNOWN hw/sw rev (N/A/) status (Unresponsive)

He investigated and checked everything (interfaces, config, show commands and so on). He was confused: the upgrade to version 9.0.4 took about 5 minutes, but at version 9.4.1 he was stuck. After deeper investigation he thought he had found the reason. He connected to the active and the standby unit and executed this command:

On Standby ASA-Firewall# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
0    ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            FCH18037CSR
ips  ASA 5525-X IPS Security Services Processor   ASA5525-IPS        FCH18037CSR
cxsc Unknown                                      N/A                FCH18037CSR
sfr  Unknown                                      N/A                FCH18037CSR

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
0    18e7.282e.8bbd to 18e7.282e.8bc6  1.0          2.1(9)8      9.4(1)
ips  18e7.282e.8bbb to 18e7.282e.8bbb  N/A          N/A          7.1(9)E4
cxsc 18e7.282e.8bbb to 18e7.282e.8bbb  N/A          N/A
sfr  18e7.282e.8bbb to 18e7.282e.8bbb  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips  IPS                            Up               7.1(9)E4
sfr  Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
0    Up Sys             Not Applicable
ips  Up                 Up
cxsc Unresponsive       Not Applicable        Not powered on completely
sfr  Unresponsive       Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
ips  IPS Module     Enabled         perpetual

And the same on the active unit:

On Active ASA-Firewall# show module

Mod  Card Type                                    Model              Serial No.
---  -------------------------------------------- ------------------ -----------
0    ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525            FCH17517QRK
ips  ASA 5525-X IPS Security Services Processor   ASA5525-IPS        FCH17517QRK

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---  --------------------------------- ------------ ------------ ---------------
0    3c08.f6d9.9278 to 3c08.f6d9.9281  1.0          2.1(9)8      9.0(4)
ips  3c08.f6d9.9276 to 3c08.f6d9.9276  N/A          N/A          7.1(9)E4

Mod  SSM Application Name           Status           SSM Application Version
---  ------------------------------ ---------------- --------------------------
ips  IPS                            Up               7.1(9)E4

Mod  Status             Data Plane Status     Compatibility
---  ------------------ --------------------- -------------
0    Up Sys             Not Applicable
ips  Up                 Up

Mod  License Name   License Status  Time Remaining
---  -------------- --------------- ---------------
ips  IPS Module     Enabled         perpetual

We know that the ASA failover algorithm does a lot of checks, and one of these checks is to monitor modules. As we can see in the output, after the upgrade to version 9.4.1 NEW modules appear on the standby unit: cxsc and sfr, as we can see. On the Active unit there are no such modules. Maybe the standby unit can't check the state, or the Active unit can't interpret the standby unit's messages, I don't know really (

He had questions:

1) Why have these new modules appeared, what are they for, how do they work...?

2) Can I upgrade my Cisco ASAs to that version?

3) What should I do to upgrade? I need this upgrade very much, because I need the Policy Based Routing functionality.

4) Can I do upgrade without interruption ?

Someone solved it and answered like this: “Yes, complete your upgrade on the active unit and it will show the same unknown status for the cxsc and sfr modules. Once you do that successfully, you should have a healthy HA pair.

Support for cxsc and sfr as module types was introduced in versions 9.1(1) and 9.2(2) respectively.

You can stick with your ips (classic IPS module) as long as it's meeting your needs. It is end of sales now (as is the CX module shortly) and both are deprecated in favor of the newer "sfr" or FirePOWER module. More about FirePOWER is on the product data sheet (and elsewhere).”
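As an added example (not from the original post, the forum answer, or Cisco), here is a small Python health check that parses the "show failover" and "show module" output above and reports exactly the conditions this case turned on: a peer software version that differs from ours (expected only while an upgrade is in progress), an "Other host" that is Failed rather than Standby Ready, an Unresponsive slot, and module types that one unit's module table lists but the other's does not. The sample inputs are constructed from the outputs shown above, trimmed to the lines the checker reads; the function names, data classes and finding texts are my own and are not an ASA API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: "show failover" from the case, trimmed to the lines
# the checker reads (the masked public address is left out).
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Version: Ours 9.0(4), Mate 9.4(1)
This host: Primary - Active
Active time: 3542 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.0(4)) status (Up Sys)
Interface inside (10.34.10.254): Normal (Waiting)
slot 1: IPS5525 hw/sw rev (N/A/7.1(9)E4) status (Up/Up)
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.4(1)) status (Up Sys)
Interface inside (10.34.10.253): Unknown (Waiting)
slot 1: UNKNOWN hw/sw rev (N/A/) status (Unresponsive)
"""

# Constructed sample input: the "Mod / Status" table of "show module" from each unit.
SHOW_MODULE_STANDBY = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
0    Up Sys             Not Applicable
ips  Up                 Up
cxsc Unresponsive       Not Applicable        Not powered on completely
sfr  Unresponsive       Not Applicable
"""
SHOW_MODULE_ACTIVE = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
0    Up Sys             Not Applicable
ips  Up                 Up
"""

@dataclass
class UnitState:
    role: str                                   # Primary / Secondary
    state: str                                  # Active / Standby Ready / Failed ...
    slots: dict = field(default_factory=dict)   # slot number -> status text

@dataclass
class FailoverReport:
    ours: str
    mate: str
    hosts: dict                                 # "This" / "Other" -> UnitState

VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+)$")
# Greedy (.*) lets the hw/sw rev field itself contain parentheses, e.g. 7.1(9)E4.
SLOT_RE = re.compile(r"^slot (\d+): (\S+) hw/sw rev \((.*)\) status \(([^)]*)\)$")

def parse_show_failover(text):
    """Extract peer software versions, per-host state and per-slot status."""
    ours = mate = "?"
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := VERSION_RE.match(line):
            ours, mate = m.group(1), m.group(2)
        elif m := HOST_RE.match(line):
            current = UnitState(role=m.group(2), state=m.group(3).strip())
            hosts[m.group(1)] = current
        elif (m := SLOT_RE.match(line)) and current is not None:
            current.slots[int(m.group(1))] = m.group(4)
    return FailoverReport(ours=ours, mate=mate, hosts=hosts)

def parse_module_status(text):
    """Map module name -> Status column of the 'Mod Status ...' table."""
    modules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Mod") or line.startswith("---"):
            continue
        name, rest = line.split(None, 1)
        modules[name] = re.split(r"\s{2,}", rest)[0]   # first column after the name
    return modules

def assess(report, active_modules, standby_modules):
    """Return human-readable findings; an empty list means the pair looks healthy."""
    findings = []
    if report.ours != report.mate:
        findings.append(f"software mismatch: ours {report.ours}, mate {report.mate} "
                        "(normal only while an upgrade is in progress; finish it on both units)")
    other = report.hosts.get("Other")
    if other is not None and other.state != "Standby Ready":
        findings.append(f"other host is '{other.state}', expected 'Standby Ready'")
        for slot, status in other.slots.items():
            if "Unresponsive" in status:
                findings.append(f"other host slot {slot} is {status}")
    only_standby = sorted(set(standby_modules) - set(active_modules))
    only_active = sorted(set(active_modules) - set(standby_modules))
    if only_standby or only_active:
        findings.append(f"module tables differ: only on standby {only_standby}, only on "
                        f"active {only_active} (a newer image lists module types the older "
                        "image does not know, e.g. cxsc/sfr)")
    return findings

if __name__ == "__main__":
    report = parse_show_failover(SHOW_FAILOVER)
    for finding in assess(report, parse_module_status(SHOW_MODULE_ACTIVE),
                          parse_module_status(SHOW_MODULE_STANDBY)):
        print(" -", finding)
```

Run against the captured outputs it reports four findings: the 9.0(4)/9.4(1) mismatch, the Failed peer, the Unresponsive slot 1 and the cxsc/sfr modules seen only on the standby; once both units run the same image and the peer reports Standby Ready, the list is empty.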

What are your ideas? You are welcome to share them here.

The case is from https://supportforums.cisco.com/discussion/12526776/failover-problem-cisco-asa-5525x-after-upgrade-version-941

More Related

Cisco ASA 5506-X with Version 9.4.1–Policy Based Routing

Why Cisco ASA Clustering?

What are the Considerations While Buying a Cisco Next-Generation Firewall?


Cisco Changes? Upping its game in SDN, IoT and Wi-Fi

June 25 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

As the world's largest maker of switches and routers, Cisco is upping its game in three of the hottest areas in networking right now: SDN, the "Internet of Things" and Wi-Fi.

Cisco has already staked its claim with carriers that are working to virtualize network functionality. Verizon Wireless and AT&T have both named Cisco as a partner in their respective SDN/NFV initiatives.

Also at Cisco Live 2015, the company unveiled new cloud software and partnerships with 35 independent software vendors to help customers leverage the Internet of Things. The company says its Intercloud fabric has already won more than 100 customers and 65 partners worldwide.

Wi-Fi was also in the spotlight at Cisco Live. Cisco is the world’s leading vendor of Wi-Fi access points.

Cisco said it is seeing broad enterprise adoption of the 802.11ac Wi-Fi standard, which is deployed in the 5 GHz spectrum band. The company said that education has been the lead vertical, but that all enterprise sectors are seeing the need for robust and seamless connectivity solutions. Cisco said its new Wave 2 solutions are designed to help enterprises handle the demands of multiple devices at once.

MU-MIMO is a key feature of Cisco’s new access points. The company also has added two new service controllers (Cisco 8540 & 5520 Services Controller) and two new switches (Catalyst 6840-X and Catalyst 3850 10G Series Switch), one of which includes a programmable data plane, enabling the deployment of software-defined networking services.

More Related Cisco Topics

Migrating to Wave 2? …Definitely

NEW Cisco Aironet 1850 Series Access Points Focus on Wave 2 Wifi


Picking Out Your Core Switch

June 23 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

If you want to design a data center or campus LAN with Cisco products, Cisco has many options for you, so it is not easy to select the right one for your actual needs. In this article we just give you a quick look; go and find more information for your own special case. (Note: this article gravitates towards having L3 features incorporated as well, not an L2-only implementation.)

Nexus 5500

We take the Nexus 5500 option first anyway. The Nexus 5500 (5548P, 5548UP, 5596UP) supports all 4094 VLANs and all of its ports are 10G with 1G capability as well. When equipped with the L3 forwarding module it has features that are enough for many situations. The 5548 has 32 fixed ports (one module slot for a 16-port module) and the 5596 has 48 fixed ports (three slots for 16-port modules). With the Nexus 5500 you at least know in advance how many ports you get when you buy them (compared to modular switches that have different port densities in different line cards at different oversubscription levels in different generations).

In the Nexus family the important advantage is the FEX selection: remote line cards in top-of-rack implementations. That also brings one major limitation: with the current software (NX-OS 5.1(3)N1) only 8 FEXes are supported when the L3 module is used. If you single-home your FEXes you can have a total of 16 FEXes per Nexus 5500 pair (you implement core switches in pairs, right?). When dual-homing the FEXes the maximum total is of course 8, because all FEXes are seen by both Nexus 5500s.

Nexus 5500 switches only have one supervisor, but Cisco still boasts that they support ISSU (In-Service Software Upgrade). However, ISSU is not supported with the L3 module installed. Depending on your environment (and FEXing style [can you say that?]) that may or may not be an important factor for you. When dual-homing everything it may not be such a big deal after all.

Also, when comparing Nexus 5500 L3 features with bigger core switches, make sure you know your route and MAC address table limits, as always.

Cisco Catalyst 6500

The Catalyst 6500 is the good old DC and campus core switch. With modern supervisors and line cards it can really kick the frames through the rich services it provides in the same box. There are plenty of chassis choices for different installations and requirements, as well as line cards and service modules. Do I need to say more? You can "dual-everything", use VSS to combine two chassis together, and so on. The Cat6500 can do almost anything you can imagine. It may not be absolutely the fastest, but hey, if you needed the ultimate raw speed you would have selected the Nexus 7000 anyway, remember? Btw, 160 gigs per slot was announced to be coming for the Cat6500, which gives some picture of the situation.

Catalyst 4500

How about Catalyst 4500? A user said like that: “I don’t know Catalyst 4500 very well in core use. My first experiences from Catalyst 4000 were with a separate 4232-L3-whatever module, and it was horrible to configure (CatOS on the supervisor, IOS on the L3 module, internal GEC trunk between those). And Catalyst 4500 (or should I say 4500E?) is totally different: supervisors worth of 7 or so generations (running IOS or IOS-XE), line cards almost as many generations, different chassis generations, and so on. Current maximum bandwidth per slot seems to be 48 Gbps per slot with Sup7E. The supervisor still does all the forwarding for the line cards. Catalyst 4500 does not provide any separate service modules but it provides a set of IOS features. There are also various chassis sizes. In short: not very exciting option for a LAN core but may work well for you.” Well, what’s your experience about Catalyst 4500? Share with us, please!

Catalyst 4500-X

The newcomer in the Catalyst family is the Catalyst 4500-X. These are 1U switches with a small expansion module slot. The base ports (16 or 32) are 1G/10G ports and the expansion module is promised to have 40G ports available later. (But again, your DC apparently does not need those.) The Cat4500-X runs IOS-XE and supports VSS to cluster two switches together. If your access layer is not very wide you could run your core with the Cat4500-X.

And then there is more DC-grade stuff:

  • Nexus 3000: L2/L3 10G switch but more oriented to low-latency implementations with no special feature requirements
  • Catalyst 4948, Catalyst 4900M, and so on: The features are similar to Catalyst 4500 but in smaller box with limited number of interfaces available.

…In fact, we could talk much more about Cisco's core switches. If you have any ideas or experience with Cisco core switches, we would be excited to have you share them with us.

More about Cisco switches’ topics you can read here: http://blog.router-switch.com/category/reviews/cisco-switches/


Migrate to a 40-Gbps Data Center…with Cisco QSFP BiDi Technology

June 10 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Cisco Modules & Cards

Cisco 40G BiDi

Cisco's QSFP 40G BiDi (bidirectional) transceiver allows zero-cost fiber migration by reusing the current 10-Gbit/sec cabling for 40-Gbit/sec device connectivity. With duplex LC ports, it enables 100 meters of 40G transmission over OM3, 125 meters over OM4 fiber, and 150 meters over certain "OM4+" fibers.

Migrate to a 40-Gbps data center with Cisco QSFP BiDi technology? Cisco makes the case for its transceiver technology, taking direct aim at "the need for a major upgrade of the cabling infrastructure" when transitioning from 10G to 40G, "which can be too expensive or disruptive to allow data centers to quickly adopt and migrate to the 40-Gbit/sec technology."

“Existing short-reach transceivers for 40-Gbit/sec connectivity in a QSFP form factor … use independent transmitter and receiver sections, each with 4 parallel fiber strands. For a duplex 40-Gbit/sec connection, 8 fiber strands are required.

Both QSFP SR4 and QSFP CRS4 use MPO 12-fiber connectors. As a result, 4 fiber strands in each connection are wasted.

“With existing QSFP transceivers, each direct connection between two devices requires an MPO-to-MPO 12-fiber cable. In the case of structured cabling with patch panels and fiber trunks, a 40-Gbit/sec connection needs MPO-to-MPO fibers between devices and patch panels, and 4 duplex multimode fibers in the fiber trunk.

“In most of today’s data center networks, the aggregation fiber infrastructure is built for 10Gbit/sec connectivity that either supports direct connections between devices over LC-to-LC multimode fiber or uses LC-to-LC fibers to attach devices to patch panels and provides one duplex multimode fiber in the fiber trunk for each 10-Gbit/sec connection.

“40-Gbit/sec connectivity using traditional 40-Gbit/sec transceivers cannot reuse directly connecting LC-to-LC fibers. It also requires four to six times greater fiber density in the fiber trunks to meet the requirements of a 40-Gbit/sec connection. These characteristics make it expensive for customers to migrate from 10-Gbit/sec connectivity to 40-Gbit/sec connectivity in their existing data centers.

“The Cisco QSFP BiDi transceiver addresses the challenges of fiber infrastructure by providing the capability to transmit full-duplex 40 traffic over one duplex multimode fiber cable with LC connectors. In other words, the Cisco QSFP BiDi transceiver allows 40-Gbit/sec connectivity to reuse the existing directly connecting 10-Gbit/sec fibers and the existing fiber trunk without the need to add any fibers.”

The technical paper details two deployment scenarios/case studies to emphasize the savings accomplished by eliminating the parallel-optic cabling infrastructure. The first scenario is a 288x40G setup with unstructured cabling. The second is a 384x40G setup with structured cabling. In this second scenario, the paper explains, “Cisco QSFP BiDi technology allows the existing cabling system—including the patch cables, patch panels with MTP/MPO LC modules, and fiber trunks—to be repurposed for 40-Gbit/sec connectivity. In contrast, QSFP SR4 transceivers require new patch cables and patch panels because the connector types differ and the size of the fiber trunk needs to be quadrupled.”

From http://www.cablinginstall.com/articles/2014/03/cisco-qsfp-bidi.html

“Migrate to a 40-Gbps Data Center with Cisco QSFP BiDi Technology”: you can read the full paper at

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-729493.pdf

More benefits you can get from migrating to a 40-Gbps data center with Cisco QSFP BiDi technology

Benefits

• Reuse existing 10GE fiber infrastructure for 40GE migration

• Lower CapEx and installation labor costs

• Minimal disruption to the data center during migration

• Four times the bandwidth over the same fiber plant

• Up to 70% savings over other current solutions

Cisco’s innovative 40-Gbps Quad Small Form-Factor Pluggable (QSFP) bidirectional (BiDi) transceiver is a pluggable optical transceiver with a duplex LC connector interface for short-reach data communication and interconnect applications. By using the existing 10 Gigabit Ethernet duplex MMF fiber infrastructure for 40 Gigabit Ethernet, the Cisco BiDi transceiver offers significant cost savings and simplifies data center upgrading.

The Cisco BiDi transceiver supports link lengths of 100m and 150m on laser-optimized OM3 and OM4 multimode fibers. It complies with the QSFP MSA specification, enabling customers to use it on all QSFP 40-Gbps platforms to achieve high-density 40 Gigabit Ethernet networks.

Use Your Existing 10 Gigabit Ethernet Fiber for 40 Gigabit Ethernet

Whether your cable plant is structured or unstructured, Cisco’s BiDi transceiver delivers significant savings and a smooth migration to 40 Gigabit Ethernet. The Cisco BiDi transceiver enables the use of an existing 10 Gigabit Ethernet fiber plant infrastructure for 40 Gigabit Ethernet, delivering four times the bandwidth over the same fiber plant and up to 70% savings over other current solutions.

For building out new data centers, deploying 40 Gigabit Ethernet for aggregation and core is no longer an option but a requirement to meet today’s data demands. Designing new cable plants using Cisco’s BiDi transceivers offers:

• 75% less fiber and MPO requirements

• Reduced cable sprawl and rack footprints

• Cost savings with the industry’s lowest-priced 40 Gigabit Ethernet transceiver

• Investment protection with future support for 100 Gbps over duplex fiber

Designing your new fiber cable plant with Cisco’s 40 Gigabit Ethernet BiDi transceiver allows you to reduce your fiber requirements and CapEx and OpEx while future proofing your data center for 100 Gigabit Ethernet.

Cisco’s QSFP 40 Gigabit Ethernet BiDi technology removes 40-Gbps cabling cost barriers for migration from 10-Gbps to 40-Gbps connectivity in data center networks. Cisco’s BiDi transceivers provide simpler and less expensive 40-Gbps connectivity compared to other 40-Gbps transceiver solutions. The Cisco QSFP BiDi transceiver allows organizations to migrate their existing 10-Gbps cabling infrastructure to 40 Gbps with little capital investment.

http://www.cisco.com/c/dam/en/us/products/collateral/interfaces-modules/40-gigabit-modules/at-a-glance-c45-732908.pdf

More Related: Move to 40G Today? Yes!
