Wednesday, June 17, 2015

Cisco ASA 9.4.1/9.3.1 woes

I ran into a few problems with an ASA 5558-X reading a simple USB disk under 9.3.1.

Here's an ASA 9.4.1 USB disk and its filesystem.

9.4.1


9.3.1




The 2nd problem: the OSPF table was populated with OSPF-learned routes in another ASA after we had the cluster split running 9.4.1 and 9.3.1.

************WARNING****WARNING****WARNING********************************
   Mate version 9.4(1) is not identical with ours 9.3(1)
************WARNING****WARNING****WARNING********************************
*****


Funny thing: all OSPF routes were in the correct multi-context route table, but NO OSPF neighbors were shown or existed.

Note: I'm also running a dual OSPF process between the outside external and inside internal.

We had to immediately reboot the stand-by 9.3.1 cluster to bring it up to 9.4.1 and allow the 2 Cisco ASAs to re-sync.

That by far was the weirdest issue that I have ever seen during any upgrade. I would have opened a Cisco TAC ticket, but I'm sure Cisco TAC would have just stated to upgrade to 9.4.1 to begin with.

The 9.4.1 upgrade strategy allows you to upgrade to 9.4.1 directly from 9.3x, but I never would have expected the OSPF database to get corrupted.


An upgrade to 9.4.1 fixed the issues.

NOTE: I found an interesting command option that I never knew.
You can query OSPF routes per OSPF process directly by specifying the OSPF process ID.

e.g. (proc 44 vs 45)


FWMAcontext2/act/FWMAFW1# show  route ospf 44 | inc 0.0.0.0
Gateway of last resort is 192.0.2.17 to network 0.0.0.0
O*IA  0.0.0.0 0.0.0.0 [110/11] via 192.0.2.17, 00:06:29, EXTERNAL02
FWMAcontext2/act/FMAFW1#


FWMAcontext2/act/FWMAFW1# show  route ospf 45 | incl 10.2.2.0
O        10.2.2.0 255.255.255.0
FWMAcontext2/act/FWMAFW1#
 

I hope this helps someone else. If you don't specify the proc-ID you get ALL OSPF routes for that context.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \


