Buggy ASA-X code asa984-25

Started by Dieselboy, February 07, 2021, 08:27:08 PM


Dieselboy

I've been running asa984-25 for a while. I've had some minor issues that I've been keeping an eye on, such as random VPN disconnections that I attributed to brief loss of internet service. Actually, though, the ASA 5515-X HA pair that I have seems to have a problem. When looking at "show fail" output, there are messages being dropped between the HA pair, while nothing has changed except code upgrades.

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         13076790   0          65410      18019
        sys cmd         20892      0          20892      0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        2579048    0          7300       426  ->>>>>>>>>>>>>>>>>
        UDP conn        10371792   0          36767      17566 ->>>>>>>>>>>>>
        ARP tbl         47062      0          206        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    11         0          1          0
        VPN IKEv1 P2    11         0          1          0
        VPN IKEv2 SA    55364      0          170        0
        VPN IKEv2 P2    548        0          13         0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     868        0          12         0
        SIP Tx          217        0          10         0
        SIP Pinhole     217        0          10         0
        Route Session   759        0          27         27 ->>>>>>>>>>>>>>>
        Router ID       1          0          1          0
        User-Identity   0          0          0          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0
        STS Table       0          0          0          0


I don't have access to ASA code at the moment either  :twitch:
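As an added example, not code from the thread or from Cisco, here is a small Python parser for the "Stateful Failover Logical Update Statistics" table quoted above. It pulls out the per-object xmit/xerr/rcv/rerr counters, lists the object types whose updates are being rejected (the rows the poster marked with arrows), and compares two snapshots so you can tell whether the counters are still growing. The sample text is the output posted above, pasted verbatim; the `rerr_per_rcv` ratio and the `rerr_delta` helper are this example's own heuristics, not Cisco-defined metrics.

```python
"""Parse the 'Stateful Failover Logical Update Statistics' table from ASA
'show failover' output and flag stateful object types whose updates are being
rejected between the HA peers. Added example, not from the original thread."""

import re
from dataclasses import dataclass

# The output posted in the thread above, pasted verbatim (including the
# poster's "->>>" arrow annotations, which the parser tolerates).
SAMPLE = """\
Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         13076790   0          65410      18019
        sys cmd         20892      0          20892      0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        2579048    0          7300       426  ->>>>>>>>>>>>>>>>>
        UDP conn        10371792   0          36767      17566 ->>>>>>>>>>>>>
        ARP tbl         47062      0          206        0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    11         0          1          0
        VPN IKEv1 P2    11         0          1          0
        VPN IKEv2 SA    55364      0          170        0
        VPN IKEv2 P2    548        0          13         0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     868        0          12         0
        SIP Tx  217        0          10         0
        SIP Pinhole     217        0          10         0
        Route Session   759        0          27         27 ->>>>>>>>>>>>>>>
        Router ID       1          0          1          0
        User-Identity   0          0          0          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0
        STS Table       0          0          0          0
"""


@dataclass(frozen=True)
class ObjStats:
    name: str
    xmit: int
    xerr: int
    rcv: int
    rerr: int

    @property
    def rerr_per_rcv(self) -> float:
        """Receive errors per received update. Heuristic of this example, not a
        Cisco-defined metric: 1.0 means every received update of this type errored."""
        return self.rerr / self.rcv if self.rcv else 0.0


# One data row: a name of letters/digits/space/_/-, then the four integer
# columns (xmit, xerr, rcv, rerr), optionally followed by a "->>>" annotation.
ROW_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z0-9 _-]*?)\s+"
    r"(?P<xmit>\d+)\s+(?P<xerr>\d+)\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)"
    r"(?:\s+->+)?\s*$"
)


def parse_stateful_stats(text: str) -> list[ObjStats]:
    """Return one ObjStats per data row; the title, 'Link :' and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(ObjStats(m["name"].strip(), int(m["xmit"]), int(m["xerr"]),
                                 int(m["rcv"]), int(m["rerr"])))
    return rows


def flag_errors(rows: list[ObjStats]) -> list[ObjStats]:
    """Rows with any transmit or receive errors, highest rerr first."""
    return sorted((r for r in rows if r.xerr or r.rerr),
                  key=lambda r: (r.rerr, r.xerr), reverse=True)


def rerr_delta(before: list[ObjStats], after: list[ObjStats]) -> dict[str, int]:
    """Growth of rerr per object between two snapshots. The counters are
    cumulative, so a non-zero delta over a quiet interval means the problem
    is still active rather than a leftover from an earlier event."""
    prev = {r.name: r.rerr for r in before}
    return {r.name: r.rerr - prev.get(r.name, 0)
            for r in after if r.rerr - prev.get(r.name, 0) > 0}


if __name__ == "__main__":
    for r in flag_errors(parse_stateful_stats(SAMPLE)):
        print(f"{r.name:<15} rcv={r.rcv:<7} rerr={r.rerr:<7} "
              f"rerr/rcv={r.rerr_per_rcv:.2f}")
```

Run against the posted output it lists General, UDP conn, TCP conn and Route Session; Route Session stands out because all 27 received updates errored (ratio 1.0). To use `rerr_delta`, capture `show failover` twice some minutes apart, parse each capture, and pass the two lists in order.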

deanwebb

Given the constantly-arriving slew of Cisco security advisories, my first go-to is "upgrade?" Is that a possibility?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Looking to replace them in the near future. I think the only way to get the code is with smartnet which is lacking.

Otanx

We use 5515x for VPN as well. I am showing a similar output. I don't have any failures on Route Session. I don't have any issues with VPN. Can regularly stay connected all day. If you don't have Smartnet you should be able to get an upgraded firmware if you can identify a security bug that is present in your current version. My understanding is you can open a request with Cisco, and they will give you a link to download the fixed release without Smartnet. I have not had to do it, but it might be worth a try.

-Otanx