Restart a single context on an ASA with virtual instances

The Cisco ASA firewall can run as a virtual host for multiple virtual ASAs, known as contexts. We recently ran into an issue where a memory leak made one context inoperable. Rather than reload the entire ASA and take down the other contexts, we wanted to restart only the context that was having problems. Unfortunately there is no way to reboot an individual context, because the reload command does not exist inside a context. The solution is to delete the context and recreate it. This may sound daunting, but it takes a few seconds and your config is restored, since the context’s configuration file stays on flash at its config-url and is loaded again when the context is recreated.

First log in to the ASA, change to the context that’s having problems and save its config. In our case the context named “transparent” was the one that stopped working. (You may not want to save the config if a configuration issue broke the context. If so, this step is optional.)

login as: admin
admin@10.10.10.1’s password:
Type help or ‘?’ for a list of available commands.
ASA5525/admin>
ASA5525/admin> en
Password: ************
ASA5525/admin# changeto context transparent
ASA5525/transparent# wr mem

Then switch to the system execution space (the hypervisor layer) and show the context information. In our case we have three contexts: admin, customer and transparent.

ASA5525/transparent# changeto system
ASA5525# show run context
!
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/1.2
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context customer
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1.499
  config-url disk0:/customer.cfg
!
context transparent
  allocate-interface GigabitEthernet0/3 outside
  allocate-interface GigabitEthernet0/4 inside
  config-url disk0:/transparent.cfg
!

Copy the config for the context causing you problems (its allocate-interface and config-url lines), as you will need to enter them again. Then remove the context.

ASA5525# conf t
ASA5525(config)#...
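As an added example (not part of the original post), here is a small Python script that parses the show run context output above and builds the delete and re-add commands for one context, so the allocate-interface and config-url lines are carried over exactly as they were. The ASA syntax it emits (no context <name> followed by context <name>) is assumed from the ASA command set, and it refuses the admin context, which the ASA will not let you delete. The sample output is the one shown above.

```python
"""Parse 'show run context' output from an ASA system execution space and
build the commands needed to delete and re-create a single context.
Added example, not from the original post."""
import re

# Sample output as shown on the page (embedded here as a string).
SHOW_RUN_CONTEXT = """\
!
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/1.2
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context customer
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1.499
  config-url disk0:/customer.cfg
!
context transparent
  allocate-interface GigabitEthernet0/3 outside
  allocate-interface GigabitEthernet0/4 inside
  config-url disk0:/transparent.cfg
!
"""


def parse_contexts(text):
    """Return (admin_context_name, {name: {"lines": [...], "config_url": str}}).
    'lines' keeps every indented line of the context block verbatim so that
    nothing (interface mappings, config-url) is lost when re-creating it."""
    contexts = {}
    current = None
    admin = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        m = re.match(r"admin-context (\S+)$", line)
        if m:
            admin = m.group(1)
            continue
        m = re.match(r"context (\S+)$", line)
        if m:
            current = m.group(1)
            contexts[current] = {"lines": [], "config_url": None}
            continue
        if current is not None and line.startswith(" "):
            body = line.strip()
            contexts[current]["lines"].append(body)
            if body.startswith("config-url "):
                contexts[current]["config_url"] = body.split(None, 1)[1]
    return admin, contexts


def recreate_commands(name, admin, contexts):
    """Commands to run from the system execution space to delete and re-add
    one context.  ASA syntax ('no context X' / 'context X') is assumed here."""
    if name == admin:
        raise ValueError("the admin context cannot be deleted")
    ctx = contexts[name]
    if ctx["config_url"] is None:
        raise ValueError("context %s has no config-url" % name)
    cmds = ["configure terminal", "no context %s" % name, "context %s" % name]
    cmds += ["  " + l for l in ctx["lines"]]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    admin_name, ctxs = parse_contexts(SHOW_RUN_CONTEXT)
    print("\n".join(recreate_commands("transparent", admin_name, ctxs)))
```

Paste the printed block back into the system execution space after confirming that the file named by config-url still exists on disk0: (dir disk0:) so the recreated context has a configuration to load.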

Upgrading IOS-XE firmware on a 4000 series router

Had an issue where I was not able to successfully upgrade the IOS firmware on a Cisco 4351 router. This model of router runs IOS-XE and has some slight differences in feature set compared to legacy IOS. For example, “ip dns server” was not an available command in the version the customer was running, so we needed to upgrade to the latest version, which had support for running a DNS server.

I had uploaded the firmware (which was a whopping 470MB) to the flash and then entered:

boot system flash isr4300-universalk9.03.16.00c.S.155-3.S0c-ext.SPA.bin

I then saved and rebooted the device, but the old firmware was still loaded. I discovered that the proper syntax for this series of router needs to be:

boot system bootflash:/isr4300-universalk9.03.16.00c.S.155-3.S0c-ext.SPA.bin

Two checks are worth doing before the reload: verify /md5 bootflash:<image> compared against the hash on the Cisco download page confirms the upload is intact and genuine, and show bootvar displays the BOOT variable the router will actually use, which would have exposed the wrong path here. After a save and reboot we were on the new firmware and sure enough “ip dns server” was now a supported...

NetFlow setup for 3750x with C3KX-SM-10G

The Cisco 3750X switch does not support NetFlow natively, but the C3KX-SM-10G module has ASICs that support it. With the C3KX-SM-10G module, NetFlow can only be run on the 4 interfaces in the module; this does not add NetFlow to the entire switch. It is, however, possible to capture the switch’s traffic and port mirror (SPAN) it over to one of the C3KX-SM-10G interfaces so that it can be exported as NetFlow. The problem is that in order to mirror traffic to a port and export NetFlow, the port must be in an UP state. In order to force the port up we took an LC fiber patch cable, split apart the plastic end and pulled the cable apart so that we had 2 single fiber strands. Then we plugged in an SFP and connected the port to itself by looping the single fiber back to the same SFP. Use caution with this as it creates a physical loop; it is better to set up the mirror first, because a SPAN destination port drops ingress frames by default (so the looped-back traffic is not forwarded back into the switch) and is put into the UP/DOWN state that I’ll mention later.

First set up the port mirroring, selecting the source VLANs or interfaces. Also point the SPAN at the interface where the fiber loop is on the C3KX-SM-10G.

monitor session 5 source vlan 1 - 5 , 7 , 100
monitor session 5 destination interface Gi4/1/2

Then set up the NetFlow export. Start by defining the flow record.

flow record NETFLOW
 match datalink source-vlan-id
 match datalink dot1q priority
 match datalink mac source-address
 match datalink mac destination-address
 match ipv4 version
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match...
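Once the export is running, the quickest way to confirm that the module is actually sending the fields you put in the flow record is to look at the template the exporter announces. As an added example (not from the original post), here is a Python decoder for a NetFlow v9 packet: it reads the 20-byte header, learns templates from template FlowSets (id 0) and decodes data FlowSets against them. The field type numbers in FIELD_NAMES are the RFC 3954 values for the IPv4, transport and source-VLAN fields used in the record above; the datalink MAC and dot1q fields are left out. The packet it decodes is constructed in build_sample(), including the 4-byte padding a real exporter adds.

```python
"""Decode a NetFlow v9 export packet (header, template FlowSet, data FlowSet).
Added example, not from the original post.  The sample packet is constructed
below; in practice feed it the payload of a UDP datagram from the collector."""
import socket
import struct

# RFC 3954 field type -> name, for the fields of the post's flow record that
# have standard numbers.  Anything else is reported as field_<type>.
FIELD_NAMES = {
    4: "ipv4 protocol", 5: "ipv4 tos", 7: "transport source-port",
    8: "ipv4 source address", 11: "transport destination-port",
    12: "ipv4 destination address", 58: "datalink source-vlan-id",
    60: "ipv4 version",
}


def decode_v9(packet):
    """Return (header dict, {template_id: [(type, len), ...]}, [record dicts])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version=%d)" % version)
    header = dict(version=version, count=count, sysuptime_ms=uptime,
                  unix_secs=unix_secs, sequence=seq, source_id=source_id)
    templates, records = {}, []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length at offset %d" % offset)
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template FlowSet: one or more (id, nfields, fields...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256:  # hit the zero padding at the end of the FlowSet
                    break
                pos += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[tid] = fields
        elif fs_id >= 256:  # data FlowSet: id is the template id
            fields = templates.get(fs_id)
            if fields is None:
                records.append({"template": fs_id, "error": "template not seen yet"})
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):  # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[pos:pos + flen]
                        pos += flen
                        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                        if flen == 4 and ftype in (8, 12):
                            rec[name] = socket.inet_ntoa(raw)
                        else:
                            rec[name] = int.from_bytes(raw, "big")
                    records.append(rec)
        offset += fs_len
    return header, templates, records


def build_sample():
    """Constructed packet: template 256 (6 fields) plus one data record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (58, 2)]
    tmpl = struct.pack("!HH", 256, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = (socket.inet_aton("10.1.1.5") + socket.inet_aton("192.0.2.80")
            + struct.pack("!HHBH", 51515, 443, 6, 100))
    data += b"\x00" * (-len(data) % 4)  # pad the FlowSet to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    hdr, tmpls, recs = decode_v9(build_sample())
    print(hdr)
    print(tmpls)
    for r in recs:
        print(r)
```

Templates arrive on their own refresh timer, so a data FlowSet seen before its template is reported rather than guessed at; keep the templates dict across packets when decoding a live stream.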

Adding PoE to a Cisco 890 Series Router – (C891FW-A-K9)

In order to add PoE to an 891 router, the datasheet says you need “800-IL-PM-4 with 125W PSU.” I had to use the Cisco Commerce Workspace to generate a config starting with the 800-IL-PM-4= part number and then add the 125W power supply there. The following is what was shipped:

The 800-IL-PM-4= part is a daughter-card that is installed onto the motherboard of the 891 router.

The 125W power supply had the Cisco part number PWR-125W-AC. The power supply is a LiteOn unit, model PA-2121-1-LF or 341-0502-01 (both were listed), putting out 12V, 3.5A of DC power on one rail and 53.5V, 1.55A on the other.

Lastly, there were three baggies with hardware:
50-1807-02-A0 - 2 standoffs with two notches
50-1700-01-A0 - standoff with one notch
48-0421-01-A0 - 3 screws
...

Packet capture from a Cisco device and export it to Wireshark

Ran into a situation where I needed to perform a packet capture on the WAN interface of a router that was facing an ISP. The site was rather remote, so putting a hub in between the router and the ISP and capturing the packets via Wireshark was going to be very time consuming. Here is how to perform a packet capture right on the router and then export the capture to Wireshark for analysis.

1. Create the capture buffer

monitor capture buffer holdpackets
monitor capture buffer holdpackets size 2048 max-size 1024

2. Create the capture point. (A process-switched capture point only sees packets punted to the CPU, i.e. traffic to or from the router itself; to capture transit traffic on the WAN interface, create a CEF capture point on that interface instead with monitor capture point ip cef capturepackets <wan-interface> both. In either case you can attach an access-list to the buffer with monitor capture buffer holdpackets filter access-list <acl> to filter this down.)

monitor capture point ip process-switched capturepackets both

3. Associate the capture point with the buffer

monitor capture point associate capturepackets holdpackets

4. Start the capture

monitor capture point start capturepackets

5. Generate the traffic you want to capture, then view the buffer to verify captured packets (optional)

show monitor capture buffer all parameters

6. Stop the capture

monitor capture point stop capturepackets

7. Export the capture via TFTP for viewing in Wireshark. TFTP is unauthenticated and unencrypted and the capture may contain sensitive traffic, so export only over a management path you trust and remove the file from the TFTP server once you have copied it off.

monitor capture buffer holdpackets export tftp://10.1.1.11/capture.pcap

8. Clear the buffer and start the capture over again at step 4 to repeat

monitor capture buffer holdpackets clear

Here is the Cisco document that goes into further detail: https://supportforums.cisco.com/docs/DOC-5799...
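As an added example (not from the original post or the Cisco document), here is a short Python sanity check for the exported capture.pcap before you open it in Wireshark: it validates the pcap global header in either byte order, walks the packet records, and refuses a file whose last record was cut short, which is what an interrupted TFTP transfer leaves behind. The sample file bytes are constructed in build_sample(); the link type, snaplen and packet contents there are made up for the example.

```python
"""Sanity-check a pcap file exported from a router.  Added example, not from
the original post.  Parses the 24-byte global header and the 16-byte record
headers, counting packets and detecting truncation."""
import struct

# Magic values as read with '<I' from the first four bytes: the pair tells us
# the writer's byte order, and the 0x..3C4D variants mean nanosecond timestamps.
MAGICS = {
    0xA1B2C3D4: ("<", False), 0xD4C3B2A1: (">", False),
    0xA1B23C4D: ("<", True), 0x4D3CB2A1: (">", True),
}


def check_pcap(data):
    """Return {"linktype", "snaplen", "packets", "bytes", "nanosecond"} or
    raise ValueError describing why the file is not a usable pcap."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    endian, nanosecond = MAGICS[magic]
    vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (vmaj, vmin))
    packets = total = 0
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("impossible record length %d at offset %d" % (incl_len, offset))
        if offset + 16 + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d (packet %d)" % (offset, packets + 1))
        offset += 16 + incl_len
        packets += 1
        total += incl_len
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets,
            "bytes": total, "nanosecond": nanosecond}


def build_sample():
    """Constructed little-endian pcap: Ethernet link type, 1024-byte snaplen,
    two dummy frames of 60 and 42 bytes."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1024, 1)
    frame1 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x00" * 46
    frame2 = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x11\x22\x33\x44\x66" + b"\x08\x06" + b"\x00" * 28
    out = header
    for ts, frame in ((1700000000, frame1), (1700000001, frame2)):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(check_pcap(data))
```

Run it as python check_pcap.py capture.pcap after the TFTP export; a linktype other than the one Wireshark expects for the interface, or a truncation error, means re-export before spending time on analysis.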