AWS to ASA VPN Issues

ASA to AWS VPN Drops Traffic

Friday July 20, 2018


I’ve been working with a company that integrates with several partners. One of these partners uses AWS to host their services and allows connection through site-to-site VPN only.

That shouldn’t be a problem at all of course. The company in question has ASAs running Firepower Threat Defence, which supports site-to-site VPNs in a very similar manner to the traditional ASA.

So, I configured an ‘always on’ policy-based VPN (no VTI support in FTD yet), which seems to work fine. Well, for a while anyway.


High CPU in Firepower

High CPU Usage in Firepower

Friday June 22, 2018

The Symptoms

I use Firepower Management Center quite a bit. Recently, I started getting health monitoring alerts. It looked something like this:

Health Monitor Alert from Critical Module: CPU Usage

Description: Using CPU05 95.34%

These alerts were spamming me every 5 minutes for a few hours.

One of our ASAs running Firepower Services was having a bad time.
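The alert text quoted above has a fixed shape, so it is easy to tell a sustained problem (the same core over threshold every five minutes for hours) from a one-off spike. The following Python is an added example, not code from the original post or from Cisco; the alert strings it parses are constructed to match the format shown above, and the 90% threshold and three-hit minimum are assumed values, not FMC defaults.

```python
import re
from typing import Dict, List, Optional

# Matches the two-line alert body quoted in the post:
#   Health Monitor Alert from Critical Module: CPU Usage
#   Description: Using CPU05 95.34%
ALERT_RE = re.compile(
    r"Health Monitor Alert from Critical Module: (?P<module>.+?)\s*"
    r"Description: Using (?P<cpu>CPU\d+) (?P<pct>\d+(?:\.\d+)?)%",
    re.DOTALL,
)


def parse_alert(text: str) -> Optional[dict]:
    """Return module, CPU id and percentage from one alert, or None if it is
    not a CPU Usage alert in the expected shape."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    return {
        "module": m.group("module").strip(),
        "cpu": m.group("cpu"),
        "pct": float(m.group("pct")),
    }


def sustained_cpus(alerts: List[str], threshold: float = 90.0,
                   min_hits: int = 3) -> Dict[str, int]:
    """Count alerts per CPU that are at or above `threshold` and return only
    the CPUs seen at least `min_hits` times: a repeating alert for the same
    core is a sustained condition, a single alert is noise to watch."""
    hits: Dict[str, int] = {}
    for raw in alerts:
        parsed = parse_alert(raw)
        if parsed is None or parsed["pct"] < threshold:
            continue
        hits[parsed["cpu"]] = hits.get(parsed["cpu"], 0) + 1
    return {cpu: n for cpu, n in hits.items() if n >= min_hits}


# Constructed sample alerts (not real FMC output), one per five-minute poll.
SAMPLE_ALERTS = [
    "Health Monitor Alert from Critical Module: CPU Usage\nDescription: Using CPU05 95.34%",
    "Health Monitor Alert from Critical Module: CPU Usage\nDescription: Using CPU05 96.10%",
    "Health Monitor Alert from Critical Module: CPU Usage\nDescription: Using CPU02 91.00%",
    "Health Monitor Alert from Critical Module: CPU Usage\nDescription: Using CPU05 94.87%",
    "Health Monitor Alert from Critical Module: CPU Usage\nDescription: Using CPU05 97.02%",
    # A different health module; parse_alert ignores it.
    "Health Monitor Alert from Critical Module: Disk Usage\nDescription: /var 80%",
]

if __name__ == "__main__":
    print(sustained_cpus(SAMPLE_ALERTS))  # only CPU05 repeats enough to count
```

CPU02 fires once and is dropped by the minimum-hit rule; CPU05 is reported with its hit count, which is the thing worth chasing on the sensor.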


BGP With a Service Provider


Tuesday December 19, 2017


So you want to peer with a service provider. Never done it before? Overwhelmed? Don’t know where to start? If this sounds familiar, then this article is for you! We’re going to have a look at the process of peering with an ISP. We’re not going to look too deeply into the technical details. Rather, we’ll focus more on the process.


vPC and LAG Convergence


Thursday November 16, 2017


Recently Cisco released NX-OS 7.0(3)I7(1) for the Nexus 9000 series switches. This brings two new features, called vPC Fast Convergence and LACP Convergence. These are also available on the 7000 series switches.

There wasn’t a lot of information readily available, so I’m going to share what I’ve learned here. I’d like to take a moment to thank Amith Ronad from Cisco for helping me to understand these features.


Hitless vPC Role Change


Thursday October 19, 2017


“Always two there are; no more, no less. A vPC primary and a vPC secondary.” – Yoda (paraphrased)


Like Yoda says, there has always been a primary and secondary in a vPC relationship. But, they’ve always been non-preemptive. That means that a secondary will not automatically become primary unless there’s a failure of some sort.


Dynamic Routing and FEX

Dynamic Routing and Fabric Extenders

Wednesday August 30, 2017


The Problem

A few weeks ago I was working on a customer’s network when I found an OSPF problem. For some reason, an ASA wouldn’t peer with a Nexus switch. To make it a bit weirder, the problem only happened on the default VRF, and only with OSPFv3. On the Nexus side, I could see the ASA neighbour, but it was stuck in INIT. On the ASA side, I couldn’t see the neighbour at all.
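The one-sided symptom described above (Nexus shows the ASA stuck in INIT, ASA shows no neighbour at all) is exactly what OSPF's neighbour state machine produces when hellos flow in one direction only. The following Python is an added illustration, not code from the original post or from either vendor; it models the hello processing rules from RFC 2328 (carried over to OSPFv3 in RFC 5340) with assumed router IDs, and does not model the later ExStart/Exchange/Full stages.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Hello:
    """A received OSPF Hello: who sent it and which router IDs it listed as
    neighbours (the sender lists every router it has itself heard from)."""
    router_id: str
    seen_neighbors: List[str] = field(default_factory=list)


def neighbor_state(local_rid: str, received: List[Hello], remote_rid: str) -> str:
    """Neighbour state of `remote_rid` from `local_rid`'s point of view.

    DOWN  : no Hello from the remote has been received (most CLIs show no
            neighbour entry at all in this state).
    INIT  : a Hello was received, but it does not list us, so the remote has
            not heard us yet (one-way communication).
    2-WAY : a Hello was received that lists our router ID, so both sides hear
            each other; adjacency formation can proceed from here.
    """
    hellos = [h for h in received if h.router_id == remote_rid]
    if not hellos:
        return "DOWN"
    if any(local_rid in h.seen_neighbors for h in hellos):
        return "2-WAY"
    return "INIT"


# Assumed router IDs for the two devices in the story.
NEXUS_RID = "10.0.0.1"
ASA_RID = "10.0.0.2"


def one_way_scenario() -> Tuple[str, str]:
    """Nexus receives the ASA's hellos; the ASA never receives the Nexus's.
    The ASA's hellos therefore list nobody, so the Nexus sits in INIT while
    the ASA has no neighbour entry. Returns (nexus_view, asa_view)."""
    nexus_inbox = [Hello(ASA_RID, seen_neighbors=[])]
    asa_inbox: List[Hello] = []
    return (
        neighbor_state(NEXUS_RID, nexus_inbox, ASA_RID),
        neighbor_state(ASA_RID, asa_inbox, NEXUS_RID),
    )


def healthy_scenario() -> Tuple[str, str]:
    """Hellos flow both ways and each side lists the other."""
    nexus_inbox = [Hello(ASA_RID, seen_neighbors=[NEXUS_RID])]
    asa_inbox = [Hello(NEXUS_RID, seen_neighbors=[ASA_RID])]
    return (
        neighbor_state(NEXUS_RID, nexus_inbox, ASA_RID),
        neighbor_state(ASA_RID, asa_inbox, NEXUS_RID),
    )


if __name__ == "__main__":
    print("one-way:", one_way_scenario())   # ('INIT', 'DOWN')
    print("healthy:", healthy_scenario())   # ('2-WAY', '2-WAY')
```

The practical reading: a neighbour stuck in INIT on one box means that box is hearing hellos but its own are not arriving at (or not being accepted by) the peer, so the place to look is the path the Nexus's OSPFv3 hellos take towards the ASA, not the ASA's configuration of the Nexus.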


Cisco Live Melbourne 2017 – Day 1


Tuesday March 7, 2017


We all want to be better at what we do. You wouldn’t be reading this if you didn’t. In the IT industry, we go to vendor events, where we get to broaden our horizons and network with potential colleagues.

I was one fortunate man in a crowd of many who just attended day 1 of Cisco Live in Melbourne.
