ASA 5510 Issue

Hi Group,

I have an ASA 5510 7.2(2) code.

Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside

I am having some issues with an intermittent traffic flow problem. What I am finding is shown above: the translation for a connection is being torn down, and the next log entry is then denied because the translation was deleted, but it was in fact the same connection/translation, as if there was more data to be sent. This is causing some mail flow issues where email is leaving the sender's network and is seen hitting mine, but the email never shows up at the mail server. I have a TAC case open but have not been too successful with them as of yet.

: Saved
:
ASA Version 7.2(2)
!
hostname aof-fw-01
domain-name blah.local
enable password * encrypted
names
dns-guard
!
interface Ethernet0/0
 description Connection to the Internet
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.187.177 255.255.255.240
!
interface Ethernet0/1
 description Connection to Internal Network
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd * encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name blah.local
dns server-group Internal_DNS
 name-server 192.168.0.240
 domain-name amone.local
access-list outside_access_in extended permit icmp any host x.x.187.177 echo-reply
access-list outside_access_in extended permit icmp any host x.x.187.177 time-exceeded
access-list outside_access_in extended permit ip any host x.x.187.181
access-list outside_access_in extended permit ip any host x.x.187.182
access-list outside_access_in extended permit tcp any host x.x.187.189 eq smtp
access-list outside_access_in extended permit tcp any host x.x.187.188 eq https
access-list outside_access_in extended permit tcp host 70.91.116.209 host x.x.187.188 eq smtp
access-list outside_access_in extended permit tcp any host x.x.187.188 eq www
access-list outside_access_in extended permit tcp any host x.x.187.188 eq pop3
access-list SSL_VPN standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging from-address snipped-for-privacy@blah.com
logging recipient-address snipped-for-privacy@blah.com level errors
logging host inside 192.168.0.241
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_POOL 192.168.51.1-192.168.51.254 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp x.x.187.188 https 192.168.0.245 https netmask 255.255.255.255
static (inside,outside) tcp x.x.187.188 www 192.168.0.245 www netmask 255.255.255.255
static (inside,outside) tcp x.x.187.188 pop3 192.168.0.245 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.x.187.188 smtp 192.168.0.245 smtp netmask 255.255.255.255
static (inside,outside) x.x.187.181 192.168.0.179 netmask 255.255.255.255
static (inside,outside) x.x.187.182 192.168.0.178 netmask 255.255.255.255
static (inside,outside) x.x.187.189 192.168.0.246 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.187.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SSL_VPN internal
group-policy SSL_VPN attributes
 dns-server value 192.168.0.240 192.168.0.245
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL_VPN
 split-dns value blah.local
 address-pools value VPN_POOL
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
  svc required
  svc keep-installer installed
username cmahoney password * encrypted privilege 15
username cmahoney attributes
 vpn-group-policy SSL_VPN
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.51.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service resetoutbound interface outside
no service resetoutbound interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable outside
tunnel-group SSL_VPN type webvpn
tunnel-group SSL_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy SSL_VPN
tunnel-group SSL_VPN webvpn-attributes
 hic-fail-group-policy SSL_VPN
 nbns-server 192.168.0.240 master timeout 2 retry 2
 group-alias SSL_VPN enable
 dns-group Internal_DNS
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.51.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
ntp authenticate
ntp server 193.162.159.97 source outside prefer
webvpn
 port 4100
 enable outside
 enable inside
 svc image disk0:/stc.pkg 1
 svc enable
 tunnel-group-list enable
 smtp-server 192.168.0.246 192.168.0.245
prompt hostname context
Cryptochecksum:81fc86e75f175aa1034e32718b20ba0e
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
Chad Mahoney
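As an added illustration, not part of the original post or of any Cisco tooling, the following Python script shows how to pull the pattern Chad describes out of an ASA syslog feed: a %ASA-6-302014 teardown ("TCP FINs") immediately followed by a %ASA-6-106015 "Deny TCP (no connection)" for the same flow, which a firewall logs when it sees a segment for a connection it has already removed from its table. The message layouts are taken from the two lines quoted above; the sample log is constructed for this example (the first pair is the poster's flow, the other flows are made up using RFC 5737 documentation addresses), and the five-second correlation window is an assumed value a practitioner would tune.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, modelled on the two lines quoted in the post.
# The first pair is the poster's own flow; the remaining flows use RFC 5737
# documentation addresses and were made up for this example.
SAMPLE_LOG = """\
Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
Jan 4 10:11:25 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691140 for outside:203.0.113.7/41022 to inside:192.168.0.246/25 duration 0:02:13 bytes 120004 TCP FINs
Jan 4 10:11:27 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 203.0.113.7/41022 flags ACK on interface inside
Jan 4 10:11:40 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691151 for outside:203.0.113.9/50100 to inside:192.168.0.245/443 duration 0:00:30 bytes 8812 TCP FINs
Jan 4 10:12:05 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.245/443 to 203.0.113.9/50100 flags RST on interface inside
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"

# %ASA-6-302014: connection torn down; the reason (e.g. "TCP FINs") is the trailing text.
TEARDOWN_RE = re.compile(
    _TS + r" \S+ %ASA-\d-302014: Teardown TCP connection \d+ for "
    r"\w+:(?P<a>[\d.]+)/(?P<ap>\d+) to \w+:(?P<b>[\d.]+)/(?P<bp>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes \d+ (?P<reason>.+)$"
)
# %ASA-6-106015: segment dropped because no connection entry exists for it.
DENY_RE = re.compile(
    _TS + r" \S+ %ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<a>[\d.]+)/(?P<ap>\d+) to (?P<b>[\d.]+)/(?P<bp>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<ifc>\S+)$"
)


def _parse_ts(ts):
    # Syslog timestamps carry no year; strptime defaults to 1900, fine for deltas.
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def _flow_key(a, ap, b, bp):
    # Direction-agnostic key: the deny is logged inside->outside while the
    # teardown names the flow outside->inside, so endpoints are sorted.
    return tuple(sorted([(a, int(ap)), (b, int(bp))]))


def correlate(log_text, window_s=5):
    """Return every 106015 deny that follows a 302014 teardown of the same
    TCP flow within window_s seconds (assumed window), oldest first."""
    last_teardown = {}
    matches = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.match(line)
        if m:
            last_teardown[_flow_key(m["a"], m["ap"], m["b"], m["bp"])] = {
                "ts": _parse_ts(m["ts"]),
                "duration_s": _seconds(m["dur"]),
                "reason": m["reason"],
            }
            continue
        m = DENY_RE.match(line)
        if not m:
            continue
        td = last_teardown.get(_flow_key(m["a"], m["ap"], m["b"], m["bp"]))
        if td is None:
            continue
        gap = (_parse_ts(m["ts"]) - td["ts"]).total_seconds()
        if 0 <= gap <= window_s:
            matches.append({
                "server": m["a"],          # source of the denied segment (inside host)
                "peer": m["b"],
                "duration_s": td["duration_s"],
                "teardown_reason": td["reason"],
                "gap_s": int(gap),
                "deny_flags": m["flags"],
                "interface": m["ifc"],
            })
    return matches


def summarize(matches):
    """Count correlated teardown/deny pairs per inside host."""
    return Counter(m["server"] for m in matches)


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG)
    for h in hits:
        print(f"{h['server']} <-> {h['peer']}: closed by {h['teardown_reason']} "
              f"after {h['duration_s']}s, {h['deny_flags']} denied {h['gap_s']}s later")
    print(dict(summarize(hits)))
```

Feeding the real `logging trap debugging` stream from the config above into `correlate()` gives a count per inside host of connections that were closed and then immediately had a stray segment denied; a high count concentrated on the mail server, with very short durations, is the signature to take to the TAC case rather than individual log lines. The last sample pair (25 seconds apart) is deliberately outside the default window to show that late denies are not counted.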

snip

Chad,

This rings a big alarm bell. Could be off radar here, but we had massive problems recently with the same type of issue.

Our problem on 7.2(2) turned out to be a duplex issue. We had to change from a hard coded 100 full to auto duplex auto speed. Since we have done this no more problems.

I know the Cisco preference is to hard code but in the end we had to change it to get it fixed.

Hope that helps.

Regards

Darren

Darren Green

Darren,

Thanks for the reply. Which side are you talking about, the inside, outside or both? Also I should elaborate more: in talking with Cisco TAC we found the issue could be because of our multilink T-1s to a Cisco 2600. I am currently looking at that config to see if anything stands out:

aof-rtr-01#sh conf
Using 1331 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname aof-rtr-01
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
no logging console
enable secret 5 *
enable password 7 *
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface Multilink1
 ip address x.x.187.202 255.255.255.252
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 10
 ppp multilink group 1
!
interface FastEthernet0/0
 ip address x.x.187.190 255.255.255.240
 speed 100
 full-duplex
 no cdp enable
 no mop enabled
!
interface Serial0/0
 description T1 to USLEC S0/0
 no ip address
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1
 description T1 to USLEC S0/1
 no ip address
 encapsulation ppp
 no ip mroute-cache
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.187.201
!
logging trap debugging
logging x
no cdp run
!
snmp-server community * RO
bridge 1 protocol ieee
!
line con 0
line aux 0
line vty 0 4
 password 7 06545678491E5A1D0C4446
 login
!
ntp server 192.43.244.18
!
end

If anyone has any suggestions I am certainly open to them, as I am no router guru.

Chad Mahoney

Chad,

We had a mail server sat off a Cisco 2950 on the DMZ port of the ASA. All ports (inside, outside and DMZ) were hard coded to 100 full. Our issues were resolved when we modified the interface where the server sat, i.e. the DMZ, to auto auto.

I have noticed a number of drops on the inside interface also - again recently I modified this to auto auto and am keeping an eye on things presently.

I must say the debug output you enclosed originally was uncannily similar from memory. Connections opened and reset within one or less seconds, many times over.

If it turns out to be something else let us know.

Regards

Darren

Darren Green

Chad,

Something else that I recall reading a while ago in this group posted originally by Brian V. See link below:

Title: DNS Fixup/Inspect Pix/ASA 7.0 or greater breaking email

Regards

Darren

Darren Green

Wow.... This is Wild!!!!

I had the same issue. My asa5510 would just stop processing data. It wouldn't crash, just stopped passing data. I worked with Cisco for a couple of days and we found the following:

The ASA or switch (HP in this case) would not negotiate properly. Even though both were hard coded to 100 Full I was seeing CRC errors. I've since moved them both to auto and have not had a problem. I too am running version 7.2.2 ...


garrisb

Well, I have found this is not an issue with the duplex settings. It appears, after some sniffing of traffic, that this error shows up when you have 2 T-1 lines in a multilink setup: the router is not assembling packets/frames in the proper order, so the firewall is dropping the connection, forcing the packets to be retransmitted over and over again. I am running some loopback tests on my router tonight to find out if the router is the issue or the carrier is the issue.

Thanks for the reply....

Chad


Chad Mahoney
