topic Re: I found Internet Issue with ASA5515 in Network Security

I found Internet Issue with ASA5515

pichai-chai — Fri, 27 Nov 2020 08:39:35 GMT

I used ASA5515 and I found problem with Internet Connection lost.

For example.

I'm able to access the internet and sometime I found internet has lost.

Please find the details below.

I can ping ASA5515

I can remote to ASA5515

I can ping LAN (inside) interface of ASA5515

I can ping LAN network from ASA5515

I can ping 8.8.8.8 from ASA5515

but
I can't ping 8.8.8.8 from Client

And next 5 minutes I can access internet.
I can ping 8.8.8.8 from my laptop.
I don't know what's happened.

Re: I found Internet Issue with ASA5515

balaji.bandi — Fri, 27 Nov 2020 10:07:06 GMT

This could you be your NAt issue where this was translating.

what kind of bandwidth and how many Clients. have you looked at the NAT translation and Logs in ASA at the time of Loss ?

provide from ASA

show version

other information related to translation

Re: I found Internet Issue with ASA5515

pichai-chai — Fri, 27 Nov 2020 10:41:13 GMT

bandwidth = 200 Mbps

Client = 50 users

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

Re: I found Internet Issue with ASA5515

balaji.bandi — Fri, 27 Nov 2020 11:14:25 GMT

5515 should be capable of handling the information your provided. do you have any other Addons enabled Like IPS ?

can you post show version as requested along with your config and translation to understand the issue ?>

Re: I found Internet Issue with ASA5515

pichai-chai — Sat, 28 Nov 2020 00:20:36 GMT

Yes, I think it's enough performance for our internet usage.
I've no IPS on this firewall.

Please find attached for the config below.

============

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.61.x.x 255.255.254.0

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.248

object network Internal

subnet 10.61.0.0 255.255.0.0

access-list inside_to_outside extended permit tcp any any

access-list inside_to_outside extended permit icmp any any

access-list inside_to_outside extended permit udp any any

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network Internal

nat (inside,outside) dynamic interface

access-group inside_to_outside in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

route inside 10.61.0.0 255.255.0.0 10.xx.xx.247 1

Re: I found Internet Issue with ASA5515

Marius Gunnerud — Sat, 28 Nov 2020 08:13:45 GMT

Are you using separate physical interfaces for inside and outside interfaces or is it a port-channel?

Have you check the logs on the ASA and the switch it connects to?

Next time the issue occurs, also check the connection table (show conn). The output can be big so make sure your terminal emulator buffer is large enough to handle it. Check that, for example, when pinging 8.8.8.8 from a client, the connection is between inside and outside interface and not being sent to another interface or being black-holed.

Re: I found Internet Issue with ASA5515

balaji.bandi — Sat, 28 Nov 2020 08:35:14 GMT

as requested before pleas post - can you post show version as requested along with your config and translation to understand the issue ?>

Also for testing, if you can arrange a device to bypass FW and check if you have an issue, on that PC to eliminate what causing the issue.

there is couple issue i can think of now - may be your TCP multiplexing conn overflow, so no NAT taking place. this may be due to any device compromised network and sending huge traffic out or randomly

Re: I found Internet Issue with ASA5515

pichai-chai — Sun, 29 Nov 2020 00:27:59 GMT

Hi Bud

I've one lan cable is connect from L3 to ASA, no etherchannel function.

========================================

I took the step when I found the issue.

ping asa from client = okay

ping 8.8.8.8 from client = not okay

telnet asa from client = okay

ping 8.8.8.8 from asa = okay

I think this is a ASA issue but I don't know what's happened?

sometime internet is work fine all day but sometime the internet is loss in 15 minutes or every 1 hour.

Re: I found Internet Issue with ASA5515

pichai-chai — Sun, 29 Nov 2020 00:26:34 GMT

Dear Bud

When I found the issue I do telnet to ASA and I've ping to 8.8.8.8 from ASA, yes I can ping but the client can not ping 8.8.8.8.

I agreed with you about NAT translation and TCP multiplexing conn overflow but how I can prove this issue?

Please advise me.

Re: I found Internet Issue with ASA5515

Aref Alsouqi — Sun, 29 Nov 2020 03:27:52 GMT

Do you only have that NAT rule applied to the ASA? if not, can you please post the output of the sh run nat command for review?

Re: I found Internet Issue with ASA5515

balaji.bandi — Sun, 29 Nov 2020 07:13:33 GMT

here is the step by step instructions :

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

Since you have an issue to resolve i also suggest to setup an SYSLOG Server for some time or Long Term send the Logs.

Make some script as soon as you hit the connection limit or any other issue you get an email from out of the box monitor system.

you can use EEM script example :

https://thwack.solarwinds.com/t5/NPM-Discussions/Monitoring-Cisco-router-NAT-translations/m-p/246895

Re: I found Internet Issue with ASA5515

pichai-chai — Fri, 04 Dec 2020 09:05:18 GMT

No, I have not.

Re: I found Internet Issue with ASA5515

pichai-chai — Fri, 04 Dec 2020 09:06:11 GMT

I found this issue when I've changed the firewall to Fortigate. It's the same.