topic Re: ASA stops forwarding traffic in Network Security

ASA stops forwarding traffic

jfnk — Wed, 01 Oct 2025 15:24:30 GMT

Hi all

We have a pair of ASA5516-X devices, running as an active/standby pair. Several times a day, the active device will stop forwarding traffic so all users lose connectivity to all data, applications and services. There is no error message in the ASA log, and all networks remain up - that is to say it's still possible to connect to the ASA, and on the ASA you can verify that the Internet connection is still up and running - but the ASA simply stops forwarding traffic between networks. The failures do not occur after a set time, it is an intermittent (but too frequent) issue.

The fix is to switch the active ASA off (or do a reload) so the standby device takes over as active. Connectivity is restored but a few hours later the same happens and we repeat the process.

This is a problem we have had in the past but the devices have been stable since March, around the time we upgraded to 9.16(4)82. This weekend I upgrade to 9.16(4)85, as recommended, and the problem returned. We have rolled back to 9.16(4)82, but the problem remains.

I have a case open with TAC, but they don't have any immediate idea so it's just a case of gathering info when the problem happens (but can't spend long doing that as we need to restore the service qiuckly)

Anyone had a similar issue?

Thanks

Re: ASA stops forwarding traffic

balaji.bandi — Wed, 01 Oct 2025 15:53:06 GMT

What kind of traffic is this ASA processing?

When you have an issue, have you collected any Logs from the device?

show processes cpu-usage

show blocks

show perfmon

show conn count

show xlate count (if nat involved)

Also, check the troubleshooting guide :

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113185-asaperformance.html

When you failover, the issue is resolved, and at that time, the secondary becomes active (after some time, it also stops processing traffic).

Check on the connected switches, also any Logs, and check any interface drops

Re: ASA stops forwarding traffic

ahollifield — Thu, 02 Oct 2025 17:36:55 GMT

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744798.html

Re: ASA stops forwarding traffic

jfnk — Fri, 03 Oct 2025 09:45:02 GMT

Thanks for your replies.

We stopped forwarding traffic to the sfr module, and disabled the module itself, yesterday morning and I believe this has resolved the issue.

Pretty sure had shut the module down in a previous attempt to resolve the same issue some months ago, but didn't remove the forwarding (no sfr fail-open) that time.

Re: ASA stops forwarding traffic

balaji.bandi — Fri, 03 Oct 2025 10:10:32 GMT

glad all good and resolved.