topic What does the output of "show in Network Security

NAT Problem

marcio.tormente — Tue, 12 Mar 2019 07:41:07 GMT

Hello folks!

I have 02 ASA 5555X in H.A and the very strange thing is happening.

I have many NAT configured, but only NAT to internet stop to work and return only after reboot.

ASA IOS: asa952-smp-k8.bin

Anyone know something about this problem?

Thanks

Marcio

Hi Marcio,

Kanwaljeet Singh — Thu, 28 Apr 2016 19:40:20 GMT

Hi Marcio,

Any logs during the problem? Do you notice all users getting affected or only few users? Could be a nat pool exhaustion problem?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Fnu,

marcio.tormente — Thu, 28 Apr 2016 19:55:14 GMT

Hi Fnu,

Thanks for your support.

There is no log about, only stop to work and for all users.

In this ASA there are 02 links and both stop.

I don´t believe the problem is exhaustion, unless ASA is worst then Checkpoint, because one month ago I migrate from checkpoint to ASA and this problema never happened while the client was using Checkpoint.

Hi Marcio,

Kanwaljeet Singh — Thu, 28 Apr 2016 20:19:00 GMT

Hi Marcio,

Thank you for your reply.

Are you able to ping the default gateway during the problem i.e from the firewall its default gateway? How about ARP status on both gateway and ASA?

Can you share your configuration? Can you do clear asp drop and then take couple of outputs of "show asp drop" and see which counter is increasing?

Can we take pcaps on inside and outside interface for one user and see if the packets are making it from inside to outside interface ?

What is the logging level set on ASA? Can you increase it to debug level during the problem and see what you get ? If firewall is dropping it, it must log the reason for it.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

What does the output of "show

Tristan Cober — Thu, 28 Apr 2016 20:24:44 GMT

What does the output of "show conn count" and "show xlate count" look like when the problem is happening?

Please also check with your ISP if they block any ports.

Hi Fnu,

marcio.tormente — Thu, 28 Apr 2016 20:51:16 GMT

Hi Fnu,

Follow the configuration attached.

Yes, is possible to ping the ASA, everything remain working, only the NAT to internet that stop.

The problem is not happening now, but when happen, I have no time enoght to collect information. The client want to service orking ASAP, then, reboot is the best option.

I made many clear comand, such as xlate, but didn´t work.

Hi Marcio,

Kanwaljeet Singh — Thu, 28 Apr 2016 20:58:12 GMT

Hi Marcio,

Thank you for the configuration.

Please tell me which NAT rule stops working? Also, is it random or happens at a specific time or after sometime?

How often the issue happens? Since we are pressed for time, can we at least take two instances of show tech during the problem before reload is performed?

Also, if the recurrence of issue is pretty frequent, can we bump up the logging level and wait for the next occurrence?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hello Tristan,

marcio.tormente — Thu, 28 Apr 2016 20:59:15 GMT

Hello Tristan,

The problem is not happening now, for this reason the show is normal, but I´m trying to undertand why suddenly its happen.

ASA-SSP-Pri# sh conn count
2583 in use, 3380 most used!

ASA-SSP-Pri# sh xlate count
2274 in use, 3258 most used

Hi Fnu,

marcio.tormente — Thu, 28 Apr 2016 21:03:59 GMT

Hi Fnu,

This problem happens in random time, since I made the migration (last month) its happen 03x in diffentes days and hours of the day.

I can take the show take next time when happen.

Hi Marcio,

Aditya Ganjoo — Fri, 29 Apr 2016 07:30:09 GMT

Hi Marcio,

Please specify which traffic is affected ?

Also what NAT is being used for it.

Take the following outputs:

sh nat detail

sh asp drop ( continuous outputs after an interval of few seconds)

show cpu

show blocks

show memory

show process cpu-usage non-zero sorted

Regards,

Aditya

Please rate helpful posts.

Hi Aditya.

marcio.tormente — Fri, 29 Apr 2016 13:25:24 GMT

Hi Aditya.

Thanks for your support

All the network that is behind Internal interface who whant to access the internet is affected.

For this networks I´m using Network object Nat.

Follow attached the commands.

Thanks

Hi Marcio,

Aditya Ganjoo — Fri, 29 Apr 2016 13:31:16 GMT

Hi Marcio,

Is this taken at the time of the issue ?

Also when the issue is there please clear asp drop and take multiple outputs of show asp drop.

Regards,

Aditya

Hi Aditya,

marcio.tormente — Fri, 29 Apr 2016 13:45:03 GMT

Hi Aditya,

No, at this time, everything is normal.

In 30 days thys problem happen 03 times, I just want understand why and avoid this happen again.

Thanks