topic Jouni Forss , thanks for the in Network Security

ASA 5510 - Disallowing new connections

abcdefghi123 — Tue, 12 Mar 2019 04:33:41 GMT

Hi,

I'm in need of some help here. We lost internet connection. I checked ASA syslog, I found that ASA was displaying disallowing new connections on the ASDM syslog:

Syslog ID: 201008: Disallowing new connections

I did a google search and didn't yield any good results. Any help would greatly be appreciated.

Need to know why and what caused this error, and what is the fix. Thanks.

Hi, I think we had this

Jouni Forss — Thu, 31 Jul 2014 19:56:42 GMT

Hi,

I think we had this problem when we enabled TCP based Syslog to a Syslog server (instead of the default UDP traffic). Unknown to us at that time was that if for any reason the Syslog server was not reached through that TCP connection the ASA would stop allowing new connections through it.

I then found out that to avoid this situation you had to have this command enabled

logging permit-hostdown

This command essentially allows the ASA to perform normally even if the Syslog server had become unreachable. Our problem in this case was related to misunderstanding on what the TCP port used should have been.

We added this command after the problem had started on a Security Context in a Multiple Context mode ASA and we found out also that adding this command later did not help with the situation. We went as far as removing all logging configurations and even the interface through which the Syslog server had been configured originally. None of this helped. In the end we had to remove the whole Security Context and enter it again in the System Context to get connections going through that particular Security Context.

So I kind of wonder if you have configured TCP based Syslog messages on the ASA and the server has become unreachable and you dont have the above mentioned command enabled?

Hope this helps

- Jouni

Yes, TCP is enabled for

abcdefghi123 — Thu, 31 Jul 2014 21:56:26 GMT

Yes, TCP is enabled for syslog server.

I have also enabled "Allow user traffic to pass when TCP syslog server is down". Hoping this will resolve the issue.

Will test the firewall again tomorrow evening to see if this solves the problem.

Jouni Forss , thanks for the

TomElkins3rd — Thu, 15 Jan 2015 14:52:05 GMT

Jouni Forss , thanks for the posting, we lost link to syslog server, and the same thing happened.

logging permit-hostdown Worked great while we restore the link.

Hi

arickenbach — Tue, 03 May 2016 16:27:10 GMT

I know it's an older post, but it's still a problem 🙂

If the command:

logging permit-hostdown

not helps, you're hitting a bug which is not public. The bug is related to context firewalls.

To fix the problem, the only solution is to re-create the context again. A reboot doesn't help.

Here's a short instruction (repeat for every context):

remove tcp syslog server configuration

changeto contex XYZ
conf t
no logging host inside x.x.x.x tcp/xxx

save new configuration

changeto system
wr mem all

check configuration (optional)

more xyz.cfg | in logging

check context file:

sh run context XYZ
context XYZ
<snip>
 config-url disk0:/xyz.cfg

remove context configuration

changeto context XYZ
clear configure all

Use context file again:

changeto sys
context XYZ
conf t
config-url disk0:/xyz.cfg

If you have a failover pair, I recommend to remove the configuration of the secondary ASA and built up the failover cluster again.

Regards Andrin

Re: Hi

ferginator1 — Thu, 30 May 2024 20:41:59 GMT

Thank you so very much, this was the fix for my issue with Cisco 5585 multi-context configuration ASA.

Re: ASA 5510 - Disallowing new connections

Jerioux — Thu, 15 Aug 2024 14:34:23 GMT

10 Years later this post is still useful !