https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426199#M730031 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>Thanks for your reply.</P><P>The information was useful</P><P>Will check that......</P><P></P><P>Regards</P><P>Arulkumar</P></BODY></HTML> Mon, 22 Feb 2010 06:11:53 GMT arulkumar80 2010-02-22T06:11:53Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426195#M730027 <P>Hi,</P><P>Most of the time everything works fine on the firewall and all the required traffic is passing through the firewall as expected by the configuration.</P><P></P><P>Sometimes some of the users are not able to a)go online, b)access&nbsp; the servers.</P><P>the users&nbsp; facing this issue are able to work with the existing connections but if they try to open a new connection to any servers they fail.</P><P>At that time users are not able to go online either. I am able to ping that time but i am not able to telnet.</P><P></P><P>servers are in one security level and users are in different security level.</P><P></P><P>If they user remove the lan cable and refix it everthing works normal for that user.</P><P></P><P>Regards</P><P>Arulkumar</P> Mon, 11 Mar 2019 17:12:38 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426195#M730027 arulkumar80 2019-03-11T17:12:38Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426196#M730028 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Don't have any logs from the time when the problem happened?</P><P></P><P>Are you reaching the limit of connections permitted?</P><P></P><P>Federico.</P></BODY></HTML> Sat, 20 Feb 2010 20:47:36 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426196#M730028 Federico Coto Fajardo 2010-02-20T20:47:36Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426197#M730029 <HTML><HEAD></HEAD><BODY><P>Don't have any logs from the time when the problem happened?</P><P></P><P>Are you reaching the limit of connections permitted?</P><P></P><P>Federico.</P><P></P><P>Hi Federico,</P><P>Thanks for your reply.</P><P>How can i check if ASA is reaching the limit of connections permitted. (any command to check that)</P><P></P><P>Regards</P><P>Arulkumar</P></BODY></HTML> Sun, 21 Feb 2010 08:49:16 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426197#M730029 arulkumar80 2010-02-21T08:49:16Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426198#M730030 <HTML><HEAD></HEAD><BODY><P> The ''show conn count'' will show you amount of connections at a certain point, you can compare this number to the max. connections that your specific model can handle.</P><P></P><P>Also, for the servers, they have a limit on the amount of embryonic connections and total connections as well on the STATIC command. (The same applies for dynamic NAT).</P><P></P><P>If the problem is with the amount of traffic, a temporary solution is to change the timeouts for the XLATEs and connections:&nbsp; ''sh run timeout''</P><P></P><P>Federico.</P></BODY></HTML> Sun, 21 Feb 2010 14:57:00 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426198#M730030 Federico Coto Fajardo 2010-02-21T14:57:00Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426199#M730031 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>Thanks for your reply.</P><P>The information was useful</P><P>Will check that......</P><P></P><P>Regards</P><P>Arulkumar</P></BODY></HTML> Mon, 22 Feb 2010 06:11:53 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426199#M730031 arulkumar80 2010-02-22T06:11:53Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426200#M730032 <HTML><HEAD></HEAD><BODY><P><SPAN style="background-color: #f8fafd;">Hi,</SPAN></P><P><SPAN style="background-color: #f8fafd;">from <STRONG>sh conn</STRONG> i see that device can handle more number of connection.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">will reducing the timeout for xlate and connection work?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">because the only some of the hosts are not able to connect to a servers or go online and it is happening sometimes only sometimes </SPAN></P><P><SPAN style="background-color: #f8fafd;">after few minutes the hosts are able to connect to severs and go online normally.</SPAN></P><P><SPAN style="background-color: #f8fafd;">when the issue is occuring ping works fine</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">and if the host"s lan cable is unlugged and relugged back the issue is resolved, they are able to connect to servers an able to go online.</SPAN></P><P><SPAN style="background-color: #f8fafd;">Servers are connected in 1 interface and internet is on another interface</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">hope my explanation is clear.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Your help is much appreciated.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Regards</SPAN></P><P><SPAN style="background-color: #f8fafd;">Arulkumar</SPAN></P></BODY></HTML> Mon, 22 Feb 2010 14:03:24 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426200#M730032 arulkumar80 2010-02-22T14:03:24Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426201#M730034 <HTML><HEAD></HEAD><BODY><P>Will be a good test to try lowering the timeouts for the translation and connections...</P><P></P><P>Just make sure, the XLATE timeout should be greater than the CONN timeout.</P><P></P><P>Let's see the results...</P><P></P><P>Federico.</P></BODY></HTML> Mon, 22 Feb 2010 21:30:31 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426201#M730034 Federico Coto Fajardo 2010-02-22T21:30:31Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426202#M730036 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>tried lowering the timeouts for the translation and connections, no good....</P><P>please advise.</P><P></P><P>Regards</P><P>Arulkumar</P></BODY></HTML> Fri, 26 Feb 2010 05:28:55 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426202#M730036 arulkumar80 2010-02-26T05:28:55Z https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426203#M730037 <HTML><HEAD></HEAD><BODY><P>Arulkumar,</P><P>We just can't manipulate the timeout not knowing what the cause it.</P><P></P><P>What do the logs say when these hosts can't go out?</P><P>Can they ping the firewall's IP address?</P><P>Can they get name resolution when they ping yahoo.com or google.com</P><P>Can they load the page by IP address and not name?</P><P>Can they ping an outside IP through the firewall?</P><P>Only TCP breaks? ICMP works?</P><P></P><P>enable logging on the firewall</P><P></P><P>conf t</P><P>logging buffered 7</P><P>sh logg | i x.x.x.x</P><P></P><P>where x.x.x.x is the host that cannot got out. Explain what protocol (http ?) breaks. You are trying a telent x.x.x.x 80 to verify?</P><P></P><P>-KS</P></BODY></HTML> Fri, 26 Feb 2010 13:58:08 GMT https://community.cisco.com/t5/network-security/traffic-not-passing-through-firewall-at-sometimes-for-some-users/m-p/1426203#M730037 Kureli Sankar 2010-02-26T13:58:08Z