mattwoida
Beginner

v3.3.1 - system diagnostic on ASA fails with session disconnected

Upgraded to v3.3.1.  SSH connection to ASA (5545 ver 9.3(3)7) works fine.  Unused Policy tool works most of the time without session disconnect (although I have seen this once already).  Running the System Diagnostic tool results in session disconnect every time.  I have tokens available so I am assuming the tool should run and complete without issue.  Any thoughts/ideas .... ?

1 ACCEPTED SOLUTION

Also, what is your connection path to your ASA? Is it direct connect or are you going through a comm server? Also, are you on Windows?

When connecting to ASA versions previous to 9.5.2(2) from the Windows client, we've seen rare occurrences where a disconnect can occur when a lot of data is flowing from the ASA. This may be due to the Windows TCP buffer being overrun. A "TCP zero window" occurs and consequently a TCP RST occurs and the session terminates. Note the CLI Analyzer consumes data slower than other applications.
The above is assuming it's not a network connectivity issue.


5 REPLIES
John Bollier
Cisco Employee

Hi Matt,

Can you try connecting to another ASA that is similar in software/model version within another portion of your network to see if the problem follows? Please run the same tools a few times. I tested in our lab and was unable to duplicate. Also, if you can, please ping both ASAs and share the latency for comparison purposes.

Thanks,

John

John,

I have three 5540 (ver 9.1(6)11).  One worked (ran system diagnostics without session disconnect) fine without issue, second needed a second attempt as the first was a session disconnect.  The 3rd completed after 3 or 4 attempts.  The original (5545) still will not complete a run.

5540_1:

Ping statistics for 10.50.98.41:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

5540_2:


Ping statistics for 10.50.98.42:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms

5540_3:

Ping statistics for 10.50.98.43:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms

5545: (less than 1ms)

Ping statistics for 10.10.99.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


kevwilso,

Windows direct connect - no comm server.  Four ASAs tested are running versions previous to 9.5.  Wireshark error for TCP window size full "Expert Info (Warning/Sequence): TCP window specified by the receiver is now completely full".  Packet capture confirms ASA sends a TCP RST.  Do you know of a workaround for this issue (other than ASA upgrade)?  I assume the equivalent is to do the 'file analysis' instead of using the system diag tool?
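The zero-window-then-RST sequence described in this thread can be confirmed from a capture without reading it packet by packet. The following is an added example, not part of the original posts and not Cisco code: it assumes the capture was exported as tab-separated fields with `tshark -r capture.pcap -Y tcp -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.window_size -e tcp.flags.reset`, and the sample rows, the client address 192.0.2.10, the ports and the timings are constructed.

```python
import csv
import io

# Constructed sample in the assumed export format (time, src, sport, dst,
# dport, advertised window, RST flag). 10.10.99.2 and 10.50.98.41 are the
# ASA addresses from the thread; everything else is made up for illustration.
SAMPLE = (
    "0.000\t10.10.99.2\t22\t192.0.2.10\t50000\t32768\t0\n"
    "0.001\t192.0.2.10\t50000\t10.10.99.2\t22\t65536\t0\n"
    "0.300\t10.50.98.41\t22\t192.0.2.10\t50001\t32768\t0\n"
    "0.700\t192.0.2.10\t50001\t10.50.98.41\t22\t0\t0\n"      # window closes
    "0.900\t192.0.2.10\t50001\t10.50.98.41\t22\t16384\t0\n"  # and reopens
    "0.950\t192.0.2.10\t50000\t10.10.99.2\t22\t8192\t0\n"
    "1.400\t192.0.2.10\t50000\t10.10.99.2\t22\t0\t0\n"       # window closes
    "6.400\t10.10.99.2\t22\t192.0.2.10\t50000\t0\t1\n"       # peer resets
)

def find_zero_window_resets(tsv_text):
    """Return (receiver, resetter, seconds_stalled) for every flow in which a
    zero-window advertisement was still outstanding when the peer sent RST."""
    stalled = {}   # (receiver endpoint, peer endpoint) -> time window hit 0
    findings = []
    for row in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if len(row) != 7:
            continue  # malformed or non-TCP row
        t, src, sport, dst, dport, win, rst = row
        sender, peer = f"{src}:{sport}", f"{dst}:{dport}"
        if rst in ("1", "True"):  # tshark prints booleans either way
            # RST segments carry no meaningful window, so only ask whether
            # the other side had its receive window closed at this moment.
            since = stalled.pop((peer, sender), None)
            if since is not None:
                findings.append((peer, sender, round(float(t) - since, 3)))
            stalled.pop((sender, peer), None)
        elif win == "0":
            stalled.setdefault((sender, peer), float(t))  # keep first zero
        else:
            stalled.pop((sender, peer), None)  # window update: not stalled
    return findings

if __name__ == "__main__":
    for receiver, resetter, secs in find_zero_window_resets(SAMPLE):
        print(f"{receiver} held a zero window for {secs}s, then {resetter} sent RST")
```

A flow whose window closes and later reopens, like the constructed 10.50.98.41 session, is not reported; only a window that is still closed when the reset arrives is.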

You may be able to adjust/increase your TCP Window Size using the below instructions:

https://www.experts-exchange.com/questions/28353794/How-TCP-IP-Sliding-Window-is-configured-on-Win7-hosts.html

Note when they mention HKLM in the article, they really mean "HKEY_LOCAL_MACHINE".
