07-18-2023 08:46 AM
Hey guys!
I hope this message finds everyone well.
I have a problem where an ASA 5525 is showing inconsistency in the connections.
At random times, VPN client connections via AnyConnect are dropped and the firewall stops responding and forwarding packets to the WAN. The connection only returns after we start a "ping" from the ASA to the outside or from the outside to the firewall's WAN.
I already created a task to trigger a ping to the Google DNS through the WAN and a LAN IP through the packet-tracer, but it didn't solve the problem.
Does anyone have any idea what it could be or if it could be a version bug? The firmware we are using is Cisco Adaptive Security Appliance Software Version 9.13(1).
07-18-2023 09:00 AM
Can you share the log message?
07-18-2023 10:08 AM
Hi,
This is also a problem, no error codes or logs appear.
The WAN interface simply stops responding to packets as if it went into standby and only returns after ICMP sessions.
The only error message that appears is when trying to log in to AnyConnect: "Connection attempt has timed out. Please verify internet connectivity".
Despite the error message mentioning a local connection failure, the problem is in the ASA's own WAN interface which simply dies.
07-18-2023 10:19 AM
standby <<- are you running ASA HA?
07-18-2023 10:29 AM
No, it's only 1 firewall.
Sorry if I expressed myself wrong. When I said "standby" I meant that the interface stops delivering packets as if it weren't in production or with the protocol down.
The interface only works again when we send ICMP packets.
07-18-2023 10:35 AM - edited 07-18-2023 10:36 AM
Do you use PPPoE for WAN?
07-18-2023 10:41 AM
No.
WAN connection is done via VLAN ID for a VIP.
07-18-2023 11:25 AM
VIP of HSRP,
it seems that the ASA drops G-ARP.
Solution:
1- Use SLA monitor so there is always a ping
2- Use static ARP VIP-vMAC
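The two workarounds from the last reply, sketched as ASA configuration. This is an added example, not a configuration posted in the thread: the interface name `outside`, the VIP `192.0.2.1`, the HSRP version 1 group 1 virtual MAC, the probe target and the SLA/track IDs are all assumed placeholder values.

```cisco
! Added example: every address, MAC and ID below is a placeholder.

! 1- SLA monitor: a permanent ICMP probe out of the WAN interface, so the
!    ASA keeps re-resolving and refreshing the next-hop ARP entry.
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! 2- Static ARP: pin the gateway VIP to the HSRP virtual MAC, so a missed
!    gratuitous ARP no longer leaves the next hop unresolved.
!    0000.0c07.acXX is the HSRP version 1 format, XX = group number in hex.
arp outside 192.0.2.1 0000.0c07.ac01

! Verification
show sla monitor operational-state 10
show track 1
show arp | include 192.0.2.1
```

Before pinning the entry, confirm the real virtual MAC on the upstream routers or in `show arp` while the link is healthy. A static entry with the wrong MAC blackholes all WAN traffic.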