Cisco ASA dropping connections seemingly at random

Jody Sudbury
Level 1

I've got a pair of ASA 5505s at work that, at random intervals (which seem more frequent during the higher usage of business hours), drop all connections. I noticed it first with VPN sessions dropping. Having said that, CPU is under 40% and memory is under 50%, so I don't think it's performance limited. It's also not hitting the connection limits of the platform: show conn count shows a max used of 8500 (max is 10000). Max throughput is harder to gauge over so many interfaces, but I don't think that's the issue either. I did some big file transfers across a couple of interfaces to see if I could recreate the problem, and I couldn't.

 

The problem was initially noticed due to dropping VPN sessions. As far as VPN goes, when I turned on client-side debugging of the VPN, I noticed that dead peer detection would be working for a while and then, for a period of 30-50 seconds, the client would stop receiving responses to DPD from the ASA and initiate a teardown of its own session (this showed up as an administrator reset on the ASA side).

 

I then took a closer look on the ASA side by doing packet dumps of the outside interface of the ASA. Sure enough, the DPD packets were coming in, but eventually, the ASA would stop replying to them for 30-50 seconds. After that time elapsed, VPN sessions would re-establish, the number of connections per second (which had dropped to 0) on the ASDM interface graph would shoot back up, etc.

 

Other symptoms of the problem include downloads being interrupted, and if you click on a webpage link while in that 30-50 second period, you get a "page not found" error.

 

I've turned on all sorts of debugging on the ASA and don't see any significant log messages. These ASAs are part of a mirrored pair, so I failed over to make sure it wasn't hardware related, and the same behavior does happen on both in the pair.

 

Has anyone ever seen anything like this? It's been going on for a few software versions apparently, so I'm not sure that just doing an upgrade will change anything.

 

thx

1 Reply

This appears to be an old post, but I just wanted to post that I too see this issue on my ASA-5545. We see a high number of AnyConnect VPN drops with the error "Reason: Administrator Reset".

 

My speculation at the moment is that because our ASA's outside interface sits behind a Checkpoint firewall, and that Checkpoint appears to be experiencing some packet discard, maybe due to overload or other, this is triggering the AnyConnect VPN drops.

 

Thoughts anyone?
