Welcome to Cisco Firewalls Community


Beginner

Comcast and Cisco ASA 5510

I have this problem and Comcast is not a help in resolving.

We just changed over to Comcast Business and after changing the outside interface to new IP and setting static route.

I have access to internet and everything appears to be good,

However ASDM will never fully load, always stuck at 17% or 77%, and I always see "parsing running config"

When I do a show run it will not fully load either, always stops at certain output.

5 seconds after pulling the Comcast cable out both ASDM and running config will load fine

Can anyone help?


Comcast and Cisco ASA 5510

Hello Duong,

Any logs from the ASA that you can share with us while the issue happens?

Check memory, CPU while using the COMCAST connection

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Comcast and Cisco ASA 5510

Merry Christmas Brother!  Thanks for answering!

For some reason cpu is 100 percent and traffic bandwidth is 500kbps.

I am not on site so I can't see the log file right now.

BTW my site to site tunnel didn't work, I used your instructions:

So only do the following: Lets say new ip is 4.4.4.4

clear configure tunnel-group 2.2.2.2

tunnel-group 4.4.4.4 type ipsec-l2l

tunnel-group 4.4.4.4 ipsec-attributes

pre-shared-key x.x.x.x

no crypto map outside_map 20 set peer 2.2.2.2

crypto map outside_map 20 set peer 4.4.4.4

--

Comcast and Cisco ASA 5510

Hello Duong,

CPU at 100% there is our problem!!!

Your box is on fireeeee... Let me know when you have access to the box so we can work on this

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Beginner

Comcast and Cisco ASA 5510

I am curious why it's at 100 percent, nothing is plugged in besides Comcast Box.

Will you be available to help me Wednesday?  If so what is the best time for you?

Comcast and Cisco ASA 5510

Hello Duong,

I guess, let me know on Wednesday

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Comcast and Cisco ASA 5510

I was able to see the log today.

It is filled with these exact lines.

7|Dec 25 2012|11:27:55|609001|172.16.121.11||||Built local-host outside:172.16.121.11

7|Dec 25 2012|11:27:55|609001|172.16.121.11||||Built local-host outside:172.16.121.11

7|Dec 25 2012|11:27:55|609001|172.16.121.11||||Built local-host outside:172.16.121.11

7|Dec 25 2012|11:27:55|609001|172.16.121.11||||Built local-host outside:172.16.121.11

7|Dec 25 2012|11:27:55|609001|172.16.121.11||||Built local-host outside:172.16.121.11

7|Dec 25 2012|11:27:55|609001|172.16.121.11||||Built local-host outside:172.16.121.11

How to stop this?

Beginner

Comcast and Cisco ASA 5510

Hi Bro.

I found and deleted that connection.

CPU now down to 5%

Please help me with site to site, then I can rest for Christmas.

Comcast and Cisco ASA 5510

Hello,

Looks like that host is eating your network...

Why is he trying to build that many connections?

While you have it down to 5 % can you access it?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Comcast and Cisco ASA 5510

Yes I can connect now and have full access to FW

Comcast and Cisco ASA 5510

As expected

Who is 172.16.121.11 and what is he doing?

sh local | in host|count/limit

That command will help you find the number of connections per host

This might be a computer with a virus or a bad application, etc., but the thing is that you could not access it because the ASA was overwhelmed by that PC.

So the problem is the PC,

That solves our paradigm,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
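
An offline counterpart to the `show local-host` check above, added here as an example (not code from the thread or from Cisco): it counts 609001 "Built local-host" events per host per second in an exported log that uses the pipe-delimited layout of the lines quoted earlier. The function names, the threshold and every sample line other than the 172.16.121.11 one are constructed assumptions.

```python
import re
from collections import Counter

# Field layout of the lines quoted in the thread:
# severity|date|time|message-id|src|sport|dst|dport|text
# The 172.16.121.11 lines mirror the thread; all other lines are constructed.
SAMPLE_LOG = (
    "7|Dec 25 2012|11:27:55|609001|172.16.121.11||||Built local-host outside:172.16.121.11\n" * 6
    + "7|Dec 25 2012|11:27:55|609001|192.168.1.20||||Built local-host inside:192.168.1.20\n"
    + "6|Dec 25 2012|11:27:55|302013|192.168.1.20|51515|203.0.113.10|443|Built outbound TCP connection\n"
    + "7|Dec 25 2012|11:27:56|609001|192.168.1.20||||Built local-host inside:192.168.1.20\n"
    + "truncated line without enough fields\n"
)

BUILT = re.compile(r"Built local-host (?P<ifc>[^:\s]+):(?P<host>\S+)")


def parse(line):
    """Return (timestamp, interface, host) for a 609001 line, else None."""
    parts = line.strip().split("|", 8)  # the text field may itself contain '|'
    if len(parts) != 9 or parts[3] != "609001":
        return None
    m = BUILT.search(parts[8])
    if not m:
        return None
    return f"{parts[1]} {parts[2]}", m["ifc"], m["host"]


def churning_hosts(log_text, per_second_limit=3):
    """Map (interface, host) -> peak number of 609001 events in any one second,
    keeping only hosts whose peak exceeds per_second_limit (assumed threshold)."""
    per_second = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            per_second[rec] += 1
    peaks = {}
    for (_ts, ifc, host), n in per_second.items():
        peaks[(ifc, host)] = max(peaks.get((ifc, host), 0), n)
    return {k: v for k, v in peaks.items() if v > per_second_limit}


if __name__ == "__main__":
    for (ifc, host), peak in churning_hosts(SAMPLE_LOG).items():
        print(f"{ifc}:{host} had {peak} local-host builds in one second")
```

A host that is built once and then stays in the table produces a single 609001 entry, so a high per-second count for one address points to the same entry being created over and over.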
Beginner

Comcast and Cisco ASA 5510

That IP belonged to the consultant the company hired before I was employed.

He is their firewall guy.

There was a VPN tunnel to that IP address.

I want to learn FW to take over that position and further my career.

Comcast and Cisco ASA 5510

Hello,

Good to know that

Well, that is why we are here, in order to keep learning,

Regards,

Julio Carvajal.S

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC