Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
646
Views
5
Helpful
4
Replies

Connections remain when static route removed - ASA

startx001
Level 1
Level 1

‎06-11-2018 05:52 AM - edited ‎02-21-2020 07:51 AM

Hi , 

Noticed strange issue on ASA 5585-X SSP20.

Connections on ASA stays active after static route is removed from ASA, and then traffic is droped . 

Only when i cleared connections traffic started to flow how it should , until then traffic was dropped. 

Version on ASA is 9.7(1)8 .

 

Someone noticed similar problem ?

 

KR
VZ

Labels:
0 Helpful
4 Replies 4

Octavian Szolga
Level 4
Level 4

‎06-11-2018 08:01 AM - edited ‎06-11-2018 08:01 AM

Hi,

Do you have any track on the route? If the route is down because your interface is down, I don't see any reason for the connections to remain in the conn table.

 

If the route is not removed because of an interface down reason, I'd look at this:

 

-----------------------------------

Routing convergence & connection timers

 

(config)#timeout floating-conn 0:00:00

(config)#timeout conn-holddown 0:00:15

 

timeout floating-conn hh:mm:ss—When multiple routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the  connection never times out). To make it possible to use better routes, set the timeout to a value between 0:0:30 and 1193:0:0.

 

timeout conn-holddown hh:mm:ss—How long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the  connection is freed. The purpose of the connection holddown timer is to reduce the effect of route flapping, where routes might come up and go down quickly. You can reduce the holddown timer to make route convergence happen more quickly. The default is 15 seconds, the range is 00:00:00 to 00:00:15.

 

-----------------------------------

 

Thanks,
Octavian

startx001
Level 1
Level 1
In response to Octavian Szolga

‎06-12-2018 01:25 AM

Hi , 

 

No , no , no interface down , i did not say that .

When removing static route.

 

0 Helpful

startx001
Level 1
Level 1
In response to startx001

‎06-19-2018 01:28 AM

Noone ?

0 Helpful

Florin Barhala
Level 6
Level 6
In response to startx001

‎06-19-2018 01:41 AM

Can you post some timeline here:
- show route & show clock
- "conf t/interface "outside"/shutdown & show clock
- show conn ..... & show clock
- after 20s again: show conn ..... & show clock

Except this is there any other ongoing issue on this firewall? Is it standalone or HA?
How're CPU and memory usage during your "interface shutdown" test?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card