Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
594
Views
0
Helpful
3
Replies

Firewall & Internet Router Issue

Saeedullah Khan
Level 1
Level 1

‎07-25-2015 02:37 AM - edited ‎03-11-2019 11:19 PM

Hi Guys,

 

I need to discuss one important matter with you guys as might be you faced in your past experienced.

 

In our Data Center our "Internet Router" is connected with our ASA and last time i faced an issue, my internet router were faulty due to SDRAM but what i seen after EVERY 3-5 minutes i was receiving "request timeout" on our all interfaces i.e. Inside Interface, DMZ Interface etc and obviously my outside interface connected with the Router so after my troubleshooting steps i found the issue when i remove/shutdown the "outside interface" the problem was resolved.

 

My main concern about this issue is how to control this issue when the device got faulty it will not effect on the firewall.

 

Saeed

 

 

 

Labels:
0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎07-25-2015 03:14 AM

At least communication between inside and DMZ should never be effected by a faulty internet-router. I would assume that there are some problems in your network-design and/or with your firewall/router-config. It would help if you could share detailed diagrams and your config.

0 Helpful

Saeedullah Khan
Level 1
Level 1
In response to Karsten Iwen

‎08-04-2015 03:53 AM

Hi Karsten,

Sorry for very late reply and as per my understanding there is not any issue with our design/config etc.

Actually what i have seen on the ASA 5510 device when checking the firewall as our device is security plus bundle licensed enabled (concurrent session connection 130K) and the firewall was running exceeds the connections so that's the reason the firewall behaving abnormal/request timeout the connectivity on the inside, dmz end.

I have already configured on the outside interface to limit the connection i.e. tcp connection but the router continuously checking the POST test and giving the sdram error (kindly check an attached snapshot).

But my simple question is when the router itself restarting then how is it possible to exhaust the connection sessions (i.e. 130K). is there any way to do to control this type of issue and any body can easily facing this type of issue.

Hope to getting my point.

Preview file
100 KB
0 Helpful

Karsten Iwen
VIP
VIP
In response to Saeedullah Khan

‎08-04-2015 03:01 PM

Perhaps, it could be related to the connection setup-rate. After the internet-router (which indeed is a candidate for replacement or a TAC-case if under support) returned to normal opperation, there are many connections that have to be buildt. With a connection setup-rate of 9k/s, the ASA could just be overloaded and that causes also trouble with internal connections.

But if you already exceed the max connections, it's time to upgrade your ASA to a 5516-X or even 5525-X.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card