01-15-2011 04:53 AM - edited 03-11-2019 12:35 PM
Hello All,
I am experiencing an issue with two ASA 5505 devices that I have on my network.
The devices are both running version 8.2.2 OS.
With one of the devices anytime it is connected to the network I am unable to communicate with one of the hosts in particular. This is very strange since the host in question does not have to have the ASA 5505 set as its gateway for the issue to occur.
With the second ASA 5505 I realize that anytime that a host uses the ASA 5505 as its default gateway frequent connection resets occur. For instance I have a web server that uses the ASA 5505 as its gateway and there are frequent connection resets (this is indicated by an error message in the web browser) when browsing sites hosted on the web server. This issue only occurs with internal clients. Clients browsing to the websites using the external interface do not have this issue.
Thank you in advance,
Quincy.
01-15-2011 06:55 AM
When the problem happens, have you looked at the ARP cache on the webserver? Does that show the GW of the ASA 5505 and its MAC address as it should?
You are running a code where this defect is resolved.
When the problem is happening need to gather the following:
1. ping from the webserver to the ASA
2. ping from the ASA to the webserver
3. sh arp on the ASA
4. sh arp on the webserver
5. what do you do to resolve the issue? or does it resolve on its own?
6. collect wireshark capture on the server and see what might be going on when it has the problem.
7. capture on the ASA would help as well
cap capin int inside match ip host x.x.x.x any
where x.x.x.x is the ip address of the server. You can issue " sh cap capin det" to view the capture.
you can save it as a .pcap file with this command https://ip_address_of_the_asa/capture/capin/pcap
-KS
01-15-2011 07:09 AM
Hi,
I tried to access the Bug Toolkit but I got an error message indicating that my guest login is not permitted to use the toolkit.
Are you saying that this is a known issue that has already been resolved? I tried to upgrade to 8.2.3 but after I did the upgrade I got an error message saying that I did not have enough memory (I only have 256MB installed) to run the new OS. Is there an alternative OS that can be used that does not require the memory upgrade?
In the case of the web server I normally press F5 (to refresh the page) a few times and it eventually comes up. However, this is not good for internal end users who may not have the same level of patience or knowledge and will just think that the website is down. Moreover, the second server that I am having the issue with is a domain controller/File server and it is causing serious issues with respect to communicating with it. I have been unable to connect to any of my shares and I am unable to connect using remote desktop.
Thank you,
Quincy.
01-15-2011 07:19 AM
If you are running 8.2 and upgraded to 8.2.3 - it should not require additional memory.
Are you sure you didn't upgrade to 8.3.2?
Only 8.3 requires additional memory. If so pls. downgrade using the "downgrade" command.
downgrade /noconfirm disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/d2.html#wp2002627
Here is the RN from the bug notes:
Symptom:
Hosts directly connected to an ASA 5505 might be unable to resolve the MAC address of the ASA's interface. The directly connected devices will send arp requests but will receive no response from the firewall. The problem is that the ASA switchport is dropping the broadcast packets.
The output of 'show controller E0/x' (where x is the switchport that the device is plugged into) will show the counter 'In Filtered:' is increasing corresponding to the arp requests.
Conditions:
The firewall must be an ASA 5505 model; other ASA models and PIX models are not affected by this problem.
Enabling multicast, and then disabling it will cause the problem. Below is an example showing multicast being enabled, then disabled:
ciscoasa(config)# multicast-routing
ciscoasa(config)# no multicast-routing
After doing this, the ASA will not respond to ARP requests directed at its interface IPs.
Workaround:
Do one of the following:
1) Statically program the ARP entry in the adjacent devices. Once this is done, IP traffic will flow through the firewall normally.
2) Reboot the firewall.
If internal users are not able to reach the webserver using its internal address and RDC via the internal address, then I believe the problem is with the webserver.
-KS
01-15-2011 09:15 AM
I think that it was 8.2.3 but I may be wrong. I am not at the office at the moment, but when I go in I will verify which it was. I already completed the downgrade process. However, I do remember there being only a single upgrade option (from within the ASDM interface).
On one of the ASAs there is only a single port in use so the servers are not directly connected to the ASA per se (It is connected to a Catalyst 2960 to which the servers are directly connected). What I find strange is that if I unplug this ASA everything works fine and when I plug it in again the error (unable to communicate with the domain controller machine) shows up.
I was reading another thread about hairpinning. Are you familiar with this and if so do you think that it could be an issue here?
Thanks for your assistance to this point. Once I get to the office I will let you know what the results of your suggestions are.
Regards,
Quincy.
01-17-2011 12:52 PM
Hello,
Just to follow up on the discussion from Saturday. I am presently running ASA 8.2.2 and I did attempt to upgrade to 8.3 and not 8.2.3.
What I have found today is that both ASA devices seem to be responding to ARP requests for the hosts that I am having trouble communicating with.
I realised this by checking the local ARP cache on the machine that I am using. Attached below is the ARP cache of the machine that I am using.
****************ARP LOCAL MACHINE 192.168.10.40****************
C:\Users\quincy.prentice>arp -a
Interface: 192.168.10.40 --- 0xb
Internet Address Physical Address Type
192.168.10.1 00-21-d8-01-72-5b dynamic
192.168.10.2 00-21-d8-01-72-5b dynamic
192.168.10.4 00-13-72-a7-59-9e dynamic
192.168.10.6 00-11-43-d6-8b-cd dynamic
192.168.10.7 00-1e-4f-1f-ce-75 dynamic
192.168.10.8 00-19-b9-f9-ba-99 dynamic
192.168.10.10 00-19-b9-c5-20-8f dynamic
192.168.10.11 00-19-b9-f9-b7-53 dynamic
192.168.10.12 00-1d-09-6c-a7-5f dynamic
192.168.10.17 00-00-aa-93-96-f0 dynamic
192.168.10.23 6c-62-6d-0e-e8-1e dynamic
192.168.10.29 00-27-0d-dc-c8-f2 dynamic
192.168.10.39 00-13-72-a6-c8-17 dynamic
192.168.10.121 00-09-6b-3a-22-ac dynamic
192.168.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
Of interest are the first two entries for 192.168.10.1 and 192.168.10.2 respectively. I realize that they have the same MAC address.
192.168.10.1 is the IP of the ASA 5505.
I did some checking and the MAC address of the server at 192.168.10.2 is actually 00:19:b9:c3:36:17.
A similar thing is happening with the other ASA 5505 and the web server. On the requests that are unsuccessful the IP of the web server (192.168.10.10) resolves to the MAC of the ASA ( 00:27:0d:dc:c8:f2). On the requests that are successful the IP of the web server resolves to the correct (its own) MAC address (00:19:B9:C5:20:8F).
******************ARP LOCAL MACHINE -- WEB SERVER REQUEST *********************
*******UNSUCCESSFUL REQUEST******************
C:\Windows\system32>arp -a
Interface: 192.168.10.40 --- 0xb
Internet Address Physical Address Type
192.168.10.1 00-21-d8-01-72-5b dynamic
192.168.10.2 00-21-d8-01-72-5b dynamic
192.168.10.3 00-1e-c9-35-23-38 dynamic
192.168.10.6 00-11-43-d6-8b-cd dynamic
192.168.10.7 00-1e-4f-1f-ce-75 dynamic
192.168.10.8 00-19-b9-f9-ba-99 dynamic
192.168.10.10 00-27-0d-dc-c8-f2 dynamic
192.168.10.11 00-19-b9-f9-b7-53 dynamic
192.168.10.12 00-1d-09-6c-a7-5f dynamic
192.168.10.17 00-00-aa-93-96-f0 dynamic
192.168.10.23 6c-62-6d-0e-e8-1e dynamic
192.168.10.56 00-1a-a0-e4-07-f3 dynamic
192.168.10.121 00-09-6b-3a-22-ac dynamic
192.168.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
**************SUCCESSFUL REQUEST*******************************
C:\Windows\system32>arp -a
Interface: 192.168.10.40 --- 0xb
Internet Address Physical Address Type
192.168.10.1 00-21-d8-01-72-5b dynamic
192.168.10.2 00-21-d8-01-72-5b dynamic
192.168.10.3 00-1e-c9-35-23-38 dynamic
192.168.10.6 00-11-43-d6-8b-cd dynamic
192.168.10.7 00-1e-4f-1f-ce-75 dynamic
192.168.10.8 00-19-b9-f9-ba-99 dynamic
192.168.10.10 00-19-b9-c5-20-8f dynamic
192.168.10.11 00-19-b9-f9-b7-53 dynamic
192.168.10.12 00-1d-09-6c-a7-5f dynamic
192.168.10.17 00-00-aa-93-96-f0 dynamic
192.168.10.23 6c-62-6d-0e-e8-1e dynamic
192.168.10.56 00-1a-a0-e4-07-f3 dynamic
192.168.10.121 00-09-6b-3a-22-ac dynamic
192.168.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
C:\Windows\system32>
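The check KS asked for (does the ARP cache show the right MAC for the gateway and the servers?) and the comparison Quincy did by hand across the two `arp -a` dumps can be scripted. The following is an added example, not code from the thread or from Cisco: it parses Windows `arp -a` output, lists IPs that share a MAC, and compares resolved MACs against a known-good table. The sample input is constructed to mirror the posted caches (ASA at 192.168.10.1, domain controller at .2, web server at .10); the known-good MACs for .2 and .10 are the ones Quincy reported.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `arp -a` output posted in the thread and
# trimmed to the rows that matter. Row .2 shows the symptom: it carries the
# same MAC as the gateway row .1 instead of the server's own MAC.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.10.40 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-21-d8-01-72-5b     dynamic
  192.168.10.2          00-21-d8-01-72-5b     dynamic
  192.168.10.4          00-13-72-a7-59-9e     dynamic
  192.168.10.10         00-19-b9-c5-20-8f     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Known-good MACs (from the thread): the DC/file server and the web server.
KNOWN_GOOD = {
    "192.168.10.2": "00:19:b9:c3:36:17",
    "192.168.10.10": "00:19:b9:c5:20:8f",
}

# One `arp -a` row: IPv4, MAC in dash or colon form, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def ip_key(ip):
    """Sort key so 192.168.10.10 sorts after 192.168.10.2, not before it."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp_a(text):
    """Return {ip: mac} for dynamic entries only, MAC normalised to lowercase colon form.

    Static broadcast/multicast rows are skipped: those legitimately repeat
    group MACs and would only produce noise in the duplicate check.
    """
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac, entry_type = m.groups()
        if entry_type.lower() != "dynamic":
            continue
        table[ip] = mac.lower().replace("-", ":")
    return table


def shared_macs(table):
    """Map each MAC that appears for more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ip_key) for mac, ips in by_mac.items() if len(ips) > 1}


def resolving_to_gateway(table, gateway_ip):
    """IPs other than the gateway whose cached MAC equals the gateway's MAC."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted((ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip), key=ip_key)


def check_expected(table, expected):
    """Return (ip, expected_mac, seen_mac) for every cached entry that disagrees with the known-good table."""
    mismatches = []
    for ip, good_mac in expected.items():
        seen = table.get(ip)
        if seen is not None and seen != good_mac.lower():
            mismatches.append((ip, good_mac.lower(), seen))
    return mismatches


if __name__ == "__main__":
    cache = parse_arp_a(SAMPLE_ARP_OUTPUT)
    for mac, ips in shared_macs(cache).items():
        print(f"MAC {mac} is cached for {len(ips)} IPs: {', '.join(ips)}")
    for ip in resolving_to_gateway(cache, "192.168.10.1"):
        print(f"{ip} currently resolves to the gateway's MAC")
    for ip, good, seen in check_expected(cache, KNOWN_GOOD):
        print(f"{ip}: expected {good}, cache has {seen}")
```

Run it against a real `arp -a` capture (for example by reading the command's output from a file into `parse_arp_a`) both during a failed request and during a successful one; a server IP that flips between its own MAC and the gateway's MAC between the two runs points at the neighbour-resolution problem discussed above rather than at the server itself.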