cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2678
Views
0
Helpful
5
Replies

ASA 5505 Connection Reset Issue

qprentice
Level 1
Level 1

Hello All,

    I am experiencing an issue with two ASA 5505 devices that I have on my network. 

The devices are both running version 8.2.2 OS.

With one of the devices anytime it is connected to the network I am unable to communicate with one of the hosts in particular.  This is very strange since the host in question does not have to have the ASA 5505 set as its gateway for the issue to occur.

With the second ASA 5505 I realize that anytime that a host uses the ASA 5505 as its default gateway frequent connection resets occur.   For instance I have a web server that uses the ASA 5505 as its gateway and there are frequent connection resets (This is indicated by the an error message in the web browser) when browsing sites hosted on the web server.   This issue only occurs with internal clients. Clients browsing to the websites using the external interface do not have this issue.

Thank you in advance,

Quincy.

5 Replies 5

Kureli Sankar
Cisco Employee
Cisco Employee

When the problem happens, have you looked at the arp cache on the webserver? Does that show the GW of the ASA505 and its MAC address
at it should?

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk27085

You are running a code where this defect is resolved.

When the problem is happening need to gather the following:

1. ping from the webserver to the ASA

2. ping form the ASA to the webserver

3. sh arp on the ASA

4. sh arp on the webserver

5. what do you do to resolve the issue? or does it resolve on its own?

6. collect wireshark capture on the server and see what might be going on when it has the problem.

7. capture on the ASA would help as well

cap capin int inside match ip host x.x.x.x any

where x.x.x.x is the ip address of the server. You can issue " sh cap capin det" to view the capture.

you can save it as a .pcap file with this command https://ip_address_of_the_asa/capture/capin/pcap

-KS

Hi,

I tried to access the Bug Toolkit but I got an error message indicating that my guest login is not permitted to use the toolkit.

Are you saying that this is a known issue that has already been resolved?   I tried to upgrade to 8.2.3 but after I did the upgrade I got an error message saying that I did not have enough memory (I only have 256MB installed) to run the new OS.  Is there an alternative OS that can be used that does not require the memory upgrade?

In the case of the web server I normally press F5 (to refresh the page) a few times and it eventually comes up.  However, this is not good for internal end users who may not have the same level of patience or knowledge and will just think that the website is down.  Moreover, the second server that I am having the issue with is a domain controller/File server and it is causing serious issues with respect to communicating with it.   I have been unable to connect to any of my shares and I am unable to connect using remote desktop.

Thank you,

Quincy.

If you are running 8.2 and upgraded to 8.2.3 - it should not require additonal memory.

Are you sure you didn't upgrade to 8.3.2?


Only 8.3 requires additional memory.  If so pls. downgrade using the "downgrade" command.

downgrade /noconfirm disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/d2.html#wp2002627

Here is the RN from the bug notes:

Symptom:

Hosts directly connected to an ASA 5505 might be unable to resolve the MAC address of the ASA's interface. The directly connected devices will send arp requests but will receive no response from the firewall. The problem is that the ASA switchport is dropping the broadcast packets.

The output of 'show controller E0/x' (where x is the switchport that the device is plugged into) will show the counter 'In Filtered:' is increasing corresponding to the arp requests.

Conditions:

The firewall must be an ASA 5505 model; Other ASA models and any Pix model is not affected by this problem.

Enabling multicast, and then disabling it will cause the problem. Below is an example showing multicast being enabled, then disabled:

ciscoasa(config)# multicast-routing
ciscoasa(config)# no multicast-routing

After doing this, the asa will not respond to arp requests directed at its interface ip's.

Workaround:

Do one of the following:
1) Statically program the ARP entry in the adjacent devices. Once this is done, IP traffic will flow through the firewall normally.
2) Reboot the firewall.


If internal users are not able to reach the webserver using its internal address and rdc via the internal address then, I beleive the problem is with the webserver.

-KS

I think that it was 8.2.3 but I may be wrong.  I am not at the office at the moment, but when I go in I will verify which it was.  I already completed the downgrade process.  However, I do remember there being only a single upgrade option (from within the ASDM interface).

On one of the ASAs there is only a single port in use so the servers are not directly connected to the ASA per se (It is connected to a Catalyst 2960 to which the servers are directly connected). What I find strange is that if I unplug this ASA everything works fine and when I plug it in again the error (unable to communicate with the domain controller machine) shows up. 

I was reading another thread about hairpinning.  Are you familiar with this and if so do you think that it could be an issue here? 

Thanks for your assistance to this point.  Once I get to the office I will let you know what the results of your suggestions are.

Regards,

Quincy.

Hello,

   Just to follow up on the discussion from Saturday.   I am presently running ASA 8.2.2 and I did attempt to upgrade to 8.3 and not 8.2.3.

What I have found today is that both ASA devices seem to be responding to ARP requests for the hosts that I am having trouble communicating with.

I realised this by checking the local ARP cache on the machine that I am using.  Attached below is the ARP cache of the machine that I am using.

****************ARP LOCAL MACHINE 192.168.10.40****************

C:\Users\quincy.prentice>arp -a

Interface: 192.168.10.40 --- 0xb

  Internet Address      Physical Address      Type

  192.168.10.1          00-21-d8-01-72-5b     dynamic

  192.168.10.2          00-21-d8-01-72-5b     dynamic

  192.168.10.4          00-13-72-a7-59-9e     dynamic

  192.168.10.6          00-11-43-d6-8b-cd     dynamic

  192.168.10.7          00-1e-4f-1f-ce-75     dynamic

  192.168.10.8          00-19-b9-f9-ba-99     dynamic

  192.168.10.10         00-19-b9-c5-20-8f     dynamic

  192.168.10.11         00-19-b9-f9-b7-53     dynamic

  192.168.10.12         00-1d-09-6c-a7-5f     dynamic

  192.168.10.17         00-00-aa-93-96-f0     dynamic

  192.168.10.23         6c-62-6d-0e-e8-1e     dynamic

  192.168.10.29         00-27-0d-dc-c8-f2     dynamic

  192.168.10.39         00-13-72-a6-c8-17     dynamic

  192.168.10.121        00-09-6b-3a-22-ac     dynamic

  192.168.10.255        ff-ff-ff-ff-ff-ff     static

  224.0.0.22            01-00-5e-00-00-16     static

  224.0.0.252           01-00-5e-00-00-fc     static

  239.255.255.250       01-00-5e-7f-ff-fa     static

Of interest are the first two entries for 192.168.10.1 and 192.168.10.2 respectively.  I realize that they have the same MAC address. 

192.168.10.1 is the IP of the ASA 5505.

I did some checking and the MAC address of the server is 192.168.10.2 is actually 00:19:b9:c3:36:17.

A similar thing is happening with the other ASA 5505 and the web server.  On the requests that are unsuccessful the IP of the web server (192.168.10.10) resolves to the MAC of the ASA ( 00:27:0d:dc:c8:f2).  On the requests that are successful the IP of the web server resolves to the correct (its own) MAC address (00:19:B9:C5:20:8F).

******************ARP LOCAL MACHINE -- WEB SERVER REQUEST *********************

*******UNSUCCESSFUL REQUEST******************

C:\Windows\system32>arp -a

Interface: 192.168.10.40 --- 0xb

  Internet Address      Physical Address      Type

  192.168.10.1          00-21-d8-01-72-5b     dynamic

  192.168.10.2          00-21-d8-01-72-5b     dynamic

  192.168.10.3          00-1e-c9-35-23-38     dynamic

  192.168.10.6          00-11-43-d6-8b-cd     dynamic

  192.168.10.7          00-1e-4f-1f-ce-75     dynamic

  192.168.10.8          00-19-b9-f9-ba-99     dynamic

  192.168.10.10         00-27-0d-dc-c8-f2     dynamic  

  192.168.10.11         00-19-b9-f9-b7-53     dynamic

  192.168.10.12         00-1d-09-6c-a7-5f     dynamic

  192.168.10.17         00-00-aa-93-96-f0     dynamic

  192.168.10.23         6c-62-6d-0e-e8-1e     dynamic

  192.168.10.56         00-1a-a0-e4-07-f3     dynamic

  192.168.10.121        00-09-6b-3a-22-ac     dynamic

  192.168.10.255        ff-ff-ff-ff-ff-ff     static

  224.0.0.22            01-00-5e-00-00-16     static

  224.0.0.252           01-00-5e-00-00-fc     static

  239.255.255.250       01-00-5e-7f-ff-fa     static

**************SUCCESSFUL REQUEST*******************************

C:\Windows\system32>arp -a

Interface: 192.168.10.40 --- 0xb

  Internet Address      Physical Address      Type

  192.168.10.1          00-21-d8-01-72-5b     dynamic

  192.168.10.2          00-21-d8-01-72-5b     dynamic

  192.168.10.3          00-1e-c9-35-23-38     dynamic

  192.168.10.6          00-11-43-d6-8b-cd     dynamic

  192.168.10.7          00-1e-4f-1f-ce-75     dynamic

  192.168.10.8          00-19-b9-f9-ba-99     dynamic

  192.168.10.10         00-19-b9-c5-20-8f     dynamic

  192.168.10.11         00-19-b9-f9-b7-53     dynamic

  192.168.10.12         00-1d-09-6c-a7-5f     dynamic

  192.168.10.17         00-00-aa-93-96-f0     dynamic

  192.168.10.23         6c-62-6d-0e-e8-1e     dynamic

  192.168.10.56         00-1a-a0-e4-07-f3     dynamic

  192.168.10.121        00-09-6b-3a-22-ac     dynamic

  192.168.10.255        ff-ff-ff-ff-ff-ff     static

  224.0.0.22            01-00-5e-00-00-16     static

  224.0.0.252           01-00-5e-00-00-fc     static

  239.255.255.250       01-00-5e-7f-ff-fa     static

C:\Windows\system32>

Review Cisco Networking for a $25 gift card