
ASA 5505 Intermittent Denies From Internal

moises.ruiz
Level 1

Hi,

I'm completely illiterate with Cisco appliances but I'm taking care of an ASA 5505 that is configured as a firewall and it has been working for the last years. All of a sudden we are experiencing intermittent connection problems from the workstations. You can be browsing the internet and suddenly you'll get a server not found error but you refresh it and it works. This is also intermittent; for no apparent reason it will start working normally again.

I am seeing a bunch of errors like this in the logs:

4  Mar 25 2013  14:34:49  106023  66.235.119.5     69.70.15.61  Deny icmp src outside:66.235.119.5 dst inside:69.70.15.61 (type 8, code 0) by access-group "inbound" [0x0, 0x0]
4  Mar 25 2013  14:41:07  106023  92.87.131.62     69.70.15.58  Deny tcp src outside:92.87.131.62/4153 dst inside:69.70.15.58/445 by access-group "inbound" [0x0, 0x0]
4  Mar 25 2013  14:45:46  106023  190.203.171.168  69.70.15.61  Deny tcp src outside:190.203.171.168/1092 dst inside:69.70.15.61/445 by access-group "inbound" [0x0, 0x0]

Could someone please help me understand what's happening and how I can fix the issue?

Remember that I'm a complete noob with Cisco appliances...

I've attached my current running config.


Jouni Forss
VIP Alumni

Hi,

To me the log messages displayed only seem like random scanning to your public IP addresses that the ASA firewall correctly denies according to its ACL attached to its "outside" interface. So these might not be related to the problem at all.

Then again, if there is so much traffic destined to your network and your servers that it's taking all the bandwidth, then naturally this might show as connection problems for your internal hosts.

Have you compared the bandwidth usage through the ASA to the actual bandwidth of your Internet connection? I imagine this would be the easiest to check through the ASDM's different graphs and statistics.

- Jouni
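The three denies quoted above are all outside-to-inside hits on the "inbound" access-group, which is why Jouni reads them as scanning noise rather than the cause of the browsing failures. As an added example that is not from this thread or from Cisco, here is a short Python script that parses ASA 106023 deny messages, groups them by interface direction and destination port, and pulls out any deny whose source interface is "inside", since those are the ones that could actually explain a workstation losing a web connection. The sample input is the three lines from the thread plus one constructed inside-to-outside line; the addresses 192.168.1.20 and 203.0.113.10 and the access-group name "inside_access" in that line are assumptions, not anything from the poster's config.

```python
import re
from collections import Counter

# Pattern for the body of ASA syslog 106023:
#   Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] ... by access-group "<acl>"
# ICMP denies carry "(type N, code M)" instead of ports, so both port groups are optional.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'.*?by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: the three rows quoted in the thread, plus one assumed
# inside-originated deny (IPs and ACL name "inside_access" are made up for illustration).
SAMPLE_LOG = """\
4 Mar 25 2013 14:34:49 106023 66.235.119.5 69.70.15.61 Deny icmp src outside:66.235.119.5 dst inside:69.70.15.61 (type 8, code 0) by access-group "inbound" [0x0, 0x0]
4 Mar 25 2013 14:41:07 106023 92.87.131.62 69.70.15.58 Deny tcp src outside:92.87.131.62/4153 dst inside:69.70.15.58/445 by access-group "inbound" [0x0, 0x0]
4 Mar 25 2013 14:45:46 106023 190.203.171.168 69.70.15.61 Deny tcp src outside:190.203.171.168/1092 dst inside:69.70.15.61/445 by access-group "inbound" [0x0, 0x0]
4 Mar 25 2013 14:50:02 106023 192.168.1.20 203.0.113.10 Deny tcp src inside:192.168.1.20/51000 dst outside:203.0.113.10/80 by access-group "inside_access" [0x0, 0x0]
"""


def parse_deny(line):
    """Return the fields of a 106023 deny as a dict, or None if the line is not one."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Group denies by (src_if, dst_if), count destination ports, and collect inside-sourced denies."""
    directions = Counter()
    dst_ports = Counter()
    inside_origin = []
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        directions[(d["src_if"], d["dst_if"])] += 1
        if d["dst_port"]:
            dst_ports[f'{d["proto"]}/{d["dst_port"]}'] += 1
        # Denies whose source is the inside interface are the ones that would
        # actually block a workstation's outbound browsing; the rest is inbound noise.
        if d["src_if"] == "inside":
            inside_origin.append(d)
    return {"directions": directions, "dst_ports": dst_ports, "inside_origin": inside_origin}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (src_if, dst_if), n in report["directions"].most_common():
        print(f"{src_if} -> {dst_if}: {n} denies")
    print("destination ports:", dict(report["dst_ports"]))
    for d in report["inside_origin"]:
        print(f'INSIDE-SOURCED deny: {d["src_ip"]} -> {d["dst_ip"]}:{d["dst_port"]} by ACL "{d["acl"]}"')
```

Run against a real ASDM or syslog export, a report showing only outside-to-inside denies (as in the thread, with tcp/445 dominating) supports Jouni's reading; any inside-sourced entries are the ones worth matching against the times the browsing failures were seen.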

Thanks Jouni,

Then I don't know what's going on; how can I check the bandwidth?

Would you have any other suggestions? Should I export the logs and put them here?

Hi,

I imagine you have taken those logs using the graphical user interface called ASDM.

The ASDM should already list all the ASA's interfaces in its default Home window. By clicking on the interface on the right-hand side of the Home view you should already see some statistics on the bandwidth usage on the ASA's interfaces. There should also be bandwidth graphs shown in the same Home view.

I don't really know if the logs will tell what the problem is.

You can always check that there are no errors on the physical ports of the devices you manage. You can also ask your ISP to confirm that there is no problem on your actual connection (perhaps they can even check your bandwidth usage).

- Jouni

Yes Jouni, I'm not comfortable with the commands of the ASA so I'm looking at the ASDM.

The traffic and the status all seem ok on the ASDM.

I did some tests now that the office is closed and I believe there has to be something in the ASA configuration.

I disconnected the switch and I plugged a computer directly into the same port of the ASA and I'm experiencing the same problem. I also tried some of the other ports in the ASA with the same result. It is also happening on the other interface of the ASA.

It's strange because it is so intermittent that the email server is not affected; it's just while browsing the web that sometimes it loses the connection, but a refresh of the page most of the time fixes it.

I've read on another post about somebody with similar symptoms (https://supportforums.cisco.com/message/3533593#3533593) and Julio suggested TCP state bypass, but I don't know what that would do, if it would help, and how to apply it. Any suggestions?

The worst thing is that it looks like it's getting worse. Last Monday the same thing happened but the issue resolved by itself around 11AM.

Any help would be greatly appreciated.
