ASA 5585-X stuck traffic blocked.
09-27-2018 03:46 AM - edited 02-21-2020 08:17 AM
Dear Experts,
We have an ASA 5585-X (Hardware: ASA5585-SSP-40, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 2 CPUs) used as an edge firewall to protect our datacenter.
The firmware version is:
Cisco Adaptive Security Appliance Software Version 9.4(4)5
Device Manager Version 7.9(1)
Compiled on Thu 30-Mar-17 21:52 PDT by builders
System image file is "disk0:/asa944-5-smp-k8.bin"
We also have an IPS module installed:
show module
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5585-X Security Services Processor-40 w  ASA5585-SSP-40     JAF1535DEGE
   1 ASA 5585-X IPS Security Services Processor-4 ASA5585-SSP-IPS40  JAF1525DALJ

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 7081.055a.3b24 to 7081.055a.3b2f  1.2          2.0(12)5     9.4(4)5
   1 e8b7.48fd.4dfc to e8b7.48fd.4e07  1.1          2.0(7)2      7.2(2)E4

Mod  SSP Application Name           Status           SSP Application Version
---- ------------------------------ ---------------- --------------------------
   1 IPS                            Up               7.2(2)E4

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
   1 Up                 Up
The ASA is configured in transparent mode and passes the traffic to the IPS:
policy-map ips_policy
 class ips_class
  ips inline fail-open
Last night the firewall got stuck and all traffic was blocked.
There was no response from the management interface or the console.
We restored normal operation with a hardware reboot.
The IOS is 9.4.4(5). We have scheduled an IOS upgrade to 9.8.2(20), but we are worried about this issue.
Do you have any suggestions for us?
Regards.
09-27-2018 03:56 AM
Hello,
Can you check the output of show crashinfo, if any? Usually these issues happen if the CPU is high enough for the device to stop responding. Or a memory leak, but ideally that would have caused the device to reboot. The CPU looks like a probable cause. If you have the syslogs from just before this happened, they could throw some light.
Maybe there was some abnormal traffic or a routing loop, etc.
If you have decided to upgrade, better go for a stable version. If you go to the cisco.com download page for the product, there is a star marked over the stable and recommended versions. Just checked and found that 9.8.2 is a recommended version, so better go for 9.8.2.38, which is the latest interim release.
HTH
AJ
09-27-2018 06:15 AM
Hi, thanks for your quick reply. I've added the crash.txt file downloaded from the firewall flash. To be honest, the file was created in June. It's not a fresh file, but if someone wants to analyze it I'd appreciate it.
The hang happened at 1:30 AM. During this period the CPU was very low. This is a graph of CPU utilization collected via SNMP:
We have now changed the configuration of how the firewall passes traffic to the IPS module. The current configuration is:
policy-map ips_policy
 class ips_class
  ips promiscuous fail-open
We have also updated the firmware, but we are worried about this blocking.
Can someone suggest something to us?
Thanks in advance.
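The two posts above carry the `show module` tables and the two variants of the IPS service policy (inline, then promiscuous). The following is an added example, not code from the original poster or from Cisco, showing how a monitoring job can parse that output and turn it into a checkable record: which slot holds the IPS, whether the module and its data plane report Up, and whether the policy puts the module in the forwarding path (`inline`) or only feeds it a copy of the traffic (`promiscuous`). The sample `show module` text is reconstructed from the first post with the fixed-width column alignment restored by hand, so the alignment is an assumption; the serials and version strings are the ones posted. The function names (`parse_show_module`, `parse_ips_policy`, `ips_health`) are this example's own.

```python
"""Parse an ASA 'show module' dump and the IPS service policy so the
module state and the inspection mode can be checked programmatically.
Added example for this thread, not the original poster's or Cisco's code."""
import re

# Constructed sample: the 'show module' output from the first post, with the
# fixed-width column alignment restored by hand (alignment is an assumption;
# serials and version strings are the ones posted).
SHOW_MODULE = """\
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5585-X Security Services Processor-40 w  ASA5585-SSP-40     JAF1535DEGE
   1 ASA 5585-X IPS Security Services Processor-4 ASA5585-SSP-IPS40  JAF1525DALJ

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 7081.055a.3b24 to 7081.055a.3b2f  1.2          2.0(12)5     9.4(4)5
   1 e8b7.48fd.4dfc to e8b7.48fd.4e07  1.1          2.0(7)2      7.2(2)E4

Mod  SSP Application Name           Status           SSP Application Version
---- ------------------------------ ---------------- --------------------------
   1 IPS                            Up               7.2(2)E4

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
   1 Up                 Up
"""

# The two service-policy variants quoted in the thread (inline first, then promiscuous).
POLICY_INLINE = """\
policy-map ips_policy
 class ips_class
  ips inline fail-open
"""
POLICY_PROMISCUOUS = POLICY_INLINE.replace("inline", "promiscuous")

IPS_LINE = re.compile(r"^\s*ips\s+(inline|promiscuous)\s+(fail-open|fail-close)\b", re.M)
RULE_LINE = re.compile(r"-+(?: +-+)*")


def _tables(text):
    """Yield (header_cells, [row_cells, ...]) for each dash-ruled table.

    Column boundaries come from the dashed rule line, so cells that contain
    spaces ('Up Sys', 'Not Applicable', MAC ranges) survive intact."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i == 0 or not RULE_LINE.fullmatch(line.rstrip()):
            continue
        starts = [m.start() for m in re.finditer(r"-+", line)]
        bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line

        def cut(s):
            return [s[a:b].strip() for a, b in bounds]

        rows = []
        for row in lines[i + 1:]:
            if not row.strip():
                break
            rows.append(cut(row))
        yield cut(lines[i - 1]), rows


def parse_show_module(text):
    """Merge every table into {module_number: {column: value}}.

    Later tables win on duplicate column names, so 'Status' ends up holding the
    module status from the final table rather than the SSP application status."""
    modules = {}
    for header, rows in _tables(text):
        for row in rows:
            cells = dict(zip(header, row))
            mod = cells.pop("Mod", "")
            if mod:
                modules.setdefault(mod, {}).update({k: v for k, v in cells.items() if v})
    return modules


def parse_ips_policy(config):
    """Return {'mode': inline|promiscuous, 'on_failure': fail-open|fail-close} or None."""
    m = IPS_LINE.search(config)
    return {"mode": m.group(1), "on_failure": m.group(2)} if m else None


def ips_health(show_module_text, policy_text):
    """Combine module state and policy into one record for a monitoring check."""
    modules = parse_show_module(show_module_text)
    slot = next((m for m, f in modules.items() if f.get("SSP Application Name") == "IPS"), None)
    fields = modules.get(slot, {})
    policy = parse_ips_policy(policy_text) or {}
    return {
        "ips_slot": slot,
        "module_status": fields.get("Status"),
        "data_plane": fields.get("Data Plane Status"),
        "ips_version": fields.get("Sw Version"),
        "mode": policy.get("mode"),
        "on_failure": policy.get("on_failure"),
        # inline puts the module in the forwarding path; promiscuous only sends it a copy
        "in_forwarding_path": policy.get("mode") == "inline",
        "module_ok": fields.get("Status") == "Up" and fields.get("Data Plane Status") == "Up",
    }


if __name__ == "__main__":
    for name, policy in (("inline", POLICY_INLINE), ("promiscuous", POLICY_PROMISCUOUS)):
        print(name, ips_health(SHOW_MODULE, policy))
```

Feeding the output of a scheduled `show module` into `ips_health` and alerting when `module_ok` flips to false, or when `in_forwarding_path` is true while the module is not Up, gives an early signal that is independent of the CPU graph the poster collected via SNMP. Deriving column boundaries from the dashed rule line rather than splitting on whitespace is what keeps multi-word cells such as `Up Sys` and `Not Applicable` in one piece.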
09-29-2018 11:19 PM
Hello,
Just checked the crashinfo file for any clear-text errors/indications, but it does not show anything unusual. The crashinfo needs to be decoded, which TAC can do. You can open a TAC case for detailed analysis and they can suggest a bug. But if you don't have that option somehow, I would recommend an upgrade as a quick fix. Chances are that if it's a software bug, it will be fixed.
HTH
AJ
