ASA hangs up after some time

prashantrecon
Level 1

Able to SSH to the firewall from a remote location, but after some time, when a command is executed, the firewall hangs.

Below are the version details:

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 7.1(1)52

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB


jebose
Level 1

Hi Prashant,

What do you do to regain access to the ASA? Is it only the SSH session that hangs, or does the ASA freeze?

Does the issue occur over SSH only?

regards,

Jesu Kumar Bose

Thanks for the reply.

When it freezes, I have to wait for 2-3 min; after that I can log in with SSH.

This behaviour also occurs from the LAN. At that time I cannot ping the ASA.

I will try by configuring telnet ....

Hi Prashant,

Telnet should be a good test to proceed with.

For SSH I would suggest regenerating the RSA keys and increasing the SSH timeout to 60.

cry key gen rsa mod 1024   // NOTE: this would regenerate all the keys in the ASA; other keys would get erased.

ssh timeout 60 // increase the SSH timeout; can be verified with sh run ssh.

If the issue persists, please collect the following additional outputs from a console session during the event.

show resource usage

show ssh sessions

show asp table socket

sh cpu/sh memory // to rule out a performance-based issue.

I did some bug scrubbing and we might be running into

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl77907

We had noticed this behaviour in the 8.2 IOS version before.

If possible, please share the sh tech output of the ASA collected during the event.

Regards,

Jesu Kumar Bose

Engineer-Customer Support(SECURITY)

Cisco Systems Inc.

E-Mail  : jebose@cisco.com

Hi Jesu,

Thanks for the reply.

I cannot configure and test telnet, as I manage this firewall remotely (over the internet by SSH). To do that I have to create an IPsec VPN.

One more thing: when this event occurs I cannot even ping my firewall (request time out).

I have sent the show tech output to your mail ID.

Output of the other commands:

show resource usage

Resource              Current         Peak      Limit        Denied Context

SSH                         2            2          5             0 System

Conns                       2           73     280000             0 System

Hosts                       2           22        N/A             0 System

show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username

0   202.x.202.x  2.0     IN   aes256-cbc sha1     SessionStarted   xxxx                                                                                     

                            OUT  aes256-cbc sha1     SessionStarted   xxxx

1   202.x.202.x  2.0     IN   aes256-cbc sha1     SessionStarted  xxxx                                                                                   

                            OUT  aes256-cbc sha1     SessionStarted   xxxx                                                                             

show asp table socket

Protocol  Socket    Local Address               Foreign Address         State

SSL       0000251f  192.168.1.1:443             0.0.0.0:*               LISTEN

SSL       00005d0f  14.x.90.x:443           0.0.0.0:*               LISTEN

TCP       0000ce6f  14.x.90.x:22            0.0.0.0:*               LISTEN

TCP       001aee28  14.x.90.x:22            202.x.202.x:50318    ESTAB

TCP       001b6a08  14.x.90x:.22            202.x.202.x:50512    ESTAB

sh memory

Free memory:      1882253576 bytes (88%)

Used memory:       265230072 bytes (12%)

-------------     ----------------

Total memory:     2147483648 bytes (100%)

Regards,

Prashant

Good Morning Prashant,

This is what I noticed in the sh tech and the requested outputs.

sh asp table socket - shows we are listening on port 22

show resource usage - we have not maxed out of SSH sessions.

sh tech  - the ASA is not displaying any performance-related issues.

ssh timeout 20 -- Would suggest changing this to 60.

I think we might be running into the following caveat.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf01287

To confirm the same, I would suggest following this action plan.

1. Add captures on the ASA's outside interface

    cap 1 interface outside match tcp any any eq 22

2. Take simultaneous syslogs.

3. Verify if asa is resetting the connection.

While doing the bug scrubbing I found several caveats related to SSH in the 8.2 IOS version, and

I am sure upgrading the ASA to the latest interim of the code should fix this.

Regards,

Jesu Kumar Bose
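
The two checks made in the reply above (a listener on port 22, SSH sessions below the limit), as an added example that is not part of the original thread: a Python parser for saved `show resource usage` and `show asp table socket` output. The sample text is constructed, modelled on the outputs posted earlier with documentation addresses substituted, and the function names are hypothetical.

```python
# Constructed sample modelled on the outputs posted in the thread
# (addresses replaced with documentation ranges).
RESOURCE_USAGE = """\
Resource              Current         Peak      Limit        Denied Context
SSH                         2            2          5             0 System
Conns                       2           73     280000             0 System
Hosts                       2           22        N/A             0 System
"""
ASP_SOCKETS = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       0000251f  192.168.1.1:443             0.0.0.0:*               LISTEN
TCP       0000ce6f  198.51.100.10:22            0.0.0.0:*               LISTEN
TCP       001aee28  198.51.100.10:22            203.0.113.7:50318       ESTAB
TCP       001b6a08  198.51.100.10:22            203.0.113.7:50512       ESTAB
"""

def parse_resource_usage(text):
    """Map resource name -> counters; a limit of N/A becomes None."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0] != "Resource":  # skip header and odd rows
            rows[f[0]] = {"current": int(f[1]), "denied": int(f[4]),
                          "limit": None if f[3] == "N/A" else int(f[3])}
    return rows

def parse_sockets(text):
    """Return (protocol, local_port, state) per row; skip unparsable rows."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] == "Protocol":
            continue
        port = f[2].rsplit(":", 1)[-1]
        if port.isdigit():  # hand-masked addresses can break the port field
            socks.append((f[0], int(port), f[4]))
    return socks

def ssh_triage(resource_text, socket_text):
    """Summarise the two checks: listener on TCP/22 and session headroom."""
    ssh = parse_resource_usage(resource_text)["SSH"]
    states = [s for p, port, s in parse_sockets(socket_text)
              if p == "TCP" and port == 22]
    return {
        "listening": "LISTEN" in states,
        "established": states.count("ESTAB"),
        "sessions_exhausted": ssh["limit"] is not None and ssh["current"] >= ssh["limit"],
        "denied_seen": ssh["denied"] > 0,
    }
```

A nonzero `denied_seen` or a true `sessions_exhausted` points at the session limit; when both are clear and the listener is present, as here, the cause has to be looked for elsewhere (captures, syslogs, the path to the device).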

Hi Jesu,

Thanks for your time.

At last I have already opened a TAC case with Cisco.

They suggested first checking at the ISP side.

For test purposes I have connected a laptop directly to the ISP modem.

And I am getting packet drops at some intervals.

Let the ISP resolve this issue, then we move to the firewall side.

Thanks a lot

Prashant

Hi Prashant,

Thanks for the update.

Let me know if you require further assistance.

Regards,

Jesu Kumar Bose

Thanks a lot, Jesu.

Hi Jesu,

The issue was on the ISP side; they were using a modem for internet (so there was latency and drops on the link).

The ISP changed the modem and now everything is working fine.

Thanks for your support.
