05-14-2012 02:24 AM - edited 03-11-2019 04:06 PM
Hi Guys,
Actually we have two ASA 5520s in active/passive. We are losing random ICMP packets between hosts located on different ASA interfaces or zones, so random ICMP packets are lost when they cross the firewalls.
asa# sh interface | i errors
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
94 input errors, 0 CRC, 0 frame, 94 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 2 interface resets
2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
asa# show conn count
7924 in use, 7934 most used
asa# show resource usage
Resource Current Peak Limit Denied Context
SSH 2 2 5 0 System
ASDM 1 3 5 0 System
Syslogs [rate] 444 1295 N/A 0 System
Conns 7284 8000 280000 0 System
Xlates 2728 3063 N/A 0 System
Hosts 3155 3403 N/A 0 System
Conns [rate] 195 946 N/A 0 System
Inspects [rate] 20 280 N/A 0 System
asa# sh processes cpu-usage non-zero
PC Thread 5Sec 1Min 5Min Process
081a86c4 c91afa08 56.9% 45.1% 37.5% Dispatch Unit
08c15df6 c91a93a8 1.3% 1.3% 1.2% Logger
08190627 c91a4ec0 0.0% 0.1% 0.0% tmatch compile thread
084b6fa1 c91a40f8 0.3% 0.6% 0.6% IKE Daemon
083ccbfc c91a17a0 0.1% 0.1% 0.1% fover_health_monitoring_thread
08405637 c91a13b0 0.0% 0.1% 0.1% ha_trans_data_tx
085345ae c91a09d8 0.5% 0.3% 0.3% ARP Thread
088c038d c918f248 2.3% 2.2% 2.3% Unicorn Admin Handler
08bde96c c9189ba8 0.2% 0.4% 0.2% ssh
05-15-2012 09:42 AM
Hello Oscar,
Thanks for the information.
I think our best suggestion here would be to create captures on both interfaces on the ASA involved in this communication and then check all the packets captured on both interfaces.
Also do an ASP capture, which will show us all the packets being dropped by the ASA algorithm (Accelerated Security Path). We will need to see the ICMP packets in this list in order to make sure the ASA is the device causing the problem.
Regards,
Do rate all the helpful posts.
Julio
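The capture procedure suggested in the reply above, written out as ASA CLI commands. This is an added example, not part of the original posts; the interface names (inside, dmz), the host addresses and the capture names are assumptions to be replaced with the real ones.

```cisco
! Constructed values: interfaces "inside" and "dmz",
! test hosts 192.0.2.10 and 198.51.100.20.

! 1. Capture the ICMP flow on the ingress and the egress interface.
!    "match" captures both directions of the flow.
capture capin interface inside match icmp host 192.0.2.10 host 198.51.100.20
capture capout interface dmz match icmp host 192.0.2.10 host 198.51.100.20

! 2. Capture every packet dropped by the Accelerated Security Path.
!    The default capture buffer is 512 KB and fills quickly on a busy
!    firewall, so keep the test window short.
capture asp type asp-drop all

! 3. Reproduce the loss with a ping between the two hosts, then compare.
!    Seen in capin but not in capout: the packet was lost inside the ASA.
!    Missing from capin as well: it never reached the ASA data path.
show capture capin
show capture capout

! 4. Look for the lost ICMP packets among the ASP drops, and check
!    which drop-reason counters are increasing.
show capture asp | include 192.0.2.10
show asp drop

! 5. Remove the captures when finished.
no capture capin
no capture capout
no capture asp
```

A packet lost to an input overrun is dropped at the interface before it is captured, so it appears in neither capin nor the ASP drop capture; compare the overrun counters before and after the test as well.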