08-02-2024 01:59 PM
I have one ASA-5545 that occasionally stops functioning properly. L2L VPN tunnels stay up and work just fine, but inbound traffic fails. It is still possible to establish a connection with AnyConnect, but there is no connectivity via the connection. I usually reboot to get things working again as there isn't much time to troubleshoot when it is down.
The ASA is running 9.12(4)67, and the Firepower module is running 6.6.7.1. I have a few other ASAs running the same ASA OS, but they are still on Firepower version 6.6.5. They do not have the same problem.
Has anyone come across this? I'm wondering if it is the Firepower software. I saw there is a newer version available, but the fixes mentioned do not match what I'm seeing. I will apply it anyway.
08-02-2024 07:15 PM
@jaysoo hi, as you mentioned, try with the newer version. Also check the firewall logs to see why traffic is dropping. You can see if that is related to a Firepower restriction, an ASA ACL, or another reason.
08-02-2024 09:21 PM
I have seen all kinds of problems over the years, but it is hard to say which one you are running into.
What about outbound traffic? Does that work?
When you are having the problem, you may want to do a capture with the trace option:
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3020.pdf
Also, getting syslog during the event at warning level might show us something.
Also try the latest version to rule out any bugs. The bug descriptions or headers may not always indicate the problem clearly, as they are not always documented well.
08-05-2024 11:28 AM
Thanks for your reply.
I see a lot of syn timeouts during these events where legit connections are terminated. Also a lot of Reset-I and Reset-O. I had another episode today, and one on Saturday, but they both resolved without interaction from me. There was a spike in CPU utilization during that time.
I'm wondering whether this is a DoS type thing, or maybe a bug. I see some traffic from Stark Industries which is apparently some pro-Russian organization, but the volume doesn't seem to be sufficient to cause problems. They seem to be mostly trying to establish a VPN connection with brute force attacks. That's pretty common on all our firewalls.
I noticed a message I've never seen before on some lines: <snp_drop_none>. No idea what that means, and a search seems to indicate no one else does either. I don't know if it is relevant to this issue.
I also get a fair bit of this kind of thing: Aug 05 2024 12:24:51: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4728. That's not unusual though, I see that fairly often on all our firewalls.
I saw this bug listed by Cisco regarding TCP syn timeouts but it is for version 9.16: https://bst.cisco.com/bugsearch/bug/CSCvz55395?rfs=qvlogin
I'm running 9.12, so it is probably unrelated.
I appreciate any thoughts you might have.
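An added example (not from this thread or from Cisco) for making sense of the syslog collected during such an event: a small Python parser over constructed ASA syslog lines in the two formats quoted above, which tallies TCP teardown reasons (SYN Timeout, Reset-I, Reset-O) and, for the %ASA-4-733100 threat-detection message, works out which threshold actually tripped. It assumes the standard %ASA-6-302014 TCP teardown format; note that in the 733100 line quoted above the burst rate (8) is under its limit (10) and it is the average rate (7 against a configured 5) that fired.

```python
import re
from collections import Counter

# Constructed sample syslog in the two ASA message formats quoted in the thread
# (not the poster's real logs; addresses are from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Aug 05 2024 12:24:51: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4728
Aug 05 2024 12:24:52: %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.7/443 to inside:10.10.1.5/51234 duration 0:00:30 bytes 0 SYN Timeout
Aug 05 2024 12:24:53: %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.8/443 to inside:10.10.1.6/51235 duration 0:00:02 bytes 512 Reset-I
Aug 05 2024 12:24:54: %ASA-6-302014: Teardown TCP connection 1003 for inside:10.10.1.7/52000 to outside:198.51.100.9/22 duration 0:01:10 bytes 2048 Reset-O
Aug 05 2024 12:24:55: %ASA-6-302014: Teardown TCP connection 1004 for inside:10.10.1.8/52001 to outside:198.51.100.9/443 duration 0:05:00 bytes 9000 TCP FINs
"""

# 302014 (TCP teardown): the reason is the free text after the byte count.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection \d+ for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration \S+ bytes \d+ (?P<reason>[^(]+?)\s*(?:\(.*\))?$"
)
# 733100 (threat-detection rate exceeded), in the form the original poster quoted.
THREAT_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<category>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<average>\d+) per second, max configured rate is (?P<average_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


def summarize(log_text):
    """Count TCP teardown reasons and, for each 733100 message, record which
    threshold (burst, average, or both) was actually exceeded."""
    reasons = Counter()
    threat_events = []
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            reasons[m.group("reason")] += 1
            continue
        m = THREAT_RE.search(line)
        if m:
            ev = {k: int(v) for k, v in m.groupdict().items() if k != "category"}
            ev["category"] = m.group("category")
            # The message fires when either rate crosses its configured max.
            ev["tripped"] = [n for n in ("burst", "average") if ev[n] > ev[n + "_max"]]
            threat_events.append(ev)
    return {"teardown_reasons": reasons, "threat_events": threat_events}
```

Running the same summary over a quiet period and over an outage window shows whether the SYN Timeout and Reset-I/Reset-O counts actually change with the event, rather than being the normal background noise the poster describes.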
08-05-2024 12:28 PM
https://bst.cisco.com/bugsearch/bug/CSCsj40681?rfs=qvlogin
That explains a little of what happened.
The IPsec is flapping and this makes the ASA send Reset-I/-O for TCP connections.
Check the idle timeout suggested in the bug I shared.
MHM
08-05-2024 03:45 PM
Thanks, but the L2L stuff is fine. It is not affected by this issue. That bug is pretty ancient anyway, it's talking about PIX.
08-05-2024 03:59 PM
That is why I asked you to check the L2L VPN when the issue appears.
1- Check the TCP log: the Reset-I/-O you receive, is it for traffic secured by the L2L VPN?
2- Check show vpn-sessiondb l2l; check the lifetime of the IPsec SA, is it old or new?
When the L2L VPN is flapping, the ASA sends a huge number of TCP resets and this makes the CPU spike a little.
Check the above and update me.
So thanks
MHM
08-03-2024 04:52 AM
If it is only for the L2L VPN then let's check:
show crypto ipsec sa <<- we need to see if the decrypt count increases or not
MHM