ASA periodically stops passing some traffic

jaysoo
Level 1

I have one ASA-5545 that occasionally stops functioning properly. L2L VPN tunnels stay up and work just fine, but inbound traffic fails. It is still possible to establish a connection with AnyConnect, but there is no connectivity via the connection. I usually reboot to get things working again as there isn't much time to troubleshoot when it is down.

The ASA is running 9.12(4)67, and the Firepower module is running 6.6.7.1. I have a few other ASAs running the same ASA OS, but they are still on Firepower version 6.6.5. They do not have the same problem.

Has anyone come across this? I'm wondering if it is the Firepower software. I saw there is a newer version available, but the fixes mentioned do not match what I'm seeing. I will apply it anyway.

7 Replies

@jaysoo hi, as you mentioned, try the newer version. Also check the firewall logs to see why traffic is dropping. You can see whether it is related to a Firepower restriction, an ASA ACL, or another reason.

Please rate this and mark it as the solution/answer if this resolved your issue.
Good luck
KB

ccieexpert
Spotlight

I have seen all kinds of problems over the years, but it is hard to say which one you are running into.

What about outbound traffic? Does that work?

When you are having the problem, you may want to do a capture with the trace option:

https://community.cisco.com/t5/security-knowledge-base/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889


https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3020.pdf

Also, getting syslog at warning level during the event might show us something.

Also try the latest version to rule out any bugs. The bug descriptions or headers may not always indicate the problem clearly, as they are not always documented well.

Thanks for your reply.

I see a lot of SYN timeouts during these events where legitimate connections are terminated. Also a lot of Reset-I and Reset-O. I had another episode today, and one on Saturday, but they both resolved without interaction from me. There was a spike in CPU utilization during that time.

I'm wondering whether this is a DoS type thing, or maybe a bug. I see some traffic from Stark Industries which is apparently some pro-Russian organization, but the volume doesn't seem to be sufficient to cause problems. They seem to be mostly trying to establish a VPN connection with brute force attacks. That's pretty common on all our firewalls.

I noticed a message I've never seen before on some lines: <snp_drop_none>. No idea what that means, and a search seems to indicate no one else does either. I don't know if it is relevant to this issue.

I also get a fair bit of this kind of thing: Aug 05 2024 12:24:51: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4728. That's not unusual though, I see that fairly often on all our firewalls.

I saw this bug listed by Cisco regarding TCP SYN timeouts, but it is for version 9.16: https://bst.cisco.com/bugsearch/bug/CSCvz55395?rfs=qvlogin

I'm running 9.12, so it is probably unrelated.

I appreciate any thoughts you might have.
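As an added illustration (not code from this thread or from Cisco), the script below parses constructed ASA syslog lines in the %ASA-6-302014 teardown and %ASA-4-733100 threat-detection formats quoted above, counts SYN Timeout / Reset-I / Reset-O teardowns per minute so they can be lined up against the CPU spike window, and reports which threat-detection threshold (burst or average) actually tripped. The sample lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread); they follow the ASA
# %ASA-6-302014 connection-teardown and %ASA-4-733100 threat-detection formats.
SAMPLE_LOG = """\
Aug 05 2024 12:24:50: %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.0.0.5/51234 duration 0:00:30 bytes 0 SYN Timeout
Aug 05 2024 12:24:50: %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.11/443 to inside:10.0.0.6/51235 duration 0:01:12 bytes 4200 Reset-I
Aug 05 2024 12:24:51: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4728
Aug 05 2024 12:24:51: %ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.12/443 to inside:10.0.0.7/51236 duration 0:00:30 bytes 0 SYN Timeout
Aug 05 2024 12:25:03: %ASA-6-302014: Teardown TCP connection 1004 for inside:10.0.0.8/51237 to outside:203.0.113.13/443 duration 0:02:00 bytes 9001 Reset-O
"""

# Teardown reasons the thread singles out: half-open connections that never
# completed (SYN Timeout) and resets from the inside (-I) or outside (-O) peer.
WATCH_REASONS = {"SYN Timeout", "Reset-I", "Reset-O"}
TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}):\d{2}: "  # minute-resolution key
TEARDOWN_RE = re.compile(TS + r"%ASA-6-302014: Teardown TCP .* bytes \d+ (?P<reason>.+)$")
TD_RE = re.compile(
    TS + r"%ASA-4-733100: \[ ?(?P<category>[^\]]+)\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)")

def teardowns_per_minute(log):
    """Return {minute: Counter(reason)} for the watched teardown reasons."""
    per_minute = defaultdict(Counter)
    for line in log.splitlines():
        m = TEARDOWN_RE.match(line)
        if m and m["reason"] in WATCH_REASONS:
            per_minute[m["ts"]][m["reason"]] += 1
    return per_minute

def threat_detection_events(log):
    """Parse 733100 lines; the message prints both rates, so work out which one tripped."""
    events = []
    for line in log.splitlines():
        m = TD_RE.match(line)
        if not m:
            continue
        exceeded = []
        if int(m["burst"]) > int(m["burst_max"]):
            exceeded.append("burst")
        if int(m["avg"]) > int(m["avg_max"]):
            exceeded.append("average")
        events.append({"ts": m["ts"], "category": m["category"].strip(),
                       "exceeded": exceeded, "total": int(m["total"])})
    return events
```

Run it over a real `show logging` export or syslog archive instead of SAMPLE_LOG to see whether the teardown burst and the CPU spike share the same minutes.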


https://bst.cisco.com/bugsearch/bug/CSCsj40681?rfs=qvlogin

That explains a little of what happened: the IPsec is flapping, and this makes the ASA send Reset-I/-O for TCP connections.
Check the idle timeout suggested in the bug I shared.
MHM

Thanks, but the L2L stuff is fine. It is not affected by this issue. That bug is pretty ancient anyway, it's talking about PIX.

That is why I asked you to check the L2L VPN when the issue appears.

1- Check the TCP log where you receive Reset-I/-O: is it for traffic secured by the L2L VPN?

2- Check show vpn-sessiondb l2l and check the lifetime of the IPsec SA: is it old or new?

When the L2L VPN is flapping, the ASA sends a huge number of TCP resets, and this makes the CPU spike a little.

Check the above and update me.

So, thanks.

MHM

If it is only for the L2L VPN, then let's check:

show crypto ipsec sa <<- we need to see whether the decrypt count increases or not

MHM
