09-03-2013 01:35 PM - edited 03-11-2019 07:33 PM
Our network has slowed to a crawl and upon investigation it looks as if the ASA5505 is blocking returning traffic. The syslog is full of these from legitimate sites:
2013-08-30 16:58:01 local4.critical 192.168.1.254 Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK on interface outside
2013-08-30 16:58:03 local4.critical 192.168.1.254 Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK on interface outside
I'm not really sure where to go next so any help would be appreciated.
We are also using Websense. I have a 'filter except' exception for the above examples (207.131.246.15) for both http and https. I have also reduced MTU to 1472 on the outside just to test. I also upgraded from 256 to 512 memory thinking maybe it was being stressed.
It seems to work for a while and then out of nowhere shuts everyone down from wherever they are browsing and then about 20 seconds to a minute later it starts up again.
I'm not really sure where to go next.
I have attached (what I hope is) a scrubbed config.
Thank you.
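The two syslog lines above are worth reading carefully before changing anything else on the box. %ASA-2-106001 is the ASA's "no matching connection" denial: a TCP segment arrived on the outside interface, the packet was not a SYN, and the firewall found no entry for the flow in its connection table. Segments with PSH ACK or ACK set, coming from a server port such as 80 and going to a high client port, are the back half of a conversation the firewall has already lost track of (a timed-out or torn-down connection, or a flow whose outbound half went out another path, which is the asymmetric-routing case), not an attack from the remote site. Genuine inbound probes look different: they carry SYN and are counted under a different message ID. The following script is an added example written for this thread, not code posted by the original author or shipped with the ASA. It parses 106001 lines in the exact format shown above, separates "out-of-state return traffic" from other denials, and tallies them per remote host so the sites that appear to be "blocked" stand out. The log lines inside the block are constructed to match the post's format and use documentation addresses; the classification thresholds (source port below 1024, destination port 1024 or above) are an assumption that fits ordinary web browsing, not a rule from Cisco.

```python
import re
from collections import Counter

# Matches the body of an ASA 106001 message as it appears in the post, after
# the syslog relay prefix. The destination is allowed to be a scrubbed
# placeholder like aaa.bbb.ccc.xxx as well as a dotted-quad address.
LINE_RE = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

# Constructed sample, not taken from the thread: three return segments from
# one web server, two real SYN probes from another host, and one unrelated
# message ID that the parser must ignore.
SAMPLE_LOG = [
    "Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from "
    "198.51.100.20/80 to 203.0.113.10/46099 flags PSH ACK on interface outside",
    "Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from "
    "198.51.100.20/80 to 203.0.113.10/31820 flags ACK on interface outside",
    "Aug 30 2013 16:53:41: %ASA-2-106001: Inbound TCP connection denied from "
    "198.51.100.20/443 to 203.0.113.10/52011 flags FIN ACK on interface outside",
    "Aug 30 2013 16:53:42: %ASA-2-106001: Inbound TCP connection denied from "
    "192.0.2.77/41233 to 203.0.113.10/3389 flags SYN on interface outside",
    "Aug 30 2013 16:53:43: %ASA-2-106001: Inbound TCP connection denied from "
    "192.0.2.77/41234 to 203.0.113.10/22 flags SYN on interface outside",
    "Aug 30 2013 16:53:44: %ASA-6-302014: Teardown TCP connection 12345 for "
    "outside:198.51.100.20/80 to inside:192.168.1.50/46099 duration 0:00:30",
]


def parse_106001(line):
    """Return a dict for a 106001 line, or None for any other message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())  # e.g. {"PSH", "ACK"}
    return rec


def is_out_of_state_return(rec):
    """True when the denied segment looks like the server half of a client
    connection the firewall has already forgotten: ACK set, no SYN, coming
    from a well-known server port to an ephemeral client port.
    (Port thresholds are an assumption, not an ASA rule.)"""
    return (
        "ACK" in rec["flags"]
        and "SYN" not in rec["flags"]
        and rec["sport"] < 1024
        and rec["dport"] >= 1024
    )


def summarize(lines):
    """Count denials per remote host, split into lost-state return traffic
    (the symptom described in the post) and everything else (real probes)."""
    returns, other = Counter(), Counter()
    for line in lines:
        rec = parse_106001(line)
        if rec is None:
            continue
        bucket = returns if is_out_of_state_return(rec) else other
        bucket[rec["src"]] += 1
    return returns, other


if __name__ == "__main__":
    returns, other = summarize(SAMPLE_LOG)
    print("Return traffic denied for lack of a connection entry (per server):")
    for host, n in returns.most_common():
        print(f"  {host:16} {n}")
    print("Other inbound denials (per source):")
    for host, n in other.most_common():
        print(f"  {host:16} {n}")
```

If the first list is dominated by the sites users are actually visiting, the firewall is dropping state for live flows and the fix lies in the path or in the connection table (timeouts, a second egress path, a capacity limit), not in access lists or Websense exceptions. If instead the second list is large, there is real inbound probing and the 106001 entries are the firewall doing its job.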
09-06-2013 06:11 AM
Are there all sites affected or only the one mentioned?
Do you have 2 uplinks and running into asymmetric routing error?
https://supportforums.cisco.com/docs/DOC-14491
Michael
Please rate all helpful posts
09-06-2013 08:09 AM
I looked for asymmetric routing. We have one other router attached to the internet but that just does VPN to a datacenter and has a specific route set up on the gateway for it. Nothing else should be getting to it other than the single IP address routed to it.
It seems to be affecting any IP address that needs a persistent connection. As an example, I had to download Chrome to a PC this morning and it kept losing the connection about 50% of the way through the download. So from my experiments, what I can tell is that it makes the first connection no problem, but it quickly dies after that and a new connection has to be made. Also, when this happens the IP address being accessed shows up in the "SYN Attack" list in ASDM. I have attached an image of the issue. The number one item on the list is a website we use all day long.