04-02-2007 09:33 AM - edited 03-11-2019 02:54 AM
We are experiencing an issue where once or twice a month our DSL connection takes a hit, and then the ASA5505 device will not function. In the past the only way to resolve this has been to shut the device down and then bring it back up about 10 minutes later. I thought it might be an ARP cache problem but it's not I tried clearing that and no luck. The ASA is using a static IP address and the connection is maintained by the DSL modem.
The activity light on the modem is flashing all the time as is the activity light on the outside interface of the ASA, but I can not access the ASA remotely via SSH or VPN. The configuration has not changed so Im not sure why this is occuring. Does anyone have any ideas, besides the obvious of convincing them to get a dedicated circuit?
04-02-2007 10:52 AM
Hi turlockpoker,
We would need to get some troubleshooting information from the time when you were having a problem. A good start is to get the syslogs and show tech output.
I would attempt to ping from the ASA to the default router and verify that is working. If not, then check L2 (is the ARP entry correct for next hop)? Clear arp, then re-try.
For outbound connections, do you see the connection built? If so, then check the conn flags ("show conn") to see if the connection completes or if you only see the SYN.
Finally, a packet capture on the outside would reveal more as to what is going on as well.
Sincerely,
David.
04-03-2007 05:05 PM
I will share that I have seen connection sessions exceed 10000 count on our asa5505, which caused the box, on 7.2.2 to require reboots about once/month. We upgraded to the interim release 7.2.2(8) and the problem stopped. We are currently running 7.2.2(14).
David is absolutely correct on conducting sniffer traces, and you can use the asa to capture packets on the interfaces and export them in pcap format for review in a protocol analyzer.
Next time you run into your problem, before you power cycle/reload your ASA, if you can console on to the box, do a show conn and check your sessions.
Hope this helps,
-Scott
04-03-2007 08:03 PM
The ASA's have software imposed connection limits. For the 5505 (without the Plus license) that is 10,000 as you saw. At that time you should get a syslog indicating the connection limit was reached. No new connections (over 10,000) will be allowed. All existing 10,000 connections would continue to work.
It sounds like you had a different issue whereby the connections were not getting torn down, resulting in the high conn count?
Sincerely,
David.
04-04-2007 08:02 AM
Agreed on the high connection count. I was sharing that this was a bug I found on code prior to 7.2.2(8) that caused our firewall to hang and require a reboot. Not sure if this problem was related to the original poster's problem, but his symptoms sounded similar (firewall no longer passes traffic after ~1 month).
04-04-2007 09:17 AM
This actually seems like it may be the issue, I am going to apply the interim build (18) and see if we experience it again.
04-24-2007 04:50 PM
I am having this same issue. However, when i logged in, i am having issued trying to find the correct ios version. Can you post the actual file name so i can do the advance search and dowload it from my cisco support.
Thanks,
Rick
04-24-2007 04:59 PM
sorry guys, already figured it out, just one of those days,
I have 7.2 (2) running with plus pack and still have the same issues you guys are seeing. once a month sometimes every 2 weeks or so.
so i am doing an upgade and see if that fixes the issue.
04-24-2007 06:53 PM
Once I updated the software I have not seen the issue again!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide