08-18-2013 06:24 AM - edited 03-11-2019 07:27 PM
Hi All,
Has anyone faced a problem with their ASA5512 with the following behaviour?
The firewall hangs after a period of time, like 15 days and above, and requires a reboot. All interfaces are still pingable from either outside, inside & DMZ. However, site-to-site VPN & other functionality is not working. The firewall is not accessible from ASDM or SSH, but the console is working.
-FW# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
Compiled on Thu 09-May-13 16:20 PDT by builders
System image file is "disk0:/asa912-smp-k8.bin"
Config file at boot was "startup-config"
FW up 1 day 5 hours
Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
ASA: 2048 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0024
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is b0fa.eb97.39ea, irq 11
1: Ext: GigabitEthernet0/0 : address is b0fa.eb97.39ee, irq 10
2: Ext: GigabitEthernet0/1 : address is b0fa.eb97.39eb, irq 10
3: Ext: GigabitEthernet0/2 : address is b0fa.eb97.39ef, irq 5
4: Ext: GigabitEthernet0/3 : address is b0fa.eb97.39ec, irq 5
5: Ext: GigabitEthernet0/4 : address is b0fa.eb97.39f0, irq 10
6: Ext: GigabitEthernet0/5 : address is b0fa.eb97.39ed, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is b0fa.eb97.39ea, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: XXXXXXXXX
Running Permanent Activation Key: 0xf527cd6f 0x9438f324 0x0d813108 0xc5a07c10 0x 8a19c495
Configuration register is 0x1
Configuration has not been modified since last system restart.
FW#
I've just tried removing the preconfigured xlate config for testing purposes & will continue to monitor.
08-18-2013 10:51 PM
Hello Derict,
For this kind of issue, which requires grabbing several outputs at the time of the issue, I will recommend opening a TAC case. If that is not an option, go for the following output commands when the issue happens and post them here:
-show memory
-show cpu usage
-clear interface
-show interface | include errors
5 minutes later
-show interface | include errors
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-18-2013 11:19 PM
Hi Julio,
I only have the outputs prior to rebooting the firewall, as per below:
------------------ show memory ------------------
Free memory: 1543018512 bytes (72%)
Used memory: 604465136 bytes (28%)
------------- ------------------
Total memory: 2147483648 bytes (100%)
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 1%; 1 minute: 1%; 5 minutes: 1%
------------------ show interface ------------------
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address b0fa.eb97.39ee, MTU 1500
IP address 203.106.220.178, subnet mask 255.255.255.248
29690333 packets input, 5345029381 bytes, 1095562688 no buffer
Received 36078 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
45379500 packets output, 17904678063 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (3/0)
output queue (blocks free curr/low): hardware (456/438)
Traffic Statistics for "outside":
29690333 packets input, 4808533022 bytes
45379500 packets output, 17086360858 bytes
31514 packets dropped
1 minute input rate 1 pkts/sec, 94 bytes/sec
1 minute output rate 1 pkts/sec, 66 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 84 bytes/sec
5 minute output rate 0 pkts/sec, 49 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address b0fa.eb97.39eb, MTU 1500
IP address 10.10.100.10, subnet mask 255.255.255.192
725602 packets input, 179205020 bytes, 103099458 no buffer
Received 398960 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
334245 packets output, 87710880 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 206 collisions, 1 interface resets
737 late collisions, 1897 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (462/91)
output queue (blocks free curr/low): hardware (496/446)
Traffic Statistics for "inside":
725602 packets input, 165974237 bytes
334982 packets output, 82206259 bytes
370611 packets dropped
1 minute input rate 0 pkts/sec, 58 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 49 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 4
Interface config status is active
Interface state is active
Interface GigabitEthernet0/2 "dmz", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address b0fa.eb97.39ef, MTU 1500
IP address 30.30.30.29, subnet mask 255.255.255.252
41935416 packets input, 15056251264 bytes, 2540621364 no buffer
Received 3 broadcasts, 0 runts, 0 giants
15343 input errors, 0 CRC, 0 frame, 15343 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
28969597 packets output, 3437060437 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
1 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (448/0)
output queue (blocks free curr/low): hardware (449/444)
Traffic Statistics for "dmz":
41935343 packets input, 14222685374 bytes
28969597 packets output, 2873020428 bytes
568855 packets dropped
1 minute input rate 19 pkts/sec, 4318 bytes/sec
1 minute output rate 0 pkts/sec, 2 bytes/sec
1 minute drop rate, 19 pkts/sec
5 minute input rate 17 pkts/sec, 3884 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 17 pkts/sec
Control Point Interface States:
Interface number is 5
Interface config status is active
Interface state is active
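An added example, not part of any post in this thread: a small Python parser for `show interface` output in the format posted above. It extracts the no-buffer, overrun and late-collision counters and the negotiated duplex per interface, and can diff two snapshots taken a few minutes apart, as suggested earlier in the thread. The function names are this example's own, and the sample is a trimmed excerpt of the posted output.

```python
import re

# Counter regexes follow the "show interface" line formats posted in the thread.
PATTERNS = {
    "no_buffer": r"(\d+) no buffer",
    "overrun": r"(\d+) overrun",
    "late_collisions": r"(\d+) late collisions",
}
HEADER = re.compile(r'^Interface (\S+) "([^"]+)"', re.M)

def parse_show_interface(text):
    """Return {nameif: {counter: int, "duplex": str}}; a missing counter reads as 0."""
    result, parts = {}, HEADER.split(text)  # [pre, hw, nameif, body, hw, nameif, body...]
    for name, block in zip(parts[2::3], parts[3::3]):
        entry = {k: int(m.group(1)) if (m := re.search(p, block)) else 0
                 for k, p in PATTERNS.items()}
        d = re.search(r"\((Full|Half)-duplex\)", block)
        entry["duplex"] = d.group(1).lower() if d else "unknown"
        result[name] = entry
    return result

def delta(before, after):
    """Counter growth between two snapshots taken some minutes apart."""
    return {n: {k: after[n][k] - before[n][k] for k in PATTERNS}
            for n in after if n in before}

def findings(snapshot):
    """List interfaces whose duplex setting or counters deserve a closer look."""
    notes = []
    for name, c in snapshot.items():
        if c["duplex"] == "half":
            notes.append(f"{name}: half-duplex, {c['late_collisions']} late collisions")
        notes += [f"{name}: {c[k]} {k}" for k in ("overrun", "no_buffer") if c[k]]
    return notes

# Trimmed excerpt of the output posted above (inside and dmz interfaces only).
SAMPLE = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
  725602 packets input, 179205020 bytes, 103099458 no buffer
  737 late collisions, 1897 deferred
Interface GigabitEthernet0/2 "dmz", is up, line protocol is up
  Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
  41935416 packets input, 15056251264 bytes, 2540621364 no buffer
  15343 input errors, 0 CRC, 0 frame, 15343 overrun, 0 ignored, 0 abort
"""
if __name__ == "__main__":
    print("\n".join(findings(parse_show_interface(SAMPLE))))
```

Feed `delta()` the parsed output captured before and after the wait to see which counters are still climbing rather than reading lifetime totals.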