ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX AND FWSM

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar. Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 14, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Hi Poonguzhali,

I hope you can help me. I have an L2 WAN link with six sites. Five of the sites have 2900 routers and the sixth site was deployed with an ASA 5505; traditional IPSec is configured, with each site having a VPN tunnel to every other site. The ASA 5505 is able to connect to every site except one. When I ping from the ASA to the WAN interface of that router, 10.18.5.3, I get no response and there is no entry in the ARP table. However, when I ping from that router to the ASA, which is 10.18.5.6, I also do not get a response, but there is an entry in the ARP table.

When I debug ARP on the router I can see it responding to the ASA, but the ASA never seems to get the response or process it. This does not seem to be a service provider issue, because if I attach a laptop to the service provider's CPE I am able to ping 10.18.5.3. I have even put in another ASA (which can't be used as it does not have the required license) and I am able to ping 10.18.5.3. So I am thinking it may be configuration related, which I just can't see, or hardware related, which to me means it should not be able to connect to any site. I have even gone as far as to statically enter the ARP entry on the ASA and still no luck.

Any ideas?

You have pretty much done what I would have suggested. Not much left to do.

If you configure this port for vlan 2, connect a laptop to it and give it the IP address 10.18.5.5, would it be able to ping the vlan2 interface 10.18.5.6? Let me know.

conf t
interface Ethernet0/4
  switchport access vlan 2
  no shut

Also, issue "sh asp table routing | i identity" and make sure you see one for 10.18.5.6 (the vlan2 IP address). If it is missing then re-issue the ip address under the vlan2 interface.

-Kureli

Kureli, can you offer some assistance with my issue? Thanks. Your profile says Poonguzhali, so that's why I greeted you as such with my initial problem.

I did. You didn't see my posting from yesterday?

My first name is a very long name so, I made a short one out of the long name that I go by that people find very easy to say and spell.

-Kureli

Oh, I apologize, I must be blind. Thanks for responding. However, I am not able to do that without affecting the other site because all the IP addresses in the subnet are in use. I am able to ping 10.18.5.1, .2, .4, and .5 without any issues; I just can't get to 10.18.5.3. If I plug the WAN link into a laptop or another ASA, which we had at the time, I could ping all sites fine. It also does show up in the asp table:

PICA-BOSCOBEL# sh asp table routing
in   255.255.255.255  255.255.255.255 identity
in   127.0.0.1        255.255.255.255 identity
in   192.168.56.1     255.255.255.255 identity
in   10.18.5.6        255.255.255.255 identity
in   10.10.25.1       255.255.255.255 identity

I'm at a loss.

Kureli,

I did not have the opportunity that day to capture output. I had a few minutes between tasks to take a look at the firewall, but the project we were doing took precedence.

I realize that unit is EOL; it will be replaced shortly but still serves its purpose quite well.

Throughout the day I made multiple attempts to connect with the same results each time. Client software would go through Phase I and Phase II, showing connected. I know traffic flows to the firewall were good because we were being assigned an IP address from the units local pool along with other client data (DNS server addresses and route updates). For all practical purposes I considered the tunnel to be 'up' with the exception of the lacking connectivity to the remainder of the LAN.

To say the least it was strange behavior. I wish I had the time to capture more - would have been interesting to look at in detail now that the project is done.

Sascha,

I know what you mean! Many times we get cases seeking root cause analysis without much data. Everyone is in a panic, they reload the unit and erase all the forensics, and then ask for a root cause. In those cases we only wish we had a magic wand! If we have seen the issue in the past, we could at least give them a list of things that could have gone wrong to have caused the issue. In your case, although very interesting, none of the specialists whom I talked to have seen this issue. I guess this will be an unsolved mystery.

-Kureli

Kureli,

I completely understand. I was looking for an answer only if this was a known issue. I realize that once the evil 'reload' was confirmed all relevant data would be gone. Sad but true fact of life in a production environment. If I get another chance at it I will get debugs. Thanks for assisting.

  - Sascha

sding2006
Level 1

Hi Kureli

Is there any command/policy to limit TCP/UDP connections per IP address in FWSM or ASA/PIX? I am talking about a large number of IP addresses passing through the FWSM/ASA/PIX, so a per-static-NAT limitation will not scale.

Thanks,

Shiling

Oh absolutely! The command options differ between platforms.

Here it is for ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

access-list limit-traffic permit ip 10.10.10.0 255.255.255.0 any
class-map limit-conn
  match access-list limit-traffic
policy-map limit-traffic-policy
  class limit-conn
    set connection per-client-max 5
! the policy only takes effect once applied; the interface name "inside" is assumed here
service-policy limit-traffic-policy interface inside

Here it is for FWSM:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/s1.html#wp2723264

example:

access-list limit-traffic permit ip 10.10.10.0 255.255.255.0 any
class-map limit-conn
  match access-list limit-traffic
policy-map limit-traffic-policy
  class limit-conn
    set connection conn-max 256 conn-rate-limit 50 random-seq disable
! the policy only takes effect once applied; the interface name "inside" is assumed here
service-policy limit-traffic-policy interface inside


-KS

sding2006
Level 1

Can we limit every IP passing through the FWSM/ASA/PIX? For example, I have transparent mode on a context for an inside network (10.10.10.0/24); can we limit every IP in 10.10.10.0/24 to a certain connection limit? I know we can do an aggregate connection limit for the whole subnet by using identity NAT. But how about each IP in the 10.10.10.0/24 network?

Thanks,

Shiling

I tailored the previous post to your specs. On the ASA, yes, you can do per-client-max. On the FWSM, no, you cannot restrict per-client-max, but you can do conn-max. The difference is that per-client-max applies to each IP address or host that is listed in the ACL, while conn-max applies to all of them in the ACL combined.

-KS
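To make the distinction between the two limits concrete, here is an added Python simulation (not from the thread or from Cisco) that replays a constructed list of connection opens from the 10.10.10.0/24 subnet of the ACL above through an idealised limiter. A small aggregate budget of 10 is used instead of the thread's 256 so the effect is visible; connections are assumed to stay open for the whole replay.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Scope of the thread's "limit-traffic" ACL: sources in 10.10.10.0/24 to any destination.
LIMITED_SUBNET = ip_network("10.10.10.0/24")


def simulate(opens, per_client_max=None, conn_max=None):
    """Replay (src_ip, dst_ip) connection-open attempts through an idealised limiter.
    per_client_max models ASA 'set connection per-client-max' (a separate budget
    for each source matched by the ACL); conn_max models 'set connection conn-max'
    (one shared budget for every source matched by the ACL).
    Returns (accepted, denied); denied entries carry the limit that fired."""
    per_client = defaultdict(int)
    aggregate = 0
    accepted, denied = [], []
    for src, dst in opens:
        if ip_address(src) not in LIMITED_SUBNET:
            accepted.append((src, dst))  # not matched by the class-map: unlimited
            continue
        if per_client_max is not None and per_client[src] >= per_client_max:
            denied.append((src, dst, "per-client-max"))
            continue
        if conn_max is not None and aggregate >= conn_max:
            denied.append((src, dst, "conn-max"))
            continue
        per_client[src] += 1
        aggregate += 1
        accepted.append((src, dst))
    return accepted, denied


def denied_count(opens, **limits):
    return len(simulate(opens, **limits)[1])


# Constructed traffic: three inside hosts open 6, 4 and 2 connections; one host
# outside the ACL scope opens 3. Destinations are documentation addresses.
SAMPLE = ([("10.10.10.5", "198.51.100.1")] * 6 + [("10.10.10.6", "198.51.100.1")] * 4
          + [("10.10.10.7", "198.51.100.2")] * 2 + [("10.10.20.9", "198.51.100.1")] * 3)

if __name__ == "__main__":
    for name, limits in (("per-client-max 5", {"per_client_max": 5}),
                         ("conn-max 10", {"conn_max": 10})):
        acc, den = simulate(SAMPLE, **limits)
        print(f"{name}: accepted={len(acc)} denied={len(den)} {den}")
```

With per-client-max 5 only the host that opens six connections loses one; with conn-max 10 the two hosts that open first consume the shared budget and the third host is denied entirely, which is the behaviour to expect on the FWSM.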

Steve Coady
Level 1

Hello

I am learning this device and trying some configs. I have searched the web, but have not found a reason for the following:

I am creating an OBJECT-group network and wanted to use "network-object 10.3.4.5 255.255.255.0". However, I get the message

"network: IP address/mask <10.3.4.5/255.255.255.0> doesn't pair". What does this mean? At your earliest convenience.

Thanks

sMc

The reason is that you have

<10.3.4.5/255.255.255.0>

Please change it to <10.3.4.0/255.255.255.0>

If you need only a single host:

object-group network test
  network-object host 10.3.4.5

If you need a whole network:

object-group network test
  network-object 10.3.4.0 255.255.255.0

-Kureli

Poonguzhali

Thank you for the quick response.

sMc