Re: Cisco ASA 5505 ver 8.2.1 connection drops and loss of connec

loskene16 · ‎04-19-2011

I just recently purchased a Cisco ASA 5505 ASA ver 8.2. I run a teamspeak server/ssh/dns and domain on the same server on the network. Before I switched to the asa, I have a regular DGL-4100 that ran with no issues. I have noticed that the connections are very unstable and disconnect frequently and when they do they take 1 to 5 minutes to be able to reconnect. I have done some cisco IOS but am fairly new to this.

Anyone know why this is happening? Below is my config off the device with ip's masked.

ASA Version 8.2(1)
!
hostname p-clvfsw1
domain-name XXXXXX.XX
enable password tFU encrypted
passwd encrypted
names
name 10.240.XXX.XXX P-CLVSRV1-125
name 10.240.XXX.XXX P-CLVSRV1-126
!
interface Vlan1
description to outside interface (CDE Lightband)
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan2
description to inside VLAN
nameif inside
security-level 100
ip address 10.240.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
description physical connection to CDE Gateway
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
banner motd
banner motd +-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +-+
banner motd
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server P-CLVSRV1-125
name-server P-CLVSRV1-126
domain-name gsdomain.us
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service Teamspeak-UDP udp
port-object eq 9987
object-group service Teamspeak-TCP tcp
port-object eq 10011
port-object eq 30033
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit udp any interface outside object-group T
eamspeak-UDP
access-list acl_outside extended permit tcp any interface outside object-group T
eamspeak-TCP
access-list acl_outside extended permit object-group TCPUDP any interface outsid
e eq domain
access-list acl_outside extended permit tcp any interface outside eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.240.XXX.XXX 255.255.255.0
static (inside,outside) udp interface 9987 P-CLVSRV1-126 9987 netmask 255.255.25
5.255
static (inside,outside) tcp interface 10011 P-CLVSRV1-126 10011 netmask 255.255.
255.255
static (inside,outside) tcp interface 30033 P-CLVSRV1-126 30033 netmask 255.255.
255.255
static (inside,outside) tcp interface domain P-CLVSRV1-125 domain netmask 255.25
5.255.255
static (inside,outside) udp interface domain P-CLVSRV1-125 domain netmask 255.25
5.255.255
static (inside,outside) tcp interface ssh P-CLVSRV1-125 ssh netmask 255.255.255.
255
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Remote_VPN protocol nt
aaa-server Remote_VPN (inside) host P-CLVSRV1-125
nt-auth-domain-controller 10.240.XXX.XXX
aaa-server Remote_VPN (inside) host 10.240.XXX.XXX
nt-auth-domain-controller 10.240.XXX.XXX
http server enable
http 10.240.XXX.XXX 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns P-CLVSRV1-125 P-CLVSRV1-126
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain gsdomain.us
!
dhcpd address 10.240.XXX.X-10.240.XXX.XXX inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag
e-rate 200
webvpn
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Remote_VPN
authentication-server-group (inside) Remote_VPN
password-management
username-from-certificate CN
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Remote_VPN
authentication-server-group (inside) Remote_VPN
password-management
username-from-certificate CN
!
class-map CONNS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map CONNS
class CONNS
set connection timeout tcp 2:00:00
!
service-policy global_policy global
service-policy CONNS interface outside
prompt hostname context

Shrikant Sundaresh · ‎04-20-2011

Hi Don,

One thing which seems odd:

class-map CONNS
match any

policy-map CONNS
class CONNS
set connection timeout tcp 2:00:00

Why match all traffic in all protocols, when tcp timeout needs to be set? Try disabling the CONNS policy for a while and check if that's causing delays.

Just do : no service-policy CONNS interface outside for testing purposes.

Other issues with 5505, could be the fact that if you have a base license, then there is a restriction on number of allowed users. This would cause connections being denied due to reaching host limits. You can do "show version" to check this.

I would suggest setting up a syslog server, and collecting logs (if possible at level 6 or 7) during times when you see an increase in unstable connections or loss of connections. The logs would help determine what's going wrong.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

loskene16 · ‎04-20-2011

Thanks for your reply,

The class policy was put in because I read on the forums and they explained that putting in the class policy and setting a timeout in that fashion might correct the issue.However it didn't seem to help much. I did dig back thru to cisco logs and I am seeing TONS of teardown messages scrolling then stoping and starting up again. I notice the ip is a 65.55.7.141 which is a microsoft site. I see it scroll like 100 times incrementing up by 1 on the port. What would a denial because of max users look like?

I may have found it:

I ran a show tech-support and found 10 nic MAC's on it. I assume that each NIC is considered a user session, Am I correct?

Total NICs found: 10
Message #4 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #5 : MAC: 0000.0003.0002
Message #6 : 88E6095 rev 2 Ethernet @ index 08Message #7 : MAC: 6400.f139.430
Message #8 : 88E6095 rev 2 Ethernet @ index 07Message #9 : MAC: 6400.f139.430
Message #10 : 88E6095 rev 2 Ethernet @ index 06Message #11 : MAC: 6400.f139.430
Message #12 : 88E6095 rev 2 Ethernet @ index 05Message #13 : MAC: 6400.f139.430
Message #14 : 88E6095 rev 2 Ethernet @ index 04Message #15 : MAC: 6400.f139.430
Message #16 : 88E6095 rev 2 Ethernet @ index 03Message #17 : MAC: 6400.f139.430
Message #18 : 88E6095 rev 2 Ethernet @ index 02Message #19 : MAC: 6400.f139.430
Message #20 : 88E6095 rev 2 Ethernet @ index 01Message #21 : MAC: 6400.f139.430
Message #22 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 6400.f139.430

Shrikant Sundaresh · ‎04-20-2011

Hi Don,

Run a "show version" on the ASA, and look for the following output:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 50
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

This will tell you the number of hosts allowed on the inside.

Could you please post some of the logs you saw. A tear down message is generally accompanied by the reason as well. Search for logs which contain the ip address of the server to which you are experiencing loss of/bad connections.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

loskene16 · ‎04-20-2011

Hi,

Thanks again for the reply,

Here is the results from the show version command and I have attached a text file with the messages that were scrolling. HELP!!!

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

p-clvfsw1 up 20 hours 58 mins

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0    : address is 6400.f139.430e, irq 11
1: Ext: Ethernet0/0         : address is 6400.f139.4306, irq 255
2: Ext: Ethernet0/1         : address is 6400.f139.4307, irq 255
3: Ext: Ethernet0/2         : address is 6400.f139.4308, irq 255
4: Ext: Ethernet0/3         : address is 6400.f139.4309, irq 255
5: Ext: Ethernet0/4         : address is 6400.f139.430a, irq 255
6: Ext: Ethernet0/5         : address is 6400.f139.430b, irq 255
7: Ext: Ethernet0/6         : address is 6400.f139.430c, irq 255
8: Ext: Ethernet0/7         : address is 6400.f139.430d, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.

Serial Number: JMX15144029
Running Activation Key: 0x333cc36e 0xd441e9e8 0xcc80b968 0xbc8cfc98 0x8b0718be
Configuration register is 0x1

Cisco ASA 5505 ver 8.2.1 connection drops and loss of connections