04-19-2011 08:03 PM - edited 03-11-2019 01:23 PM
I just recently purchased a Cisco ASA 5505, ASA ver 8.2. I run a TeamSpeak server/SSH/DNS and domain on the same server on the network. Before I switched to the ASA, I had a regular DGL-4100 that ran with no issues. I have noticed that the connections are very unstable and disconnect frequently, and when they do they take 1 to 5 minutes to be able to reconnect. I have done some Cisco IOS but am fairly new to this.
Anyone know why this is happening? Below is my config off the device with IPs masked.
ASA Version 8.2(1)
!
hostname p-clvfsw1
domain-name XXXXXX.XX
enable password tFU encrypted
passwd encrypted
names
name 10.240.XXX.XXX P-CLVSRV1-125
name 10.240.XXX.XXX P-CLVSRV1-126
!
interface Vlan1
description to outside interface (CDE Lightband)
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan2
description to inside VLAN
nameif inside
security-level 100
ip address 10.240.XXX.XXX 255.255.255.0
!
interface Ethernet0/0
description physical connection to CDE Gateway
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
banner motd
banner motd +-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +-+
banner motd
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server P-CLVSRV1-125
name-server P-CLVSRV1-126
domain-name gsdomain.us
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service Teamspeak-UDP udp
port-object eq 9987
object-group service Teamspeak-TCP tcp
port-object eq 10011
port-object eq 30033
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit udp any interface outside object-group Teamspeak-UDP
access-list acl_outside extended permit tcp any interface outside object-group Teamspeak-TCP
access-list acl_outside extended permit object-group TCPUDP any interface outside eq domain
access-list acl_outside extended permit tcp any interface outside eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.240.XXX.XXX 255.255.255.0
static (inside,outside) udp interface 9987 P-CLVSRV1-126 9987 netmask 255.255.255.255
static (inside,outside) tcp interface 10011 P-CLVSRV1-126 10011 netmask 255.255.255.255
static (inside,outside) tcp interface 30033 P-CLVSRV1-126 30033 netmask 255.255.255.255
static (inside,outside) tcp interface domain P-CLVSRV1-125 domain netmask 255.255.255.255
static (inside,outside) udp interface domain P-CLVSRV1-125 domain netmask 255.255.255.255
static (inside,outside) tcp interface ssh P-CLVSRV1-125 ssh netmask 255.255.255.255
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Remote_VPN protocol nt
aaa-server Remote_VPN (inside) host P-CLVSRV1-125
nt-auth-domain-controller 10.240.XXX.XXX
aaa-server Remote_VPN (inside) host 10.240.XXX.XXX
nt-auth-domain-controller 10.240.XXX.XXX
http server enable
http 10.240.XXX.XXX 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns P-CLVSRV1-125 P-CLVSRV1-126
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain gsdomain.us
!
dhcpd address 10.240.XXX.X-10.240.XXX.XXX inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group DefaultRAGroup general-attributes
authentication-server-group Remote_VPN
authentication-server-group (inside) Remote_VPN
password-management
username-from-certificate CN
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Remote_VPN
authentication-server-group (inside) Remote_VPN
password-management
username-from-certificate CN
!
class-map CONNS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map CONNS
class CONNS
set connection timeout tcp 2:00:00
!
service-policy global_policy global
service-policy CONNS interface outside
prompt hostname context
04-20-2011 05:37 PM
Hi Don,
One thing which seems odd:
class-map CONNS
match any
policy-map CONNS
class CONNS
set connection timeout tcp 2:00:00
Why match all traffic in all protocols, when tcp timeout needs to be set? Try disabling the CONNS policy for a while and check if that's causing delays.
Just do "no service-policy CONNS interface outside" for testing purposes.
Other issues with 5505, could be the fact that if you have a base license, then there is a restriction on number of allowed users. This would cause connections being denied due to reaching host limits. You can do "show version" to check this.
I would suggest setting up a syslog server, and collecting logs (if possible at level 6 or 7) during times when you see an increase in unstable connections or loss of connections. The logs would help determine what's going wrong.
Hope this helps.
-Shrikant
P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.
04-20-2011 06:17 PM
Thanks for your reply,
The class policy was put in because I read on the forums and they explained that putting in the class policy and setting a timeout in that fashion might correct the issue. However, it didn't seem to help much. I did dig back through the Cisco logs and I am seeing TONS of teardown messages scrolling, then stopping and starting up again. I notice the IP is 65.55.7.141, which is a Microsoft site. I see it scroll like 100 times, incrementing up by 1 on the port. What would a denial because of max users look like?
I may have found it:
I ran a "show tech-support" and found 10 NIC MACs on it. I assume that each NIC is considered a user session. Am I correct?
Total NICs found: 10
Message #4 : 88E6095 rev 2 Gigabit Ethernet @ index 09
Message #5 : MAC: 0000.0003.0002
Message #6 : 88E6095 rev 2 Ethernet @ index 08
Message #7 : MAC: 6400.f139.430
Message #8 : 88E6095 rev 2 Ethernet @ index 07
Message #9 : MAC: 6400.f139.430
Message #10 : 88E6095 rev 2 Ethernet @ index 06
Message #11 : MAC: 6400.f139.430
Message #12 : 88E6095 rev 2 Ethernet @ index 05
Message #13 : MAC: 6400.f139.430
Message #14 : 88E6095 rev 2 Ethernet @ index 04
Message #15 : MAC: 6400.f139.430
Message #16 : 88E6095 rev 2 Ethernet @ index 03
Message #17 : MAC: 6400.f139.430
Message #18 : 88E6095 rev 2 Ethernet @ index 02
Message #19 : MAC: 6400.f139.430
Message #20 : 88E6095 rev 2 Ethernet @ index 01
Message #21 : MAC: 6400.f139.430
Message #22 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 6400.f139.430
04-20-2011 10:05 PM
Hi Don,
Run a "show version" on the ASA, and look for the following output:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
This will tell you the number of hosts allowed on the inside.
Could you please post some of the logs you saw. A tear down message is generally accompanied by the reason as well. Search for logs which contain the ip address of the server to which you are experiencing loss of/bad connections.
Hope this helps.
-Shrikant
P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.
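To follow the two checks suggested above offline, here is an added Python example (not from this thread, and not Cisco's own code) that reads the "Inside Hosts" value out of a pasted "show version" license block and then tallies ASA syslog lines: teardown reasons, teardowns per outside peer, and denies caused by the licensed host limit. The log lines and addresses are constructed samples written in the format of ASA messages 302014 (TCP teardown), 302016 (UDP teardown) and 450001 (host-limit deny); the 10.240.0.0/24 addresses stand in for the masked ones in the thread, and the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the "show version" license block quoted above.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
This platform has a Base license.
"""

# Constructed syslog lines (not real captures) in the format of ASA messages
# 302014 (TCP teardown, with a reason at the end), 302016 (UDP teardown, no reason)
# and 450001 (traffic denied because the licensed host limit was reached).
SAMPLE_SYSLOG = [
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:65.55.7.141/80 to inside:10.240.0.126/49152 duration 0:00:00 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 1002 for outside:65.55.7.141/80 to inside:10.240.0.126/49153 duration 0:00:00 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 1003 for outside:65.55.7.141/443 to inside:10.240.0.126/49154 duration 0:00:03 bytes 2210 TCP FINs",
    "%ASA-6-302016: Teardown UDP connection 1004 for outside:198.51.100.7/52001 to inside:10.240.0.126/9987 duration 0:02:01 bytes 8120",
    "%ASA-6-302014: Teardown TCP connection 1005 for outside:198.51.100.7/41000 to inside:10.240.0.125/22 duration 0:10:00 bytes 0 TCP Reset-O",
    "%ASA-4-450001: Deny traffic for protocol 6 src inside:10.240.0.77/52300 dest outside:203.0.113.9/443, licensed host limit of 10 exceeded.",
]

TEARDOWN_RE = re.compile(
    r"%ASA-6-30201[46]: Teardown (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration [\d:]+ bytes \d+(?: (?P<reason>.+))?$"
)
HOST_LIMIT_RE = re.compile(r"%ASA-4-450001: .*licensed host limit of (?P<limit>\d+) exceeded")
INSIDE_HOSTS_RE = re.compile(r"^Inside Hosts\s*:\s*(\d+)", re.MULTILINE)


def inside_host_limit(show_version_text):
    """Return the licensed 'Inside Hosts' count from show version output, or None if absent."""
    m = INSIDE_HOSTS_RE.search(show_version_text)
    return int(m.group(1)) if m else None


def summarize(lines):
    """Count teardown reasons, teardowns per outside peer, and host-limit denies.

    A UDP teardown (302016) carries no reason field, so it is counted under "(none)".
    """
    reasons = Counter()
    per_peer = Counter()
    host_limit_denies = 0
    for raw in lines:
        line = raw.strip()
        m = TEARDOWN_RE.search(line)
        if m:
            reasons[m.group("reason") or "(none)"] += 1
            per_peer[m.group("src")] += 1
            continue
        if HOST_LIMIT_RE.search(line):
            host_limit_denies += 1
    return {
        "reasons": dict(reasons),
        "per_peer": dict(per_peer),
        "host_limit_denies": host_limit_denies,
    }


def lines_mentioning(lines, ip):
    """Pull every log line that names a given address (whole address, not a prefix of a longer one)."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    print("Inside Hosts limit:", inside_host_limit(SAMPLE_SHOW_VERSION))
    report = summarize(SAMPLE_SYSLOG)
    print("Teardown reasons:", report["reasons"])
    print("Teardowns per outside peer:", report["per_peer"])
    print("Host-limit denies:", report["host_limit_denies"])
    for line in lines_mentioning(SAMPLE_SYSLOG, "10.240.0.126"):
        print(line)
```

Feed the script the real syslog export and the pasted "show version" block instead of the samples: a non-zero host-limit count points at the Base license's Inside Hosts cap, while a run of "SYN Timeout" teardowns toward one peer is the kind of pattern the thread's scrolling messages describe and is worth reading alongside the matching build-up (302013) lines.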
04-20-2011 10:17 PM
Hi,
Thanks again for the reply,
Here are the results from the "show version" command, and I have attached a text file with the messages that were scrolling. HELP!!!
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
p-clvfsw1 up 20 hours 58 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 6400.f139.430e, irq 11
1: Ext: Ethernet0/0 : address is 6400.f139.4306, irq 255
2: Ext: Ethernet0/1 : address is 6400.f139.4307, irq 255
3: Ext: Ethernet0/2 : address is 6400.f139.4308, irq 255
4: Ext: Ethernet0/3 : address is 6400.f139.4309, irq 255
5: Ext: Ethernet0/4 : address is 6400.f139.430a, irq 255
6: Ext: Ethernet0/5 : address is 6400.f139.430b, irq 255
7: Ext: Ethernet0/6 : address is 6400.f139.430c, irq 255
8: Ext: Ethernet0/7 : address is 6400.f139.430d, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX15144029
Running Activation Key: 0x333cc36e 0xd441e9e8 0xcc80b968 0xbc8cfc98 0x8b0718be
Configuration register is 0x1