Cisco ASA 5510 reboot necessary every week

sprintership-il
Level 1

From time to time, almost every week, we have to reboot the ASA firewall. Before I manually hit the button, I noticed there is no DNS communication at the time we lose the internet connection. Logging into the ASA CLI, it can't ping anything in the outside world from the outside interface. I have already replaced the hardware; Cisco TAC checked the config and all should be OK. Should be. I am thinking about setting up some sort of syslog to see what is going on.

 

The ASA port is connected to the ISP router, a Cisco 2800. Both ports had duplex and speed set to auto. I have changed that manually. What else can I do in order to troubleshoot this?

27 Replies

Damn it, it's not the case. I added an extra IP as a backup of the existing one on the external interface,

 

according to me, someone or something from the internal network is attacking my external IP, rather than looking at the syslog.

 

Is there any way on the ASA to see which internal IP is messing with the external IP?

Can you try the following at the time of the issue:

>> Ping any hostname from the ASA and capture traffic to see if the outgoing traffic is getting source-translated.

>> Ping your default gateway to ensure the upstream device is reachable.

>> There could be some problem with the upstream device at layer two. Try applying a capture for ARP at the time of the issue and check if you see anything unusual.

>> Instead of reloading the ASA, try bouncing the interface connected to the upstream device.

 

Let us know your findings.

 

Thanks, 

R Seth
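The ASA CLI commands behind those four checks, as an added example that is not part of the reply above. The outside interface name Ethernet0/0 and the gateway address 203.0.113.1 are assumptions; substitute your own.

```text
! Added example (not from the thread). Ethernet0/0 and 203.0.113.1 are assumed values.

! 1. Is the upstream gateway reachable, and does the ASA hold an ARP entry for it?
ping outside 203.0.113.1
show arp | include 203.0.113.1

! 2. Is inside traffic being source-translated on the way out?
!    Start a capture on the outside interface, then ping a public host from an
!    inside client: the captured source address should be the outside (PAT) IP,
!    not the client's private address.
capture natcap interface outside match icmp any any
show capture natcap

! 3. Anything unusual at layer two (duplicate IP, unexpected gratuitous ARP, ARP storms)?
capture arpcap ethernet-type arp interface outside
show capture arpcap

! 4. Translation and connection table size, then bounce the ISP-facing interface
!    instead of reloading and check whether the counters fall.
show xlate count
show conn count
configure terminal
interface Ethernet0/0
 shutdown
 no shutdown
exit
exit
show xlate count

! Cleanup: remove the captures once done, they consume memory on a 5510.
no capture natcap
no capture arpcap
```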

 

 

Sorry for the confusion, what do you mean by "try bouncing interface connected to upstream device"?

Try a shut and no shut of the interface connected to the ISP device, or unplug and plug the cable from the ASA which is connected to the ISP device.

 

Thanks,

R.Seth

Today at 7 PM, when the building is almost empty, I hit:

 

asa# sh xlate count
68681 in use, 88294 most used

 

Indeed there may be 200 devices connected (iPads), but 68,000 open sessions?

Is something generating these sessions from inside? I believe yes. Some sort of virus, program, or somebody.

 

sh nat pool
TCP PAT pool outside, address MY EXT IP, range 1-511, allocated 0
TCP PAT pool outside, address MY EXT IP, range 512-1023, allocated 0
TCP PAT pool outside, address MY EXT IP, range 1024-65535, allocated 370
UDP PAT pool outside, address MY EXT IP, range 1-511, allocated 326
UDP PAT pool outside, address MY EXT IP, range 512-1023, allocated 0
UDP PAT pool outside, address MY EXT IP, range 1024-65535, allocated 35461
TCP PAT pool outside, address MY EXT IP, range 1-511, allocated 1
TCP PAT pool outside, address MY EXT IP, range 512-1023, allocated 0
TCP PAT pool outside, address MY EXT IP, range 1024-65535, allocated 0
TCP PAT pool outside, address MY EXT IP, range 1-511, allocated 0
TCP PAT pool outside, address MY EXT IP, range 512-1023, allocated 0
TCP PAT pool outside, address MY EXT IP, range 1024-65535, allocated 137
UDP PAT pool outside, address MY EXT IP, range 1-511, allocated 3
UDP PAT pool outside, address MY EXT IP, range 512-1023, allocated 0
UDP PAT pool outside, address MY EXT IP, range 1024-65535, allocated 5
UDP PAT pool outside, address MY EXT IP, range 1-511, allocated 7
UDP PAT pool outside, address MY EXT IP, range 512-1023, allocated 0
UDP PAT pool outside, address MY EXT IP, range 1024-65535, allocated 23296
TCP PAT pool inside, address MY INT IP, range 1-511, allocated 1
TCP PAT pool inside, address MY INT IP, range 512-1023, allocated 0
TCP PAT pool inside, address MY INT IP, range 1024-65535, allocated 0
UDP PAT pool inside, address MY INT IP, range 1-511, allocated 2
UDP PAT pool inside, address MY INT IP, range 512-1023, allocated 1
UDP PAT pool inside, address MY INT IP, range 1024-65535, allocated 3
TCP PAT pool management, address ASA IP, range 1-511, allocated 2
TCP PAT pool management, address ASA IP, range 512-1023, allocated 0
TCP PAT pool management, address ASA IP, range 1024-65535, allocated 0

Also, looking at a single Chromebook:

 

UDP PAT from inside:INT IP/43293 to outside:EXT IP/32456 flags ri idle 8:54:46 timeout 0:00:30
UDP PAT from inside:INT IP/37697 to outside:EXT IP/37697 flags ri idle 8:55:46 timeout 0:00:30
UDP PAT from inside:INT IP/48970 to outside:EXT IP/55987 flags ri idle 8:56:46 timeout 0:00:30
UDP PAT from inside:INT IP/52888 to outside:EXT IP/44833 flags ri idle 8:56:47 timeout 0:00:30
UDP PAT from inside:INT IP/43917 to outside:EXT IP/19543 flags ri idle 8:56:48 timeout 0:00:30
UDP PAT from inside:INT IP/33838 to outside:EXT IP/7235 flags ri idle 8:56:48 timeout 0:00:30
UDP PAT from inside:INT IP/36156 to outside:EXT IP/36156 flags ri idle 8:57:30 timeout 0:00:30
UDP PAT from inside:INT IP/59134 to outside:EXT IP/23675 flags ri idle 8:57:31 timeout 0:00:30
UDP PAT from inside:INT IP/59545 to outside:EXT IP/8254 flags ri idle 8:57:46 timeout 0:00:30
UDP PAT from inside:INT IP/54024 to outside:EXT IP/14064 flags ri idle 8:59:01 timeout 0:00:30
UDP PAT from inside:INT IP/49632 to outside:EXT IP/6204 flags ri idle 8:59:25 timeout 0:00:30
UDP PAT from inside:INT IP/38789 to outside:EXT IP/32092 flags ri idle 8:59:46 timeout 0:00:30
UDP PAT from inside:INT IP/58646 to outside:EXT IP/48015 flags ri idle 9:00:06 timeout 0:00:30
UDP PAT from inside:INT IP/58252 to outside:EXT IP/39630 flags ri idle 9:00:06 timeout 0:00:30
UDP PAT from inside:INT IP/53012 to outside:EXT IP/6104 flags ri idle 9:00:28 timeout 0:00:30
UDP PAT from inside:INT IP/60819 to outside:EXT IP/38942 flags ri idle 9:00:46 timeout 0:00:30
UDP PAT from inside:INT IP/55925 to outside:EXT IP/5980 flags ri idle 9:00:54 timeout 0:00:30

 

Hundreds of lines from a single Chromebook?
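As an added example (not from the thread), a small parser for the "show xlate" lines quoted above: it flags translations whose idle time already exceeds their timeout, which is the symptom seen here, and ranks inside hosts by the number of such stale entries so the noisy client can be found without reading hundreds of lines by hand. The addresses in the embedded sample are constructed.

```python
import re
from collections import Counter

# Matches the ASA 9.1 "show xlate" PAT lines quoted in the thread, with the
# INT IP / EXT IP placeholders replaced by constructed RFC 5737 addresses.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)"
    r" to (?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
    r" flags (?P<flags>\S+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)"
)

def hms_to_seconds(hms):
    """Convert an ASA h:mm:ss field (e.g. 8:54:46) to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_xlate(line):
    """Return a dict for one PAT xlate line, or None for lines that do not match."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["idle_s"] = hms_to_seconds(e["idle"])
    e["timeout_s"] = hms_to_seconds(e["timeout"])
    return e

def summarize(lines, top=3):
    """Count xlates, flag entries idle longer than their timeout (translations the
    ASA should already have torn down) and rank inside hosts by stale entries."""
    entries = [e for e in (parse_xlate(l) for l in lines) if e]
    stale = [e for e in entries if e["idle_s"] > e["timeout_s"]]
    per_host = Counter(e["in_ip"] for e in stale)
    return {"total": len(entries), "stale": len(stale),
            "top_hosts": per_host.most_common(top)}

# Constructed sample modelled on the thread's output; not real device data.
SAMPLE = """\
UDP PAT from inside:10.1.1.5/43293 to outside:203.0.113.10/32456 flags ri idle 8:54:46 timeout 0:00:30
UDP PAT from inside:10.1.1.5/37697 to outside:203.0.113.10/37697 flags ri idle 8:55:46 timeout 0:00:30
UDP PAT from inside:10.1.1.5/48970 to outside:203.0.113.10/55987 flags ri idle 8:56:46 timeout 0:00:30
UDP PAT from inside:10.1.1.5/52888 to outside:203.0.113.10/44833 flags ri idle 8:56:47 timeout 0:00:30
TCP PAT from inside:10.1.1.7/51000 to outside:203.0.113.10/1025 flags ri idle 0:00:05 timeout 1:00:00
UDP PAT from inside:10.1.1.9/53001 to outside:203.0.113.10/1101 flags ri idle 0:00:10 timeout 0:00:30
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it the output of "show xlate" saved to a file; a host with thousands of stale UDP entries whose idle time dwarfs a 30-second timeout points at the firewall's own teardown rather than at the client.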

Hi,

 

Looks like the connections are not timing out even after reaching their time-out value.

Please refer to the following link:

https://tools.cisco.com/bugsearch/bug/CSCuh13899/?reffering_site=dumpcr

 

Hope it helps!!!

Thanks,

R.Seth

Don't forget to mark the answer as correct if it helps in resolving your query!!!

Mr. R.Seth, I think you pointed me in the right direction with ASA bug CSCuh13899:

 

My version of ASA:

 

Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(3)

Looks like I am affected; that makes sense: I took a laptop which had made 7,000 sessions according to the ASA, disabled the Wi-Fi connection on it, all connections were up for the whole day, inspected the laptop for viruses, malware, etc. and found literally "nothing suspicious".

 

Once I apply the workarounds I will let you know the final fix. And imagine, I have replaced the firewall under warranty because of a "bug in software"... ehhhhhh, really frustrating.

 

Thank you all, and Mr. Seth, for your help!!! Really appreciate it.

Removing the laptop would not change anything on the ASA, as we can see that the sessions are up even beyond the time-out values.

Yes, you should try the workaround and share your findings.

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

 

 

Mr. Seth, yes, you were right about that bug. My ASA was affected, not properly closing sessions. It was not me like the others said; it's software. I can tell because today I see max sessions of about 5K, not 105K.

 

This is resolved. Thank you, Seth, for your help!!!!!

Nice!!! :)

Maybe you're part of the problem :)

Maybe you are one of the attackers? :) Some zombies in your network?
