11-12-2012 12:13 PM - edited 03-11-2019 05:22 PM
Running into a bit of a problem. Anytime I try to download a large file through our 5510 the download fails at different points. Cannot download via a download manager at all. I see nothing in the logs which are set to informational.
I can connect my laptop to our internet connection outside the firewall and HTTP and download manager downloads connect and finish just fine.
Can someone point me in the right direction before I go through and scrub my config for posting?
11-12-2012 07:11 PM
Hi,
Do you see any logs when the connection fails?
Do the large downloads only affect HTTP traffic?
Can you try FTP traffic?
Do you have any logs on the Service policy?
Do you have HTTP inspection turned on?
Mike Rojas
11-12-2012 07:32 PM
I see no logs other than the normal build and teardowns.
Seems to affect http and https. I have another user that complains of disconnects while connected to a client using an open source SSL VPN.
I will try a large FTP shortly. I have had no complaints of FTP disconnects.
I have not added any logs since I inherited this device.
I do not have inspection turned on for http or https.
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
11-12-2012 07:41 PM
Hello,
Well this is going to take a bit of deep troubleshooting then. We may need to check captures, MSS settings, MTU settings, try bypassing TCP inspection and last but not least set the MSS allow just in case.
Do they all stop at the same percentage? Are there any filtering services? WCCP, URL filter, Proxy and so on?
Mike
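What Mike's troubleshooting list looks like on the box, as an added example that is not from this thread: capture one download on both interfaces, capture what the accelerated security path drops, and, if the drops are MSS-exceeded, the tcp-map that implements "set the MSS allow". The test client 10.10.5.50, the remote server 203.0.113.10 and the use of 10.10.2.12 as a TFTP server are assumed values; the syntax is ASA 8.2.

```cisco
! Added example, not from the thread. Exec-mode commands first.
! 1. Capture the download on both sides; the outside leg uses the PAT address 1.1.1.99.
capture capin interface inside buffer 2000000 match tcp host 10.10.5.50 any eq 80
capture capout interface outside buffer 2000000 match tcp host 1.1.1.99 host 203.0.113.10 eq 80
! 2. Capture every packet the ASP drops, together with the drop reason.
capture capdrop type asp-drop all
!
! Run the download until it stalls, then see what was dropped and why.
show capture capdrop | include 203.0.113.10
show asp drop
! A rising "tcp-mss-exceeded" counter means the TCP normalizer is discarding
! segments larger than the negotiated MSS (syslog 419001); ICMP type 3 code 4
! showing up in capout points at a path-MTU problem instead.
!
! 3. Export both captures and compare them side by side in Wireshark;
!    the last segment seen in capout but never in capin is the one to look at.
copy /pcap capture:capin tftp://10.10.2.12/capin.pcap
copy /pcap capture:capout tftp://10.10.2.12/capout.pcap
!
! 4. Only if the drops are MSS-exceeded: allow oversized segments instead of
!    dropping them. Scope it to web traffic rather than the whole global policy.
configure terminal
tcp-map allow-large-mss
 exceed-mss allow
!
access-list web-traffic extended permit tcp any any eq www
access-list web-traffic extended permit tcp any any eq https
class-map web-class
 match access-list web-traffic
!
policy-map global_policy
 class web-class
  set connection advanced-options allow-large-mss
end
!
! 5. Confirm the class is attached and watch the counter stop climbing.
show service-policy
show asp drop frame tcp-mss-exceeded
!
! Remove the captures when finished; they hold memory on the 5510.
no capture capin
no capture capout
no capture capdrop
```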
11-12-2012 07:54 PM
The disconnects are very random. Happens mostly during the day. I was trying to download from Symantec today and it stopped at 220mb, 146mb, 25mb, 300mb. I just VPN'd in to work and RDP'd to my laptop and was able to download the same file. It is not just Symantec. I have noticed with MS and external users sending large files to our HTTPS file transfer service.
We have no URL filters or proxies.
Which are the least disruptive things I can try first? I will start cleaning up my config for posting.
11-12-2012 08:07 PM
Nothing really, but we have issues with Microsoft downloads, can you try something like downloading an OS image (Ubuntu or something).
Also, do you have any servers on another interface that can host files on HTTP so you can upload them there and try to access it right from the next interface instead of going to the cloud (just to rule out ISP issues).
Mike
11-12-2012 08:12 PM
I am able to give my laptop an external IP and connect between the ISP and the ASA and download without interruption. Our connection is WiMax so that was my first thought.
11-12-2012 08:08 PM
Here is my current config. If you notice anything else while looking it over feel free to tell me we're doing it wrong.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(1)11
!
hostname ciscoasa
domain-name company.local
enable password ***** encrypted
passwd **** encrypted
names
name 1.1.1.107 Sonoma description OLD MAIL SERVER
name 2.2.2.19 SonomaBullsEye description OLD MAIL SERVER
name 10.10.2.6 DAYTONA-INT
name 10.10.2.62 SEBRING-INT
name 10.10.2.4 AUTHENTICA-INT
name 10.10.2.11 MIDOHIO-INT
name 10.10.2.15 PMEUPDATE-INT
name 10.10.2.25 FILETRANSFER-INT
name 10.10.2.22 FTP-INT
name 10.10.2.1 HOMESTEAD-INT
name 1.1.1.102 DAYTONA-EXT-OUT description CAS Server
name 1.1.1.109 FILETRANSFER-EXT-OUT description Secure File Transfer
name 1.1.1.105 FTP-EXT-OUT description FTPS
name 1.1.1.103 AUTHENTICA-EXT-OUT description Secure PDF
name 1.1.1.106 OSCODA-EXT-OUT description SQL Testing
name 1.1.1.104 ALEXSYS123-EXT-OUT description MidOhio
name 1.1.1.108 PMEUPDATE-EXT-OUT description NC Update server
name 2.2.2.21 FILETRANSFER-EXT-BAK
name 2.2.2.133 DAYTONA-EXT-BAK
name 2.2.2.134 AUTHENTICA-EXT-BAK
name 2.2.2.18 ALEXSYS-EXT-BAK description MIS
name 1.1.1.110 CRASHPLAN-EXT-OUT description CrashPlan backup server
name 68.68.68.17 CORVID-WC
name 12.12.12.2 KINCEY-NC
name 10.10.2.34 CRASHPLAN-INT
!
interface Ethernet0/0
nameif backup
security-level 1
ip address 2.2.2.131 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
nameif outside2
security-level 0
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 1.1.1.98 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 172.17.0.199 255.255.255.0
management-only
!
banner motd **************************** NOTICE ******************************
banner motd * Unauthorized access to this network device is FORBIDDEN! *
banner motd * All connection attempts and sessions are logged and AUDITED! *
banner motd ******************************************************************
banner motd **************************** NOTICE ******************************
banner motd * Unauthorized access to this network device is FORBIDDEN! *
banner motd * All connection attempts and sessions are logged and AUDITED! *
banner motd ******************************************************************
boot system disk0:/asa821-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside2
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server HOMESTEAD-INT
name-server SEBRING-INT
domain-name pme.local
same-security-traffic permit intra-interface
object-group service SQLTEST udp
description SQLTEST for VES
port-object eq 1434
object-group service SQLTEST_TCP tcp
description SQLTEST For VES
port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service crashplan-4282 tcp
port-object eq 4282
access-list nonat extended permit ip any 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip host 1.1.1.98 10.100.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip any 10.20.11.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list nonat extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https
access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https
access-list outside_access_in extended permit udp any host 2.2.2.20 eq 1434
access-list outside_access_in extended permit tcp any host 2.2.2.20 eq 1433 inactive
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www
access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https
access-list outside_access_in remark HTTP for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www
access-list outside_access_in remark HTTPS for TeamWeb
access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https
access-list outside_access_in extended permit icmp host 10.100.0.1 any
access-list outside_access_in extended deny icmp any any
access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.20.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.100.0.0 255.255.0.0
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive
access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive
access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https
access-list outside_access_in_1 remark FTPS
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1
access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive
access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www
access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https
access-list outside_access_in_1 extended permit tcp any host CRASHPLAN-EXT-OUT object-group crashplan-4282
access-list outside_access_in_1 extended deny icmp any any
access-list inside_access_out extended permit ip any any log
access-list CORVID-WC_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list CORVID-WC_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list KINCEY_CRYPTO extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap informational
logging asdm informational
logging from-address asa@**COMPANY**.com
logging recipient-address jwright@**COMPANY**.com level errors
logging host inside 10.10.2.12
logging permit-hostdown
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302012
no logging message 302017
no logging message 302016
mtu backup 1500
mtu inside 1500
mtu outside2 1500
mtu outside 1500
mtu management 1500
ip local pool IPSECVPN2 10.10.11.76-10.10.11.100
ip local pool SSLVPN 10.10.11.101-10.10.11.200 mask 255.255.0.0
ip local pool IPSECVPN 10.10.11.25-10.10.11.75
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (backup) 1 2.2.2.132
global (outside) 1 1.1.1.99 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255
static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255
static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255
static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255
static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255
static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255
static (inside,backup) FILETRANSFER-EXT-BAK FILETRANSFER-INT netmask 255.255.255.255
static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255
static (inside,backup) AUTHENTICA-EXT-BAK AUTHENTICA-INT netmask 255.255.255.255
static (inside,backup) ALEXSYS-EXT-BAK MIDOHIO-INT netmask 255.255.255.255
static (inside,outside) CRASHPLAN-EXT-OUT CRASHPLAN-INT netmask 255.255.255.255
access-group outside_access_in in interface backup
access-group inside_access_out in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.97 1 track 1
route backup 0.0.0.0 0.0.0.0 2.2.2.129 254
route backup 62.109.192.0 255.255.240.0 2.2.2.129 1
route backup 64.68.96.0 255.255.224.0 2.2.2.129 1
route backup 66.114.160.0 255.255.240.0 2.2.2.129 1
route backup 66.163.32.0 255.255.240.0 2.2.2.129 1
route backup 209.197.192.0 255.255.224.0 2.2.2.129 1
route backup 210.4.192.0 255.255.240.0 2.2.2.129 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
http-proxy enable
aaa-server PMERADIUS protocol radius
aaa-server PMERADIUS (inside) host HOMESTEAD-INT
key ******
radius-common-pw ******
aaa authentication ssh console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 172.17.0.0 255.255.255.0 management
http redirect backup 80
http redirect outside 80
snmp-server location Server Room
snmp-server contact Jay Wright
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 216.216.216.216 interface outside
timeout 3000
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set PM1 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map dyn1 1 set pfs group1
crypto dynamic-map dyn1 1 set transform-set PM1
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1
crypto map cryptomap1 interface backup
crypto map outside_map 20 match address KINCEY_CRYPTO
crypto map outside_map 20 set peer KINCEY-NC
crypto map outside_map 20 set transform-set PM1
crypto map outside_map 30 match address CORVID-WC_CRYPTO
crypto map outside_map 30 set peer CORVID-WC
crypto map outside_map 30 set transform-set PM1
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint vpn.**COMPANY**.com
enrollment terminal
fqdn vpn.**COMPANY**.com
subject-name CN=vpn.**COMPANY**.com, O=Pratt & Miller Engineering, C=US, St=MI, L=New Hudson
keypair vpn.**COMPANY**.com
crl configure
crypto ca certificate chain vpn.**COMPANY**.com
certificate ca 0301
308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500
***********
776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
quit
certificate 041200616c79f4
30820577 3082045f a0030201 02020704 1200616c 79f4300d 06092a86 4886f70d
***********
5c940b2a 0083979e aad3794a 040d54bc ef874aa1 9a12944f b4aeef
quit
crypto isakmp identity address
crypto isakmp enable backup
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 33
!
track 1 rtr 100 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.22.86.210 source backup prefer
ssl trust-point vpn.**COMPANY**.com outside2
ssl trust-point vpn.**COMPANY**.com backup
ssl trust-point vpn.**COMPANY**.com outside
webvpn
enable backup
enable outside2
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 4
svc profiles AllowRemoteUsers disk0:/AnyConnectProfile20121003.xml
svc enable
internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain none
group-policy DfltGrpPolicy attributes
dns-server value 10.10.2.1 10.10.2.62
vpn-idle-timeout 600
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value pme.local
webvpn
url-list value Book1
svc profiles value AllowRemoteUsers
svc ask enable default webvpn timeout 10
group-policy AnyConnect internal
group-policy AnyConnect attributes
vpn-tunnel-protocol webvpn
webvpn
svc ask enable default webvpn timeout 15
username **** password **** encrypted privilege 15
username **** password **** encrypted privilege 15
username **** password **** encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (backup) IPSECVPN2
address-pool (outside2) IPSECVPN2
address-pool (outside) SSLVPN
address-pool SSLVPN
authentication-server-group PMERADIUS
tunnel-group pm_ipsec type remote-access
tunnel-group pm_ipsec general-attributes
address-pool IPSECVPN2
tunnel-group pm_ipsec ipsec-attributes
pre-shared-key *
tunnel-group **COMPANY** type remote-access
tunnel-group **COMPANY** general-attributes
address-pool IPSECVPN
tunnel-group **COMPANY** ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.20 type ipsec-l2l
tunnel-group 2.2.2.20 ipsec-attributes
pre-shared-key *
tunnel-group 68.68.68.68 type ipsec-l2l
tunnel-group 68.68.68.68 ipsec-attributes
pre-shared-key *
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
class class-default
!
service-policy global_policy global
smtp-server 10.10.2.6
prompt hostname context
Cryptochecksum:07619858a9af4b27c5f4104bc3c95018
: end
11-12-2012 08:12 PM
You have a backup ISP, have you tried to roll over to the other one and see if the issue persists?
Mike Rojas
11-12-2012 08:18 PM
I have not only because I can connect outside our firewall and download without issue. Also because it is only a T1 and most of our services do not fail over. It just allows for email/webmail and internet access.
11-12-2012 08:19 PM
Ok,
To make that a valid test, grab that IP and the laptop, connect it on the inside, set a one to one translation and do the same download and see if it fails. (Make sure to clear the local host of the laptop)
Let me know.
Mike
11-12-2012 08:39 PM
So. Keep the external IP I used on the laptop. Connect it to the inside interface. Flush the DNS.
Would the one to one translation be:
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
If I were using 1.1.1.1 on that laptop
I will also try the backup T1 by routing my traffic to that interface.
Message was edited by: Jay Wright
11-13-2012 05:50 AM
Good,
Let me know.
Mike