Disconnected downloads through ASA5510

Cybervex3
Level 1

Running into a bit of a problem.  Anytime I try to download a large file through our 5510 the download fails at different points.  Cannot download via a download manager at all.  I see nothing in the logs, which are set to informational.

I can connect my laptop to our internet connection outside the firewall and HTTP and download manager downloads connect and finish just fine.

Can someone point me in the right direction before I go through and scrub my config for posting?

12 Replies

Maykol Rojas
Cisco Employee

Hi,

Do you see any logs when the connection fails?

Do the large downloads only affect HTTP traffic?

Can you try FTP traffic?

Do you have any logs on the Service policy?

Do you have HTTP inspection turned on?

Mike Rojas

Mike

I see no logs other than the normal build and teardowns.

Seems to affect http and https. I have another user that complains of disconnects while connected to a client using an open source SSL VPN.

I will try a large FTP shortly.  I have had no complaints of FTP disconnects.

I have not added any logs since I inherited this device.

I do not have inspection turned on for http or https.

policy-map global_policy

class inspection_default

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

  inspect icmp

Hello,

Well, this is going to take a bit of deep troubleshooting then. We may need to check captures, MSS settings, MTU settings, try bypassing TCP inspection and, last but not least, set the MSS allow just in case.

Do they all stop at the same percentage? Are there any filtering services? WCCP, URL filter, Proxy and so on?

Mike

Mike

The disconnects are very random.  Happens mostly during the day.  I was trying to download from Symantec today and it stopped at 220 MB, 146 MB, 25 MB, 300 MB.  I just VPN'd in to work and RDP'd to my laptop and was able to download the same file.  It is not just Symantec. I have noticed it with MS and with external users sending large files to our HTTPS file transfer service.

We have no URL filters or proxies.

Which are the least disruptive things I can try first?  I will start cleaning up my config for posting.

Nothing really, but we have issues with Microsoft downloads. Can you try something like downloading an OS image (Ubuntu or something)?

Also, do you have any servers on another interface that can host files on HTTP, so you can upload them there and try to access them right from the next interface instead of going to the cloud (just to rule out ISP issues)?

Mike

Mike

I am able to give my laptop an external IP and connect between the ISP and the ASA and download without interruption.  Our connection is WiMax so that was my first thought.

Here is my current config.  If you notice anything else while looking it over feel free to tell me we're doing it wrong.

Result of the command: "sh run"

: Saved

:

ASA Version 8.2(1)11

!

hostname ciscoasa

domain-name company.local

enable password ***** encrypted

passwd **** encrypted

names

name 1.1.1.107 Sonoma description OLD MAIL SERVER

name 2.2.2.19 SonomaBullsEye description OLD MAIL SERVER

name 10.10.2.6 DAYTONA-INT

name 10.10.2.62 SEBRING-INT

name 10.10.2.4 AUTHENTICA-INT

name 10.10.2.11 MIDOHIO-INT

name 10.10.2.15 PMEUPDATE-INT

name 10.10.2.25 FILETRANSFER-INT

name 10.10.2.22 FTP-INT

name 10.10.2.1 HOMESTEAD-INT

name 1.1.1.102 DAYTONA-EXT-OUT description CAS Server

name 1.1.1.109 FILETRANSFER-EXT-OUT description Secure File Transfer

name 1.1.1.105 FTP-EXT-OUT description FTPS

name 1.1.1.103 AUTHENTICA-EXT-OUT description Secure PDF

name 1.1.1.106 OSCODA-EXT-OUT description SQL Testing

name 1.1.1.104 ALEXSYS123-EXT-OUT description MidOhio

name 1.1.1.108 PMEUPDATE-EXT-OUT description NC Update server

name 2.2.2.21 FILETRANSFER-EXT-BAK

name 2.2.2.133 DAYTONA-EXT-BAK

name 2.2.2.134 AUTHENTICA-EXT-BAK

name 2.2.2.18 ALEXSYS-EXT-BAK description MIS

name 1.1.1.110 CRASHPLAN-EXT-OUT description CrashPlan backup server

name 68.68.68.17 CORVID-WC

name 12.12.12.2 KINCEY-NC

name 10.10.2.34 CRASHPLAN-INT

!

interface Ethernet0/0

nameif backup

security-level 1

ip address 2.2.2.131 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.10.1.1 255.255.0.0

!

interface Ethernet0/2

shutdown

nameif outside2

security-level 0

no ip address

!

interface Ethernet0/3

nameif outside

security-level 0

ip address 1.1.1.98 255.255.255.224

!

interface Management0/0

nameif management

security-level 100

ip address 172.17.0.199 255.255.255.0

management-only

!

banner motd       **************************** NOTICE ******************************

banner motd       *    Unauthorized access to this network device is FORBIDDEN!    *

banner motd       *  All connection attempts and sessions are logged and AUDITED!  *

banner motd       ******************************************************************

banner motd       **************************** NOTICE ******************************

banner motd       *    Unauthorized access to this network device is FORBIDDEN!    *

banner motd       *  All connection attempts and sessions are logged and AUDITED!  *

banner motd       ******************************************************************

boot system disk0:/asa821-11-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside2

dns domain-lookup outside

dns domain-lookup management

dns server-group DefaultDNS

name-server HOMESTEAD-INT

name-server SEBRING-INT

domain-name pme.local

same-security-traffic permit intra-interface

object-group service SQLTEST udp

description SQLTEST for VES

port-object eq 1434

object-group service SQLTEST_TCP tcp

description SQLTEST For VES

port-object eq 1433

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

object-group service crashplan-4282 tcp

port-object eq 4282

access-list nonat extended permit ip any 10.10.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0

access-list nonat extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list nonat extended permit ip host 1.1.1.98 10.100.0.0 255.255.0.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list nonat extended permit ip any 10.20.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0

access-list nonat extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive

access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https

access-list outside_access_in extended permit udp any host 2.2.2.20 eq 1434

access-list outside_access_in extended permit tcp any host 2.2.2.20 eq 1433 inactive

access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https

access-list outside_access_in remark HTTP for TeamWeb

access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www

access-list outside_access_in remark HTTPS for TeamWeb

access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https

access-list outside_access_in extended permit icmp host 10.100.0.1 any

access-list outside_access_in extended deny icmp any any

access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0

access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0

access-list Split_Tunnel_List standard permit 10.20.0.0 255.255.0.0

access-list Split_Tunnel_List standard permit 10.100.0.0 255.255.0.0

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive

access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https

access-list outside_access_in_1 remark FTPS

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive

access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host CRASHPLAN-EXT-OUT object-group crashplan-4282

access-list outside_access_in_1 extended deny icmp any any

access-list inside_access_out extended permit ip any any log

access-list CORVID-WC_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0

access-list CORVID-WC_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 512

logging trap informational

logging asdm informational

logging from-address asa@**COMPANY**.com

logging recipient-address jwright@**COMPANY**.com level errors

logging host inside 10.10.2.12

logging permit-hostdown

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302012

no logging message 302017

no logging message 302016

mtu backup 1500

mtu inside 1500

mtu outside2 1500

mtu outside 1500

mtu management 1500

ip local pool IPSECVPN2 10.10.11.76-10.10.11.100

ip local pool SSLVPN 10.10.11.101-10.10.11.200 mask 255.255.0.0

ip local pool IPSECVPN 10.10.11.25-10.10.11.75

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

global (backup) 1 2.2.2.132

global (outside) 1 1.1.1.99 netmask 255.255.255.224

nat (inside) 0 access-list nonat

nat (inside) 1 10.10.0.0 255.255.0.0

static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255

static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255

static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255

static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255

static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255

static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255

static (inside,backup) FILETRANSFER-EXT-BAK FILETRANSFER-INT netmask 255.255.255.255

static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255

static (inside,backup) AUTHENTICA-EXT-BAK AUTHENTICA-INT netmask 255.255.255.255

static (inside,backup) ALEXSYS-EXT-BAK MIDOHIO-INT netmask 255.255.255.255

static (inside,outside) CRASHPLAN-EXT-OUT CRASHPLAN-INT netmask 255.255.255.255

access-group outside_access_in in interface backup

access-group inside_access_out in interface inside

access-group outside_access_in_1 in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.97 1 track 1

route backup 0.0.0.0 0.0.0.0 2.2.2.129 254

route backup 62.109.192.0 255.255.240.0 2.2.2.129 1

route backup 64.68.96.0 255.255.224.0 2.2.2.129 1

route backup 66.114.160.0 255.255.240.0 2.2.2.129 1

route backup 66.163.32.0 255.255.240.0 2.2.2.129 1

route backup 209.197.192.0 255.255.224.0 2.2.2.129 1

route backup 210.4.192.0 255.255.240.0 2.2.2.129 1

timeout xlate 3:00:00

timeout conn 24:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  http-proxy enable

aaa-server PMERADIUS protocol radius

aaa-server PMERADIUS (inside) host HOMESTEAD-INT

key ******

radius-common-pw ******

aaa authentication ssh console LOCAL

http server enable

http 10.10.0.0 255.255.0.0 inside

http 172.17.0.0 255.255.255.0 management

http redirect backup 80

http redirect outside 80

snmp-server location Server Room

snmp-server contact Jay Wright

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 100

type echo protocol ipIcmpEcho 216.216.216.216 interface outside

timeout 3000

frequency 10

sla monitor schedule 100 life forever start-time now

crypto ipsec transform-set PM1 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec df-bit clear-df outside

crypto dynamic-map dyn1 1 set pfs group1

crypto dynamic-map dyn1 1 set transform-set PM1

crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800

crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set reverse-route

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1

crypto map cryptomap1 interface backup

crypto map outside_map 20 match address KINCEY_CRYPTO

crypto map outside_map 20 set peer KINCEY-NC

crypto map outside_map 20 set transform-set PM1

crypto map outside_map 30 match address CORVID-WC_CRYPTO

crypto map outside_map 30 set peer CORVID-WC

crypto map outside_map 30 set transform-set PM1

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint vpn.**COMPANY**.com

enrollment terminal

fqdn vpn.**COMPANY**.com

subject-name CN=vpn.**COMPANY**.com, O=Pratt & Miller Engineering, C=US, St=MI, L=New Hudson

keypair vpn.**COMPANY**.com

crl configure

crypto ca certificate chain vpn.**COMPANY**.com

certificate ca 0301

    308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500

    ***********

    776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee

  quit

certificate 041200616c79f4

    30820577 3082045f a0030201 02020704 1200616c 79f4300d 06092a86 4886f70d

   ***********

    5c940b2a 0083979e aad3794a 040d54bc ef874aa1 9a12944f b4aeef

  quit

crypto isakmp identity address

crypto isakmp enable backup

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp nat-traversal 33

!

track 1 rtr 100 reachability

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 64.22.86.210 source backup prefer

ssl trust-point vpn.**COMPANY**.com outside2

ssl trust-point vpn.**COMPANY**.com backup

ssl trust-point vpn.**COMPANY**.com outside

webvpn

enable backup

enable outside2

enable outside

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3

svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 4

svc profiles AllowRemoteUsers disk0:/AnyConnectProfile20121003.xml

svc enable

internal-password enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 10.10.2.1

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain none

group-policy DfltGrpPolicy attributes

dns-server value 10.10.2.1 10.10.2.62

vpn-idle-timeout 600

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

default-domain value pme.local

webvpn

  url-list value Book1

  svc profiles value AllowRemoteUsers

  svc ask enable default webvpn timeout 10

group-policy AnyConnect internal

group-policy AnyConnect attributes

vpn-tunnel-protocol webvpn

webvpn

  svc ask enable default webvpn timeout 15

username **** password **** encrypted privilege 15

username **** password **** encrypted privilege 15

username **** password **** encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup general-attributes

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool (backup) IPSECVPN2

address-pool (outside2) IPSECVPN2

address-pool (outside) SSLVPN

address-pool SSLVPN

authentication-server-group PMERADIUS

tunnel-group pm_ipsec type remote-access

tunnel-group pm_ipsec general-attributes

address-pool IPSECVPN2

tunnel-group pm_ipsec ipsec-attributes

pre-shared-key *

tunnel-group **COMPANY** type remote-access

tunnel-group **COMPANY** general-attributes

address-pool IPSECVPN

tunnel-group **COMPANY** ipsec-attributes

pre-shared-key *

tunnel-group 2.2.2.20 type ipsec-l2l

tunnel-group 2.2.2.20 ipsec-attributes

pre-shared-key *

tunnel-group 68.68.68.68 type ipsec-l2l

tunnel-group 68.68.68.68 ipsec-attributes

pre-shared-key *

tunnel-group 12.12.12.12 type ipsec-l2l

tunnel-group 12.12.12.12 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 1024

policy-map global_policy

class inspection_default

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

  inspect icmp

class class-default

!

service-policy global_policy global

smtp-server 10.10.2.6

prompt hostname context

Cryptochecksum:07619858a9af4b27c5f4104bc3c95018

: end
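Before pulling captures or touching MSS, a quick way to localize the disconnects is to look at which side tore each connection down, since the build and teardown messages are the only logs mentioned so far. This added Python helper (not from the thread or from Cisco) pairs 302013 build and 302014 teardown messages by connection id, classifies the teardown reason (TCP Reset-O from the outside peer, TCP Reset-I from the inside host, TCP FINs for a normal close) and lists large transfers that ended in something other than FINs; it runs on constructed sample lines and assumes those two message ids actually reach the syslog host, which the config above currently suppresses with `no logging message 302013` and `no logging message 302014`.

```python
import re
from collections import Counter

# Message formats as logged at "logging trap informational" (302013/302014 are level 6).
BUILD_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<a_if>[\w-]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<b_if>[\w-]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<a_if>[\w-]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"to (?P<b_if>[\w-]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def classify(reason):
    """Map the ASA teardown reason to the side that ended the session."""
    r = reason.lower()
    if "reset-o" in r:
        return "reset by outside peer"   # RST arrived on the lower-security interface
    if "reset-i" in r:
        return "reset by inside host"    # RST came from the inside client
    return "normal close" if "fins" in r else "asa/other"  # timeouts, inspection, ...

def pair_sessions(lines):
    """Join each 302014 teardown to its 302013 build by connection id."""
    builds, sessions = {}, {}
    for line in lines:
        m = BUILD_RE.search(line)
        if m:
            builds[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in builds:      # teardowns without a build are ignored
            builds.pop(m["id"])
            sessions[m["id"]] = {
                "peer": f"{m['a_if']}:{m['a_ip']}/{m['a_port']}",
                "host": f"{m['b_if']}:{m['b_ip']}/{m['b_port']}",
                "seconds": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                "bytes": int(m["bytes"]),
                "reason": m["reason"],
                "ending": classify(m["reason"]),
            }
    return sessions

def suspect_transfers(sessions, min_bytes=1_000_000):
    """Large transfers that did not end with FINs: the flows worth capturing next."""
    return {cid: s for cid, s in sessions.items()
            if s["bytes"] >= min_bytes and s["ending"] != "normal close"}

def summarize(sessions):
    """Count how sessions ended; many Reset-O at random byte counts points upstream."""
    return Counter(s["ending"] for s in sessions.values())

# Constructed sample lines in the 302013/302014 format (not taken from the thread).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 71001 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.10.5.20/51234 (1.1.1.99/51234)
%ASA-6-302013: Built outbound TCP connection 71002 for outside:203.0.113.11/443 (203.0.113.11/443) to inside:10.10.5.21/51300 (1.1.1.99/51300)
%ASA-6-302013: Built outbound TCP connection 71003 for outside:203.0.113.12/80 (203.0.113.12/80) to inside:10.10.5.22/51400 (1.1.1.99/51400)
%ASA-6-302014: Teardown TCP connection 71001 for outside:203.0.113.10/80 to inside:10.10.5.20/51234 duration 0:04:12 bytes 230686720 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 71002 for outside:203.0.113.11/443 to inside:10.10.5.21/51300 duration 0:00:40 bytes 153092096 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 71003 for outside:203.0.113.12/80 to inside:10.10.5.22/51400 duration 0:00:03 bytes 48213 TCP FINs
%ASA-6-302014: Teardown TCP connection 71004 for outside:203.0.113.13/80 to inside:10.10.5.23/51500 duration 0:00:30 bytes 0 SYN Timeout
""".splitlines()
```

Run `summarize(pair_sessions(lines))` over a day of syslog from 10.10.2.12 once the two message ids are re-enabled; a pile of Reset-O teardowns at random byte counts points at the WiMax side, while Reset-I or "asa/other" endings point at the client or the ASA itself.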

You have Backup ISP, have you tried to rollover to the Other one and see if the issue persist?

Mike Rojas

Mike

I have not only because I can connect outside our firewall and download without issue.  Also because it is only a T1 and most of our services do not fail over.  It just allows for email/webmail and internet access. 

Ok,

To make that a valid test, grab that IP and the laptop, connect it on the inside, set a one to one translation and do the same download and see if it fails. (Make sure to clear the local host of the laptop) 

Let me know.

Mike

Mike

So. Keep the external IP I used on the laptop. Connect it to the inside interface. Flush the DNS.

Would the one to one translation be:

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

If I were using 1.1.1.1 on that laptop

I will also try the backup T1 by routing my traffic to that interface.

Message was edited by: Jay Wright

Good,

Let me know.

Mike

Mike