
New ASA 5515-X causes problem for Web Application Server

apapakons
Level 1

In our computer room we have an ASA 5520 firewall. At some point we decided to replace this firewall with a new ASA 5515-X and we copied the exact configuration of the old ASA 5520 to the 5515-X. After the migration, a problem occurred between the LAN users and the application server through the 5515-X firewall. I have uploaded a print screen with the specific error:

 

FluentnHibernate - Tried to add 'moduleproperties' when already added.

It seems to be a programming error but by using the old firewall the application works like a charm.

Has anyone of you met this kind of problem before?


Accepted Solutions

Hi

 

This seems to be an exception caused while executing the code; it may not be an issue with the firewall. Can I know what components are enabled? Is IPS enabled? Have you checked any logs specific to this server?

If the app team still suspects the firewall, a snoop at the interface may help, but isolation of the exact issue should be the first task.

Regards

Raj


Dear Raj,

At the beginning I had enabled the https inspection and IPS. Later, while trying to isolate the problem, I removed from the service policy (of the interfaces) some commands in order to stop the forwarding of traffic to the IPS inspection engine (inline mode, internal interface) and the inspection of http traffic. The same error still remained, and the weird thing is that with my old Cisco ASA 5520 firewall the application works right. The only thing that I have not checked yet is the threat-detection mechanism of the firewall...

Hi

My question again: did you find any logs for the IPS? Is the URL you are browsing on 443?

As I said, the next step should probably be a debug of the connection (http traffic etc.), which can help understand if the firewall is blocking.

 

 

I did not find any IPS "events" (logs) regarding the application server... The application server uses TCP port 80...

 

Now that I remember, I used debug http on my 5515-X firewall for logs... I have attached the http debugging result.
The hostname of the application server is protocol.yppo.gr and its IP address is 10.2.129.53.

Hi

If you see the logs

>>>7AB11240:Exceeded MAX number of outstanding reqs - 10 in pipelined HTTP requests. Resetting Connection

The next troubleshooting step is to try changing the setting on the firewall for the embryonic connections/open connections.

Also check on the server whether connections are getting piled up; we need to understand from the server side why there is no response observed for all the requests. A server snoop might show if there is any malformation in the packets.

Hope you have tried from a compatible browser. Also, how about the http inspection status?

 

 

Hi Raj,

I had a configuration for the TCP embryonic connections but the number for resetting the TCP connection was not 10... I will check it out... You are right, it is generally a problem that has to be solved.

How can I check if the server connections are piled up... with the netstat command? For the server snoop should I use Wireshark or any similar program? I should not run Wireshark during working hours, should I?

About http inspection... I have applied it to the internal interface of my firewall for internal users... I disabled it and still had the same problem. I have tried different browsers from different PCs.

 

Hi

What server are you using? A snoop at the server will be no problem, you can try that, but the amount of data might be high. Please check the memory available.

 

 

 

Also, for the server connection piling, netstat would surely help; you should not find many TIME_WAITs. The web server software can also show this.
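
One way to run the netstat check suggested above, as an added example that is not part of the original thread: it counts TCP states for the web server's port from saved `netstat -an` output and reports states that exceed a threshold. The sample output, the function names `tcp_states` and `piled_up`, and the threshold of 2 are assumptions made for illustration.

```python
from collections import Counter

# Constructed `netstat -an` sample (not from the thread). Windows rows are
# "TCP local remote STATE"; Linux rows add Recv-Q and Send-Q before the addresses.
SAMPLE = """\
  TCP    0.0.0.0:80         0.0.0.0:0          LISTENING
  TCP    10.2.129.53:80     10.2.1.15:51234    ESTABLISHED
  TCP    10.2.129.53:80     10.2.1.15:51235    TIME_WAIT
  TCP    10.2.129.53:80     10.2.1.16:49822    TIME_WAIT
  TCP    10.2.129.53:80     10.2.1.17:50011    CLOSE_WAIT
  TCP    10.2.129.53:3389   10.2.1.15:51300    ESTABLISHED
tcp        0      0 10.2.129.53:80     10.2.1.18:40112    SYN_RECV
tcp        0      0 10.2.129.53:80     10.2.1.18:40113    TIME_WAIT
"""

# States that are normal for a healthy listener and are never reported.
NORMAL = {"LISTEN", "LISTENING", "ESTABLISHED"}


def tcp_states(netstat_text, local_port):
    """Count TCP connection states for sockets bound to local_port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        # Drop the Linux Recv-Q/Send-Q columns so both layouts line up.
        if fields[1].isdigit() and fields[2].isdigit():
            fields = fields[:1] + fields[3:]
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if local.rsplit(":", 1)[-1] == str(local_port):
            counts[state] += 1
    return counts


def piled_up(counts, limit):
    """Return the non-normal states whose count exceeds limit (assumed threshold)."""
    return {s: n for s, n in counts.items() if s not in NORMAL and n > limit}


if __name__ == "__main__":
    states = tcp_states(SAMPLE, 80)
    print(dict(states))
    print("piled up:", piled_up(states, limit=2))
```

Comparing the counts from a capture taken behind the old firewall with one taken behind the new firewall shows whether the server side is accumulating half-open or lingering connections.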

 
