06-03-2011 11:30 AM - edited 03-11-2019 01:42 PM
Hello, Everyone!
I have a problem with an ASA version 8.2; when I try this port it gives me the following result:
PERIMETRAL#packet-tracer input dmz5 tcp 10.16.120.66 1026 10.1.115.31 5001 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz4,dmz5) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
nat-control
match ip dmz4 host SVDGTEC51 dmz5 any
static translation to 10.1.115.31
translate_hits = 417, untranslate_hits = 6028
Additional Information:
NAT divert to egress interface dmz4
Untranslate 10.1.115.31/0 to SVDGTEC51/0 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.16.120.0 255.255.255.128 dmz5
Result:
input-interface: dmz5
input-status: up
input-line-status: up
output-interface: dmz5
output-status: up
output-line-status: up
Action: drop
Drop-reason: (conn-limit) Connection limit reached
I have searched the statics but I have no limit on them; does someone have an idea of what the cause of the problem could be?
Regards
Edmundo Vado
06-05-2011 08:43 PM
Connection limit can also be configured under "policy-map"/"class-map" configuration. You might want to check if it has been configured under MPF.
The command is under "set connection" command line.
06-06-2011 03:36 PM
I have checked and I do not have any policy map configured with connection limits; what else should I check?
Regards
Edmundo
06-06-2011 11:45 PM
Hi Edmundo,
To begin troubleshooting this I would suggest you also check the syslogs at the time of the issue. When you try to access the server, does it not connect? I would suggest you collect the logs as well.
If the connection limit is not set on the ASA (it should be 65535 only), then my suggestion would be to clear the connections and xlates and check it again; it should not be an issue after that. But if it is a live production firewall you would need to plan it out, since it would need some downtime.
Let me know how it goes.
Thanks,
Varun
06-08-2011 01:26 PM
Hello, Varun!
I have cleared the xlates and even restarted the ASA, after asking my boss for downtime. I have checked all the translations to that server, but they do not have connection limits configured, as you can see below; the one that is in bold is the problematic one. I will wait until tomorrow to see if the problem appears again.
static (dmz4,inside) tcp 10.1.115.31 smtp SVDGTEC51 smtp netmask 255.255.255.255 dns
static (dmz4,dmz6-tmp) tcp 10.1.115.31 smtp SVDGTEC51 smtp netmask 255.255.255.255 dns
static (dmz4,dmz5) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
static (dmz4,outside) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
static (outside,dmz4) SVDGTEC51 10.1.115.31 netmask 255.255.255.255 dns
static (dmz4,outside-s) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
static (dmz4,siscae) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
Regards
Edmundo
06-08-2011 08:09 PM
input-interface: dmz5
input-status: up
input-line-status: up
output-interface: dmz5
What does the route look like?
sh run route | i dmz5|dmz4
-KS
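The thread turns on reading two things out of the packet-tracer output: the Drop-reason in the final Result block (here "(conn-limit) Connection limit reached") and, as KS points out, the fact that the UN-NAT phase diverts to dmz4 while the route lookup sends the packet back out dmz5. The following Python script is an added example, not code from the thread or from Cisco; it parses the packet-tracer output posted at the top of the thread (embedded as sample input, with phase 1 omitted for brevity) into phases and a summary, extracts the drop code and the NAT divert interface, and lists the checks the replies suggest (max_conns on the static, "set connection" under MPF, "show conn count", the route for the destination). The function names and the triage wording are this example's own.

```python
import re

# Sample input: the packet-tracer output from the first post in this thread,
# with phase 1 (FLOW-LOOKUP) omitted to keep the example short.
SAMPLE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz4,dmz5) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
nat-control
match ip dmz4 host SVDGTEC51 dmz5 any
static translation to 10.1.115.31
translate_hits = 417, untranslate_hits = 6028
Additional Information:
NAT divert to egress interface dmz4
Untranslate 10.1.115.31/0 to SVDGTEC51/0 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.16.120.0 255.255.255.128 dmz5
Result:
input-interface: dmz5
input-status: up
input-line-status: up
output-interface: dmz5
output-status: up
output-line-status: up
Action: drop
Drop-reason: (conn-limit) Connection limit reached
"""

DROP_CODE_RE = re.compile(r"^\((?P<code>[^)]+)\)")
NAT_DIVERT_RE = re.compile(r"NAT divert to egress interface (\S+)")

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phases plus the final summary.
    A phase holds type/subtype/result and the lines under 'Config:' and
    'Additional Information:'; the summary is the key/value block after the
    bare 'Result:' line (interfaces, Action, Drop-reason)."""
    phases, summary = [], {}
    phase, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the final summary block
            in_summary, phase = True, None
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
        elif phase is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            phase[key.lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            phase[section].append(line)
    return {"phases": phases, "summary": summary}

def drop_code(parsed):
    """Short drop code such as 'conn-limit', or None if the packet was allowed."""
    s = parsed["summary"]
    if s.get("action") != "drop":
        return None
    m = DROP_CODE_RE.match(s.get("drop-reason", ""))
    return m.group("code") if m else s.get("drop-reason")

def nat_divert_interface(parsed):
    """Interface named by 'NAT divert to egress interface ...' in the UN-NAT phase."""
    for p in parsed["phases"]:
        if p["type"] == "UN-NAT":
            for line in p["info"]:
                m = NAT_DIVERT_RE.search(line)
                if m:
                    return m.group(1)
    return None

def triage(parsed):
    """Turn a parsed trace into a list of things worth checking next."""
    findings, s = [], parsed["summary"]
    code = drop_code(parsed)
    if code == "conn-limit":
        findings.append("conn-limit: check max_conns on the matching static/nat line, "
                        "'set connection' under any MPF policy-map, and 'show conn count'")
    elif code:
        findings.append(f"dropped with reason {code}")
    divert, out_if = nat_divert_interface(parsed), s.get("output-interface")
    if divert and out_if and divert != out_if:
        findings.append(f"UN-NAT diverts to {divert} but ROUTE-LOOKUP chose {out_if}: "
                        "compare the route for the destination with the static's interfaces")
    if s.get("input-interface") and s.get("input-interface") == out_if:
        findings.append(f"output interface equals input interface ({out_if})")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_packet_tracer(SAMPLE)):
        print("-", finding)
```

Run against the sample, the script reports the conn-limit drop with the three places to look, and separately flags that NAT diverted the packet to dmz4 while the route lookup kept it on dmz5, which is exactly the route question KS raises; on a trace that ends in Action: allow it reports nothing from the drop branch. To use it on a live device, paste the output of "packet-tracer ... detailed" into SAMPLE or read it from a file.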