Packet drop

cisco_sigfa
Level 1

Hello, Everyone!

I have a problem with an ASA Version 8.2; when I try this port it sends me the following result:

PERIMETRAL#packet-tracer input dmz5 tcp 10.16.120.66 1026 10.1.115.31 5001 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz4,dmz5) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
nat-control
  match ip dmz4 host SVDGTEC51 dmz5 any
    static translation to 10.1.115.31
    translate_hits = 417, untranslate_hits = 6028
Additional Information:
NAT divert to egress interface dmz4
Untranslate 10.1.115.31/0 to SVDGTEC51/0 using netmask 255.255.255.255

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.16.120.0     255.255.255.128 dmz5

Result:
input-interface: dmz5
input-status: up
input-line-status: up
output-interface: dmz5
output-status: up
output-line-status: up
Action: drop
Drop-reason: (conn-limit) Connection limit reached

I have searched the statics but I have no limit on them; does someone have an idea of what could be the cause of the problem?

Regards

Edmundo Vado

5 Replies

Jennifer Halim
Cisco Employee

Connection limit can also be configured under "policy-map"/"class-map" configuration. You might want to check if it has been configured under MPF.

The command is under "set connection" command line.
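To make the two checks in this thread repeatable, here is an added example (not from the thread or from Cisco) that parses packet-tracer output into its phases and final verdict, and then scans a pre-8.3 running-config for every place a connection limit can live: the per-translation `tcp max [emb]` / `udp max` options on `static` and `nat` lines, and `set connection ...` under a policy-map class (MPF). Both inputs below are constructed samples in the same shape as the thread's output; the limit values in the config are made up for the example and are not the poster's configuration.

```python
import re

# Constructed sample: a trimmed packet-tracer output in the same shape as the
# thread's, ending in the conn-limit drop. Not the original's full output.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz4,dmz5) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns

Result:
input-interface: dmz5
output-interface: dmz5
Action: drop
Drop-reason: (conn-limit) Connection limit reached
"""

# Constructed running-config excerpt with hypothetical limits (the thread's own
# statics carry none); every number here is made up for the example.
SAMPLE_CONFIG = """\
static (dmz4,dmz5) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns
static (dmz4,outside) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 tcp 200 50 dns
nat (inside) 1 10.0.0.0 255.0.0.0 tcp 1000 100
class-map dmz-servers
 match access-list dmz-servers-acl
policy-map dmz-policy
 class dmz-servers
  set connection conn-max 500 embryonic-conn-max 100
 class class-default
  set connection per-client-max 20
service-policy dmz-policy interface dmz5
"""

MPF_KEYS = r"(conn-max|embryonic-conn-max|per-client-max|per-client-embryonic-max) (\d+)"


def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the final verdict.
    Returns (phases, verdict): each phase has phase/type/subtype/result;
    verdict has 'action' and, for drops, the 'drop_code' in parentheses."""
    phases, current = [], None
    verdict = {"action": None, "drop_code": None, "drop_text": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": None,
                       "subtype": None, "result": None}
            phases.append(current)
        elif line == "Result:":
            current = None  # a bare "Result:" opens the final verdict block
        elif current is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    current[key.lower()] = line.split(":", 1)[1].strip() or None
        elif line.startswith("Action:"):
            verdict["action"] = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            m = re.match(r"Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.*)", line)
            if m:
                verdict["drop_code"], verdict["drop_text"] = m.group("code"), m.group("text")
    return phases, verdict


def find_connection_limits(config):
    """Return every static/nat line carrying tcp/udp limits and every
    'set connection' line under a policy-map class."""
    hits, policy, klass = [], None, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith(("static (", "nat (")):
            # Look only past 'netmask' on static lines so the 'tcp' protocol
            # keyword of a port static is not mistaken for a limit.
            tail = s.split(" netmask ", 1)[-1] if s.startswith("static (") else s
            limits = {}
            m = re.search(r"\btcp (\d+)(?: (\d+))?", tail)
            if m:
                limits["tcp-max"] = int(m.group(1))
                if m.group(2):
                    limits["tcp-embryonic-max"] = int(m.group(2))
            m = re.search(r"\budp (\d+)", tail)
            if m:
                limits["udp-max"] = int(m.group(1))
            if limits:
                hits.append({"source": s.split(" ", 1)[0], "where": s, "limits": limits})
        elif s.startswith("policy-map "):
            policy, klass = s.split(" ", 1)[1], None
        elif s.startswith("class ") and policy:
            klass = s.split(" ", 1)[1]
        elif s.startswith("set connection") and policy and klass:
            limits = {k: int(v) for k, v in re.findall(MPF_KEYS, s)}
            if limits:
                hits.append({"source": "mpf", "limits": limits,
                             "where": f"policy-map {policy} / class {klass}"})
        elif raw and not raw.startswith(" "):
            policy, klass = None, None  # left the policy-map block


    return hits


def diagnose(trace, config):
    """For a conn-limit drop, list the config spots that could enforce it."""
    _, verdict = parse_packet_tracer(trace)
    if verdict["action"] != "drop" or verdict["drop_code"] != "conn-limit":
        return []
    return find_connection_limits(config)


if __name__ == "__main__":
    for hit in diagnose(SAMPLE_TRACE, SAMPLE_CONFIG):
        print(hit["source"], hit["where"], hit["limits"])
```

Feed it the text of `show running-config` and the packet-tracer output; an empty result for a conn-limit drop means none of these three configuration places sets a limit, which is the situation the thread ends up in and the point at which clearing connections and xlates, then checking syslog, becomes the next step.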

I have checked and I do not have any policy map configured with connection limits; what else should I check?

Regards

Edmundo

Hi Edmundo,

To begin troubleshooting this, I would suggest you check the syslogs at the time of the issue as well. When you try to access the server, does it not connect? I would suggest you collect the logs as well.

If the connection limit is not set on the ASA, and it should be 65535 only, then my suggestion to you would be to clear the connections and xlates and check it again; it should not be an issue after that. But if it is a live production firewall, then you would need to plan it out, since it would need some downtime.

Let me know how it goes.

Thanks,

Varun

Thanks,
Varun Rao

Hello, Varun!

I have cleared the xlates and even restarted the ASA, asking my boss for downtime. I have checked all the translations to that server but they do not have connection limits configured, as you can see above; the one that is in bold is the problematic one. I will wait until tomorrow to see if the problem presents again.

static (dmz4,inside) tcp 10.1.115.31 smtp SVDGTEC51 smtp netmask 255.255.255.255  dns

static (dmz4,dmz6-tmp) tcp 10.1.115.31 smtp SVDGTEC51 smtp netmask 255.255.255.255  dns

static (dmz4,dmz5) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns

static (dmz4,outside) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns

static (outside,dmz4) SVDGTEC51 10.1.115.31 netmask 255.255.255.255 dns

static (dmz4,outside-s) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns

static (dmz4,siscae) 10.1.115.31 SVDGTEC51 netmask 255.255.255.255 dns

Regards

Edmundo

input-interface: dmz5

input-status: up

input-line-status: up

output-interface: dmz5

What does the route look like?

sh run route | i  dmz5|dmz4

-KS
