Probable trouble with ASA-SSM-CSC-20 (?)

Joerg -
Level 1

Hi there,

since a couple of days we notice the following major glitches in the network:

- FTP services temporarily not available from LAN to DMZ and from WAN (via VPN) to LAN, while FTP connections from WAN to DMZ are working. The time range is from several minutes to several hours.

- Internet services (such as HTTP and HTTPS, POP3, SMTP) not available from LAN to WAN, while FTP traffic (in- and outbound) is still working.

The system is recovering after a certain period of time (from several minutes to several hours) without any user administrative access.

I noticed that the CSC device was at 100% CPU utilization for several minutes. This leads me to the conclusion that it could be the ASA-SSM-CSC-20.

We are using -2- ASA5520 (ASA version 8.4(1)) with ASA-SSM-CSC-20 (version 6.6.1125.0) in active/active failover mode. If we switch from standby to active the problem recovers fully immediately.

There was no change in any configuration on ASAs, switches and workstations.

Is there any hint or idea where to look?

Cheers,

Joerg

4 Replies

Julio Carvajal
VIP Alumni

Hello Vorname,

Can you check if you are running any logging at debug level in the Trend Micro GUI?

If you do not have that enabled, can you send me the ACL you are using to send the traffic to the CSC module?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hola Julio,

thanks for the answer.

Debug is disabled.

Syslog shows messages like

Jan 26 10:14:31 ASA5520CSC01 21184512: 2012-01-26T10:14:31+0000 The maximum number of connections for FTP has been reached. New connections will be kept in a backlog and may time out.

But this will not explain the 100% CPU load on the CSC module, or will it...?

We have massive inbound FTP sessions (approx. 220 sessions/s) via VPN (192.168.208.0/21) to our DMZ. A "sh conn port 21" shows approx. 4000 open sessions, with many sessions older than 2 hrs (up to 50 hrs: the time since the ASA has been rebooted...). Any idea what causes the ASA to keep these connections open??

Regards,

Joerg

Hello Vorname,

Can you share:

-sh run policy-map

-sh run | include timeout

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

your wish is my command!

ASA-Aachen# sh run policy-map
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
  inspect icmp
  inspect dns dynamic-filter-snoop
  inspect waas
 class class-default
  flow-export event-type all destination 192.168.37.19
policy-map csc_out_policy
 class csc_outbound_class
  csc fail-close
policy-map csc_in_policy
 class csc_inbound_class
  csc fail-close

ASA-Aachen# sh run | include timeout
flow-export template timeout-rate 1
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
telnet timeout 5
ssh timeout 60
console timeout 0


Best regards,

Joerg
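The thread hinges on two things: the "sh conn port 21" output showing thousands of old FTP sessions, and the "timeout conn 1:00:00" line in the running config. `timeout conn` is an idle timeout, so a busy FTP control session can legitimately stay open for days; the entries worth flagging are the ones whose idle time already exceeds the configured timeout, since those should have been torn down. The script below is an added example and not part of the thread or of any Cisco tool: it parses a constructed sample of `show conn` lines (the 8.4-style "TCP <if> host:port <if> host:port, idle H:MM:SS, bytes N, flags F" layout is an assumption), reads the idle timeout from the `timeout conn` line quoted above, and reports which entries are stale. The host addresses and byte counts in the sample are made up.

```python
import re
from datetime import timedelta

# Constructed sample "show conn port 21" output. The column layout assumes the
# ASA 8.4-style line format; adjust CONN_RE if your release prints it differently.
SAMPLE_SHOW_CONN = """\
TCP outside 192.168.208.15:51234 dmz 10.10.1.5:21, idle 0:00:03, bytes 1420, flags UIO
TCP outside 192.168.208.77:49821 dmz 10.10.1.5:21, idle 1:12:40, bytes 230, flags UIO
TCP outside 192.168.208.20:50111 dmz 10.10.1.5:21, idle 0:58:59, bytes 88, flags UI
TCP outside 192.168.208.42:60002 dmz 10.10.1.5:21, idle 5:03:11, bytes 0, flags saA
"""

# The timeout line exactly as it appears in the "sh run | include timeout" output above.
TIMEOUT_LINE = "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02"

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src_if>\S+)\s+(?P<src>\S+)\s+(?P<dst_if>\S+)\s+(?P<dst>\S+),"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


def parse_hms(value):
    """Convert an ASA H:MM:SS string into a timedelta."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_conn_timeout(line):
    """Return the TCP idle timeout ('timeout conn H:MM:SS') from a running-config line."""
    match = re.search(r"\btimeout conn (\d+:\d\d:\d\d)", line)
    if match is None:
        raise ValueError("no 'timeout conn' value found")
    return parse_hms(match.group(1))


def parse_show_conn(text):
    """Parse 'show conn' lines into dicts; lines that do not match the layout are skipped."""
    conns = []
    for raw in text.splitlines():
        match = CONN_RE.match(raw.strip())
        if match is None:
            continue
        fields = match.groupdict()
        fields["idle"] = parse_hms(fields["idle"])
        fields["bytes"] = int(fields["bytes"])
        # The 'U' flag means the TCP handshake completed; without it the entry is
        # still embryonic (e.g. 'saA' = awaiting SYN/ACK on one side).
        fields["established"] = "U" in fields["flags"]
        conns.append(fields)
    return conns


def stale_connections(conns, conn_timeout):
    """Entries whose idle time meets or exceeds the configured idle timeout.

    A long-lived but active session is normal; an entry idle longer than
    'timeout conn' should already have been removed and deserves a closer look."""
    return [c for c in conns if c["idle"] >= conn_timeout]


def report(text=SAMPLE_SHOW_CONN, timeout_line=TIMEOUT_LINE):
    """Summarise the connection table against the configured idle timeout."""
    conns = parse_show_conn(text)
    conn_timeout = parse_conn_timeout(timeout_line)
    stale = stale_connections(conns, conn_timeout)
    return {
        "total": len(conns),
        "established": sum(1 for c in conns if c["established"]),
        "conn_timeout": conn_timeout,
        "stale": [(c["src"], c["dst"], c["idle"]) for c in stale],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it against a saved `show conn port 21` capture by passing the file contents to `report()`; a large number of stale entries points at the connection table not being aged as configured, while thousands of non-stale, established entries simply reflect clients holding their control sessions open.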
