01-25-2012 07:43 AM - edited 03-11-2019 03:19 PM
Hi there,
For a couple of days we have noticed the following major glitches in the network:
- FTP services temporarily not available from LAN to DMZ and from WAN (via VPN) to LAN, while FTP connections from WAN to DMZ are working. The time range is from several minutes to several hours.
- Internet services (such as HTTP and HTTPS, POP3, SMTP) not available from LAN to WAN while FTP traffic (in- and outbound) still working.
The system is recovering after a certain period of time (from several minutes to several hours) without any user administrative access.
I noticed that the CSC device was at 100% CPU utilization for several minutes. This leads me to the conclusion that it could be the ASA-SSM-CSC-20.
We are using -2- ASA5520 (ASA version 8.4(1)) with ASA-SSM-CSC-20 (version 6.6.1125.0) in active/active failover mode. If we switch from standby to active the problem recovers fully immediately.
There was no change in any configuration on ASAs, switches and workstations.
Is there any hint or idea where to look?
Cheers,
Joerg
01-25-2012 10:20 AM
Hello Vorname,
Can you check if you are running any logging in debug level on the Trend Micro GUI.
If you do not have that enabled, can you send me the ACL you are using to send the traffic to the CSC module?
Regards,
Julio
01-26-2012 04:14 AM
Hola Julio,
thanks for the answer.
Debug is disabled.
Syslog shows messages like
Jan 26 10:14:31 ASA5520CSC01 21184512: 2012-01-26T10:14:31+0000 The maximum number of connections for FTP has been reached. New connections will be kept in a backlog and may time out.
But this will not explain the 100% CPU load on the CSC module, or will it...?
We have massive inbound FTP sessions (approx. 220 sessions/s) via VPN (192.168.208.0/21) to our DMZ. A "sh conn port 21" shows approx. 4000 open sessions with many sessions older than 2hrs (up to 50hrs: the time since the ASA has been rebooted...). Any idea what causes the ASA to have the connections still open??
Regards,
Joerg
01-26-2012 09:16 AM
Hello Vorname,
Can you share:
-sh run policy-map
-sh run | include timeout
Regards,
Julio
01-26-2012 11:44 PM
Hello Julio,
Your wish is my command!
ASA-Aachen# sh run policy-map
!
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ftp
inspect icmp
inspect dns dynamic-filter-snoop
inspect waas
class class-default
flow-export event-type all destination 192.168.37.19
policy-map csc_out_policy
class csc_outbound_class
csc fail-close
policy-map csc_in_policy
class csc_inbound_class
csc fail-close
ASA-Aachen# sh run | include timeout
flow-export template timeout-rate 1
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
telnet timeout 5
ssh timeout 60
console timeout 0
Best regards,
Joerg