Problems with 8.2(3)

kathy-kat
Level 1

Hello Everyone!!!

I had a little problem with the ASA 5520 with 8.2(3)!!

This appliance had been working fine since one month ago, but last week the ISP made some changes on the E1 and we have some problems with the connection to the Internet. This problem is so recurrent that at some hours of the day we lose connectivity; for example, at 11:00am the connection is very slow until it fails and the connection is lost, then the connection comes back.

Today we had some problems with the link. To rule out the ISP, we connected a PC to the perimeter router and everything worked; when we were going to review the ASA, it was restored and had an Internet connection. From that moment the connection was stable; sometimes it was slow but did not fall.

By late afternoon, the connection was lost again. I did the same test, connecting a machine to the router, and it worked; when I connected through the ASA there was no connection, so it was decided to restart it and it worked.


We think it may be an image problem, because if it was the configuration, it would never have worked.

Previously we had problems entering the ASDM; it indicated that it could not access due to an error I cannot remember, and seeking support in the community I saw that the recommendation was to restart the ASA. I would like to know which is the most stable version for the ASA 5520?

Any idea???

KC

4 Replies

Maykol Rojas
Cisco Employee

Katherine,

This is Mike, how are you? These issues are a headache for any network administrator. You state that when you reload the ASA, the connection goes up again, is that right? There is no "more stable" version, but it is always recommended to run the latest on your train, in this case 8.2.5. If you would like to troubleshoot the issue (as far as I remember there is no bug regarding this behavior on an ASA 5520) we will need the captures on the inside interface of the ASA as well as on the outside.

This is because we would like to see if the packets are arriving at the ASA and being forwarded to the next hop (in this case the ISP router).

Here is how you can do a packet capture (the <...> placeholders are the hosts and addresses you fill in; the forum stripped them from the original post):

******* Capture configuration ******

{Enable GUI interface:}

! permits HTTPS management from any inside address; narrow it to the admin subnet if you can
http 0 0 inside
http server enable

{For outside interface:}

access-list capture1 permit ip host <src-ip> host <dst-ip>
access-list capture1 permit ip host <dst-ip> host <src-ip>

{For inside interface:}

access-list capture2 permit ip host <src-ip> host <dst-ip>
access-list capture2 permit ip host <dst-ip> host <src-ip>

capture tcpin access-list capture1 interface outside
capture tcpout access-list capture2 interface inside

****** To download the files then... *****

Open the browser

https://<asa-inside-ip>/capture/tcpin/pcap
https://<asa-inside-ip>/capture/tcpout/pcap

Note:

Username: blank = no name
Password: {enable password}

********* To delete them *********

clear access-list capture1
clear access-list capture2
no capture tcpin
no capture tcpout

********** End *********

Also, gathering the logs as the problem happens would be a great troubleshooting step. Another thing to take into consideration is that your test with the PC would have been optimal if the PC had the IP address of the ASA firewall, to discard a temporary blacklist on the ISP.

I've seen this behavior before and it was a software bug, but on the ASA 5505 explicitly, not on the ASA 5520 platform.

Anyways for summary:

captures

syslogs

Try to ping the default gateway from the ASA

Try to ping 4.2.2.2 from the ASA

Clear ARP and see if the connection is restored (may be an ARP problem)

Computer on the outside with the firewall IP and try to access the internet.

Hope this is useful

Mike

Hello Mike,

Thanks for your answer!! Today we had the same problem; when the connection failed, I checked the ASDM log and I could see the following:

4|May 26 2011 10:53:21|401004: Shunned packet: Servidor-Proxy ==> 205.178.184.21 on interface inside.

So the problem was that the ASA was blocking the connection from the proxy server. When we deleted the command threat-detection basic-threat, the connection was restored, so we had to edit the command threat-detection scanning-threat shun and we changed it to threat-detection scanning-threat shun except ip-address Servidor-Proxy 255.255.255.255.

And for now everything is working fine.

KC
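Mike asked for syslogs gathered while the problem happens, and the 401004 line Kathy quoted is what gives the root cause away. The following Python is an added example, not code from the thread: it parses ASA 401004 "Shunned packet" messages in the ASDM log format shown above, counts shunned packets per source so a busy proxy stands out, and builds the scanning-threat exception line Kathy applied. The log lines are constructed samples modelled on the one in the thread.

```python
import re
from collections import Counter

# ASA syslog 401004 as ASDM shows it: "<sev>|<timestamp>|401004: Shunned packet: <src> ==> <dst> on interface <if>."
SHUN_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[A-Za-z]{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\|401004: "
    r"Shunned packet: (?P<src>\S+) ==> (?P<dst>\S+) on interface (?P<iface>\S+)\.$"
)

# Constructed sample log lines (the first one is the line quoted in the thread; the rest are made up).
SAMPLE_LOG = """\
4|May 26 2011 10:53:21|401004: Shunned packet: Servidor-Proxy ==> 205.178.184.21 on interface inside.
4|May 26 2011 10:53:22|401004: Shunned packet: Servidor-Proxy ==> 198.51.100.7 on interface inside.
6|May 26 2011 10:53:23|302013: Built outbound TCP connection 12345 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.0.0.5/51000 (203.0.113.2/51000)
4|May 26 2011 10:53:25|401004: Shunned packet: 10.0.0.77 ==> 198.51.100.7 on interface inside.
"""


def parse_shun_events(log_text):
    """Return one dict per 401004 message (severity, timestamp, src, dst, iface); other IDs are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SHUN_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def shunned_sources(log_text):
    """Count shunned packets per source host; a proxy that fronts many clients will dominate."""
    return Counter(e["src"] for e in parse_shun_events(log_text))


def shun_exception_command(host, mask="255.255.255.255"):
    """Build the exception Kathy used instead of dropping basic threat detection altogether.
    The host is passed through as given; on the ASA it must be an IP or a configured name."""
    return f"threat-detection scanning-threat shun except ip-address {host} {mask}"


if __name__ == "__main__":
    counts = shunned_sources(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} shunned packet(s)")
    noisiest, _ = counts.most_common(1)[0]
    print(shun_exception_command(noisiest))
```

Exempting only the proxy keeps scanning-threat shun active for every other inside host, which is the point of the "except" form over removing threat-detection entirely.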

Hello Kathy,

Excellent troubleshooting. This is normal when you have a proxy server, since the ASA will see only one host making a lot of requests on port 80 to the outside. The shun except was really the way to go.

Glad that everything is working.

Pura Vida!

Mike

walter baziuk
Level 5

same issue here

All of a sudden the ASA with the FP module would start blocking the inside interface.

I reload the ASA and it runs fine for minutes, hours or even days at a time and then POW, all inside traffic is shunned.

I did this:

 threat-detection scanning-threat shun except <ip> <mask>

using the RTR-to-ASA inside IP subnet only, as the RTR is doing NAT

so far no issues );
