
Random ASA5505 config reloads?

Alan Herriman
Level 1

I've been trying to track down intermittent problems with one of our branch office ASA5505s. The way we have been tracking it is primarily through ping/icmp connectivity. Occasionally our tracking software will report that it stops responding to ping requests, then in almost less than a minute it will start replying again. I'm allowing icmp to that interface and it is internal. Examining the logs, it almost looks like the config is being reloaded, but I've never seen this kind of log before, so I'm not sure if it is just sending its config to a host or actually reloading its config.

Here is the first part of it:

2011-10-17 07:05:05          Local4.Notice          192.168.22.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.20' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.21' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN1 192.168.254.9 1 track 1' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN98 192.168.254.9 1 track 2' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN202 192.168.254.9 1 track 3' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside 192.168.254.28 192.168.254.9 1 track 4' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN80 192.168.254.9 1 track 80' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN81 192.168.254.9 1 track 81' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN82 192.168.254.9 1 track 82' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route outside 0.0.0.0 173.162.39.138 1' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside LAN 192.168.254.9 1' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN112 192.168.254.9 1' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside 192.168.254.1 192.168.254.9 1' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'aaa local authentication attempts max-fail 5' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'http server enable 4443' command.

2011-10-17 07:05:05          Local4.Notice          192.168.254.10          Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'http 0.0.0.0 inside' command.

I've sanitized certain parts, but it does look like it's reloading the config. Has anyone run into this, or possibly know why this would happen?

Thanks in advance,

Alan

6 Replies

varrao
Level 10

Hi Alan,

These logs are due to command execution by users on the ASA. It does not point towards any ASA reload. Try looking in the logs for any possible cause for the ASA not responding. Take captures and check the arp entries when the ASA stops responding.

Captures:

https://supportforums.cisco.com/docs/DOC-17814

Varun

Thanks,
Varun Rao

I did a couple of captures but nothing stuck out as being a huge issue. I've been running a continuous ping on the interface all day and had no problems. The issue is so intermittent it is difficult to troubleshoot. Here is a diagram to help illustrate what I'm talking about.

My computer is off SW4, as is the monitoring software that detects the firewall stops responding to icmp. The device in question is the one called remote firewall. There is a T1 it has to cross, but I don't think that is related.

I am having the exact same problem. Every 6h or so the configuration is reloaded and that disrupts the operation of the FW for about 1 minute. It drops all connections during the time.

Have you ever found a solution?

Let me know. Thanks

Hi Khoa,

This was a pretty old problem of mine. I did end up finding a more stable version of code and migrating to that. Hopefully, that helps. I did not end up finding the specific bug causing the issue.

Best regards,

Alan

Thank you Alan. Any chance that your FW was a part of a High Availability cluster? I removed mine from a HA cluster and started having this issue.

Mine are 2 identical ASA5510s with the same code 8.2(5). I manually removed all of the "Failover" commands but the config keeps reloading itself every few hours with the same syslogs that you had.

Nerka
Level 1

It is the failover function. "show failover"

If failover is disabled, it also requires an additional disable in the system configuration:

conf ter
failover
failover standby config-lock
no failover
end
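
To line these bursts up against the ping outages discussed in the thread, the following added example (not part of any post here and not Cisco tooling) groups `%ASA-5-111008` lines by device and second and reports how far apart the bursts by user 'Config' are. The sample lines, the `admin` user and the threshold of 5 commands per second are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the syslog-server layout shown in the thread: receive time, facility.level,
# sending device, then the ASA's own text with the %ASA-5-111008 message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(?P<dev>\S+)\s+"
    r".*?%ASA-5-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.\s*$"
)

def find_config_bursts(text, user="Config", min_cmds=5):
    """Return {(device, second): [commands]} for seconds in which `user`
    ran at least `min_cmds` commands (min_cmds=5 is an assumed threshold)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["user"] == user:
            groups[(m["dev"], m["ts"])].append(m["cmd"])
    return {k: v for k, v in sorted(groups.items()) if len(v) >= min_cmds}

def burst_intervals(bursts):
    """Seconds between consecutive bursts per device, to compare with ping outages."""
    times = defaultdict(list)
    for dev, ts in bursts:  # keys are already sorted by (device, timestamp)
        times[dev].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return {d: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for d, t in times.items()}

def _line(ts, user, cmd, dev="192.168.254.10"):
    return (f"{ts}  Local4.Notice  {dev}  Oct 17 2011 {ts[11:]}: "
            f"%ASA-5-111008: User '{user}' executed the '{cmd}' command.")

# Constructed sample: two replays of commands quoted in the thread, plus one
# interactive command by a hypothetical 'admin' user in between.
CMDS = ["logging host inside 192.168.2.20", "route inside VLAN1 192.168.254.9 1 track 1",
        "route outside 0.0.0.0 173.162.39.138 1",
        "aaa local authentication attempts max-fail 5", "http server enable 4443"]
SAMPLE = "\n".join(
    [_line("2011-10-17 07:05:05", "Config", c) for c in CMDS]
    + [_line("2011-10-17 09:12:40", "admin", "write memory")]
    + [_line("2011-10-17 13:05:07", "Config", c) for c in CMDS])

if __name__ == "__main__":
    bursts = find_config_bursts(SAMPLE)
    for (dev, ts), cmds in bursts.items():
        print(f"{ts} {dev}: {len(cmds)} commands by 'Config' in one second")
    print(burst_intervals(bursts))
```

A regular interval between bursts that matches the outage timestamps points at a scheduled or automatic process rather than an operator typing commands.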