10-17-2011 08:57 AM - edited 03-11-2019 02:38 PM
I've been trying to track down intermittent problems with one of our branch office ASA5505s. The way we have been tracking it is primarily through ping/ICMP connectivity. Occasionally our tracking software will report that it stops responding to ping requests, then in almost less than a minute it will start replying again. I'm allowing ICMP to that interface and it is internal. Examining the logs, it almost looks like the config is being reloaded, but I've never seen this kind of log before, so I'm not sure if it is just sending its config to a host or actually reloading its config.
Here is the first part of it:
2011-10-17 07:05:05 Local4.Notice 192.168.22.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.20' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.21' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN1 192.168.254.9 1 track 1' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN98 192.168.254.9 1 track 2' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN202 192.168.254.9 1 track 3' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside 192.168.254.28 192.168.254.9 1 track 4' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN80 192.168.254.9 1 track 80' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN81 192.168.254.9 1 track 81' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN82 192.168.254.9 1 track 82' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route outside 0.0.0.0 173.162.39.138 1' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside LAN 192.168.254.9 1' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN112 192.168.254.9 1' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside 192.168.254.1 192.168.254.9 1' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'dynamic-access-policy-record DfltAccessPolicy' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'aaa local authentication attempts max-fail 5' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'http server enable 4443' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'http 0.0.0.0 inside' command.
I've sanitized certain parts, but it does look like it's reloading the config. Has anyone run into this, or possibly know why this would happen?
Thanks in advance,
Alan
10-17-2011 10:50 AM
Hi Alan,
These logs are due to command execution by users on the ASA. They do not point towards any ASA reload. Try looking in the logs for any possible cause for the ASA not responding. Take captures and check the ARP entries when the ASA stops responding.
Captures:
https://supportforums.cisco.com/docs/DOC-17814
Varun
10-17-2011 12:09 PM
I did a couple of captures but nothing stuck out as being a huge issue. I've been running a continuous ping on the interface all day and had no problems. The issue is so intermittent it is difficult to troubleshoot. Here is a diagram to help illustrate what I'm talking about.
My computer is off SW4, as is the monitoring software that detects the firewall stops responding to ICMP. The device in question is the one called remote firewall. There is a T1 it has to cross, but I don't think that is related.
03-19-2015 08:48 AM
I am having the exact same problem. Every 6h or so the configuration is reloaded and that disrupts the operation of the FW for about 1 minute. It drops all connections during that time.
Have you ever found a solution?
Let me know. Thanks
03-19-2015 08:56 AM
Hi Khoa,
This was a pretty old problem of mine. I did end up finding a more stable version of code and migrating to that. Hopefully, that helps. I did not end up finding the specific bug causing the issue.
Best regards,
Alan
03-19-2015 09:05 AM
Thank you, Alan. Any chance that your FW was part of a High Availability cluster? I removed mine from an HA cluster and started having this issue.
Mine are 2 identical ASA5510s with the same code 8.2(5). I manually removed all of the "Failover" commands but the config keeps reloading itself every few hours with the same syslogs that you had.
07-22-2020 11:09 PM
conf ter
failover
failover standby config-lock
no failover
end
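To line the bursts of %ASA-5-111008 messages quoted in this thread up against the monitoring outages, a script along these lines groups them by device and user and reports when each burst started and how far apart the bursts are. It is an added example, not code from any poster or from Cisco; the burst thresholds, the `admin` user and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (?P<dev>\S+) .*?"
    r"%ASA-5-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$")

def parse(text):
    """Return (timestamp, device, user, command) for every 111008 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["dev"], m["user"], m["cmd"]))
    return events

def find_bursts(events, min_cmds=5, gap_seconds=2):
    """A burst: >= min_cmds commands from one (device, user), no gap > gap_seconds."""
    by_key = {}
    for ts, dev, user, _cmd in events:
        by_key.setdefault((dev, user), []).append(ts)
    bursts = []
    for (dev, user), times in by_key.items():
        times.sort()
        run = [times[0]]
        for ts in times[1:] + [None]:          # trailing None flushes the last run
            if ts is not None and (ts - run[-1]).total_seconds() <= gap_seconds:
                run.append(ts)
                continue
            if len(run) >= min_cmds:           # single interactive commands are skipped
                bursts.append({"device": dev, "user": user, "start": run[0], "count": len(run)})
            run = [ts]
    return sorted(bursts, key=lambda b: b["start"])

def burst_intervals(bursts):
    """Seconds between consecutive bursts in the given list."""
    starts = [b["start"] for b in bursts]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]

# Constructed sample in the format of the excerpt above; 'admin' is a made-up user.
CMDS = ["logging host inside 192.168.2.20", "route inside LAN 192.168.254.9 1",
        "aaa local authentication attempts max-fail 5",
        "http server enable 4443", "http 0.0.0.0 inside"]
def _line(ts, user, cmd):
    return (f"{ts} Local4.Notice 192.168.254.10 Oct 17 2011 {ts[11:]}: "
            f"%ASA-5-111008: User '{user}' executed the '{cmd}' command.")
SAMPLE = "\n".join([_line("2011-10-17 07:05:05", "Config", c) for c in CMDS]
                   + [_line("2011-10-17 09:30:00", "admin", CMDS[0])]
                   + [_line("2011-10-17 13:05:07", "Config", c) for c in CMDS])
print(find_bursts(parse(SAMPLE)), burst_intervals(find_bursts(parse(SAMPLE))))
```

Run against the real syslog file, the burst start times can be compared directly with the timestamps at which the monitoring software lost ping replies.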