09-20-2016 02:07 AM - edited 03-12-2019 01:17 AM
Hello
I hope you can help. We have an ASA 5550 model, and SSH & ASDM have been working fine for years now. But all of a sudden they have stopped responding.
The firewall itself is working and still routing traffic to the internet. No ACLs were changed on it either.
Can you please advise what troubleshooting I can potentially do from the console cable on the firewall to restart these services again.
many thanks
09-20-2016 07:11 AM
Hello Mr. Desai,
Can you post the output of the show asp table socket command?
This command will return what connections the firewall is listening on.
Best Regards,
Alex Gutierrez.
09-20-2016 08:11 AM
hello Alex
thank you for coming back to me. I do have access to the console cable to the firewall and did a debug on the SSH service and got the following error.
Lut-ASAFirewall#
Device ssh opened successfully.
SSH1: SSH client: IP = '10.251.251.107' interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25
SSH1: send SSH message: outdata is NULL
SSH1: Session disconnected by SSH server - error 0x3c "Time-out activated"
SSH1: send unsuccessful - status 0x3c
Lut-ASAFirewall# sh asp drop
Frame drop:
Bad IPSEC NATT packet (bad-ipsec-natt) 2
IPSEC tunnel is down (ipsec-tun-down) 4
Invalid encapsulation (invalid-encap) 19084
Invalid IP header (invalid-ip-header) 16
Invalid TCP Length (invalid-tcp-hdr-length) 38
Invalid UDP Length (invalid-udp-length) 67
No valid adjacency (no-adjacency) 452
No route to host (no-route) 4294
Flow is denied by configured rule (acl-drop) 513815804
Invalid SPI (np-sp-invalid-spi) 15604
First TCP packet not SYN (tcp-not-syn) 4373384
Bad TCP checksum (bad-tcp-cksum) 1
Bad TCP flags (bad-tcp-flags) 621
TCP Dual open denied (tcp-dual-open) 300
TCP data send after FIN (tcp-data-past-fin) 334
TCP failed 3 way handshake (tcp-3whs-failed) 487894
TCP RST/FIN out of order (tcp-rstfin-ooo) 2743470
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 75477
TCP SYNACK on established conn (tcp-synack-ooo) 1105
TCP packet SEQ past window (tcp-seq-past-win) 1456851
TCP invalid ACK (tcp-invalid-ack) 1760
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 6
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1
TCP RST/SYN in window (tcp-rst-syn-in-win) 3281
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 74
TCP packet failed PAWS test (tcp-paws-fail) 71221
CTM returned error (ctm-error) 121
Slowpath security checks failed (sp-security-failed) 612638
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 9834
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 52
DNS Inspect invalid packet (inspect-dns-invalid-pak) 7
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 304
DNS Inspect packet too long (inspect-dns-pak-too-long) 103668
DNS Inspect id not matched (inspect-dns-id-not-matched) 27824
FP L2 rule drop (l2_acl) 33707
Interface is down (interface-down) 58
Dropped pending packets in a closed socket (np-socket-closed) 1270193
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 950
NAT failed (nat-failed) 328720
NAT reverse path failed (nat-rpf-failed) 4
Inspection failure (inspect-fail) 7968106
SSL bad record detected (ssl-bad-record-detect) 2857
SSL handshake failed (ssl-handshake-failed) 6404
SSL malloc error (ssl-malloc-error) 125
SSL received close alert (ssl-received-close-alert) 136
Last clearing: Never
Lut-ASAFirewall#
Lut-ASAFirewall# sh asp table socket
Protocol  Socket    Local Address         Foreign Address       State
SSL       0000133f  192.168.1.1:443       0.0.0.0:*             LISTEN
SSL       000020af  192.168.252.17:443    0.0.0.0:*             LISTEN
TCP       0000459f  192.168.252.17:22     0.0.0.0:*             LISTEN
SSL       062a1e5f  192.168.252.17:443    10.2.20.245:55177     ESTAB
SSL       062e1c5f  192.168.252.17:443    10.3.1.114:10016      ESTAB
SSL       062e25cf  192.168.252.17:443    10.3.1.114:10056      ESTAB
please let me know if you need any more information.
many thanks
Upen Desai
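Added example (not part of any post in this thread, and not Cisco code): a small Python parser for the show asp table socket output posted above. It reports which management listeners exist and which clients hold established sessions on them. The function names and the assumption that port 22 is SSH and port 443 is ASDM/HTTPS are the example's own.

```python
import re
from collections import defaultdict

# Socket table copied from the post above (output of "show asp table socket").
SAMPLE = """\
Protocol Socket Local Address Foreign Address State
SSL 0000133f 192.168.1.1:443 0.0.0.0:* LISTEN
SSL 000020af 192.168.252.17:443 0.0.0.0:* LISTEN
TCP 0000459f 192.168.252.17:22 0.0.0.0:* LISTEN
SSL 062a1e5f 192.168.252.17:443 10.2.20.245:55177 ESTAB
SSL 062e1c5f 192.168.252.17:443 10.3.1.114:10016 ESTAB
SSL 062e25cf 192.168.252.17:443 10.3.1.114:10056 ESTAB
"""

# One row: protocol, hex socket id, local addr:port, foreign addr:port, state.
# The header line does not match because "Socket" is not a hex string.
ROW = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)$")

def parse_sockets(text):
    """Return one dict per socket row, skipping header, prompts and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, sock, laddr, lport, faddr, _fport, state = m.groups()
            rows.append({"proto": proto, "socket": sock, "local": laddr,
                         "lport": int(lport), "peer": faddr, "state": state})
    return rows

def management_summary(rows, ports=(22, 443)):
    """Map (local address, port) -> {'listening': bool, 'peers': [client IPs]}."""
    summary = defaultdict(lambda: {"listening": False, "peers": []})
    for r in rows:
        if r["lport"] not in ports:
            continue  # not a management port (assumed: 22 = SSH, 443 = ASDM)
        entry = summary[(r["local"], r["lport"])]
        if r["state"] == "LISTEN":
            entry["listening"] = True
        else:
            entry["peers"].append(r["peer"])
    return dict(summary)

if __name__ == "__main__":
    result = management_summary(parse_sockets(SAMPLE))
    for (addr, port), info in sorted(result.items()):
        print(f"{addr}:{port} listening={info['listening']} "
              f"sessions={len(info['peers'])} {info['peers']}")
```

On the posted table this shows a listener on 192.168.252.17:22 with no established sessions, and three established sessions on 192.168.252.17:443.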
09-20-2016 11:02 PM
Hi
Could you share the show memory and show blocks output from the ASA?
Regards,
Aditya
Please rate helpful posts and mark correct answers.