09-11-2013 04:32 AM - edited 03-11-2019 07:36 PM
Hi,
A couple of months ago I upgraded an ASA 5520 to version 9.1(2). After the upgrade users often experience that RDP-sessions and other TCP-sessions going through the ASA disconnect. Before the upgrade we never experienced problems like this; the problems began the day after the upgrade. So my question is: How can I troubleshoot this problem? Any useful troubleshooting-commands or parameters to check? It seems that the problem occurs at random times and, as said, for different applications and hosts.
I know that my description is very general, but I have no idea of what triggers the problem.
Best regards,
Thor-Egil
09-11-2013 04:52 AM
Hi,
I have a similar problem but RDP via VPN: https://supportforums.cisco.com/thread/2233901
This might be an ICMP inspection problem; if you have that on, try to disable it.
Cheers
09-11-2013 05:58 AM
Hi and thanks for your answer. I have now disabled the ICMP inspection. Could you please describe how ICMP inspection may be related to the drop-problems?
09-11-2013 06:41 AM
It's in CSCui40499
I have not made a real verification of this yet, can't do that until Friday afternoon.
So do you see any difference?
Cheers
09-11-2013 12:34 PM
Hello,
My best recommendation at the moment would be:
This will help us with the cause of the issue. Remember to focus on one specific connection failing across the ASA and then grab the right outputs about it.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-11-2013 01:05 PM
Hi,
I have now increased the logging level to debugging-level on the logs sent to syslog, I am using Splunk as syslog-server. Could you give some examples of what I should look for in the logs?
BR,
Thor-Egil
09-11-2013 04:08 PM
Hello,
As we do not know why the issue is happening, you should filter the logs to show all traffic related to the connection with the issue (of course, at the time of the issue only).
Let me know if I was clear
Cheers,
Julio Carvajal Segura
09-12-2013 04:17 AM
Hi again,
At the same time as we see the problem I see the following in the log:
%ASA-6-302014: Teardown TCP connection 54894121 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 28:52:54 bytes 41592000 Flow closed by inspection
It seems that the ASA closes the connection due to an inspection-rule, but how can I see which rule is causing this?
The only inspection that should hit the relevant ports is the waas-inspection; I have tried to disable the inspection now.
09-12-2013 08:19 AM
Hello,
Okay, can you share the show run policy-map?
Cheers,
Julio Carvajal Segura
09-12-2013 10:41 PM
Here is the output from sh run policy-map. My problem is to understand which of the rules closes the connection shown in the log. I also have many other similar entries in the log where connections on different port-numbers are closed by inspection. But the connections using ports 15307/15308 are most critical so I concentrate on these first. Thank you for your help!
Sep 13 02:28:57 hrp-gw.hrp.no Sep 13 2013 02:28:57: %ASA-6-302014: Teardown TCP connection 58183832 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 14:02:27 bytes 20217600 Flow closed by inspection
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect ctiqbe
  inspect dcerpc
  inspect h323 h225
  inspect http
  inspect ils
  inspect ip-options
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect icmp error
 class global-class
  ips inline fail-open
!
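Added example, not part of any post in this thread: a small Python parser for the %ASA-6-302014 teardown messages quoted above. It tallies teardown reasons and lists the flows torn down with "Flow closed by inspection", so the affected address and port pairs can be compared against the inspection classes in the policy-map. The function names are hypothetical, and only the first two sample lines come from the thread; the others are constructed.

```python
import re
from collections import Counter

# Layout of %ASA-6-302014: connection id, two interface:address/port endpoints
# (each optionally followed by a "(user)" tag), duration, bytes, optional reason.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+)(?: ?\([^)]*\))? to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)(?: ?\([^)]*\))? "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

# The first two lines are the ones posted in this thread; the rest are constructed.
SAMPLE = [
    "%ASA-6-302014: Teardown TCP connection 54894121 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 28:52:54 bytes 41592000 Flow closed by inspection",
    "Sep 13 02:28:57 hrp-gw.hrp.no Sep 13 2013 02:28:57: %ASA-6-302014: Teardown TCP connection 58183832 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 14:02:27 bytes 20217600 Flow closed by inspection",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51000 to inside:192.0.2.10/3389 duration 0:12:03 bytes 88211 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.8/51001 to inside:192.0.2.10/3389 duration 0:00:09 bytes 512 TCP Reset-I",
    "%ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.9/51002 (198.51.100.9/51002) to inside:192.0.2.10/3389 (192.0.2.10/3389)",
]

def parse_teardown(line):
    """Return a dict for a 302014 teardown line, or None for any other line."""
    m = TEARDOWN.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    h, mins, s = (int(x) for x in rec.pop("dur").split(":"))
    rec["duration_s"] = h * 3600 + mins * 60 + s
    rec["bytes"] = int(rec["bytes"])
    rec["reason"] = rec["reason"].strip() or "(none given)"
    return rec

def teardown_reasons(lines):
    """Count teardowns per reason so inspection closes stand out from FIN/RST."""
    return Counter(r["reason"] for r in map(parse_teardown, lines) if r)

def closed_by_inspection(lines):
    """Count teardowns attributed to inspection, keyed by the flow's endpoints."""
    hits = [r for r in map(parse_teardown, lines)
            if r and r["reason"].startswith("Flow closed by inspection")]
    return Counter((r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"]) for r in hits)

if __name__ == "__main__":
    print(teardown_reasons(SAMPLE))
    for flow, count in closed_by_inspection(SAMPLE).most_common():
        print(count, flow)
```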