What is it mean?

Mohd Khairul Nizam · ‎01-30-2013

Hi, please see attach diagram.

My network always have connection problem everyday around 4.30 - 5.00 pm.

Attach are the screenshot i took photo of my ASA.

The place i highlighted, what does it mean actually??

We are trying to find the root cause of the connectivity problem??

Bart Kersten · ‎01-30-2013

Are you running a back-up to a external location? Which starts at the time you are saying?

Sent from Cisco Technical Support iPhone App

Jouni Forss · ‎01-30-2013

Hi,

Seems to me that some host/hosts are generating alot of traffic from your LAN through the ASA to the Internet.

Is there some backups been taken of servers that use the Internet connection? I'm not familiar with the process of backing up servers but I'd assume you could configure it to work so that it cant hog so much bandwith even though used outside normal working hours.

If this traffic is not caused by some traffic that is "normal" I would suggest monitoring the active connections on the ASA and then determining the hosts generating this traffic and removing them from the network.

- Jouni

Jouni Forss · ‎01-30-2013

Hi,

Seems actually according to the "connections per second" that there is probably only 1 or a very low amount of hosts on the network that could be causing this problem.

I would consider using the command

"show conn long"

Then looking at the output look for connections that have been active for a while and also connections that have so far transfered alot of data. As we can see the data rate is pretty high so the culprit host should be easy to determine.

- Jouni

Mohd Khairul Nizam · ‎01-31-2013

Hi all,

Thank for the respone.

we dont have any backup to external.

Lately we are having problem during that specified time.

I want to catch / isolate the culprit

I attach some more pictures. i dont know to interpret the graph and data.

Pls help?

Andrew Phirsov · ‎02-01-2013

172.27.17.8 sends bunch of traffic to 122.152.181.147.

You have to check what's 172.27.17.8 on your network and find out why it does that.

Rudy Sanjoko · ‎02-01-2013

you can use shun command to shutdown/close the connection temporary for that particular ip, you can also use capture command to monitor/capture the traffic that is causing this, can you also provide the picture for top 10 services?

Mohd Khairul Nizam · ‎02-03-2013

i belive the top 10 services is HTTP and HTTPS.

Only web services but can generate so much traffic. I wonder??

Jouni Forss · ‎02-04-2013

Hi,

As Andrew above said.

You should locate the host with the IP address of 172.27.17.8 behind the ASA that seems to be generating the highest amount of the connections. Then go through that host computer and see what is causing the high amount of connections.

If you only want to use the graphical user interface (ASDM) to troubleshoot this, I would recomment trying to use the real time logging in the ASDM to see what happens when the problem is on.

To view the logs in real time go to the following place in the ASDM

Monitor -> Logging -> View

You can then enter the source IP address and apply it as the filter and only see logs for it. Though I'm not sure how the ASDM works when the problem is on as the host on the LAN seems to push as much traffic to the Internet as the interface is able to transmit. This might make it impossible to use ASDM

I would also suggest configuring a Syslog server to the LAN if possible to store the log data for later reference.

On the ASA CLI you can issue the following commands to see the connections

"show conn"

"show conn long"

"show local-host 172.27.17.8"

If the host 172.27.17.8 is NOT a server you could try to remove it from the network temporarily and see if the problem appears again.

- Jouni