Showing results for 
Search instead for 
Did you mean: 

Who Me Too'd this topic


ASA 5505 Random Connection Drops

Ok folks, got a puzzle for ya here. First, the background info:

Our network consists of Catalyst 2950 Managed switches connected to an MPLS router as our primary point of service. We also had a PIX506E connected to an AT&T DSL modem, which acted as a local VPN endpoint, as well as a site to site tunnel back to corporate - the route tracking for failover performed at the switch level.

We never had any problems with it. We recently replaced the PIX with an ASA - same infrastructure. The tunnel comes up, failover works better than before (previously we'd have to reboot the PIX to drop the tunnel for failback). However, now we're having a very strange issue of the ASA5505 dropping connections randomly.

Example: I'm remote desktoped to my home server. At random, the connection will say that it has been lost, then reconnect. On the ASA I see the connection torn down with TCP RESET-I, and two seconds later, rebuilt.

Example2: From another workstation, I attempt to watch a youtube stream. The video loads partially, then stops. Refreshing the video causes it to reload, and it sometimes loads or stops at a different spot - earlier or later than the previous stop. It's random.

I've seen no established root cause - connections have lasted between 30 seconds and 30 minutes before randomly dropping.

Troubleshooting so far: I've dropped the MTU to 1492 to account for PPPoE encapsulation, however that has not fixed the problem. The ACL's and VPN setup are identical to the previous PIX. The AT&T Router has the ASA set to a public IP address (No NAT) and has the firewall disabled for that traffic.

This set up worked fine under the PIX. The ASA is running 8.2(2).

I've cleared my asp drop to see if there's a specific packet drop category occuring. Immediately after clearing, l2_acl and acl-drop both start incrementing, but the connection stream is fine. When a connection stream drops, nothing new is added to the list. Occassionaly TCP Failed 3 way handshake and slowpath secruity check failed packets show up, but they don't seem related to the drops.

Another side note - normal connection teardowns appear to be TCP RESET-I as well, from just basic web browsing. At least they appear to be judging from my coworker's web browsing habits...

Anyway, like I said - seems random, no root cause established, and honestly I'm baffled. If anyone's got an idea, you let me know...

Here's my config, vpn, passwords, etc removed:

: Saved
ASA Version 8.2(2)
name corporate-network
interface Vlan2
mac-address 4c75.6115.0d01
nameif outside
security-level 0
ip address *.*.*.*
interface Vlan20
nameif inside
security-level 100
ip address
interface Vlan91
mac-address 4c75.6115.0d91
no forward interface Vlan20
nameif dmz
security-level 50
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 91
interface Ethernet0/2
switchport access vlan 20
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object corporate-network
object-group network DM_INLINE_NETWORK_2
network-object corporate-network
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip corporate-network
access-list TASV_splitTunnelAcl standard permit
access-list TASV_splitTunnelAcl standard permit
access-list TASV_splitTunnelAcl standard permit corporate-network
access-list DefaultRAGroup_splitTunnelAcl standard permit
pager lines 24
logging enable
logging trap warnings
logging asdm debugging
logging host inside
logging permit-hostdown
no logging message 405001
no logging message 710005
logging message 106026 level warnings
mtu outside 1492
mtu inside 1500
mtu dmz 1500
ip local pool VpnPool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101
access-group outside_access_in in interface outside
route outside *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment size 300 inside
sysopt connection tcpmss 0
no service resetoutbound interface outside
no service resetoutbound interface inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map2 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh inside
ssh inside
ssh timeout 20
console timeout 0
dhcp-client update dns server none

threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source inside prefer
policy-map type inspect dns default_DNS
  message-length maximum 768
  no nat-rewrite
  id-mismatch action log
policy-map type inspect dcerpc default_DCERPC
  timeout pinhole 0:01:00

Who Me Too'd this topic