
Intermittent internet outages

nyuad2010
Level 1

Hi, hope someone can help!

 

We have started facing intermittent internet issues recently on our 2Gbps dedicated Internet link.

All the traffic is currently PAT to a range of 5 IPs from an ASA cluster (2 physical firewalls) with contexts.

What we observe is that when there is a sudden spike in traffic (download, mainly) then the ISP stops our access to the internet for a few minutes (3 to 5 mins and then auto restore). At this point I can see some of the users are able to access internet and others are not (I believe they only stopped the internet on that particular PAT IP whose traffic spiked). When we do a traceroute to the internet for the non-working user while experiencing the outage, we can see that the traffic is dropped on one of the hops at the ISP.

 

ISP says that we need to adjust the PAT timers on the FW. I am not sure how this will fix this issue. Current default I believe is 3 hours.

 

LAN -- SW -- ASA FW Cluster -- SW -- Router -- ISP(Internet)

 

xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4

 

ASA# sh nat pool cluster
IP outside-vlan100:PAT_pool X.X.X.202, owner ASA-2, backup ASA-1
IP outside-vlan100:PAT_pool X.X.X.203, owner ASA-2, backup ASA-1
IP outside-vlan100:PAT_pool X.X.X.204, owner ASA-2, backup ASA-1
IP outside-vlan100:PAT_pool X.X.X.206, owner ASA-1, backup ASA-2
IP outside-vlan100:PAT_pool X.X.X.205, owner ASA-1, backup ASA-2

ASA# sh nat pool
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1-511, allocated 100
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 512-1023, allocated 0
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1024-65535, allocated 3180
ICMP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 1-65535, allocated 9
ICMP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1-65535, allocated 5
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 1-511, allocated 0
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 512-1023, allocated 0
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 1024-65535, allocated 11243
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1-511, allocated 0
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 512-1023, allocated 0
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1024-65535, allocated 23422
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 1-511, allocated 37
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 512-1023, allocated 0
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 1024-65535, allocated 1797

 

ASA# sh cluster xlate count
Usage Summary In Cluster:*********************************************
82273 in use (cluster-wide aggregated)

ASA-2(LOCAL):***************************************
41134 in use, 132343 most used

ASA-1:**********************************************
41139 in use, 107360 most used

 

We are working on multi-session mode, does this have something to do with the issue?
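An added example, not part of the original post: a small Python parser for `sh nat pool` lines in the format shown above, which totals allocated ports per PAT address and protocol so the most heavily loaded address can be compared against the one that loses connectivity. The function names are hypothetical, and "capacity" is assumed to be simply the size of the printed port ranges.

```python
import re
from collections import defaultdict

# Subset of the "sh nat pool" lines quoted in the post, embedded so the script runs offline.
SAMPLE = """\
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1-511, allocated 100
UDP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1024-65535, allocated 3180
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 1024-65535, allocated 11243
TCP PAT pool outside-vlan100:PAT_pool, address X.X.X.202, range 1024-65535, allocated 23422
ICMP PAT pool outside-vlan100:PAT_pool, address X.X.X.203, range 1-65535, allocated 9
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT pool (?P<pool>[^,\s]+), address (?P<addr>[^,\s]+), "
    r"range (?P<lo>\d+)-(?P<hi>\d+), allocated (?P<alloc>\d+)$"
)

def summarize(text):
    """Return {(address, proto): (allocated, capacity)} summed over all port ranges."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines and any other command output
        key = (m["addr"], m["proto"])
        totals[key][0] += int(m["alloc"])
        totals[key][1] += int(m["hi"]) - int(m["lo"]) + 1  # assumed capacity: range size
    return {k: tuple(v) for k, v in totals.items()}

def busiest(text, proto="TCP"):
    """Return (address, allocated, percent_used) for the most loaded address, or None."""
    rows = [
        (addr, alloc, 100.0 * alloc / cap)
        for (addr, p), (alloc, cap) in summarize(text).items()
        if p == proto and cap
    ]
    return max(rows, key=lambda r: r[1], default=None)

if __name__ == "__main__":
    for (addr, proto), (alloc, cap) in sorted(summarize(SAMPLE).items()):
        print(f"{addr:<12} {proto:<4} {alloc:>6}/{cap:<6} {100.0 * alloc / cap:5.1f}%")
    print("busiest TCP address:", busiest(SAMPLE))
```

Feeding it output captured during an outage and again during normal operation shows whether the address that stops working is also the one carrying the most translations.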
