in my test LAB i have used a 5505 running 9.1.1.
I have setup a DC (2008R2) and then AD Agent.
I have configured and used Identity firewall rules which worked like a charm!!
I have also used LDAP Auth which also worked fine.
I then disabled all the rules but kept the identity firewall checked.
Since it was a lab environment, i had to remove the DC for other tests.
A few hours later the ASA initially was stuck.
I used the console and i saw it could ping noone! not even directly attached PCs or defgw (i was able to ping them before it stucked).
No arp table also!
the asa did no NATing so no xlate entries were vavailable.
Then i sshed to it.
I got a blank screen and from console i could see cpu-usage from ssh to 20%
I opened a second ssh: nothing. Blank Screen again. cpu-usage from ssh to 40% (overall ~50%)
I opened a third ssh: nothing. Blank Screen again. cpu-usage from ssh to 65% (overall ~75%)
I issued reload from console! Nothing! it was trying to shut down!
I issued reload quick-> that is when console was lost!!
I have to unplug it.
The DC that was removed was also the DNS for the ASA.
The only log message i could see, before it stuck was "AD Agent is out of reach"
To save for asking:
i have ttried this 4 times. Always the same. 100% reproducable
I disabled the identity firewall-> no problem! it worked for days.100% reproducable
I downgraded to 8.4.5--> the same for both above actions
Anyone has seen that before?
Could this be a software bug or hardware one?
You may want to open a TAC case to have an engineer review your crashdump if it does crash.
Base on your description, sounds like a software bug to me.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: