09-29-2008 12:13 AM
This weekend I upgraded our Cisco ASA 5510 to the most recent ASA software 8.0.4, but since then I can't reach our servers with SMB anymore ("\\servername\share\") and HTTP does not work anymore either. Simply nothing happens anymore.
For HTTP I get the following error:
6 Sep 29 2008 10:10:19 106015 10.10.0.2 3966 192.168.0.22 80 Deny TCP (no connection) from 10.10.0.2/3966 to 192.168.0.22/80 flags FIN ACK on interface outside
and for SMB:
6 Sep 29 2008 09:42:12 106015 192.168.0.22 445 10.10.0.2 3902 Deny TCP (no connection) from 192.168.0.22/445 to 10.10.0.2/3902 flags ACK on interface inside
Before the upgrade everything worked without any trouble!
Is there anything that's changed in the new ASA, and what could be the solution?
Thanks
09-29-2008 12:46 AM
Jaap,
This message is logged when the Firewall discards a TCP packet that has no associated connection in the Firewall unit's connection table. The Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the PIX Firewall discards the packet.
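A small parser for the 106015 lines quoted above, added here as an example (not code from the thread or from Cisco). It extracts the endpoints, flags and interface from each "Deny TCP (no connection)" entry and reports which denied packets carried no SYN, which is exactly the mid-stream case the explanation describes; the sample log is constructed from the two lines in the thread plus one unrelated line.

```python
import re
from collections import Counter

# Constructed sample: the two 106015 lines from the thread plus one unrelated
# 302013 line, so the parser has to skip entries it does not understand.
SAMPLE_LOG = """\
6 Sep 29 2008 10:10:19 106015 10.10.0.2 3966 192.168.0.22 80 Deny TCP (no connection) from 10.10.0.2/3966 to 192.168.0.22/80 flags FIN ACK on interface outside
6 Sep 29 2008 09:42:12 106015 192.168.0.22 445 10.10.0.2 3902 Deny TCP (no connection) from 192.168.0.22/445 to 10.10.0.2/3902 flags ACK on interface inside
6 Sep 29 2008 09:43:01 302013 10.10.0.2 3910 192.168.0.22 3389 Built inbound TCP connection 12345 for outside:10.10.0.2/3910 to inside:192.168.0.22/3389
"""

# Layout of the 106015 line as it appears in the thread (severity, timestamp,
# message id, src, sport, dst, dport, text). Other message ids do not match.
LINE_RE = re.compile(
    r"^(?P<sev>\d) (?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) 106015 "
    r"\S+ \d+ \S+ \d+ Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)$"
)


def parse_106015(line):
    """Return a dict for a 106015 'Deny TCP (no connection)' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"].split()
    return rec


def is_midstream(rec):
    """True when the denied packet carries no SYN: the ASA had no state for an
    already-established flow, rather than refusing a fresh connection attempt."""
    return "SYN" not in rec["flags"]


def summarize(log_text):
    """Count mid-stream denials per (interface, destination, destination port).
    Repeated hits on a server port (80, 445) point at lost connection state."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is not None and is_midstream(rec):
            counts[(rec["iface"], rec["dst"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{n} mid-stream denial(s) on {key[0]} towards {key[1]}:{key[2]}")
```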
09-29-2008 12:50 AM
Alright.. and any idea why this worked on 8.0.2 and not on 8.0.4 anymore?
And what could be the solution?
09-29-2008 12:58 AM
No idea to be honest - have you compared the configs from before the upgrade to now? Is anything missing?
Is SMB over VPN the only issue you are seeing? What type of VPN is it, L2L, Client, WebSSL?
Have you checked the bug track for the 8.0.4 image? Was there a specific reason why you upgraded?
09-29-2008 01:09 AM
I updated to 8.0.4 because Cisco told me so after having some trouble with crashes and reboots of my ASA.
I'm using the Cisco VPN client.
And I compared the configs, but there are only a few changes after updating to 8.0.4.
The things that changed are:
1: (added)
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
2: (added after each crypto map)
crypto map outside_map xx set security-association lifetime seconds 28800
crypto map outside_map xx set security-association lifetime kilobytes 4608000
3: (added)
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
09-29-2008 01:26 AM
LOL - sorry but that is funny, to upgrade to fix crashes and reboots.....if anything you should have downgraded!
The changes you have made would not stop SMB traffic over the VPN. What could be the issue is the DNS.
Are you allowing the client to resolve to your internal network the names of the servers? Have you tried browsing the shares using the IP address of the server instead of the name?
09-29-2008 05:15 AM
DNS is not the problem; RDP does work, but HTTP also does not work.
Explorer does not get the actual traffic. Cisco already called to solve the problem but they can't fix it right away. They had to analyze captured data from Wireshark and the ASA to look for a solution. Until then I downgraded to 8.0.2 again and now it works again..
09-29-2008 10:11 AM
Basically, you're trading one "ED" code for another one.
That's what happens when you run "ED" code.
11-05-2008 04:49 AM
Hi,
I have the same problem with 8.0.4; 8.0.2 is OK with the same config. Do you have any solutions please?
Thanks,
Lukas
11-05-2008 05:26 AM
It's a bug in 8.0.4. After calling Cisco tech support, they tried to replicate the error and found out they also have the same problem with 8.0.4, but not with a newer (internal) version, 8.0.4.7. Now I got that version from the support team to solve the problem, and that worked. If you would also like this version, you must contact tech support.
I hope this could help you.
11-05-2008 05:28 AM
Thank you very much. I tried 8.0.4(3), it's bad too :-(. I will try tech support.
11-09-2008 03:10 PM
I had a similar problem after upgrading to 8.0.4 and found that IP compression was turned on in the group policy for my VPNs. It was off before the upgrade and was enabled after. Once I turned it off, all the problems went away and it works fine.
Check your Group Policies and look for the following:
ip-comp enable
If you find it enter the following:
no ip-comp
or
ip-comp disable
11-10-2008 03:13 AM
Amazing :-), I disabled it and all is OK.
thank you
lukas