ASA 5510 Issue
in [Cisco]
|
From: Chad Mahoney on 5 Jan 2007 10:06 Hi Group, I have an ASA 5510 7.2(2) code. Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside I am having some issues with intermittent traffic flow problem, what I am finding is as shown above, the translation for a connection is being torn down and the next log entry is then denied because the translation was deleted but was in fact the same connection/translation, like there was more data to be sent. This is causing some mail flow issues where email is leaving the senders network and is seen hitting mine but the email never shows up to the mail server. I have a TAC case open but have not been to successful with them as of yet. : Saved : ASA Version 7.2(2) ! hostname aof-fw-01 domain-name blah.local enable password * encrypted names dns-guard ! interface Ethernet0/0 description Connection to the Internet speed 100 duplex full nameif outside security-level 0 ip address x.x.187.177 255.255.255.240 ! interface Ethernet0/1 description Connection to Internal Network speed 100 duplex full nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! passwd * encrypted boot system disk0:/asa722-k8.bin boot system disk0:/asa721-k8.bin ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns domain-lookup outside dns domain-lookup inside dns server-group DefaultDNS domain-name blah.local dns server-group Internal_DNS name-server 192.168.0.240 domain-name amone.local access-list outside_access_in extended permit icmp any host x.x.187.177 echo-reply access-list outside_access_in extended permit icmp any host x.x.187.177 time-exceeded access-list outside_access_in extended permit ip any host x.x.187.181 access-list outside_access_in extended permit ip any host x.x.187.182 access-list outside_access_in extended permit tcp any host x.x.187.189 eq smtp access-list outside_access_in extended permit tcp any host x.x.187.188 eq https access-list outside_access_in extended permit tcp host 70.91.116.209 host x.x.187.188 eq smtp access-list outside_access_in extended permit tcp any host x.x.187.188 eq www access-list outside_access_in extended permit tcp any host x.x.187.188 eq pop3 access-list SSL_VPN standard permit 192.168.0.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0 pager lines 24 logging enable logging trap debugging logging from-address aof-fw-01(a)blah.com logging recipient-address cmahoney(a)blah.com level errors logging host inside 192.168.0.241 mtu outside 1500 mtu inside 1500 mtu management 1500 ip local pool VPN_POOL 192.168.51.1-192.168.51.254 mask 255.255.255.0 no failover monitor-interface outside monitor-interface inside monitor-interface management icmp unreachable rate-limit 1 burst-size 1 icmp deny any outside asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 192.168.0.0 255.255.255.0 static (inside,outside) tcp x.x.187.188 https 192.168.0.245 https netmask 255.255.255.255 static (inside,outside) tcp x.x.187.188 www 192.168.0.245 www netmask 255.255.255.255 static (inside,outside) tcp x.x.187.188 pop3 192.168.0.245 pop3 netmask 255.255.255.255 static (inside,outside) tcp x.x.187.188 smtp 192.168.0.245 smtp netmask 255.255.255.255 static (inside,outside) x.x.187.181 192.168.0.179 netmask 255.255.255.255 static (inside,outside) x.x.187.182 192.168.0.178 netmask 255.255.255.255 static (inside,outside) x.x.187.189 192.168.0.246 netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 x.x.187.190 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute group-policy SSL_VPN internal group-policy SSL_VPN attributes dns-server value 192.168.0.240 192.168.0.245 vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout none vpn-session-timeout none split-tunnel-policy tunnelspecified split-tunnel-network-list value SSL_VPN split-dns value blah.local address-pools value VPN_POOL webvpn functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix svc required svc keep-installer installed username cmahoney password * encrypted privilege 15 username cmahoney attributes vpn-group-policy SSL_VPN webvpn functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.51.0 255.255.255.0 outside http 192.168.1.0 255.255.255.0 management http 192.168.0.0 255.255.255.0 inside http x.x.x.x 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart no service resetoutbound interface outside no service resetoutbound interface inside crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto isakmp enable outside tunnel-group SSL_VPN type webvpn tunnel-group SSL_VPN general-attributes address-pool VPN_POOL default-group-policy SSL_VPN tunnel-group SSL_VPN webvpn-attributes hic-fail-group-policy SSL_VPN nbns-server 192.168.0.240 master timeout 2 retry 2 group-alias SSL_VPN enable dns-group Internal_DNS telnet timeout 5 ssh x.x.x.x 255.255.255.255 outside ssh 192.168.51.0 255.255.255.0 outside ssh 192.168.0.0 255.255.255.0 inside ssh timeout 60 console timeout 0 management-access inside dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect esmtp ! service-policy global_policy global ntp authenticate ntp server 193.162.159.97 source outside prefer webvpn port 4100 enable outside enable inside svc image disk0:/stc.pkg 1 svc enable tunnel-group-list enable smtp-server 192.168.0.246 192.168.0.245 prompt hostname context Cryptochecksum:81fc86e75f175aa1034e32718b20ba0e : end asdm image disk0:/asdm-522.bin no asdm history enable
From: Darren Green on 5 Jan 2007 16:30 "Chad Mahoney" <chad(a)mahoney.com> wrote in message news:12psqb0ie63mg6c(a)news.supernews.com... > Hi Group, > > > I have an ASA 5510 7.2(2) code. > > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 > for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration > 0:00:01 bytes 39928 TCP FINs > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from > 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside > > snip Chad, This rings a big alarm bell. Could be off radar here but we had massive problems recently with the same typer of issue. Our problem on 7.2(2) turned out to be a duplex issue. We had to change from a hard coded 100 full to auto duplex auto speed. Since we have done this no more problems. I know the Cisco preference is to hard code but in the end we had to change it to get it fixed. Hope that helps. Regards Darren
From: Darren Green on 5 Jan 2007 17:47 "Chad Mahoney" <chad(a)mahoney.com> wrote in message news:12psqb0ie63mg6c(a)news.supernews.com... > Hi Group, > > > I have an ASA 5510 7.2(2) code. > > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 > for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration > 0:00:01 bytes 39928 TCP FINs > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from > 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside > > > I am having some issues with intermittent traffic flow problem, what I am > finding is as shown above, the translation for a connection is being torn > down and the next log entry is then denied because the translation was > deleted but was in fact the same connection/translation, like there was > more data to be sent. This is causing some mail flow issues where email is > leaving the senders network and is seen hitting mine but the email never > shows up to the mail server. I have a TAC case open but have not been to > successful with them as of yet. > > Chad, Something else that I recall reading a while ago in this group posted originally by Brian V. See link below: http://groups.google.co.uk/group/comp.dcom.sys.cisco/browse_thread/thread/ab70d7f4d07ecb25/d1c389cd6a370de2?lnk=st&q=cisco+dnssec+email&rnum=5&hl=en#d1c389cd6a370de2 Title: DNS Fixup/Inspect Pix/ASA 7.0 or greater breaking email Regards Darren
From: garrisb on 11 Jan 2007 18:41 Wow.... This is Wild!!!! I had the same issue. My asa5510 would just stop processing data. It wouldn't crash, just stopped passing data. I worked with Cisco for a couple of days and we found the following: The ASA or Switch (HP in this case) would not negogiate properly. Even though both were hard coded to 100Full I was seeing CRC errors. I've since moved them both to auto and have not had a problem. I too am running version 7.2.2 ... Darren Green wrote: > "Chad Mahoney" <chad(a)mahoney.com> wrote in message > news:12psqb0ie63mg6c(a)news.supernews.com... > > Hi Group, > > > > > > I have an ASA 5510 7.2(2) code. > > > > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 > > for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration > > 0:00:01 bytes 39928 TCP FINs > > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from > > 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside > > > > > snip > > Chad, > > This rings a big alarm bell. Could be off radar here but we had massive > problems recently with the same typer of issue. > > Our problem on 7.2(2) turned out to be a duplex issue. We had to change from > a hard coded 100 full to auto duplex auto speed. Since we have done this no > more problems. > > I know the Cisco preference is to hard code but in the end we had to change > it to get it fixed. > > Hope that helps. > > Regards > > Darren
From: Chad Mahoney on 12 Jan 2007 11:08 Well I have found this is not an issue with the duplex settings, it appears after some sniffing of traffic, that the reason for this error appears when you have 2 T-1 lines in a Multilink setup, the router is not assembling packets/frames in the proper order, so the firewall is dropping the connection forcing the packets to be retransmitted over and over again, I am running some loopback tests on my router tonight to find out if the router is the issue or the carrier is the issue. Thanks for the reply.... Chad garrisb wrote: > Wow.... This is Wild!!!! > > I had the same issue. My asa5510 would just stop processing data. It > wouldn't crash, just stopped passing data. I worked with Cisco for a > couple of days and we found the following: > > The ASA or Switch (HP in this case) would not negogiate properly. Even > though both were hard coded to 100Full I was seeing CRC errors. I've > since moved them both to auto and have not had a problem. I too am > running version 7.2.2 ... > >
|
Pages: 1 Prev: DSL firmware. Next: Cisco SDM Java Applet StackOverflowError |