ASA5505 Keeps Going Down

Unanswered Question
Apr 2nd, 2007

We are experiencing an issue where once or twice a month our DSL connection takes a hit, and then the ASA5505 device will not function. In the past the only way to resolve this has been to shut the device down and then bring it back up about 10 minutes later. I thought it might be an ARP cache problem but it's not; I tried clearing that and no luck. The ASA is using a static IP address and the connection is maintained by the DSL modem.

The activity light on the modem is flashing all the time, as is the activity light on the outside interface of the ASA, but I cannot access the ASA remotely via SSH or VPN. The configuration has not changed so I'm not sure why this is occurring. Does anyone have any ideas, besides the obvious of convincing them to get a dedicated circuit?

David White Mon, 04/02/2007 - 10:52

Hi turlockpoker,

We would need to get some troubleshooting information from the time when you were having a problem. A good start is to get the syslogs and show tech output.

I would attempt to ping from the ASA to the default router and verify that is working. If not, then check L2 (is the ARP entry correct for next hop?). Clear arp, then re-try.

For outbound connections, do you see the connection built? If so, then check the conn flags ("show conn") to see if the connection completes or if you only see the SYN.

Finally, a packet capture on the outside would reveal more as to what is going on as well.

Sincerely,

David.

swharvey Tue, 04/03/2007 - 17:05

I will share that I have seen connection sessions exceed 10000 count on our ASA5505, which caused the box, on 7.2.2, to require reboots about once/month. We upgraded to the interim release 7.2.2(8) and the problem stopped. We are currently running 7.2.2(14).

David is absolutely correct on conducting sniffer traces, and you can use the ASA to capture packets on the interfaces and export them in pcap format for review in a protocol analyzer.

Next time you run into your problem, before you power cycle/reload your ASA, if you can console on to the box, do a show conn and check your sessions.

Hope this helps,

-Scott

David White Tue, 04/03/2007 - 20:03

The ASAs have software-imposed connection limits. For the 5505 (without the Plus license) that is 10,000 as you saw. At that time you should get a syslog indicating the connection limit was reached. No new connections (over 10,000) will be allowed. All existing 10,000 connections would continue to work.

It sounds like you had a different issue whereby the connections were not getting torn down, resulting in the high conn count?

Sincerely,

David.
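Added example, not part of the original posts and not a Cisco tool: a small Python triage of saved `show conn` output that applies the two checks discussed above, the 10,000-connection limit and whether TCP connections reach the up state or stay at the SYN stage. The sample lines are constructed, and the line layout and the reading of the `U` flag as "up" are assumptions modelled on 7.x output.

```python
import re
from collections import Counter

CONN_LIMIT = 10000  # limit quoted in the thread for a 5505 without the Plus license

# Constructed sample; the layout is an assumption modelled on 7.x "show conn" output.
SAMPLE = """\
4 in use, 9874 most used
TCP out 198.51.100.20:80 in 192.168.1.10:1045 idle 0:00:03 bytes 5120 flags UIO
TCP out 198.51.100.21:443 in 192.168.1.11:1046 idle 0:00:25 bytes 0 flags saA
TCP out 198.51.100.22:25 in 192.168.1.12:1047 idle 0:00:28 bytes 0 flags saA
UDP out 203.0.113.5:53 in 192.168.1.10:1048 idle 0:00:01 flags -
"""

SUMMARY = re.compile(r"^(\d+) in use, (\d+) most used")
CONN = re.compile(r"^(TCP|UDP)\s+out\s+(\S+)\s+in\s+(\S+)\s+idle\s+\S+.*?flags\s+(\S+)")

def summarize(text, limit=CONN_LIMIT):
    """Count connection states and compare usage against the platform limit."""
    in_use = most_used = None
    states, stuck = Counter(), []
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = CONN.match(line)
        if not m:
            continue  # ignore prompts, banners and anything unrecognised
        proto, outside, inside, flags = m.groups()
        if proto != "TCP":
            states["non_tcp"] += 1
        elif "U" in flags:  # assumption: U marks a completed (up) connection
            states["up"] += 1
        else:  # handshake never completed, e.g. only the SYN was seen
            states["embryonic"] += 1
            stuck.append((inside, outside, flags))
    if in_use is None:  # no summary line captured: fall back to counted entries
        in_use = sum(states.values())
    threshold = 0.9 * limit  # warn at 90% of the limit
    return {"in_use": in_use, "most_used": most_used, "states": dict(states),
            "stuck": stuck, "now_near_limit": in_use >= threshold,
            "peak_near_limit": (most_used or 0) >= threshold}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high-water mark close to the limit together with many embryonic entries points at connections that never complete or are not torn down, which is the distinction raised in the posts above.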

swharvey Wed, 04/04/2007 - 08:02

Agreed on the high connection count. I was sharing that this was a bug I found on code prior to 7.2.2(8) that caused our firewall to hang and require a reboot. Not sure if this problem was related to the original poster's problem, but his symptoms sounded similar (firewall no longer passes traffic after ~1 month).

turlockpoker Wed, 04/04/2007 - 09:17

This actually seems like it may be the issue. I am going to apply the interim build (18) and see if we experience it again.

rbolyard Tue, 04/24/2007 - 16:50

I am having this same issue. However, when I logged in, I am having issues trying to find the correct IOS version. Can you post the actual file name so I can do the advanced search and download it from my Cisco support?

Thanks,

Rick

rbolyard Tue, 04/24/2007 - 16:59

Sorry guys, already figured it out, just one of those days.

I have 7.2 (2) running with plus pack and still have the same issues you guys are seeing, once a month, sometimes every 2 weeks or so.

So I am doing an upgrade to see if that fixes the issue.
