Cisco ASA - LAN to DMZ drops out for 30 seconds (seemingly) randomly

Jun 23rd, 2009

I have a Cisco ASA with a very basic setup.

LAN (10.8.0.x) --> ASA --> DMZ (192.168.2.x) --> internet

Intermittently I get no response from my email (and other) servers in the DMZ. However - from the internet the connection does not drop - I can continue to connect to mail ports on our servers.

I have put a PC on the DMZ and checked the connection on the servers and they are fine.

The LAN to DMZ access comes up shortly after (30 seconds or so) from the time it decides not to work, but there is seemingly no reason for the traffic not to flow.

There are no errors in the logs; traffic on the LAN does go to the firewall, but from there nothing appears to happen. Routes on the DMZ are simple enough, so there's nothing being lost there as it's just the default back through the firewall. Likewise, the ASA knows where to send traffic but appears to decide not to play nicely on a random basis - could be an hour, could be 20 minutes... could be longer.

It works most of the time - so ACLs etc. shouldn't be an issue.

I would appreciate any assistance you might be able to provide to point me in the right direction for resolving this one.

jliscano Thu, 06/25/2009 - 10:03

I would check if the CPU load is high on the ASA while this happens. Also, check to see if there are any unresolved or resolved caveats in the release notes for the ASA IOS version you are running.

brentonwil Tue, 06/30/2009 - 20:47

Thanks for the ideas. The CPU is doing nothing when it stops - it's actually idle 99.9% of the time as I'm the only one using services through it till I nut this out. I'm starting to think it might have more to do with the local switches (they're just a basic mix of layer 2 managed and other unmanaged switches) - it looks like if I ping the ASA every 10 seconds I can (so far today) access the proxy when previously it would have stopped working by now, so it's as if either the local LAN on the ASA stops responding - OR - the switches have issues sending traffic to it.

I will go read up on the IOS version and spend some time on site and sort through switching or IOS issues.

Again - thanks for the ideas.
