Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
809
Views
0
Helpful
3
Replies

ASA locks down traffic

n_parshina
Level 1
Level 1

‎11-23-2009 06:00 AM - edited ‎02-21-2020 03:48 AM

ASA 5520, with 7.2(1) image


The ASA Acts as a VPN termination point for another office, connects to a similar ASA. There is an inside interface, and outside interface, and a third interface never really used. Four days ago had a configuration change, config attached below, since then it stops passing and accepting ANY traffic every 3 hours and 10 minutes. I.e. it was just passing traffic and responding to pings, then boom! - lockdown. It pings itself, responds to console, shows me logs and acts like everything is fine. Yet it does not ping anything else, does not accept or pass any traffic on the two interfaces it uses. Interfaces are physically and line up, shutting them down and bringing up again does not help. Clearing connections and etc. does not help either. Memory usage shows used memory 14%, cpu 9%, xlate 0. If you reboot it, it reloads and starts working normal for exactly 3 hours and 10 minutes.
One of most puzzling things for me is that there is an arp mapping in the configuration for a certain address, and after ASA locks down this mapping is the only one remaining in the ARP table and that address is reachable from the ASA, i.e. it responds to pings. All other addresses are not being resolved and can't reach them. ASA is connected to a switch that services a bunch of other devices and all of them keep working when this happens. The switch also does not display any errors or port downs for where the ASA sits.
I'm lost in guessing the possible causes.

Does anyone have any suggestions?

36010-1515 log.txt.zip
36009-show run.txt.zip
0 Helpful
3 Replies 3

Farrukh Haroon
VIP Alumni
VIP Alumni

‎11-24-2009 12:17 AM

Hello

This is most probably an ARP issue, why have you put this command?

sysopt noproxyarp VideoConf_Net

Also you never mentioned what changes you made in the configuration after which this problem started to appear.

Also after 3 hours and 10 minutes, which devices are unreachable from the ASA? Any particular interface or ALL interfaces are affected?

E.g. is  10.17.8.1 255 reachable?

Why have you changed the AD of your default route?

route MO_LAN 0.0.0.0 0.0.0.0 10.17.8.1 255

Initially I thought u are getting a default route via OSPF, but there is no OSPF in you config! except the cost set on one interface (with no effect)

Regards

Farrukh

0 Helpful

n_parshina
Level 1
Level 1
In response to Farrukh Haroon

‎11-29-2009 07:34 PM

Hi

The issue was resolved by completely removing and rebuilding configurations on both sides. The previous configurations were left over by another network engineer and some parts of them were not used (like ACLs and crypto maps not assigned to anything), including those lines that you had questions about. The initial configuration change was a cleanup - getting rid of those ACLS and cryptos. Our guess is that some of those leftover parts in the configuration, particularly a PKI configuration I chose not to include in the show run output uploaded, caused the problem. By the way - yes, it would make all interfaces unreachable, not just one.

In any case, cleaning it up resolved the issue.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to n_parshina

‎11-30-2009 08:44 AM

I'm glad your issue was resolved

Regards


Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card