Traffic not passing through the firewall at times for some users

arulkumar80
Level 1

Hi,

Most of the time everything works fine on the firewall and all the required traffic passes through it as expected by the configuration.

Sometimes some of the users are not able to a) go online, or b) access the servers.

The users facing this issue are able to work with their existing connections, but if they try to open a new connection to any server, it fails.

At that time the users are not able to go online either. I am able to ping at that time, but I am not able to telnet.

The servers are in one security level and the users are in a different security level.

If the user removes the LAN cable and reconnects it, everything works normally for that user.

Regards

Arulkumar


8 Replies

Hi,

Do you have any logs from the time when the problem happened?

Are you reaching the limit of permitted connections?

Federico.


Hi Federico,

Thanks for your reply.

How can I check whether the ASA is reaching the limit of permitted connections? (Is there any command to check that?)

Regards

Arulkumar

"show conn count" will show you the number of connections at a given point in time; you can compare this number to the maximum connections that your specific model can handle.

Also, for the servers, there is a limit on the number of embryonic connections and total connections on the STATIC command. (The same applies to dynamic NAT.)

If the problem is the amount of traffic, a temporary solution is to change the timeouts for the XLATEs and connections: "sh run timeout"

Federico.

Hi

Thanks for your reply.

The information was useful.

I will check that.

Regards

Arulkumar

Hi,

From "sh conn" I see that the device can handle more connections.

Will reducing the timeout for xlate and connections work?

The reason I ask is that only some of the hosts are unable to connect to the servers or go online, and it happens only sometimes.

After a few minutes the hosts are able to connect to the servers and go online normally.

When the issue is occurring, ping works fine.

If the host's LAN cable is unplugged and plugged back in, the issue is resolved: they are able to connect to the servers and to go online.

The servers are connected on one interface and the internet is on another interface.

I hope my explanation is clear.

Your help is much appreciated.

Regards

Arulkumar

It would be a good test to try lowering the timeouts for the translations and connections.

Just make sure the XLATE timeout is greater than the CONN timeout.

Let's see the results...

Federico.
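The two checks Federico describes above (compare "show conn count" against the platform's rated maximum, and keep the xlate timeout greater than the conn timeout) can be scripted against saved CLI output. The following is an added example, not code from the thread: it parses constructed "show conn count" and "show run timeout" output, and the platform limit ASSUMED_MAX_CONNS is an assumed value you must replace with the figure from your model's data sheet.

```python
import re

# Constructed sample output of "show conn count" (not from the thread).
SAMPLE_CONN_COUNT = "2381 in use, 9012 most used"

# Constructed sample output of "show run timeout" (not from the thread).
# xlate is deliberately shorter than conn to show the ordering problem.
SAMPLE_RUN_TIMEOUT = """\
timeout xlate 0:30:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
"""

# Assumed platform limit for this example only; use your model's rated
# maximum concurrent connections instead.
ASSUMED_MAX_CONNS = 10000


def parse_conn_count(text):
    """Return (in_use, most_used) from 'N in use, M most used'."""
    m = re.search(r"(\d+)\s+in use,\s+(\d+)\s+most used", text)
    if not m:
        raise ValueError("unrecognised 'show conn count' output")
    return int(m.group(1)), int(m.group(2))


def hms_to_seconds(value):
    """Convert an ASA h:mm:ss timeout value to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeouts(text):
    """Map every 'name h:mm:ss' pair in 'show run timeout' output to seconds."""
    timeouts = {}
    for line in text.splitlines():
        if not line.startswith("timeout "):
            continue
        for name, value in re.findall(r"([\w-]+)\s+(\d+:\d{2}:\d{2})", line):
            timeouts[name] = hms_to_seconds(value)
    return timeouts


def check_capacity(conn_count_text, max_conns, warn_fraction=0.8):
    """Compare the peak ('most used') figure against the platform limit.
    The peak matters more than 'in use': a sporadic problem is usually
    hidden by the time someone runs the command."""
    in_use, most_used = parse_conn_count(conn_count_text)
    return {
        "in_use": in_use,
        "most_used": most_used,
        "peak_fraction": most_used / max_conns,
        "near_limit": most_used >= warn_fraction * max_conns,
    }


def check_timeout_order(timeouts):
    """Federico's rule: the xlate timeout must exceed the conn timeout,
    otherwise a translation can age out under a connection that still
    depends on it. Returns a list of problems (empty means sane)."""
    problems = []
    xlate, conn = timeouts.get("xlate"), timeouts.get("conn")
    if xlate is not None and conn is not None and xlate <= conn:
        problems.append(
            f"xlate timeout {xlate}s is not greater than conn timeout {conn}s"
        )
    return problems


if __name__ == "__main__":
    print(check_capacity(SAMPLE_CONN_COUNT, ASSUMED_MAX_CONNS))
    print(check_timeout_order(parse_timeouts(SAMPLE_RUN_TIMEOUT)))
```

Paste the real output of both commands into the two strings and run it; a "near_limit" of True or a non-empty list from check_timeout_order points at the capacity and timeout theories respectively, while an empty result supports moving on to the logs as the thread eventually does.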

Hi,

I tried lowering the timeouts for the translations and connections; no good.

Please advise.

Regards

Arulkumar

Arulkumar,

We can't just manipulate the timeouts without knowing what the cause is.

What do the logs say when these hosts can't get out?

Can they ping the firewall's IP address?

Do they get name resolution when they ping yahoo.com or google.com?

Can they load the page by IP address rather than by name?

Can they ping an outside IP through the firewall?

Does only TCP break while ICMP works?

Enable logging on the firewall:

conf t

logging buffered 7

sh logg | i x.x.x.x

where x.x.x.x is the host that cannot get out. Explain which protocol (HTTP?) breaks. Are you using "telnet x.x.x.x 80" to verify?

-KS
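KS's "show logging | include x.x.x.x" answers the question of what the firewall saw for one host, but the raw lines still have to be read. The following is an added example, not code from the thread: it applies the same per-host filter to constructed ASA syslog lines (the addresses, connection IDs and access-group name are made up) and sorts them into the message classes that matter for "existing connections work, new ones fail": connections built and torn down, ACL denies, "no connection" denies and failed translations.

```python
import re
from collections import Counter

# Constructed ASA syslog lines (not from the thread), in the form they take
# in "show logging" once "logging buffered 7" is configured.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 41823 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.0.2.25/51234 (198.51.100.5/51234)
%ASA-6-302014: Teardown TCP connection 41823 for outside:203.0.113.10/80 to inside:192.0.2.25/51234 duration 0:00:12 bytes 3451 TCP FINs
%ASA-4-106023: Deny tcp src inside:192.0.2.25/51240 dst dmz:10.0.0.20/23 by access-group "inside_access_in" [0x0, 0x0]
%ASA-3-305006: regular translation creation failed for tcp src inside:192.0.2.25/51241 dst outside:203.0.113.10/80
%ASA-6-302013: Built inbound TCP connection 41830 for outside:198.51.100.77/44321 (198.51.100.77/44321) to dmz:10.0.0.20/443 (10.0.0.20/443)
%ASA-6-302015: Built outbound UDP connection 41831 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.0.2.25/50021 (198.51.100.5/50021)
"""

HEADER = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
# interface:ip/port tokens; the parenthesised mapped addresses have no
# interface prefix and so are not matched.
ENDPOINT = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")

# Syslog message IDs grouped by what they mean for a "new connections fail" report.
CLASSES = {
    "302013": "built",          # TCP connection built
    "302015": "built",          # UDP connection built
    "302014": "teardown",       # TCP connection torn down
    "302016": "teardown",       # UDP connection torn down
    "106023": "acl-deny",       # denied by an access-group
    "106015": "no-conn-deny",   # Deny TCP (no connection): stale or missing state
    "305006": "xlate-failed",   # translation could not be created
}
FAILURE_CLASSES = ("acl-deny", "no-conn-deny", "xlate-failed")


def parse_line(line):
    """Split one syslog line into severity, message ID, class and endpoints."""
    m = HEADER.match(line)
    if not m:
        return None
    sev, msg_id, body = m.groups()
    return {
        "severity": int(sev),
        "id": msg_id,
        "class": CLASSES.get(msg_id, "other"),
        "endpoints": [(ifc, ip, int(port)) for ifc, ip, port in ENDPOINT.findall(body)],
        "text": body,
    }


def lines_for_host(log_text, host):
    """Like 'show logging | include <host>', but matched on parsed endpoint
    addresses, so a filter for 192.0.2.2 does not also pull in 192.0.2.25."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(ip == host for _, ip, _ in rec["endpoints"]):
            out.append(rec)
    return out


def summarize_host(log_text, host):
    """Count message classes for one host and list the lines that explain a failure."""
    recs = lines_for_host(log_text, host)
    counts = Counter(r["class"] for r in recs)
    return {
        "lines": len(recs),
        "counts": dict(counts),
        "failures": [r["text"] for r in recs if r["class"] in FAILURE_CLASSES],
    }


if __name__ == "__main__":
    print(summarize_host(SAMPLE_LOG, "192.0.2.25"))
```

Run it over the saved "show logging" output for an affected host during an outage window. If the host's new connections are failing and the summary shows no built lines and no failure lines at all, the packets are not reaching the firewall, which fits the symptom that reconnecting the cable clears it; failure lines point at ACL, state or translation problems on the ASA itself.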
