cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6351
Views
0
Helpful
7
Replies

Frequently Cisco ASA 5510 stops

jibsoni
Level 1
Level 1

Dear all ,

I am having a cisco ASA and its frequently stops working .Please check the logs given below.

kindly let me know this happands because of the commands given below.

threat-detection basic-threat
threat-detection statistics access-list

--------------------------------Logs----------------------------------------------------

show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 1144 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 2594532 messages logged
anslation from inside:10.204.4.220/20732 to outside:1.1.1.1/37533
%ASA-6-302013: Built outbound TCP connection 914288 for outside:64.13.161.61/443 (64.13.161.61/443) to inside:10.204.4.220/20732 (1.1.1.1/37533)
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.204.4.220/20670 to outside:1.1.1.1/29835 duration 0:01:00
%ASA-6-302014: Teardown TCP connection 914258 for outside:64.4.11.160/80 to inside:10.204.4.220/20714 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:64.4.11.160 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.204.4.220/20671 to outside:1.1.1.1/14014 duration 0:01:00
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.204.4.220/20672 to outside:1.1.1.1/51985 duration 0:01:00
%ASA-6-302014: Teardown TCP connection 914262 for outside:67.192.78.23/80 to inside:10.204.4.220/20715 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:67.192.78.23 duration 0:00:30
%ASA-6-302014: Teardown TCP connection 914263 for outside:67.192.111.246/80 to inside:10.204.4.220/20716 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.204.4.220/20673 to outside:1.1.1.1/51568 duration 0:01:00
%ASA-7-609001: Built local-host outside:207.246.192.35
<--- More --->
             
%Built local-host outside:10.206.1.253
%ASA-6-302013: Built outbound TCP connection 914298 for outside:10.206.1.253/135 (10.206.1.253/135) to inside:10.14.10.28/31908 (10.14.10.28/31908)
%ASA-6-302021: Teardown ICMP connection for faddr 145.27.24.94/512 gaddr 10.204.4.253/0 laddr 10.204.4.253/0
%ASA-7-609002: Teardown local-host inside:10.204.4.253 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:145.27.24.94 duration 0:00:00
e:10.162.2.13 duration 0:00:30
%ASA-6-302014: Teardown TCP connection 914265 for outside:72.14.253.83/80 to inside:10.204.4.220/20717 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.204.4.220/20674 to outside:1.1.1.1/47025 duration 0:01:00
%ASA-7-609001: Built local-host outside:70.37.129.135
%ASA-6-305011: Built dynamic TCP translation from inside:10.204.4.220/20734 to outside:1.1.1.1/41163
%ASA-6-302013: Built outbound TCP connection 914290 for outside:70.37.129.135/80 (70.37.129.135/80) to inside:10.204.4.220/20734 (1.1.1.1/41163)
%ASA-6-302014: Teardown TCP connection 914267 for outside:64.13.161.61/443 to inside:10.204.4.220/20718 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609001: Built local-host outside:72.30.2.43
%ASA-6-305011: Built dynamic TCP translation from inside:10.204.4.220/20735 to outside:1.1.1.1/10561
%ASA-6-302013: Built outbound TCP connection 914291 for outside:72.30.2.43/80 (72.30.2.43/80) to inside:10.204.4.220/20735 (1.1.1.1/10561)
%ASA-6-305011: Built dynamic TCP translation from inside:10.204.4.220/20736 to outside:1.1.1.1/63473
%ASA-6-302013: Built outbound TCP connection 914292 for outside:173.194.36.104/443 (173.194.36.104/443) to inside:10.204.4.220/20736 (1.1.1.1/63473)
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.204.4.220/20675 to outside:1.1.1.1/2184 duration 0:01:00
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.204.4.220/20680 to outside:1.1.1.1/29227 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:10.204.4.220/20737 to outside:1.1.1.1/51962
%ASA-6-302013: Built outbound TCP connection 914293 for outside:209.85.229.18/443 (209.85.229.18/443) to inside:10.204.4.220/20737 (1.1.1.1/51962)
%ASA-7-609001: Built local-host outside:209.85.229.19
%ASA-6-305011: Built dynamic TCP translation from inside:10.204.4.220/20738 to outside:1.1.1.1/29710
%ASA-6-302013: Built outbound TCP connection 914294 for outside:209.85.229.19/443 (209.85.229.19/443) to inside:10.204.4.220/20738 (1.1.1.1/29710)
<--- More --->
             
%ASA-6-302014: Teardown TCP connection 914271 for outside:64.13.161.61/443 to inside:10.204.4.220/20719 duration 0:00:30 bytes 0 SYN Timeout

7 Replies 7

Panos Kampanakis
Cisco Employee
Cisco Employee

What do you need to do to get it working again? Reload it?

Have you checked the cpu and memory when the problem happens?

What is your ASA version?

PK

some time after  one reload it will start sometime  3-4 reload is required. every time i noticed one thing after 30 min every thing will work smoothly with out any modification on configuration.

ASA Version 8.2(2)

I have never checked the memory /CPU usage..

See if the ASA shows an output for "sh crash"

If it does then the unit probably crashed.  If you have smartnet then pls. open a TAC case so, an engineer can decode the crash and suggest further steps to upgrade the code.

-KS

I doubt its related to crash because even when your firewall stops passing traffic we can see its building the connection and tearing it down because of SYN-TIMEOUT

%ASA-6-302013: Built outbound TCP connection 914290 for  outside:70.37.129.135/80 (70.37.129.135/80) to inside:10.204.4.220/20734  (1.1.1.1/41163)
%ASA-6-302014: Teardown TCP connection 914267 for  outside:64.13.161.61/443 to inside:10.204.4.220/20718 duration 0:00:30  bytes 0 SYN Timeout

Can you check your upstream side ? are you able to ping from the firewall any public address on internet ?

Alternatively from outside world are you able to ping firewall's outside interface ?

Let me know the result of the probing above

--regards

I have noticed one thing .

When ASA stops working that moment i wont be able to ping any ip from ASA but traceroute works fine and i am unable to ping / SSH to the device from outside.

Traceroute from ASA works fine or through the ASA  from any local machine ?

If you try to SSH/ping to the ASA outside interface do you see "request" packets reaching the box ?

Next time this happens, can you get me

access-list out permit ip host   host

ccess-list out permit ip host host

x.x.x.x--->Host ip on outside from where you pinging ASA outside

capture cpo access-list out interface outside

Now ping and SSH to the ASA outside interface and gather

show cap cpo

I am interested to know if packets are reaching ASA outside interface

--regards

Look here,  at Step 3 - Confirm and Monitor Application Traffic  and compare to your ASA settings.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: