2726 Views, 20 Helpful, 27 Replies

Cisco ASA 5510 reboot necessary every week

sprintership-il
Level 1

From time to time, almost every week, we have to reboot the ASA firewall. Before I manually hit the button, I noticed there is no DNS communication at the time we lose the internet connection. Logging into the ASA CLI, I can't ping anything in the outside world from the outside interface. We have already replaced the hardware, and Cisco TAC checked the config and all should be ok. Should be. I am thinking about setting up some sort of syslog to see what is going on.

 

The ASA port is connected to the ISP router, a Cisco 2800. Both ports had duplex and speed set to auto. I have changed that manually. What else can I do in order to troubleshoot that?

Accepted Solution

Removing the laptop would not change anything on the ASA as we can see that the sessions are up even beyond time-out values. 

Yes, you should try the workaround and share your findings.

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!


27 Replies

dbellaze
Level 4

Do you have a span/monitor port capable switch you can use to connect the ASA and the ISP router? This could help give you visibility by mirroring traffic to a device that has tcpdump/wireshark available for analysis.

Below are things I'd look at while the problem is occurring on the ASA.

Can you ping your ISP's side of the connection (2800)?

Do you have a valid arp entry to the ISP's address?

Aside from internet communication, do other things to/from/through the ASA appear to work? LAN to DMZ communication? Pings, etc.?

Have you checked nat, memory, and cpu resources?

Do you have a static IP or dynamic?

Do interfaces show unusual errors or drops?

Have you conferenced in your ISP and TAC during an outage?

Your ISP should also be able to troubleshoot from their equipment.

 

Thank you. Meantime, I have logs from syslog from while all was down and I could not ping 8.8.8.8.

Do you have a static IP or dynamic? STATIC

 

Do interfaces show unusual errors or drops? Attached syslog. 

 

I have a feeling it's either DoS or some sort of attack. I will try to get answers on all. Thank you.

 

I have noticed it's happening every time we access the NWEA site for testing. All is ok during the days we don't use that site at all.

I found NWEA has some references to DoS on twitter.

https://mobile.twitter.com/NWEA?lang=fil

From the post it sounds like they were attacked in some way, so it's possible you had/have systems in your network contributing. You mentioned testing as well; maybe a faulty or misconfigured system?

But is it possible that their problems are affecting our network service? I don't want to believe it is possible at all.

What I have done was place a switch between the router and the firewall, mirror the ports and take a tcpdump. I have a file, but another problem is analyzing that file.

 

The DNS blackout happens at the same times. I wonder if there is a limit on the ASA 5510 for client connections or sessions.

I was able to get a tcpdump from the time when I had to reboot the ASA again. It looks like right before the WAN port "dies" there was a lot of https traffic, but I don't think I'm dealing with DoS since the network was utilized at 48%.

 

I started taking tcpdump files out of the internal network just before they reach the ASA and behind it, both in and out. But this really drives me crazy since the problem has been going on for 3 weeks.

 

 

What I have noticed based on the tcpdump is that a lot of https traffic is generated from my side to 23.4.1.138 and 173.194.192.95, but the first one kicks in before the ASA WAN port dies.

 

Looks like this is Akamai Technologies. The question is how that affects us and how to stop the traffic.

At the time of issue did you try pinging internet from the ASA?

Check if the interface is UP or not.

Check ARP entries on ASA and also check if upstream device is passing traffic at the time of issue.

 

Thanks,

R.Seth

Yes, at that time the WAN port on the ASA looks like it is UP, BUT I can't ping anything externally.

 

Normally, I can ping any IP out of the ASA. Together with the ISP we set speed and duplex manually on both the ASA and the router.

 

ASA > ROUTER (ISP)> switch (ISP)

 

However, if I unplug the WAN data cable from the router and plug it into a laptop with my static info, I can open any websites without issue.

Hi,

 

You have mentioned that you can span traffic.

 

So at the time of issue do you see traffic leaving ASA when :

>> You try to ping public IP from ASA.

>> You try to ping public IP from a host behind ASA.

>> In any of the above cases do you see reply coming back.

 

It might be possible that there is some issue with upstream device.

 

And as you have mentioned that when you plug your laptop you do not see the issue. So did you test the connectivity with your laptop directly connected for a week? If not then probably the issue might take some time to occur.

Also try speed and duplex with auto if possible.

Thanks,

R.Seth

Well, I cannot use the laptop connected to my WAN link since this is a production environment. Also, my time for troubleshooting is limited since I have 700 people waiting to be online. :( I will be looking for traffic insight into the network, but I don't think this matters since I see bandwidth utilization for both U/D = 50%.

why nobody says to use:

 

show local-host connection tcp 1000 | inc TCP flow count ?????

 

I think I hit the jackpot and narrowed it down to my problems. So one external IP is not enough for all ports and connections. I may expand that.

 

 

Make sense?  

To check if your PAT pool is getting exhausted, you can use the command show nat pool and then decide whether to add more IP addresses for NAT.

 

Thanks,

R.Seth
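The thread's diagnosis came down to counting flows: one public IP behind PAT, the "TCP flow count" check, and sessions that stay up beyond their timeout. The Python script below is an added example, not code from the original thread or from Cisco; it tallies flows per internal host and per destination from ASA "show conn"-style lines and flags stale sessions. The sample lines are constructed and the line format (proto, outside ip:port, inside ip:port, idle h:mm:ss) is an assumption about the output layout; the PAT budget of roughly 64k ports per public IP is likewise an assumed figure.

```python
import re
from collections import Counter

# Constructed sample in the style of ASA "show conn" output (format assumed).
# Addresses reuse the two destinations named in the thread plus private hosts.
SAMPLE_CONN = """\
TCP outside 23.4.1.138:443 inside 10.10.5.21:51234, idle 0:00:02, bytes 18342, flags UIO
TCP outside 23.4.1.138:443 inside 10.10.5.21:51235, idle 0:00:01, bytes 2210, flags UIO
TCP outside 23.4.1.138:443 inside 10.10.5.22:49811, idle 0:00:09, bytes 9921, flags UIO
TCP outside 173.194.192.95:443 inside 10.10.5.23:50010, idle 0:01:40, bytes 511, flags UIO
UDP outside 8.8.8.8:53 inside 10.10.5.21:40001, idle 0:00:00, bytes 64, flags -
TCP outside 23.4.1.138:443 inside 10.10.5.21:51236, idle 1:12:05, bytes 0, flags U
"""

# One flow per line: protocol, outside endpoint, inside endpoint, idle time.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\S+\s+(?P<src>[\d.]+):(?P<sport>\d+),\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
)


def idle_seconds(text):
    """Convert an 'h:mm:ss' idle field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conns(text):
    """Parse connection-table lines into a list of flow dicts; skip non-matching lines."""
    flows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "proto": m["proto"],
            "dst": m["dst"], "dport": int(m["dport"]),
            "src": m["src"], "sport": int(m["sport"]),
            "idle": idle_seconds(m["idle"]),
        })
    return flows


def summarize(flows, stale_after=3600, pat_ports=65535 - 1024):
    """Count flows per inside host and per destination, flag stale sessions,
    and estimate how much of one public IP's PAT port budget is in use.
    stale_after and pat_ports are assumed thresholds, not ASA defaults."""
    per_host = Counter(f["src"] for f in flows)
    per_dst = Counter((f["dst"], f["dport"]) for f in flows)
    stale = [f for f in flows if f["idle"] >= stale_after]
    return {
        "total": len(flows),
        "per_host": per_host,
        "per_dst": per_dst,
        "stale": len(stale),
        "pat_used_pct": round(100.0 * len(flows) / pat_ports, 2),
    }


if __name__ == "__main__":
    report = summarize(parse_conns(SAMPLE_CONN))
    print("total flows:", report["total"])
    print("top inside hosts:", report["per_host"].most_common(3))
    print("top destinations:", report["per_dst"].most_common(3))
    print("stale flows (idle >= 1h):", report["stale"])
    print("PAT ports used on one public IP: %.2f%%" % report["pat_used_pct"])
```

Run it against real "show conn" output captured during an outage: a single inside host or a single destination dominating the counts points at a runaway client, while a high PAT percentage or many stale flows matches the exhaustion the thread settled on.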
