New Member

Problem with PAT on an ASA

Good evening, colleagues.

I have a failover cluster of ASA 5520s.

Cisco Adaptive Security Appliance Software Version 8.3(1)

 

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

 

This platform has an ASA 5520 VPN Plus license.

This platform has an ASA 5520 VPN Plus license.

 

Inside Hosts                   : Unlimited      perpetual

##

I am seeing an intermittent problem where resources over HTTP are at times unreachable.

Config:

object network wifi-onyx-lap-access-point

subnet 10.0.130.0 255.255.255.0

 

object network wifi-onyx-lap-access-point

nat (inside,outside) dynamic 141.101.243.XXX

###

interface GigabitEthernet0/3

description ## inside - core2 - Gi1/0/3 / core1 - Gi2/0/4

nameif inside

security-level 100

ip address 192.168.85.20 255.255.248.0 standby 192.168.85.19

 

 

interface GigabitEthernet0/0.500

vlan 500

nameif outside

security-level 0

ip address 141.101.XX3.XX1 255.255.255.224 standby 141.101.XX3.XX2

###

ru-msk-ai001# sh xlate | i 10.0.130.123

UDP PAT from inside:10.0.130.123/123 to outside:141.101.2X.XX/91 flags ri idle 0:00:03 timeout 0:00:30

TCP PAT from inside:10.0.130.123/57277 to outside:141.1XX.2X.XX/11663 flags ri idle 0:00:05 timeout 0:00:30

TCP PAT from inside:10.0.130.123/57276 to outside:141.101.2XX.1XX/38753 flags ri idle 0:00:05 timeout 0:00:30

 

 

###

 

ru-msk-ai001# sh conn | i 10.0.130.123

TCP outside 104.75.57.165:443 inside 10.0.130.123:57273, idle 0:00:37, bytes 8565, flags UIO

TCP outside 17.253.55.212:80 inside 10.0.130.123:57247, idle 0:06:24, bytes 1932, flags UFIO

UDP outside 17.253.54.253:123 inside 10.0.130.123:123, idle 0:00:31, bytes 96, flags -

UDP outside 17.253.54.125:123 inside 10.0.130.123:123, idle 0:00:31, bytes 96, flags -

 

###

ru-msk-ai001# sh nat pool | i 141.101.243.186

TCP PAT pool outside, address 141.101.2X.1XX, range 1-511, allocated 0

TCP PAT pool outside, address 141.101.2X.1X, range 512-1023, allocated 0

TCP PAT pool outside, address 141.101.2X.1XX, range 1024-65535, allocated 633

UDP PAT pool outside, address 141.101.2X.1XX, range 1-511, allocated 5

UDP PAT pool outside, address 141.101.2X.1XX, range 512-1023, allocated 0

UDP PAT pool outside, address 141.101.2X.1XX, range 1024-65535, allocated 38

###

28 (inside) to (outside) source dynamic wifi-onyx-lap-access-point 141.101.2XX.1X

    translate_hits = 1091771, untranslate_hits = 143133

###

ru-msk-ai001# sh cpu usage

CPU utilization for 5 seconds = 24%; 1 minute: 22%; 5 minutes: 21%

 

 

ru-msk-ai001# sh memory

Free memory:      2355552584 bytes (110%)

Used memory:      4086898360 bytes (190%)

-------------     ----------------

Total memory:     2147483648 bytes (100%)

###

Capture of the traffic: HTTP does not work, FTP is completely fine:

Syn ->
syn ack ->
ack ->

and then silence...

Full debug:

 

   1: 18:21:20.706414 10.0.130.27.59812 > 178.62.9.171.80: S 755093679:755093679(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245478874 0,sackOK,eol>

   2: 18:21:20.761160 178.62.9.171.80 > 10.0.130.27.59812: S 3475864375:3475864375(0) ack 755093680 win 28960 <mss 1380,sackOK,timestamp 3203506131 245478874,nop,wscale 8>

   3: 18:21:20.763769 10.0.130.27.59812 > 178.62.9.171.80: . ack 3475864376 win 4104 <nop,nop,timestamp 245478934 3203506131>

   7: 18:21:52.553621 178.62.9.171.80 > 10.0.130.27.59812: S 3475864375:3475864375(0) ack 755093680 win 28960 <mss 1380,sackOK,timestamp 3203514080 245478934,nop,wscale 8>

   8: 18:22:23.513706 10.0.130.27.59820 > 213.180.204.62.80: S 579124212:579124212(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245541576 0,sackOK,eol>

   9: 18:22:23.517597 213.180.204.62.80 > 10.0.130.27.59820: S 3379191765:3379191765(0) ack 579124213 win 27960 <mss 1380,sackOK,timestamp 2903065140 245541576,nop,wscale 8>

  10: 18:22:23.520511 10.0.130.27.59820 > 213.180.204.62.80: . ack 3379191766 win 4104 <nop,nop,timestamp 245541581 2903065140>

  11: 18:24:04.550203 10.0.130.27.59824 > 173.255.255.20.80: S 3982395340:3982395340(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245642524 0,sackOK,eol>

  12: 18:24:04.748771 173.255.255.20.80 > 10.0.130.27.59824: S 1420396915:1420396915(0) ack 3982395341 win 28960 <mss 1380,sackOK,timestamp 133574852 245642524,nop,wscale 7>

  13: 18:24:04.751212 10.0.130.27.59824 > 173.255.255.20.80: . ack 1420396916 win 4104 <nop,nop,timestamp 245642722 133574852>

  14: 18:24:06.923215 10.0.130.27.59825 > 199.233.217.201.21: S 2362179665:2362179665(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245644892 0,sackOK,eol>

  15: 18:24:07.127724 199.233.217.201.21 > 10.0.130.27.59825: S 3696146908:3696146908(0) ack 2362179666 win 4096 <mss 1380,nop,wscale 6,nop,nop,timestamp 1 245644892,sackOK,nop,nop>

  16: 18:24:07.186834 10.0.130.27.59825 > 199.233.217.201.21: . ack 3696146909 win 4104 <nop,nop,timestamp 245645155 1>

  17: 18:24:08.201146 199.233.217.201.21 > 10.0.130.27.59825: P 3696146909:3696146970(61) ack 2362179666 win 68 <nop,nop,timestamp 4 245645155>

  18: 18:24:08.231234 10.0.130.27.59825 > 199.233.217.201.21: . ack 3696146970 win 4102 <nop,nop,timestamp 245646199 4>

  19: 18:24:08.232898 10.0.130.27.59825 > 199.233.217.201.21: P 2362179666:2362179676(10) ack 3696146970 win 4102 <nop,nop,timestamp 245646200 4>

  20: 18:24:08.440284 199.233.217.201.21 > 10.0.130.27.59825: P 3696146970:3696147019(49) ack 2362179676 win 68 <nop,nop,timestamp 4 245646200>

###

Here is the packet-tracer:

ru-msk-ai001# packet-tracer input inside tcp 10.0.130.27 59812 178.62.9.171 80$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x541b9a68, priority=1, domain=permit, deny=false
hits=51268251027, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 359980837, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Phase: 3
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.85.50 using egress ifc inside
adjacency Active
next-hop mac address 649e.f30d.6740 hits 529

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow

2 REPLIES
New Member

Why the HTTP traffic is being dropped:

Inside capture:

 

   8: 12:16:28.576325 10.0.130.132.54736 > 213.180.204.62.80: SWE 2824034339:2824034339(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245317298 0,sackOK,eol>

   9: 12:16:28.586853 213.180.204.62.80 > 10.0.130.132.54736: SE 2152717139:2152717139(0) ack 2824034340 win 27960 <mss 1380,sackOK,timestamp 884977026 245317298,nop,wscale 8>

  10: 12:16:28.589431 10.0.130.132.54736 > 213.180.204.62.80: . ack 2152717140 win 4104 <nop,nop,timestamp 245317310 884977026>

 

###

 

20: 12:17:20.138634 213.180.204.62.80 > 10.0.130.132.54675: . ack 2267140545 win 110 <nop,nop,timestamp 731105536 245152491>

  21: 12:17:20.167273 10.0.130.132.54675 > 213.180.204.62.80: R 2267140545:2267140545(0) win 0

  22: 12:17:37.133614 213.180.204.62.80 > 10.0.130.132.54693: . ack 2119608774 win 110 <nop,nop,timestamp 1100386304 245169483>

  23: 12:17:37.192967 10.0.130.132.54693 > 213.180.204.62.80: R 2119608774:2119608774(0) win 0

  24: 12:17:48.752371 213.180.204.62.80 > 10.0.130.132.54695: . ack 2366314958 win 110 <nop,nop,timestamp 885214208 245180823>

  25: 12:17:48.786473 10.0.130.132.54695 > 213.180.204.62.80: R 2366314958:2366314958(0) win 0

  26: 12:18:01.782964 10.0.130.132.54739 > 213.180.204.62.80: S 2925360319:2925360319(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245410432 0,sackOK,eol>

  27: 12:18:01.791554 213.180.204.62.80 > 10.0.130.132.54739: S 2997702397:2997702397(0) ack 2925360320 win 27960 <mss 1380,sackOK,timestamp 474265027 245410432,nop,wscale 8>

  28: 12:18:01.794224 10.0.130.132.54739 > 213.180.204.62.80: . ack 2997702398 win 4104 <nop,nop,timestamp 245410446 474265027>

  29: 12:18:10.443168 213.180.204.62.80 > 10.0.130.132.54703: . ack 2065444472 win 110 <nop,nop,timestamp 884879616 245202235>

  30: 12:18:10.511829 10.0.130.132.54703 > 213.180.204.62.80: R 2065444472:2065444472(0) win 0

  31: 12:18:43.000106 213.180.204.62.80 > 10.0.130.132.54705: . ack 3489438041 win 110 <nop,nop,timestamp 885001728 245235222>

  32: 12:18:43.099878 10.0.130.132.54705 > 213.180.204.62.80: R 3489438041:3489438041(0) win 0

###

OUTSIDE capture:

 

 

109: 12:16:28.576508 802.1Q vlan#500 P0 141.101.243.186.19798 > 213.180.204.62.80: SWE 315774344:315774344(0) win 65535 <mss 1380,nop,wscale 5,nop,nop,timestamp 245317298 0,sackOK,eol>

110: 12:16:28.586822 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.19798: SE 1441464601:1441464601(0) ack 315774345 win 27960 <mss 1410,sackOK,timestamp 884977026 245317298,nop,wscale 8>

111: 12:16:28.589477 802.1Q vlan#500 P0 141.101.243.186.19798 > 213.180.204.62.80: . ack 1441464602 win 4104 <nop,nop,timestamp 245317310 884977026>

 

###

 

288: 12:17:20.138603 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.42911: . ack 3970837092 win 110 <nop,nop,timestamp 731105536 245152491>

##

289: 12:17:20.167303 802.1Q vlan#500 P0 141.101.243.186.42911 > 213.180.204.62.80: R 3970837092:3970837092(0) win 0

290: 12:17:37.133583 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.21209: . ack 4081145712 win 110 <nop,nop,timestamp 1100386304 245169483>

291: 12:17:37.192998 802.1Q vlan#500 P0 141.101.243.186.21209 > 213.180.204.62.80: R 4081145712:4081145712(0) win 0

310: 12:17:48.752356 802.1Q vlan#500 P0 213.180.204.62.80 > 141.101.243.186.40839: . ack 2372938204 win 110 <nop,nop,timestamp 885214208 245180823>

311: 12:17:48.786504 802.1Q vlan#500 P0 141.101.243.186.40839 > 213.180.204.62.80: R 2372938204:2372938204(0) win 0
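The two captures above can be checked mechanically instead of by eye. The Python script below is an added example; it is not code posted in this thread and not a Cisco tool. It parses lines in the `show capture` format shown in this thread (with or without the `802.1Q vlan#500 P0` prefix of the outside capture), groups them into flows, and labels a flow as stalled when the server re-sends its SYN-ACK after the client's ACK has already been captured on the inside interface, which is exactly the pattern in packets 1-3 and 7 of the first post: the ACK left the client, so whatever is lost is beyond that capture point. It also pairs inside and outside flows through the TCP timestamp option, which PAT leaves untouched, so the translated port (19798 for 54736 in the reply's captures) can be recovered without `show xlate`. The sample lines embedded in it are copied from the captures in this thread; the function names, the labels and the assumption that a capture does not span midnight are mine.

```python
import re
from collections import defaultdict
LINE_RE = re.compile(  # one ASA "show capture" line; the 802.1Q prefix of the outside capture is optional
    r"^\s*\d+:\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPWE.]+)\s*(?P<rest>.*)$")
ACK_RE = re.compile(r"\back (\d+)")           # \b keeps "sackOK" from matching
LEN_RE = re.compile(r"\((\d+)\)")             # payload length in seq:seq(len)
TS_RE = re.compile(r"timestamp (\d+) (\d+)")  # TCP timestamp option: TSval TSecr

def parse_capture(text):
    """Turn capture lines into packet dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        ln, ts = LEN_RE.search(rest), TS_RE.search(rest)
        pkts.append({
            # seconds since midnight (assumption: the capture does not span midnight)
            "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]),
            "src": (m["src"], int(m["sport"])),
            "dst": (m["dst"], int(m["dport"])),
            "syn": "S" in m["flags"],
            "ack": ACK_RE.search(rest) is not None,
            "len": int(ln.group(1)) if ln else 0,
            "tsval": int(ts.group(1)) if ts else None,
        })
    return pkts

def group_flows(pkts):
    """Group packets by unordered endpoint pair, keeping capture order."""
    flows = defaultdict(list)
    for p in pkts:
        flows[tuple(sorted([p["src"], p["dst"]]))].append(p)
    return flows

def classify_flow(pkts):
    """stalled: the server re-sent its SYN-ACK after the client's ACK was captured, so the ACK
    (or what follows it) is lost beyond this interface; ok: payload seen; no-data: handshake
    done but no payload yet; incomplete: SYN seen, handshake never finished; orphan: no SYN."""
    syn = next((p for p in pkts if p["syn"] and not p["ack"]), None)
    if syn is None:
        return "orphan"
    client, client_ack_t, payload = syn["src"], None, False
    for p in pkts:
        if p["syn"] and p["ack"] and p["src"] != client:
            if client_ack_t is not None and p["t"] > client_ack_t:
                return "stalled"  # second SYN-ACK after the client's ACK went out
        elif p["src"] == client and p["ack"] and client_ack_t is None:
            client_ack_t = p["t"]
        payload = payload or p["len"] > 0
    if client_ack_t is None:
        return "incomplete"
    return "ok" if payload else "no-data"

def analyze(text):
    """Map 'client:port -> server:port' to its label for every flow in the capture."""
    out = {}
    for key, pkts in group_flows(parse_capture(text)).items():
        syn = next((p for p in pkts if p["syn"] and not p["ack"]), None)
        a, b = (syn["src"], syn["dst"]) if syn else key
        out["%s:%d -> %s:%d" % (a + b)] = classify_flow(pkts)
    return out

def correlate(inside_flows, outside_flows):
    """Pair pre-NAT flows with post-NAT flows. PAT rewrites the client address and port
    but not the server endpoint or the TCP timestamp option, so (server, TSval of the
    client's SYN) identifies the same connection on both sides of the ASA."""
    def index(flows):
        idx = {}
        for key, pkts in flows.items():
            syn = next((p for p in pkts if p["syn"] and not p["ack"]), None)
            if syn and syn["tsval"] is not None:
                idx[(syn["dst"], syn["tsval"])] = key
        return idx
    out_idx = index(outside_flows)
    return {k: out_idx[sig] for sig, k in index(inside_flows).items() if sig in out_idx}

# Sample input: lines copied from the captures posted in this thread.
POST_CAPTURE = """\
   1: 18:21:20.706414 10.0.130.27.59812 > 178.62.9.171.80: S 755093679:755093679(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245478874 0,sackOK,eol>
   2: 18:21:20.761160 178.62.9.171.80 > 10.0.130.27.59812: S 3475864375:3475864375(0) ack 755093680 win 28960 <mss 1380,sackOK,timestamp 3203506131 245478874,nop,wscale 8>
   3: 18:21:20.763769 10.0.130.27.59812 > 178.62.9.171.80: . ack 3475864376 win 4104 <nop,nop,timestamp 245478934 3203506131>
   7: 18:21:52.553621 178.62.9.171.80 > 10.0.130.27.59812: S 3475864375:3475864375(0) ack 755093680 win 28960 <mss 1380,sackOK,timestamp 3203514080 245478934,nop,wscale 8>
  14: 18:24:06.923215 10.0.130.27.59825 > 199.233.217.201.21: S 2362179665:2362179665(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245644892 0,sackOK,eol>
  15: 18:24:07.127724 199.233.217.201.21 > 10.0.130.27.59825: S 3696146908:3696146908(0) ack 2362179666 win 4096 <mss 1380,nop,wscale 6,nop,nop,timestamp 1 245644892,sackOK,nop,nop>
  16: 18:24:07.186834 10.0.130.27.59825 > 199.233.217.201.21: . ack 3696146909 win 4104 <nop,nop,timestamp 245645155 1>
  17: 18:24:08.201146 199.233.217.201.21 > 10.0.130.27.59825: P 3696146909:3696146970(61) ack 2362179666 win 68 <nop,nop,timestamp 4 245645155>
"""
REPLY_INSIDE = """\
   8: 12:16:28.576325 10.0.130.132.54736 > 213.180.204.62.80: SWE 2824034339:2824034339(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 245317298 0,sackOK,eol>
20: 12:17:20.138634 213.180.204.62.80 > 10.0.130.132.54675: . ack 2267140545 win 110 <nop,nop,timestamp 731105536 245152491>
  21: 12:17:20.167273 10.0.130.132.54675 > 213.180.204.62.80: R 2267140545:2267140545(0) win 0
"""
REPLY_OUTSIDE = "109: 12:16:28.576508 802.1Q vlan#500 P0 141.101.243.186.19798 > 213.180.204.62.80: SWE 315774344:315774344(0) win 65535 <mss 1380,nop,wscale 5,nop,nop,timestamp 245317298 0,sackOK,eol>"
```

Run `analyze()` on the text of an inside capture and look for `stalled` entries; then feed the inside and outside captures of the same window to `correlate()` to get the post-NAT tuple to search for in the outside capture or in `show asp drop` counters. The `orphan` label marks the bare server ACK answered by a client RST (packets 20/21 in the reply), which is a leftover of an earlier connection rather than a fresh drop.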

New Member

I found this in asp drop, and the traffic from this network to HTTP/HTTPS resources...

  TCP RST/FIN out of order (tcp-rstfin-ooo)                               348193

but what to do about it...
