I have a 5505 setup in my home office. It generally works well but I noticed when I upgraded it to 22.214.171.124 it would stop passing traffic after a few days. I figured this was just the interim release blues and waited until 9.1.3 came out. However, with 9.1.3 the problem is even worse. I'm actually not exactly sure what's going on. Here's what I've noticed:
I get a lot of DNS connections with the "h" flag (H.225 traffic) set. This seems like it might have some relation to the problem:
I also get these in 9.1.2 (which works fine), but far fewer. When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.
When traffic stops passing, the ASA itself can no longer get to the Internet. I can't ping my Comcast router (actually in my office, L2 adjacent to ASA). I also have some SLA probes going to the Internet which fail. If I do a clear conn all, then everything starts working again for a while. The BTF (dynamic-filter) feature seems to make it worse. If I remove it (remove dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:
inspect dns dns-ipm dynamic-filter-snoop
What's really strange is that even if I remove all service-policy commands, I still get connections with the "h" flag. I don't believe that should be possible, so perhaps a bug?
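The diagnostic the post leans on is watching the connection table for a growing pile of DNS entries carrying the "h" flag before traffic stops passing. Below is an added example (not code from the original post or from Cisco) that parses `show conn` output offline and counts entries per flag letter and per destination port, so a spike in "h"-flagged UDP/53 connections can be spotted from a saved capture rather than by eye. The line format is assumed from typical ASA 9.x `show conn` output, and the sample lines are constructed, not captured from a real device; flag letters are matched case-sensitively because the ASA distinguishes, for example, "h" from "H".

```python
"""Count ASA `show conn` entries by flag and destination port.

Added example, not part of the original post. The input format is an
assumption modelled on typical ASA 9.x `show conn` lines; the sample
below is constructed, not captured from a real firewall.
"""
import re
from collections import Counter

# Constructed sample of `show conn` output (hypothetical addresses).
SAMPLE_SHOW_CONN = """\
UDP outside 203.0.113.53:53 inside 192.168.1.10:51234, idle 0:00:05, bytes 120, flags h
UDP outside 203.0.113.53:53 inside 192.168.1.10:51301, idle 0:00:02, bytes 98, flags h
UDP outside 203.0.113.53:53 inside 192.168.1.11:49152, idle 0:00:09, bytes 110, flags -
TCP outside 198.51.100.20:443 inside 192.168.1.10:52000, idle 0:00:01, bytes 48211, flags UIO
TCP outside 198.51.100.21:80 inside 192.168.1.12:52010, idle 0:01:30, bytes 1200, flags UfrIO
UDP outside 203.0.113.53:53 inside 192.168.1.12:50555, idle 0:00:03, bytes 77, flags h
"""

# One connection-table line: proto, outside if/addr:port, inside if/addr:port,
# idle timer, byte count, flag string ("-" when no flags are set).
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+),\s+idle\s+(?P<idle>\S+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


def parse_show_conn(text):
    """Return a list of dicts, one per parsable connection line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, unexpected formats are skipped
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        d["sport"] = int(d["sport"])
        d["bytes"] = int(d["bytes"])
        d["flags"] = "" if d["flags"] == "-" else d["flags"]
        conns.append(d)
    return conns


def count_by_flag(conns):
    """Count how many connections carry each flag letter (case-sensitive)."""
    counts = Counter()
    for conn in conns:
        for flag in conn["flags"]:
            counts[flag] += 1
    return counts


def count_by_dport(conns):
    """Count connections per (proto, destination port) pair."""
    return Counter((c["proto"], c["dport"]) for c in conns)


def dns_conns_with_h_flag(conns):
    """UDP/53 connections flagged 'h', the pattern described in the post."""
    return [c for c in conns if c["proto"] == "UDP" and c["dport"] == 53
            and "h" in c["flags"]]


def h_flag_alert(conns, threshold):
    """True when the number of 'h'-flagged DNS connections reaches threshold."""
    return len(dns_conns_with_h_flag(conns)) >= threshold


if __name__ == "__main__":
    parsed = parse_show_conn(SAMPLE_SHOW_CONN)
    print("by flag:", dict(count_by_flag(parsed)))
    print("by dport:", dict(count_by_dport(parsed)))
    print("h-flagged DNS:", len(dns_conns_with_h_flag(parsed)))
    print("alert at threshold 3:", h_flag_alert(parsed, 3))
```

Feeding the script a series of `show conn` snapshots taken over time (for example one per hour) turns the "tons of these connections" observation into a number that can be trended, and comparing the count with and without the `dynamic-filter-snoop` keyword gives a concrete basis for the claim that the feature makes it worse.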