
5505 stops passing traffic with 9.1.3

I have a 5505 set up in my home office. It generally works well, but I noticed that when I upgraded it to 9.1.2.8 it would stop passing traffic after a few days. I figured this was just the interim release blues and waited until 9.1.3 came out. However, with 9.1.3 the problem is even worse. I'm actually not exactly sure what's going on. Here's what I've noticed:

I get a lot of DNS connections with the "h" flag (H.225 traffic) set.  This seems like it might have some relation to the problem:

UDP outside  216.218.130.2:53 inside  192.168.234.146:50705, idle 0:00:18, bytes 534, flags h

(...)

I also get these in 9.1.2 (which works fine), but far fewer.  When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.

When traffic stops passing, the ASA itself can no longer get to the Internet.  I can't ping my Comcast router (actually in my office, L2 adjacent to ASA).  I also have some SLA probes going to the Internet which fail.  If I do a clear conn all, then everything starts working again for a while.  The BTF (dynamic-filter) feature seems to make it worse.  If I remove it (remove dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:

policy-map global_policy
 class inspection_default
  inspect dns dns-ipm dynamic-filter-snoop

What's really strange is that even if I remove all service-policy commands, I still get connections with the "h" flag. I don't believe that should be possible, so perhaps a bug?

Ideas?

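To track the symptom described in the post, the following added example (not part of the original post) parses saved `show conn` output and counts UDP port 53 connections that carry the "h" flag, grouped by inside host. Only the first sample line comes from the post; the other lines, the function names and the idea of saving the output to text are assumptions made for illustration.

```python
import re
from collections import Counter

# First line is quoted from the post; the remaining lines are constructed samples.
SAMPLE = """\
UDP outside  216.218.130.2:53 inside  192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
UDP outside  198.51.100.7:53 inside  192.168.234.146:50711, idle 0:00:02, bytes 120, flags h
UDP outside  198.51.100.7:53 inside  192.168.234.20:41000, idle 0:00:09, bytes 88, flags -
TCP outside  203.0.113.9:443 inside  192.168.234.20:51544, idle 0:00:01, bytes 9120, flags UIO
UDP outside  203.0.113.50:1719 inside  192.168.234.30:1719, idle 0:00:30, bytes 300, flags h
"""

# Matches the connection-line layout shown in the post.
CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s*(?P<flags>\S*)\s*$"
)

def parse_conns(text):
    """Yield one dict per connection line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.groupdict()

def dns_with_h_flag(conns):
    """UDP connections with port 53 on either side whose flags include lowercase 'h'."""
    return [c for c in conns
            if c["proto"] == "UDP"
            and "53" in (c["port1"], c["port2"])
            and "h" in c["flags"]]  # case-sensitive: flag letters differ by case

def inside_ip(conn, inside_name="inside"):
    """Return the endpoint on the interface named 'inside' (name taken from the post)."""
    return conn["ip2"] if conn["if2"] == inside_name else conn["ip1"]

def summarize(text):
    """Count all parsed connections and the DNS ones flagged 'h', per inside host."""
    conns = list(parse_conns(text))
    suspect = dns_with_h_flag(conns)
    per_host = Counter(inside_ip(c) for c in suspect)
    return {"total": len(conns), "dns_h": len(suspect),
            "per_inside_host": dict(per_host)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it against output captured at intervals shows whether the count of flagged DNS connections grows before traffic stops.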