Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5510 - Disallowing new connections

Hi,

I'm in need of some help here. We lost internet connection. I checked ASA syslog, I found that ASA was displaying disallowing new connections on the ASDM syslog:

 

Syslog ID: 201008: Disallowing new connections

 

I did a google search and didn't yield any good results. Any help would greatly be appreciated.

Need to know why and what caused this error, and what is the fix. Thanks.

 

 

4 REPLIES
Super Bronze

Hi, I think we had this

Hi,

 

I think we had this problem when we enabled TCP based Syslog to a Syslog server (instead of the default UDP traffic). Unknown to us at that time was that if for any reason the Syslog server was not reached through that TCP connection the ASA would stop allowing new connections through it.

 

I then found out that to avoid this situation you had to have this command enabled

 

logging permit-hostdown

 

This command essentially allows the ASA to perform normally even if the Syslog server had become unreachable. Our problem in this case was related to misunderstanding on what the TCP port used should have been.

 

We added this command after the problem had started on a Security Context in a Multiple Context mode ASA and we found out also that adding this command later did not help with the situation. We went as far as removing all logging configurations and even the interface through which the Syslog server had been configured originally. None of this helped. In the end we had to remove the whole Security Context and enter it again in the System Context to get connections going through that particular Security Context.

 

So I kind of wonder if you have configured TCP based Syslog messages on the ASA and the server has become unreachable and you dont have the above mentioned command enabled?

 

Hope this helps

 

- Jouni

 

New Member

Yes, TCP is enabled for

Yes, TCP is enabled for syslog server.

I have also enabled "Allow user traffic to pass when TCP syslog server is down". Hoping this will resolve the issue.

Will test the firewall again tomorrow evening to see if this solves the problem. 

New Member

Jouni Forss , thanks for the

Jouni Forss , thanks for the posting, we lost link to syslog server, and the same thing happened.

logging permit-hostdown Worked great while we restore the link.

New Member

Hi

Hi

I know it's an older post, but it's still a problem :)

If the command:

logging permit-hostdown

not helps, you're hitting a bug which is not public. The bug is related to context firewalls.

To fix the problem, the only solution is to re-create the context again. A reboot doesn't help.

Here's a short instruction (repeat for every context):

remove tcp syslog server configuration

changeto contex XYZ
conf t
no logging host inside x.x.x.x tcp/xxx


save new configuration

changeto system
wr mem all

check configuration (optional)

more xyz.cfg | in logging

check context file:

sh run context XYZ
context XYZ
<snip>
config-url disk0:/xyz.cfg

remove context configuration

changeto context XYZ
clear configure all

Use context file again:

changeto sys
context XYZ
conf t
config-url disk0:/xyz.cfg

If you have a failover pair, I recommend to remove the configuration of the secondary ASA and built up the failover cluster again.

Regards Andrin

1934
Views
10
Helpful
4
Replies
CreatePlease to create content