Cisco Support Community
ASA 5580 local-host problem

We have 2 border routers (7609-S) running the BGP routing protocol with 3 different ISPs, connected to 2 ASA5580-40 firewalls (active/standby mode).

A server X on the Internet connects to our server Y in the LAN. Server X is unable to connect to server Y if any of the 3 ISP links gets interrupted. Even after the link recovers, X still fails to connect to Y every time.

We found that there is no IPINIP connection when I do "show local-host x.x.x.x" (IP of X) on the ASA firewall:

(IP of X & Y are shown as x.x.x.x and y.y.y.y for confidentiality)

FW01# sh local-host x.x.x.x
Interface Inside: 1554344 active, 1610150 maximum active, 0 denied
Interface Outside: 1040329 active, 1465152 maximum active, 0 denied
local host: <x.x.x.x>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    UDP Outside x.x.x.x:434 Outside y.y.y.y:434, idle 0:00:00, bytes 3310318788, flags -
Interface Stateful: 1 active, 2 maximum active, 0 denied
Interface management: 1 active, 4 maximum active, 0 denied
Interface Failover: 1 active, 2 maximum active, 0 denied


Once I issue "clear local-host x.x.x.x", the connection is up:

FW01# clear local-host x.x.x.x
FW01# sh local-host x.x.x.x  
Interface Inside: 1554451 active, 1610150 maximum active, 0 denied
Interface Outside: 1039506 active, 1465152 maximum active, 0 denied
local host: <x.x.x.x>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 3440
    UDP Outside x.x.x.x:434 Inside y.y.y.y:434, idle 0:00:00, bytes 2156, flags -
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 2784
Interface Stateful: 1 active, 2 maximum active, 0 denied
Interface management: 1 active, 4 maximum active, 0 denied
Interface Failover: 1 active, 2 maximum active, 0 denied


We have a workaround of doing "clear local-host" every time now, but are still looking for a solution. Could anyone advise on it please? Thanks in advance.

1 ACCEPTED SOLUTION

Cisco Employee

Hello;

This specifies UDP (a typo on the document or whatever), but you can use the "timeout floating-conn" command.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

It will kill the connection that is floating on a non-existing interface instead of waiting for the whole hour or manually clearing the conn.

Mike.
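As an added example (not part of the thread, and not Cisco's code), here is a small Python parser for the Conn lines of the "show local-host" output shown above. It flags connections pinned to an egress interface that the destination host does not actually live behind, which is exactly what the first output shows for the LAN server y.y.y.y (UDP Outside to Outside) before the clear and no longer shows afterwards (Outside to Inside). The sample text is constructed from the thread's own output, and the EXPECTED_IF map (which interface each host sits behind) is an assumption made for the example.

```python
import re

# Constructed sample: the Conn block from the thread's "show local-host"
# output before "clear local-host" (x.x.x.x = Internet host X, y.y.y.y = LAN server Y).
STUCK = """\
local host: <x.x.x.x>,
    TCP flow count/limit = 0/unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    UDP Outside x.x.x.x:434 Outside y.y.y.y:434, idle 0:00:00, bytes 3310318788, flags -
Interface Stateful: 1 active, 2 maximum active, 0 denied
"""

# Constructed sample: the same block after "clear local-host".
CLEARED = """\
local host: <x.x.x.x>,
  Conn:
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 3440
    UDP Outside x.x.x.x:434 Inside y.y.y.y:434, idle 0:00:00, bytes 2156, flags -
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 2784
Interface Stateful: 1 active, 2 maximum active, 0 denied
"""

# One conn line: PROTO IN_IF SRC[:PORT] OUT_IF DST[:PORT], idle H:MM:SS, bytes N[, flags F]
# Hosts are matched with [\w.]+ so the thread's x.x.x.x placeholders parse like real IPs.
CONN_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+(?P<in_if>\S+)\s+(?P<src>[\w.]+)(?::(?P<sport>\d+))?"
    r"\s+(?P<out_if>\S+)\s+(?P<dst>[\w.]+)(?::(?P<dport>\d+))?"
    r",\s*idle\s+(?P<idle>\S+),\s*bytes\s+(?P<bytes>\d+)"
)


def parse_conns(text):
    """Return one dict per line under 'Conn:' in show local-host output."""
    conns = []
    in_conn_block = False
    for line in text.splitlines():
        if line.strip() == "Conn:":
            in_conn_block = True
            continue
        if in_conn_block:
            m = CONN_RE.match(line)
            if not m:
                # a blank line or an "Interface ..." summary line ends the block
                in_conn_block = False
                continue
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            conns.append(d)
    return conns


# Assumption for this example: the interface each host must be reached through.
# In the thread y.y.y.y is the LAN server, so its egress interface must be Inside.
EXPECTED_IF = {"y.y.y.y": "Inside", "x.x.x.x": "Outside"}


def find_misrouted(conns, expected=EXPECTED_IF):
    """Flag conns whose egress interface disagrees with where the destination lives.

    After a route change the ASA keeps the old conn entry (a "floating" conn)
    until it idles out or is cleared, so fresh packets keep hitting the stale
    interface and the session never recovers on its own."""
    return [c for c in conns
            if expected.get(c["dst"]) is not None and c["out_if"] != expected[c["dst"]]]


def describe(conn):
    """Short operator-facing summary of one flagged conn."""
    sport = f":{conn['sport']}" if conn["sport"] else ""
    dport = f":{conn['dport']}" if conn["dport"] else ""
    return (f"{conn['proto']} {conn['in_if']} {conn['src']}{sport} -> "
            f"{conn['out_if']} {conn['dst']}{dport} ({conn['bytes']} bytes)")


if __name__ == "__main__":
    for label, text in (("before clear", STUCK), ("after clear", CLEARED)):
        bad = find_misrouted(parse_conns(text))
        print(f"{label}: {len(bad)} stale conn(s)")
        for c in bad:
            print("  ", describe(c))
```

Running it reports one stale conn before the clear (the UDP Outside/Outside entry) and none afterwards. On the ASA side, the setting Mike refers to is entered as "timeout floating-conn hh:mm:ss"; its default of 0:00:00 leaves the feature off, so a short non-zero value lets a conn whose route has moved expire quickly instead of surviving until the idle timeout or a manual "clear local-host".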