We have an ASA 5510 (8.03) configured with a Websense (7.5) URL server. Sometimes we get a "URL server is not responding" error. The error happens more often when more people are trying to browse the internet. We are using a TCP connection between the ASA and Websense. Below is our configuration:
I'm wondering whether there is any limit on how many TCP connections we can make from the ASA to Websense. My packet capture shows lots of FIN packets from the ASA to Websense and also in the reverse direction. It seems like the ASA is trying to close the TCP connections. This doesn't happen when everything is in normal status. Has anyone had a similar issue before? Can I just increase the "connection number" in the url-server command?
If your log says that Websense is not responding I would not focus on the ASA, but on Websense. When the problem is happening you probably lose Websense. There might be a chance that you run out of blocks for Websense on the ASA. I would suggest tracking down "sh blocks" also.
There is no conn limit on the ASA as long as there are resources available. You can increase the mem-pool and cache size, but I don't think that is going to change anything.
Let us know what logs you are exactly getting when you see the log.
Thanks PR for helping me here. When we saw the "URL server is not responding" log on the ASA, we tried verifying the Websense status on the server. The process is up and the listening port is available. It seems nothing is wrong there.
As for blocks, when I configure url-block on the ASA, we can see the statistics below. It is really ugly. "Packets dropped due to exceeding url-block buffer limit" is really high. That number is increasing, but it does not always happen at the same time as we get the "URL server not responding" log.
URL Pending Packet Buffer Stats with max block 128
-----------------------------------------------------
Cumulative number of packets held: 13364
Maximum number of packets held (per URL): 8
Current number of packets held (global): 0
Packets dropped due to exceeding url-block buffer limit: 2720
HTTP server retransmission: 3933
Number of packets released back to client: 12079
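The statistics quoted in the post above are easier to reason about as ratios than as raw counters, and the poster notes the drop counter keeps growing over time. The following added Python example (not from the thread or from Cisco) parses that url-block statistics block, computes the share of held packets that were dropped, and diffs two snapshots so the growth rate of a counter can be tracked between polls. The sample text is the output copied from the post; the second snapshot and the 5% threshold are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the url-block statistics quoted in the post above.
SAMPLE_STATS = """\
URL Pending Packet Buffer Stats with max block 128
-----------------------------------------------------
Cumulative number of packets held: 13364
Maximum number of packets held (per URL): 8
Current number of packets held (global): 0
Packets dropped due to exceeding url-block buffer limit: 2720
HTTP server retransmission: 3933
Number of packets released back to client: 12079
"""

# Constructed second snapshot (assumed values) taken some time later,
# used only to show how counter deltas are computed between polls.
LATER_STATS = SAMPLE_STATS.replace("13364", "14000").replace("2720", "2900")

_HEADER_RE = re.compile(r"max block (\d+)")
_COUNTER_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>\d+)\s*$")


def _normalise(name: str) -> str:
    """Turn 'Packets dropped due to ...' into a snake_case dict key."""
    return re.sub(r"[^a-z0-9]+", "_", name.strip().lower()).strip("_")


def parse_url_block_stats(text: str) -> Dict[str, int]:
    """Parse the 'URL Pending Packet Buffer Stats' block into integers."""
    stats: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER_RE.search(line)
        if header:
            stats["max_block"] = int(header.group(1))
            continue
        counter = _COUNTER_RE.match(line)
        if counter:
            stats[_normalise(counter.group("name"))] = int(counter.group("value"))
    return stats


def drop_ratio(stats: Dict[str, int]) -> float:
    """Fraction of all packets ever held that were dropped for lack of buffer."""
    held = stats.get("cumulative_number_of_packets_held", 0)
    dropped = stats.get("packets_dropped_due_to_exceeding_url_block_buffer_limit", 0)
    return dropped / held if held else 0.0


def counter_delta(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth between two polls (max_block is a setting, not a counter)."""
    return {k: new[k] - old.get(k, 0) for k in new if k != "max_block"}


def assess(stats: Dict[str, int], threshold: float = 0.05) -> List[str]:
    """Return human-readable findings; threshold is an assumed 5% drop budget."""
    findings: List[str] = []
    ratio = drop_ratio(stats)
    if ratio > threshold:
        findings.append(
            f"{ratio:.1%} of held client requests were dropped by the url-block "
            f"buffer (limit: max block {stats.get('max_block', '?')})"
        )
    retrans = stats.get("http_server_retransmission", 0)
    held = stats.get("cumulative_number_of_packets_held", 0)
    if held and retrans > held * threshold:
        findings.append(
            f"{retrans} HTTP server retransmissions against {held} held packets: "
            "web servers are resending while the ASA waits on the URL server"
        )
    return findings


if __name__ == "__main__":
    first = parse_url_block_stats(SAMPLE_STATS)
    for finding in assess(first):
        print("finding:", finding)
    for name, growth in counter_delta(first, parse_url_block_stats(LATER_STATS)).items():
        if growth:
            print(f"{name}: +{growth} since last poll")
```

Running it against the quoted output reports roughly a 20% drop ratio, which is the figure to watch while correlating against the "URL server not responding" messages; polling `counter_delta` on a fixed interval shows whether drops climb only during peak browsing.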
The url-block buffer being exceeded doesn't mean we should be losing Websense.
If blocks were depleted that could explain the log, but your blocks look fine.
Can you verify that you don't really lose Websense, i.e. a TCP connection loss? For example, can you start a capture with buffer wrapping for traffic between the ASA and Websense only and see whether, when you get the log, you have packet loss between them?
When the "URL server not responding" log pops up, I can still ping Websense and also telnet to the listening port. The real issue is that when this log message occurs, I see lots of requests getting dropped in "show url-server statistics". So the ASA does drop the clients' web requests when this issue occurs. I captured packets on the ASA when the issue happened. The difference between the normal capture and the one taken when the issue happened is the large number of FIN packets around the time the "URL server not responding" logs occurred.
I don't understand why the ASA was trying to close the TCP connections. It looks like the ASA closed the TCP connections to Websense and then dropped the clients' web requests.