We are experiencing an issue where once or twice a month our DSL connection takes a hit, and then the ASA 5505 device will not function. In the past the only way to resolve this has been to shut the device down and then bring it back up about 10 minutes later. I thought it might be an ARP cache problem, but it's not: I tried clearing that and no luck. The ASA is using a static IP address and the connection is maintained by the DSL modem.
The activity light on the modem is flashing all the time, as is the activity light on the outside interface of the ASA, but I cannot access the ASA remotely via SSH or VPN. The configuration has not changed, so I'm not sure why this is occurring. Does anyone have any ideas, besides the obvious of convincing them to get a dedicated circuit?
I will share that I have seen connection sessions exceed a 10,000 count on our ASA 5505, which caused the box, on 7.2.2, to require reboots about once/month. We upgraded to the interim release 7.2.2(8) and the problem stopped. We are currently running 7.2.2(14).
David is absolutely correct on conducting sniffer traces, and you can use the ASA to capture packets on the interfaces and export them in pcap format for review in a protocol analyzer.
Next time you run into your problem, before you power cycle/reload your ASA, if you can console on to the box, do a `show conn` and check your sessions.
The ASAs have software-imposed connection limits. For the 5505 (without the Plus license) that is 10,000, as you saw. At that time you should get a syslog indicating the connection limit was reached. No new connections (over 10,000) will be allowed. All existing 10,000 connections would continue to work.
It sounds like you had a different issue whereby the connections were not getting torn down, resulting in the high conn count?
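Added example (not from this thread or from Cisco): a small Python triage script for a saved copy of `show conn` output, which summarizes how full the connection table is against the 10,000 limit discussed above, which inside hosts hold the most entries, and how many TCP entries are still in handshake or long idle. The line layout of the constructed sample and the meaning of the `U` flag are assumptions.

```python
import re
from collections import Counter

# Connection limit for a 5505 without the Plus license, as quoted in the thread.
CONN_LIMIT = 10000

# Assumed layout of one 'show conn' entry (constructed to resemble ASA output):
#   <PROTO> <if> <ip>:<port> <if> <ip>:<port>, idle <h:mm:ss>, bytes <n>[, flags <f>]
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<oif>\S+)\s+(?P<oip>[\d.]+)(?::(?P<oport>\d+))?\s+"
    r"(?P<iif>\S+)\s+(?P<iip>[\d.]+)(?::(?P<iport>\d+))?,\s+idle\s+(?P<idle>[\d:]+)"
    r",\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S*))?"
)
HEADER_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most_used>\d+) most used")

# Constructed sample; no real hosts are represented.
SAMPLE = """\
6 in use, 9831 most used
TCP outside 203.0.113.5:443 inside 192.168.1.10:52344, idle 0:00:05, bytes 18234, flags UIO
TCP outside 203.0.113.5:443 inside 192.168.1.10:52345, idle 0:12:40, bytes 0, flags saA
TCP outside 198.51.100.7:80 inside 192.168.1.10:52346, idle 1:03:11, bytes 512, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.1.22:40111, idle 0:00:01, bytes 96, flags -
ICMP outside 198.51.100.1:0 inside 192.168.1.22:0, idle 0:00:02, bytes 64
TCP outside 203.0.113.9:25 inside 192.168.1.30:40222, idle 0:00:30, bytes 3120, flags UIO
"""

def idle_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_header(text):
    """Return (in_use, most_used) from the count header, or None if absent."""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            return int(m["in_use"]), int(m["most_used"])
    return None

def parse_conn(text):
    """Return one dict per recognised connection entry; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["idle"], d["bytes"] = idle_seconds(d["idle"]), int(d["bytes"])
            conns.append(d)
    return conns

def summarize(conns, limit=CONN_LIMIT, stale_after=600):
    # Assumption: 'U' in the flags column marks an established ("up") TCP connection,
    # so TCP entries without it are still mid-handshake (embryonic).
    embryonic = sum(1 for c in conns if c["proto"] == "TCP" and "U" not in (c["flags"] or ""))
    return {
        "total": len(conns),
        "pct_of_limit": round(100.0 * len(conns) / limit, 1),
        "top_hosts": Counter(c["iip"] for c in conns).most_common(3),
        "by_proto": dict(Counter(c["proto"] for c in conns)),
        "embryonic_tcp": embryonic,
        "stale": sum(1 for c in conns if c["idle"] >= stale_after),
    }

if __name__ == "__main__":
    print(parse_header(SAMPLE), summarize(parse_conn(SAMPLE)))
```

Feed it the real capture instead of `SAMPLE` to see whether one host or one protocol is consuming the table before the box is reloaded.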
Agreed on the high connection count. I was sharing that this was a bug I found on code prior to 7.2.2(8) that caused our firewall to hang and require a reboot. Not sure if this problem was related to the original poster's problem, but his symptoms sounded similar (firewall no longer passes traffic after ~1 month).
I am having this same issue. However, when I logged in, I am having issues trying to find the correct IOS version. Can you post the actual file name so I can do the advanced search and download it from my Cisco support?