11-17-2013 10:20 PM - edited 03-11-2019 08:06 PM
Dear Support,
We have observed an ASA 5585 firewall service degradation issue in our production network.
TOPOLOGY:
We have the following topology design:
Inside: VLAN 300 (Server VLAN)
Port-channel subinterface IP is 172.16.0.2 255.255.255.0 (gateway IP for all servers)
Outside: VLAN 301 (User VLAN)
Port-channel subinterface IP is 10.100.3.254 (gateway IP for all users)
Outside1: for Internet access
On this firewall, all users and servers are allowed to access the Internet through the 3945 router, which is also connected to the firewall.
All users are allowed to access the servers on which all applications are running.
We have created a port channel of Gig0/6 and Gig0/7 on which all these VLANs are configured.
ISSUE:
During office working hours, when most of the users (250) are connected and the gateway of all users is 10.100.3.254, we face ping delay and request timeout issues and are unable to access the Internet and the application servers.
During troubleshooting, when we restart the firewall all services become normal and the ping response becomes 1 ms; then everything works fine.
Identify the Problem (RCA):
We need to find where the problem exists and why the issue happens after 1 week or 10 days. Please advise about any firewall troubleshooting guide to fix this issue.
11-18-2013 08:50 PM
Set up a NetFlow collector with your Cisco switches or the ASA to monitor your normal traffic flows, pick hours, and look at the services and sources that are the top talkers on the network.
11-20-2013 07:11 AM
You need to know how much traffic and what type of traffic goes through your firewall to understand what could be causing the latency. You also need to check basic things like interfaces.
If you have Cisco switches you can configure NetFlow to collect all this information. If you do not, you can configure NetFlow on the ASA, but it has its limitations regarding not giving out real-time statistics, because it needs the connection to be built, and when it is torn down it gives out the info to build a report.
NetFlow on ASA
https://supportforums.cisco.com/docs/DOC-6113
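The reply above describes NetFlow on the ASA (NetFlow Secure Event Logging, NSEL) without showing the configuration. The following is an added example, not configuration posted in this thread: it exports flow-create and flow-teardown events for every connection to an assumed collector at 172.16.0.50 on UDP 2055 reachable through the Inside interface. The collector address, port, and the interface nameif "Inside" are assumptions; use your own collector and the nameif actually configured on the server-VLAN subinterface.

```cisco
! Added example (not from the thread). Assumed collector: 172.16.0.50, UDP 2055,
! reachable via the interface whose nameif is "Inside".
flow-export destination Inside 172.16.0.50 2055
! Resend the NetFlow v9 templates every 30 minutes so the collector can decode records.
flow-export template timeout-rate 30
!
! Match all traffic. Narrow this ACL (for example to the user VLAN 10.100.3.0/24)
! if the export volume from 250 users is too much for the collector.
access-list NSEL_EXPORT extended permit ip any any
class-map NSEL_CLASS
 match access-list NSEL_EXPORT
!
! Hook the class into the existing global policy so every connection is reported.
policy-map global_policy
 class NSEL_CLASS
  flow-export event-type all destination 172.16.0.50
!
service-policy global_policy global
!
! Verify that records are leaving the box (packets sent should grow during office hours).
show flow-export counters
show running-config flow-export
```

As the reply notes, NSEL reports a connection when it is built and again when it is torn down, so long-lived sessions only show their byte counts at teardown; correlate the collector's top-talker report with the time window in which the slowdown occurs rather than reading it as a live view.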
11-20-2013 07:13 AM
This video is really nice:
11-20-2013 07:15 AM
Or you can enable threat-detection, which gives you real-time stats, but it is CPU intensive.
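The threat-detection statistics the reply refers to, together with the basic interface and resource checks mentioned earlier in the thread, as an added example rather than configuration from any poster. The port-channel name Port-channel1 is an assumption (the original post does not give the channel number); substitute the one built on Gig0/6 and Gig0/7.

```cisco
! Added example (not from the thread). Basic threat detection is enabled by default;
! the statistics commands are what provide the real-time top-talker view.
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics port
threat-detection statistics protocol
! Host statistics are the CPU-intensive part. Enable them only while troubleshooting,
! with the smallest rate set, and remove them afterwards.
threat-detection statistics host number-of-rate 1
!
! Read the results while the slowdown is happening.
show threat-detection statistics top access-list
show threat-detection statistics top port-protocol
show threat-detection statistics top host
show threat-detection rate
!
! Baseline checks: capture these right after a reboot (when ping is 1 ms) and again
! when the degradation returns, and compare. Assumed port-channel name: Port-channel1.
show cpu usage
show memory
show conn count
show xlate count
show interface Port-channel1 | include error|overrun
show asp drop
!
! Turn host statistics off once the data has been collected.
no threat-detection statistics host
```

Comparing the healthy and degraded snapshots of connection count, translation count, CPU, memory and ASP drop counters is the check that tells you whether the firewall itself is exhausting a resource over the week or whether the load is coming from a particular source in the top-talker output.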