We have observed an issue of ASA 5585 firewall service degradation in the production network.
We have the following topology design:
Inside: Vlan 300 (Server Vlan)
Portchannel Subinterface IP is 172.16.0.2 255.255.255.0 (All Server Gateway IP)
Outside: Vlan301 (User Vlan)
PortChannel Subinterface IP is 10.100.3.254 (All User Gateway IP)
Outside1: for Internet Access
Now on this firewall all users and servers are allowed to access the internet (router 3945), which is also connected to the firewall.
All users are allowed to access the server where all applications are working.
We have created the port channel of Gig0/6 and Gig0/7, where all these VLANs are configured.
During office working hours, when most of the users (250) are connecting and the gateway of all users is 10.100.3.254, we are facing ping delay and request timeout issues and are unable to access the internet and the application server.
During troubleshooting, when we restart the firewall all services become normal and the ping response becomes 1 ms; then everything works fine.
Identify the Problem (RCA):
We need to find where the problem exists and why the issue happens after 1 week or 10 days. Please advise about any firewall troubleshooting guide to fix this issue.
You need to know how much traffic and what type of traffic goes through your firewall to understand what could be causing latency. You also need to check basic things like interfaces.
If you have Cisco switches you can configure NetFlow to collect all this information. If you do not, you can configure NetFlow on the ASA, but it has its limitations: it does not give out real-time statistics, because it needs the connection to be built, and only when it is torn down does it give out the info to build a report.
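Added example, not part of the reply above: a small Python sketch of how flow records that only carry byte counts at teardown can be turned into top talkers, per-hour volume and peak open connections. The record layout, timestamps, byte counts and the addresses outside the thread's two subnets are constructed for illustration and are not a real ASA export format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (simplified, not a real export format):
# time, event, source, destination, destination port, bytes (known only at teardown)
EVENTS = """\
2024-01-08T09:00:05,create,10.100.3.21,172.16.0.10,445,0
2024-01-08T09:00:40,create,10.100.3.22,172.16.0.10,443,0
2024-01-08T09:01:10,teardown,10.100.3.22,172.16.0.10,443,48000
2024-01-08T09:02:00,create,10.100.3.23,198.51.100.7,443,0
2024-01-08T10:15:30,teardown,10.100.3.21,172.16.0.10,445,900000000
2024-01-08T10:16:00,teardown,10.100.3.23,198.51.100.7,443,120000
"""

def parse(text):
    """Yield (time, event, src, dst, port, bytes) tuples from the sample text."""
    for line in text.strip().splitlines():
        ts, event, src, dst, port, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), event, src, dst, int(port), int(nbytes)

def summarize(text):
    """Return (bytes per source, bytes per teardown hour, peak open connections)."""
    by_src = defaultdict(int)
    by_hour = defaultdict(int)
    open_flows, peak = set(), 0
    for ts, event, src, dst, port, nbytes in sorted(parse(text)):
        key = (src, dst, port)  # simplified flow key (no source port)
        if event == "create":
            open_flows.add(key)
            peak = max(peak, len(open_flows))
        elif event == "teardown":
            open_flows.discard(key)
            by_src[src] += nbytes
            # Bytes are only known here, so the whole flow lands in the
            # teardown hour even if most of it was sent earlier.
            by_hour[ts.strftime("%Y-%m-%d %H:00")] += nbytes
    return dict(by_src), dict(by_hour), peak

def top_talkers(by_src, n=3):
    """Sources ordered by total bytes, largest first."""
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    by_src, by_hour, peak = summarize(EVENTS)
    print("top talkers:", top_talkers(by_src))
    print("bytes by teardown hour:", by_hour)
    print("peak open connections:", peak)
```

In the sample, the long transfer that starts at 09:00 is counted entirely in the 10:00 hour, which is the reporting delay described in the reply.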
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :