Help!! Power outage, then ASA no longer passes traffic

Brad Hodgins
Level 1

I'm really tired, been trying to figure out what went wrong since 1am, it's now 4am. I hadn't changed any configuration for quite some time. Now I have intermittent pings to inside interface. Outside sites are seeing 70% of ICMP packets dropped to the outside interface. When I ping from the ASA to outside IPs, the rate is 4/5 (80%).

I haven't changed any rules or NAT config. I have 3 NAT entries, none of them working, no mail, no internet, no remote access. The strange thing is that it's not dropping everything, the odd thing makes it through.

System load is minimal.

Please HELP!

Anyone?

3 Replies

Jouni Forss
VIP Alumni

Hi,

I'd imagine that there is always the chance that some device has gotten damaged by the sudden power outage.

I am not sure what kind of Internet connection you have but I would suggest trying to get a replacement device and test connections with it.

Naturally it might be the ASA also. Though I have only seen 1 ASA break because of problems with the power. But it was completely dead then.

I would also imagine that provided that all the ASA configurations were saved before the power outage that there should be no problems with the configurations.

I would also look into the state of the physical interfaces and their counters. Possibly also resetting the counters to zero so you can see clearly any counter incrementing that isn't "supposed" to.

Naturally if you want, you can always share the current configuration (while removing any public IP addresses or sensitive information) and we can look through it but somehow I doubt it's a configuration issue.

- Jouni

Thanks for the reply Jouni,

I have Fiber optic LAN coming in from the media changer to a vlan on a switch. I've tried connecting to that VLAN with an external IP, and I can get out fine, bypassing the 5505.

I'm seeing a lot of inbound tcp connection denied from 192.168.1.244 (internal NAT of spam gateway) to (external IPs) flags SYN on interface outside, as well as Deny inbound UDP from 192.168.1.8 (internal DNS) to (ISP's external DNS) due to DNS query.

I'll see if I can post the config. Any other thoughts?

I figured out what the problem was. The clues were in the logs, once I could focus my bloodshot eyes enough to read them. The ports on the switch connecting the ASA outside interface to the fiber access point had lost their VLAN config. The entire switch had lost its VLAN config, and every port had been reset to VLAN 1.

The switch is a 2950, I'm still trying to figure how it lost only its VLAN config, yet all other settings remained intact.

Now I see the results of the ASA forced to use the same VLAN for both interfaces, I was just too tired to see it.

Brad

Sent from Cisco Technical Support iPad App
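
The log clue from this thread, turned into a check (an added example, not part of the original posts): it scans ASA syslog lines for "denied inbound" messages whose source address belongs to the inside network, which is what appears when the inside and outside interfaces end up in the same VLAN. The sample lines are constructed, the external addresses are documentation ranges, and the `/24` prefix and the interface name `outside` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the thread only shows 192.168.1.244 and 192.168.1.8;
# the /24 prefix length is a guess.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

# ASA message 106001 (denied inbound TCP) and 106007 (denied inbound DNS over UDP).
PATTERNS = [
    re.compile(r"%ASA-\d-106001: Inbound TCP connection denied from "
               r"(?P<src>[\d.]+)/\d+ to [\d.]+/\d+ flags .*? on interface (?P<ifc>\S+)"),
    re.compile(r"%ASA-\d-106007: Deny inbound UDP from "
               r"(?P<src>[\d.]+)/\d+ to [\d.]+/\d+ due to DNS"),
]

def inside_sources_denied_inbound(lines, inside_net=INSIDE_NET, outside_ifc="outside"):
    """Count denied-inbound events whose source is an inside address."""
    hits = Counter()
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            # 106007 carries no interface name; 106001 does.
            ifc = m.groupdict().get("ifc")
            if ifc is not None and ifc != outside_ifc:
                continue
            try:
                src = ipaddress.ip_address(m["src"])
            except ValueError:
                continue  # malformed address in the log line
            if src in inside_net:
                hits[str(src)] += 1
    return dict(hits)

# Constructed sample lines modelled on the messages quoted in the thread.
SAMPLE = [
    "Jan 01 03:12:01 asa %ASA-2-106001: Inbound TCP connection denied from 192.168.1.244/34512 to 203.0.113.25/25 flags SYN on interface outside",
    "Jan 01 03:12:02 asa %ASA-2-106007: Deny inbound UDP from 192.168.1.8/53211 to 198.51.100.53/53 due to DNS Query",
    "Jan 01 03:12:03 asa %ASA-2-106001: Inbound TCP connection denied from 203.0.113.77/40000 to 198.51.100.10/22 flags SYN on interface outside",
    "Jan 01 03:12:04 asa %ASA-2-106001: Inbound TCP connection denied from 192.168.1.244/34513 to 203.0.113.25/25 flags SYN on interface outside",
]

if __name__ == "__main__":
    for src, count in inside_sources_denied_inbound(SAMPLE).items():
        print(f"inside host {src} seen on outside interface: {count} denied packets")
```

Any non-empty result means inside hosts are reaching the outside interface at layer 2, so the switch port VLAN assignments are the first thing to check.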
