Cisco Support Community

New Member

New ASA 5515-X causes problem with Web Application Server

In our computer room we have an ASA 5520 firewall. At some point we decided to replace this firewall with a new ASA 5515-X, and we copied the exact configuration of the old ASA 5520 to the 5515-X. After the migration, a problem occurred between the LAN users and the application server through the 5515-X firewall. I have uploaded a print screen with the specific error:

 

FluentnHibernate - Tried to add 'moduleproperties' when already added.

It seems to be a programming error but by using the old firewall the application works like a charm.

Has any of you met this kind of problem before?

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Hi

 

This seems to be an exception caused while executing the code; it may not be an issue with the firewall. Can I know which components are enabled, and whether IPS is enabled? Have you checked any logs specific to this server?

If the app team still suspects the firewall, a snoop at the interface may help, but isolation of the exact issue should be the first task.

Regards

Raj

8 REPLIES
New Member

Dear Raj,

At the beginning I had enabled the https inspection and IPS. Later, while trying to isolate the problem, I removed some commands from the service policy (of the interfaces) in order to stop the forwarding of traffic to the IPS inspection engine (inline mode, internal interface) and the inspection of http traffic. The same error still remained, and the weird thing is that with my old Cisco ASA 5520 firewall the application works right. The only thing that I have not checked yet is the threat-detection mechanism of the firewall...

New Member

Hi

My question again: did you find any logs for the IPS? Is the URL you are browsing on 443?

As I said, the next step should probably be a debug of the connection (http traffic etc.), which can help understand whether the firewall is blocking.

 

 

New Member

I did not find any IPS "events" (logs) regarding the application server... The application server uses TCP port 80...

Now that I remember, I used debug http on my 5515-X firewall for logs... I have attached the http debugging result.
The hostname of the application server is protocol.yppo.gr and its IP address is 10.2.129.53.

New Member

Hi

If you see the logs

>>>7AB11240:Exceeded MAX number of outstanding reqs - 10 in pipelined HTTP requests. Resetting Connection

The next troubleshooting step is to try changing the setting on the firewall for the embryonic connections/open connections.

Also check on the server whether connections are getting piled up; we need to understand from the server side why there is no response observed for all the requests. A server snoop might show if there is any malformation in the packet.

Hope you have tried from a compatible browser. Also, how about the http inspection status?

 

 

New Member

Hi Raj,

I had a configuration for the TCP embryonic connections, but the number for resetting the TCP connection was not 10... I will check it out... You are right, it is in general a problem that has to be solved.

How can I check if the server connections are piled up... with the netstat command? For the server snoop, should I use Wireshark or a similar program? I should not run Wireshark during working hours, should I?

About http inspection... I have applied it to the internal interface of my firewall for internal users... I disabled it and still had the same problem. I have tried different browsers from different PCs.

 

New Member

Hi

What server are you using? A snoop at the server will be no problem; you can try that, but the amount of data might be high. Please check the memory available.

 

 

New Member

 

Also, for the server connection piling, netstat would surely help; you should not find many TIME_WAITs. The web server software can also show this.
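The netstat check suggested above, as an added example that is not part of the original thread: it tallies TCP states and per-client connection counts for the server's port 80 from `netstat -an` output, accepting both the Linux and the Windows column layout since the thread does not say which OS the server runs. The function name and the client addresses in the sample are constructed; only 10.2.129.53 and port 80 come from the thread.

```python
import re
import subprocess
import sys
from collections import Counter

# Constructed sample of `netstat -an` output (first line Windows-style, the
# rest Linux-style); only the server address 10.2.129.53 is from the thread.
SAMPLE = """\
  TCP    10.2.129.53:80     10.2.1.15:50123    TIME_WAIT
tcp        0      0 10.2.129.53:80     10.2.1.15:50124    TIME_WAIT
tcp        0      0 10.2.129.53:80     10.2.1.15:50125    ESTABLISHED
tcp        0      0 10.2.129.53:80     10.2.1.22:41000    CLOSE_WAIT
tcp        0      0 10.2.129.53:3389   10.2.1.15:50999    ESTABLISHED
tcp        0      0 0.0.0.0:80         0.0.0.0:*          LISTEN
"""

# proto, optional Recv-Q/Send-Q (Linux only), local addr, remote addr, state
LINE = re.compile(r"^\s*tcp\d?\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)\s+([A-Z_0-9]+)", re.I)


def summarize(netstat_text, port=80):
    """Return (states, clients): TCP state counts and per-client connection
    counts for sockets whose local port is `port` (listeners excluded)."""
    states, clients = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        local, remote, state = m.groups()
        state = state.upper()
        if local.rsplit(":", 1)[-1] != str(port) or state in ("LISTEN", "LISTENING"):
            continue
        states[state] += 1
        clients[remote.rsplit(":", 1)[0]] += 1
    return states, clients


if __name__ == "__main__":
    # With --live, read the real table from netstat; otherwise use the sample.
    text = SAMPLE
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    states, clients = summarize(text)
    for state, n in states.most_common():
        print(f"{state:<12} {n}")
    for client, n in clients.most_common(5):
        print(f"client {client}: {n} connections")
```

Run on the server with `--live` while a user reproduces the error; a growing TIME_WAIT or CLOSE_WAIT count concentrated on one client address is the pile-up to look for.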

 
