Probable trouble with ASA-SSM-CSC-20 (?)

Hi there,

For a couple of days we have been noticing the following major glitches in the network:

- FTP services temporarily not available from LAN to DMZ and from WAN (via VPN) to LAN, while FTP connections from WAN to DMZ are working. The time range is from several minutes to several hours.

- Internet services (such as HTTP and HTTPS, POP3, SMTP) not available from LAN to WAN while FTP traffic (in- and outbound) still working.

The system is recovering after a certain period of time (from several minutes to several hours) without any user administrative access.

I noticed that the CSC device was at 100% CPU utilization for several minutes. This leads me to the conclusion that it could be ASA-SSM-CSC-20.

We are using -2- ASA5520 (ASA version 8.4(1)) with ASA-SSM-CSC-20 (version 6.6.1125.0) in active/active failover mode. If we switch from standby to active the problem recovers fully immediately.

There was no change in any configuration on ASAs, switches and workstations.

Is there any hint or idea where to look?

Cheers,

Joerg

4 REPLIES

Probable trouble with ASA-SSM-CSC-20 (?)

Hello Vorname,

Can you check if you are running any logging in debug level on the Trend Micro GUI?

If you do not have that enabled, can you send me the ACL you are using for the traffic to the CSC module?

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Probable trouble with ASA-SSM-CSC-20 (?)

Hola Julio,

thanks for the answer.

Debug is disabled.

Syslog shows messages like

Jan  26 10:14:31 ASA5520CSC01 21184512: 2012-01-26T10:14:31+0000 The maximum  number of connections for FTP has been reached. New connections will be  kept in a backlog and may time out.

But this will not explain the 100% CPU load on the CSC module, or will it...?

We have massive inbound FTP sessions (~approx. 220 sessions/s) via VPN (192.168.208.0/21) to our DMZ. A "sh conn port 21" shows approx. 4000 open sessions with many sessions older than 2hrs (up to 50hrs: the time the ASA has been rebooted...). Any idea what causes the ASA to have the connections still open??

Regards,

Joerg

Probable trouble with ASA-SSM-CSC-20 (?)

Hello Voname,

Can you share:

-sh run policy-map

-sh run | include timeout

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Probable trouble with ASA-SSM-CSC-20 (?)

Hello Julio,

Your wish is my command!

ASA-Aachen# sh run policy-map
!
policy-map global_policy
class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
  inspect icmp
  inspect dns dynamic-filter-snoop
  inspect waas
class class-default
  flow-export event-type all destination 192.168.37.19
policy-map csc_out_policy
class csc_outbound_class
  csc fail-close
policy-map csc_in_policy
class csc_inbound_class
  csc fail-close

ASA-Aachen# sh run | include timeout
flow-export template timeout-rate 1
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
telnet timeout 5
ssh timeout 60
console timeout 0

Best regards,

Joerg
