TCP-sessions disconnects after upgrading ASA to 9.1(2)

Hi,

A couple of months ago I upgraded an ASA 5520 to version 9.1(2). After the upgrade, users often experience that RDP sessions and other TCP sessions going through the ASA disconnect. Before the upgrade we never experienced problems like this; the problems began the day after the upgrade. So my question is: How can I troubleshoot this problem? Are there any useful troubleshooting commands or parameters to check? It seems that the problem occurs at random times and, as said, for different applications and hosts.

I know that my description is very general, but I have no idea of what triggers the problem.

Best regards,

Thor-Egil

9 Replies

Hi,

I have a similar problem, but with RDP via VPN: https://supportforums.cisco.com/thread/2233901

This might be an ICMP inspection problem; if you have that on, try to disable it.

Cheers

Hi and thanks for your answer. I have now disabled the ICMP inspection. Could you please describe how ICMP inspection may be related to the drop problems?

It's in CSCui40499

I have not made a real verification of this yet; I can't do that until Friday afternoon.

So do you see any difference?

Cheers

Hello,

My best recommendation at the moment would be:

  1. Make sure you enable the logging service (with timestamp) on your ASA so we can correlate the problems at the time of the issue.
  2. Do captures at the time of the issue.

This will help us with the cause of the issue. Remember to focus on one specific connection failing across the ASA and then grab the right outputs about it.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I have now increased the logging level to debugging level on the logs sent to syslog; I am using Splunk as syslog server. Could you give some examples of what I should look for in the logs?

BR,

Thor-Egil

Hello,

As we do not know why the issue is happening, you should filter the logs to show all traffic related to the connection with the issue (of course, at the time of the issue only).

Let me know if I was clear

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi again,

At the same time as we see the problem I see the following in the log:

%ASA-6-302014: Teardown TCP connection 54894121 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 28:52:54 bytes 41592000 Flow closed by inspection

It seems that the ASA closes the connection due to an inspection rule, but how can I see which rule is causing this?

The only inspection that should hit the relevant ports is the waas-inspection; I have tried to disable the inspection now.

Hello,

Okay, can you share the show run policy-map?

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is the output from sh run policy-map. My problem is to understand which of the rules closes the connection shown in the log. I also have many other similar entries in the log where connections on different port numbers are closed by inspection. But the connections using ports 15307/15308 are the most critical, so I concentrate on these first. Thank you for your help!

Sep 13 02:28:57 hrp-gw.hrp.no Sep 13 2013 02:28:57: %ASA-6-302014: Teardown TCP connection 58183832 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 14:02:27 bytes 20217600 Flow closed by inspection

policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect ctiqbe
  inspect dcerpc
  inspect h323 h225
  inspect http
  inspect ils
  inspect ip-options
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect icmp error
 class global-class
  ips inline fail-open
!
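
One way to triage the teardown messages discussed in this thread, as an added example that is not part of any poster's reply: a Python parser for %ASA-6-302014 lines that counts teardown reasons and groups the flows closed with "Flow closed by inspection" by endpoint pair. The function names are hypothetical, the first two sample lines are the ones posted in the thread, and the last two are constructed for contrast.

```python
import re
from collections import Counter, defaultdict

# Layout follows the 302014 lines posted in the thread; trailing text is the teardown reason.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?\s*$"
)

def parse_teardown(line):
    """Return a dict for a 302014 teardown line, or None for any other message."""
    m = TEARDOWN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Connection lifetime in seconds, so long-lived and short-lived flows can be compared.
    rec["seconds"] = int(rec.pop("h")) * 3600 + int(rec.pop("m")) * 60 + int(rec.pop("s"))
    rec["bytes"] = int(rec["bytes"])
    rec["reason"] = rec["reason"] or "(none given)"
    return rec

def summarize(lines, reason="Flow closed by inspection"):
    """Count teardown reasons and group flows torn down for `reason` by endpoint pair."""
    reasons = Counter()
    flows = defaultdict(list)
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        reasons[rec["reason"]] += 1
        if rec["reason"] == reason:
            key = tuple(f'{rec[p + "_if"]}:{rec[p + "_ip"]}/{rec[p + "_port"]}' for p in ("src", "dst"))
            flows[key].append((rec["conn"], rec["seconds"], rec["bytes"]))
    return reasons, dict(flows)

SAMPLE = [
    # The two lines posted in the thread:
    "%ASA-6-302014: Teardown TCP connection 54894121 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 28:52:54 bytes 41592000 Flow closed by inspection",
    "Sep 13 02:28:57 hrp-gw.hrp.no Sep 13 2013 02:28:57: %ASA-6-302014: Teardown TCP connection 58183832 for outside:128.39.227.88/15308 to inside:10.100.3.21/15307 duration 14:02:27 bytes 20217600 Flow closed by inspection",
    # Constructed lines (documentation address ranges) for contrast:
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/51000 to inside:198.51.100.5/3389 duration 0:12:30 bytes 934211 TCP FINs",
    "%ASA-6-302013: Built inbound TCP connection 1002 for outside:192.0.2.10/51001 (192.0.2.10/51001) to inside:198.51.100.5/3389 (198.51.100.5/3389)",
]

if __name__ == "__main__":
    reasons, flows = summarize(SAMPLE)
    print(reasons.most_common(), flows, sep="\n")
```

Fed a syslog export covering the time of a disconnect, the grouping shows whether the inspection teardowns cluster on one endpoint pair and how long each connection had lived before it was closed.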