A couple of months ago I upgraded an ASA 5520 to version 9.1(2). After the upgrade, users often experience that RDP-sessions and other TCP-sessions going through the ASA disconnect. Before the upgrade we never experienced problems like this; the problems began the day after the upgrade. So my question is: How can I troubleshoot this problem? Any useful troubleshooting-commands or parameters to check? It seems that the problem occurs at random times and, as said, for different applications and hosts.
I know that my description is very general, but I have no idea of what triggers the problem.
I have a similar problem but RDP via VPN: https://supportforums.cisco.com/thread/2233901
This might be an ICMP inspection problem. If you have that on, try to disable it.
Hi and thanks for your answer. I have now disabled the ICMP inspection. Could you please describe how ICMP inspection may be related to the drop-problems?
It's in CSCui40499
I have not made a real verification of this yet, can't do that until Friday afternoon.
So do you see any difference?
My best recommendation at the moment would be:
This will help us with the cause of the issue. Remember to focus on one specific connection failing across the ASA and then grab the right outputs about it.
I have now increased the logging level to debugging-level on the logs sent to syslog; I am using Splunk as syslog-server. Could you give some examples of what I should look for in the logs?
As we do not know why the issue is happening, you should filter the logs to show all traffic related to the connection with the issue (of course, at the time of the issue only).
Let me know if I was clear
At the same time as we see the problem I see the following in the log:
%ASA-6-302014: Teardown TCP connection 54894121 for outside:188.8.131.52/15308 to inside:10.100.3.21/15307 duration 28:52:54 bytes 41592000 Flow closed by inspection
It seems that the ASA closes the connection due to an inspection-rule, but how can I see which rule is causing this? The only inspection that should hit the relevant ports is the waas-inspection; I have tried to disable the inspection now.
Okay, can you share the show run policy-map?
Here is the output from sh run policy-map. My problem is to understand which of the rules closes the connection shown in the log. I also have many other similar entries in the log where connections on different port-numbers are closed by inspection. But the connections using ports 15307/15308 are most critical so I concentrate on these first. Thank you for your help!
Sep 13 02:28:57 hrp-gw.hrp.no Sep 13 2013 02:28:57: %ASA-6-302014: Teardown TCP connection 58183832 for outside:184.108.40.206/15308 to inside:10.100.3.21/15307 duration 14:02:27 bytes 20217600 Flow closed by inspection
inspect h323 h225
inspect icmp error
ips inline fail-open
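The log filtering discussed in the thread (isolate the %ASA-6-302014 teardown events and look at the recorded reason per endpoint) can be done offline on exported syslog. This is an added example, not part of any post in the thread: the function names are hypothetical, the first two sample lines are the ones quoted above, and the remaining lines are constructed.

```python
import re
from collections import defaultdict

# %ASA-6-302014: connection id, both endpoints, duration, bytes, teardown reason.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+)(?: \([^)]*\))? to "
    r"(?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)(?: \([^)]*\))? "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$"
)

def parse_teardown(line):
    """Return a dict for a 302014 teardown line, or None for any other line."""
    m = TEARDOWN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    h, mins, s = (int(x) for x in rec["dur"].split(":"))
    rec["seconds"] = h * 3600 + mins * 60 + s
    rec["bytes"] = int(rec["bytes"])
    rec["reason"] = rec["reason"].strip() or "(none)"
    return rec

def teardowns_by_endpoint(lines, reason="Flow closed by inspection"):
    """Group teardowns with the given reason by the second endpoint (ip, port)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_teardown(line)
        if rec and rec["reason"] == reason:
            groups[(rec["ip_b"], int(rec["port_b"]))].append(rec)
    return dict(groups)

def summarize(groups):
    """(endpoint, count, shortest, longest lifetime in seconds), busiest first."""
    rows = [(ep, len(r), min(x["seconds"] for x in r), max(x["seconds"] for x in r))
            for ep, r in groups.items()]
    return sorted(rows, key=lambda row: -row[1])

SAMPLE = [
    # Quoted in the thread:
    "%ASA-6-302014: Teardown TCP connection 54894121 for outside:188.8.131.52/15308 to inside:10.100.3.21/15307 duration 28:52:54 bytes 41592000 Flow closed by inspection",
    "Sep 13 02:28:57 hrp-gw.hrp.no Sep 13 2013 02:28:57: %ASA-6-302014: Teardown TCP connection 58183832 for outside:184.108.40.206/15308 to inside:10.100.3.21/15307 duration 14:02:27 bytes 20217600 Flow closed by inspection",
    # Constructed for this example:
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/51000 to inside:10.100.3.21/3389 duration 0:05:12 bytes 48211 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 1002 for outside:192.0.2.11/40000 to inside:10.100.3.30/445 duration 0:00:03 bytes 120 Flow closed by inspection",
    "%ASA-6-302013: Built inbound TCP connection 1003 for outside:192.0.2.12/40001 (192.0.2.12/40001) to inside:10.100.3.30/445 (10.100.3.30/445)",
]

if __name__ == "__main__":
    for row in summarize(teardowns_by_endpoint(SAMPLE)):
        print(row)
```

Comparing the endpoints and lifetimes that share this teardown reason against the class-maps bound to each inspect in the policy-map narrows down which inspection to examine first.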