New Member

traffic not passing through firewall at sometimes for some users

Hi,

Most of the time everything works fine on the firewall and all the required traffic is passing through the firewall as expected by the configuration.

Sometimes some of the users are not able to a) go online, b) access the servers.

The users facing this issue are able to work with their existing connections, but if they try to open a new connection to any server they fail.

At that time the users are not able to go online either. I am able to ping at that time, but I am not able to telnet.

Servers are in one security level and users are in a different security level.

If the user removes the LAN cable and refixes it, everything works normally for that user.

Regards

Arulkumar

2 ACCEPTED SOLUTIONS


8 REPLIES

Re: traffic not passing through firewall at sometimes for some u

Hi,

Don't have any logs from the time when the problem happened?

Are you reaching the limit of connections permitted?

Federico.

New Member

Re: traffic not passing through firewall at sometimes for some u

Don't have any logs from the time when the problem happened?

Are you reaching the limit of connections permitted?

Federico.

Hi Federico,

Thanks for your reply.

How can I check if the ASA is reaching the limit of connections permitted? (Any command to check that?)

Regards

Arulkumar

Re: traffic not passing through firewall at sometimes for some u

The "show conn count" will show you the amount of connections at a certain point; you can compare this number to the max. connections that your specific model can handle.

Also, for the servers, they have a limit on the amount of embryonic connections and total connections as well on the STATIC command. (The same applies for dynamic NAT.)

If the problem is with the amount of traffic, a temporary solution is to change the timeouts for the XLATEs and connections: "sh run timeout"

Federico.

New Member

Re: traffic not passing through firewall at sometimes for some u

Hi

Thanks for your reply.

The information was useful.

Will check that...

Regards

Arulkumar

New Member

Re: traffic not passing through firewall at sometimes for some u

Hi,

From sh conn I see that the device can handle more connections.

Will reducing the timeout for xlate and connection work?

Because only some of the hosts are not able to connect to the servers or go online, and it is happening only sometimes.

After a few minutes the hosts are able to connect to servers and go online normally.

When the issue is occurring, ping works fine.

And if the host's LAN cable is unplugged and plugged back in, the issue is resolved; they are able to connect to servers and are able to go online.

Servers are connected in 1 interface and internet is on another interface

hope my explanation is clear.

Your help is much appreciated.

Regards

Arulkumar

Re: traffic not passing through firewall at sometimes for some u

It will be a good test to try lowering the timeouts for the translations and connections...

Just make sure the XLATE timeout is greater than the CONN timeout.

Let's see the results...

Federico.

New Member

Re: traffic not passing through firewall at sometimes for some u

Hi,

Tried lowering the timeouts for the translations and connections, no good...

Please advise.

Regards

Arulkumar

Cisco Employee

Re: traffic not passing through firewall at sometimes for some u

Arulkumar,

We just can't manipulate the timeout without knowing what the cause is.

What do the logs say when these hosts can't go out?

Can they ping the firewall's IP address?

Can they get name resolution when they ping yahoo.com or google.com?

Can they load the page by IP address and not name?

Can they ping an outside IP through the firewall?

Only TCP breaks? ICMP works?

Enable logging on the firewall:

conf t

logging buffered 7

sh logg | i x.x.x.x

where x.x.x.x is the host that cannot get out. Explain what protocol (http?) breaks. Are you trying a telnet x.x.x.x 80 to verify?

-KS
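The two checks suggested in this thread, comparing "show conn count" against the platform limit and reading the buffered log for one host, can be done by hand, but a small script makes the reading repeatable. The following is an added example, not code from the thread or from Cisco: it parses the "N in use, M most used" line of "show conn count", reports utilisation against a platform limit that you supply from your model's data sheet (the 25000 below is an assumed value), and tallies what the log says about one host (built, torn down, denied, and teardowns that ended in "SYN Timeout", which is the pattern that fits "ping works but telnet fails"). The "show conn count" line and the syslog lines are constructed samples that follow the standard %ASA-6-302013 / 302014 / 106023 message formats; they were not captured from a real device.

```python
import re
from collections import Counter

# Constructed sample of 'show conn count' output (not from a real device).
SHOW_CONN_COUNT = "54 in use, 10231 most used\n"

# Constructed sample of 'sh logg' output for the host under investigation.
# Message shapes follow the standard ASA syslog IDs; values are made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:10.1.1.5/51234 (203.0.113.5/51234)
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.10/80 to inside:10.1.1.5/51234 duration 0:00:05 bytes 1234 TCP FINs
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51235 dst outside:198.51.100.10/443 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 4712 for outside:198.51.100.11/80 (198.51.100.11/80) to inside:10.1.1.5/51236 (203.0.113.5/51236)
%ASA-6-302014: Teardown TCP connection 4712 for outside:198.51.100.11/80 to inside:10.1.1.5/51236 duration 0:01:00 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 4713 for outside:198.51.100.12/80 (198.51.100.12/80) to inside:10.1.1.50/40000 (203.0.113.5/40000)
"""

CONN_COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")
LOG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")


def parse_conn_count(text):
    """Return (in_use, most_used) from 'show conn count' output."""
    m = CONN_COUNT_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show conn count' output")
    return int(m.group(1)), int(m.group(2))


def conn_utilisation(text, platform_limit):
    """Compare the counters with the platform's connection limit.

    platform_limit is an assumed input taken from the model's data sheet;
    'most_used' is the high-water mark, so it is the number worth comparing.
    """
    in_use, most_used = parse_conn_count(text)
    return {
        "in_use": in_use,
        "most_used": most_used,
        "peak_pct_of_limit": 100.0 * most_used / platform_limit,
        "near_limit": most_used >= 0.9 * platform_limit,
    }


def summarize_host_log(log_text, host):
    """Tally the buffered log for one host (what 'sh logg | i host' is read for).

    Unlike '| i', which is a plain substring match, the host is matched on
    address boundaries so 10.1.1.5 does not also pick up 10.1.1.50.
    """
    host_re = re.compile(r"(?<![\d.])" + re.escape(host) + r"(?!\d)")
    ids = Counter()
    syn_timeouts = 0
    deny_lines = []
    for line in log_text.splitlines():
        if not host_re.search(line):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        msg_id, body = m.group(2), m.group(3)
        ids[msg_id] += 1
        if msg_id == "302014" and body.endswith("SYN Timeout"):
            syn_timeouts += 1  # SYN left, no SYN/ACK came back before timeout
        elif msg_id == "106023":
            deny_lines.append(body)  # dropped by an access-group
    return {
        "built": ids["302013"],
        "teardown": ids["302014"],
        "denied": ids["106023"],
        "syn_timeouts": syn_timeouts,
        "deny_lines": deny_lines,
    }


if __name__ == "__main__":
    print(conn_utilisation(SHOW_CONN_COUNT, 25000))
    print(summarize_host_log(SAMPLE_LOG, "10.1.1.5"))
```

A high peak_pct_of_limit points back to the connection-limit question; a host whose log shows builds ending in SYN Timeout with no denies is getting its SYNs through the firewall without replies, which is a different problem from an access-list drop, and the deny_lines list names the access-group when it is one.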
