I had a wierd problem yesterday and was wondering if anyone else has experienced something like it. I moved some production appliation servers into a DMZ interface on an ASA 5520 (8.0.2) and everything ran great for a while. Then mid afternoon users starting reporting a esocketconnection error poping up when running a particular query in the application. The esocket error was reproducable 99% of the time. One very rare occusion you would not get the error and the query would return the requested results but you could close out of the application, launch it again, and get the error. I looked at debug messages, even opened up any/any dmz to internal and still would get the error. A reboot of the server did not help. I migrated all but one of the servers out of the DMZ. The server left in the DMZ still had the error and the servers now in the internal zone worked fine. It gets a little more confusing this morning. The server in the DMZ which had the esocket error last night works perfectly fine today, no error. That server was not rebooted and neither was the ASA. I looked at sh asp drop this morning and "dropped pending packets in a closed socket" was 1070. Unfortuantly, this has been over 4 days so i don't know if there is any truth to this number. My number of connection doubled from about 450 to about 900 when the server were migrated into the dmz.
So has anyone had the ASA close connections incorrectly/prematurely because of a high number of connections?
Before moving the production servers to any other interface on ASA you should make sure that all connections to those servers through the ASA are closed and then you can safely move the servers to the other interface without any problems.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...