Cisco Firewall :: ASA 5505 Connection Limit And TIME_WAIT Freezing Device
Sep 30, 2011
My little ASA 5505 is working great The device appears to be artificially crippled and limited to 10,000 connections. This isn't a "CPU limit" it's just some fake limit in the device as far as I can tell.
The problem we have is that we are only using around 500-600 connections and CPU usage is only like 25%, and yet the connection count is pegged at 10,000 and locks us out of our network.
I am pretty sure this is because there are a lot of "dead" TIME_WAIT connections hanging around not being used. In our application we only have the couple hundred connections but they do move around a bit every now and then.
Is there anyway to get the device to ignore the "dead" connections and not count them towards the artificial limit on the device given that it's pretty clear the CPU / etc., is not utilized sufficiently. These aren't real connections, we only have a couple 100 established, they do just move around a bit however.
We are really only using 500-700 connections according to our servers, the others are just sitting in TIME_WAIT doing nothing.
View 1 Replies
ADVERTISEMENT
Feb 26, 2013
I updated an ASA 5505 to 50 users, but I still can only connect 10 hosts. In Licensing it show 50 insides hosts. I also tried to update to ASA 8.4.5 but that did not work.
View 2 Replies
View Related
Jun 11, 2013
I'm having a bit trouble to limit the bandwidth on outgoing traffic with a Cisco ASA 5505.
In my case I want to limit the bandwidth to 31mbit/s up and down on the outside interface. but with my current configuration, just the download rate gets limited to 31mbit/s when I do a tptest. and the upload is around 40/50mbit.
Here is the policy configuration,
access-list outside_bw extended permit ip any any
class-map outside_bw
match access-list outside_bw
[Code].....
View 1 Replies
View Related
Aug 7, 2012
We need to have one connection with less internet bandwidth assigned to it than all other other connections. Basically it is a separate conection from all others, incoming just from one switch port and separate VLAN.I know this can be done on the switch by limiting the bandwidth allocated to a port,
however, is it possible to have the speed limited down, just before it goes to the internet, ie, on the ASA, rather than doing it on the switch?The firewall is an ASA 5505.
View 2 Replies
View Related
Jan 7, 2013
After getting hacked I want to limit terminal server/ remote desktop to only my computer. (although I may need to let other net in later)
In other words I want only computers from my home ip range (lets say my ISP gives me at home something in 28.28.XX.0) to be let in to the router at work and then to port 3389.
In the work ASA 5505 softwareVersion 7.2(4) I now have:
access-list outside_in extended permit tcp any interface outside eq 3389
static (inside, outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
acces-group outside_in in interface outside
View 3 Replies
View Related
Sep 22, 2011
What would be the equivalent of the below static translation below which limit the connection to 100 and embroynic to 50 in ASA 8.3 above.
View 1 Replies
View Related
Apr 21, 2013
Within a workgroup environment we have four large drives, statically assigned and all accessbile via VPN. Our FW is a Cisco ASA-5505. Where within the ASA-5505 GUI can one of these drives be made inaccessible via VPN ?
View 0 Replies
View Related
Mar 21, 2011
I planning to integrate cisco asa5505 device in runing enviornment for filter ip traffic.Internet ----router----ciscoasa----lan.Ip series is public(25.263.25.0/24) througout of network (no privateIP)now how do I set asa in such case and filter traffic from comming into lan and going out to internet.
View 5 Replies
View Related
Feb 27, 2012
A customer got a new VoIP PBX, and now I have to forward port 443 on the ASA to the PBX for remote administration purposes. The LAN-interface of the PBX is in the same subnet as the ASA but has an external VoIP-router as default gateway and not our ASA. Is it even possible to forward the port to the PBX when there is no route of any sort to our ASA on it?
View 2 Replies
View Related
Feb 28, 2011
i did a reset on my asa by stopping the boot process because i could not remember what my enable password was, i had no problems with the reset the asa came backup as it should and i started configuring the device again. My problem is when the device is powered off and back on i lose all configuration that were made, i save the changes with "write me" before the restart and they are still being over wrote.
View 4 Replies
View Related
Jul 13, 2011
Is there a way to restore the device to factory settings. I tried the reset button with a paper clip.
View 2 Replies
View Related
Feb 27, 2012
why does my wireless connection freezes when i am online? i have to shot down and on the system before it works again
View 2 Replies
View Related
Feb 27, 2011
We have an Asterisk/FreePBX phone system located behind an ASA 5505 device where we are having problems with sip inspection.
We connect to three different phone providers, and things works as expected for 2 of the 3 providers,but for the last one (Draytel) we are having problems with sip inspection.
The key difference about the VoIP provider where we are having problems is that they are using differetn servers for the voice (RTP) traffic than the server we are registered with to establish SIP sessions.
sip inspection is configured with the default out of the box options.The problems we see are this:
1. For ingoing calls sip inspection does not open the required pinhole to allow the traffic to flow through. As a result we can not hear the voice of the calling party, but voice from our side is passed through ok.As a workaround we have added and ACE allowing traffic in the used UDP (RTP) range from this VoIP providers ip addresses to pass through the ASA, and with that in place incoming calls work.
2. Outgoing calls doesn't work because sip inspection doesn't kick in, and as a result of this we forward internal ip addresses in the SIP / SDP body to the VoIP provider. I'm not sure whether this is a consequence of sip inspection not kicking in for this provider, or a result of having added the ACE for an ip ragnge that covers the ip address we register with.
As stated above sip inspection does work as expected for two other providers where all traffic goes through a single server.We actually have had this working with ASA firmware 7.2(4), but as that version intermittently had a problem where sip inspection would stop working (fixable by power off/on or a clear command), then we decided to upgrade.
View 1 Replies
View Related
Aug 17, 2011
I use the internet wirelessly via a Netgear JWAGR614 (I guess this is the Japanese-market version of the WAGR614), which works fine with my old laptop, a Toshiba Dynabook running Windows Vista. When I use it to connect with my new laptop, however (also a Dynabook, using Windows 7 32-bit), the connection to the router will freeze every few minutes. (It still claims to be connected, but no data seems to get through.) It will then come back after about 20 seconds, or faster if I disconnect and reconnect manually.The connection of my other PC is not affected during this time, it is still transferring data normally even while the new PC cannot.
View 6 Replies
View Related
Nov 18, 2012
I recently got a secure token to be able to connect to my desktop at work from home.The first couple of times I connected it worked well. Now when I try to connect it works for about 4 or 5 minutes then the remote session freezes up and the window won't update. Once it freezes I no longer can connect at all to my work PC until I physically go into the office and restart the computer. Our IT dept can't even connect to the work computer once that happens.
I'm trying to think of what could be causing this to happen when it worked fine the first couple of times.It could be a coincidence but the last couple of times this has happened I think I had just opened an IE web browser on the remote work pc but that could be unrelated and I don't see why that would affect it.The only thing that I can think of that has changed is on friday I got a juniper router and a Polycom IP phone so that I could use a work phone at home over my home network, however that should have any impact and the freeze up is happening remotely not at home.
Details:
I'm using a laptop at home running Windows 7 Ultimate
I connect to my work network using a web based ssl vpn web page logging in with an Aladdin Safeword token over IE9 using Juniper terminal services client software.
My home connection consists of a cable modem which has a wireless router plugged into it.Plugged into the ethernet port on the back of the router is a broadband-over-electric adapter that runs broadband over my electric current in the house. I then have a receiving adapter for that electric adapter running ethernet from the electric outlet into the Juniper router. The only thing plugged into the juniper router is the Polycom IP phone. My laptop connects wirelessly to the wireless router.
As you can see, with this setup the addition of the Juniper router/ip phone should have no impact on me connecting to my work network over the wireless connection so it is probably a coincidence. What could be causing the remote desktop session on my work machine to crash & stop accepting connections?
View 2 Replies
View Related
Apr 9, 2013
I work from home and log into my work using a token I get into my work server but it keeps freezing and boots me out. If this makes sense. I have to use my mums laptop windows 7.
View 2 Replies
View Related
Dec 18, 2011
We're getting "Connaction Timeout / Connection Failure" error messages several time per day. Here is our setup:
Verizon FiOS Internet (ONT Box) --> Cisco ASA 5505 --> EdgeMarc 4500 Router --> Cisco 300-24G Switch --> Dell PE1950 Servers
From past few months, we keep getting Connection Timeout and Connection Failure error messages in our vendor application which connects to SQL Server 2005. Also Terminal Server 2003 keep disconnecting for every few hours.After several days of troubleshooting, we come to know that this Cisco ASA 5500 is not working properly. When I access the ASDM, it shows several warning messages.I know there is a setting option to configure TimeOut, but is there anyway to test and track the ASA 5500 regarding this Timeout issues?
View 3 Replies
View Related
Jul 6, 2012
I want to know how I can manually limit the Kbps for a particular devince in the QOS.I DO NOT want to simply set the priority (low/med/high). I want to "physically" limit a device.
When I select to do it manually (upstream bandwidth) it limits ALL devices and I do not want this. I want to limit the bandwidth on only one device that is connected (ie an Xbox)
I have a Linksys E4200 V2
View 9 Replies
View Related
Dec 31, 2012
Within the Internet Access Policy section of the browser based utility, is it possible to limit access for a specific device (PC) to LAN only (not allow any traffic to external internet)? I see that you can block internet access for a specific machine, however I didn't know if this was inclusive of LAN as well.If not, is there another way to achieve this via the E3000 or should I be looking for a solution on the specific PC itself?
View 4 Replies
View Related
Dec 21, 2012
I installed a CISCO ASA5505 with 50 user license to my network as the gateway firewall. So ASA is acting as the gaeway router which is connected to a fibre circuit and also it gives DHCP to the network. The strange thing is that except for two computers rest does not have internet. I also have an asterisk phone system which works fine..
I tried everything.... static IP's DHCP, DNS nothing worked. But strange enough two computers works fine and have internet.. but are no special computers. One is Win XP and the other one is Win7. When I troubleshoot the problem in win 7 on one of the computers it says
"The remote device or resource won't accept the connection"
View 3 Replies
View Related
Aug 18, 2011
I am using ASA 5505 cisco firewall as a transparent firewall. I have assigned ethernet 0/0 as outside interface and ethernet0/1-7 as inside interface. There are 3 departments in office. So, i connected ethernet 0/1 to Dept A, ethernet 0/2 to Dept B and ethernet 0/3 to Dept C. Now, I want to limit bandwidth to each department, e.g, 1 Mbps download/upload to Dept A, 512 kbps download/upload to Dept B and 512 kbps download/upload to Dept C. So, how can i do this in ASA 5505.?
View 1 Replies
View Related
May 2, 2012
I am trying to replace a 1751 IPSec VPN that connects a single LAN behind the 1751 to ~45 remote networks behind a single peer. There are a small number of workstations (~50) and low throughput (< 1MBps) across this VPN, the biggest trouble is the number of remote networks needed.
I have tried to connect an ASA5505 Security Plus in place of the 1751 and am able to get Phase 1 and Phase 2 up, except I don't get all of my ipsec sa's and can only pass traffic to some of the remote networks. Does the 25 IPSec limit apply to multiple sa's one one peer, I've only ever seen it spoken of as a 25 peer limit?
View 4 Replies
View Related
Nov 27, 2011
Hit my 10 license limit on my 5505 and am trying out how to clear the cache so my main machines can get online.
I connected some VMs to the internet so i could download updates and now im stuck.
View 10 Replies
View Related
Nov 18, 2012
Region : Italy
Model : TD-W8960N
Hardware Version : V4
Firmware Version : 67406
ISP :
I have problem on router td-w8960n v4 internet speed download is limited a 4 mb in device android e ios wifi connected for test i use application speedtest.net on ipad 3 and samsung galaxy s
View 2 Replies
View Related
Sep 11, 2011
I have the default license for a ASA 5505 and this last Friday I received the attached log for SSH sessions through this firewall; we want to be clear about this issue. This limitation has to be with the 10 Inside Host or the Total VPN Peers limitations in this license? This firewall exists only to agree with a PCI requirement between our router and a communication with a Payment Card Industry Brand, all of this in the same site.
ASA5505 <164>Sep 09 2011 10:42:08: %ASA-4-450001: Deny traffic for protocol 6 src DMZ:X.X.X.X/2479 dst DMZ1:X.X.X.X/22, licensed host limit of 10 exceeded.
I hope that the communications through 22 TCP port, are not countable for license propose.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
[code]....
View 1 Replies
View Related
Feb 13, 2012
I have the asa 5505 with asdm 6.4(5). my inside LAN is 192.168.0.0/24. the outside of asa is connected on lan 10.13.74.0/24 and i need over LAN 10.13.74.0/24 connect on LAN 10.15.100.0/24. i put nat rule on asa 5505 and acl rule and users from lan 10.15.100.0/24 can connect on my server, but i can't connect on from inside of asa connect on lan 10.15.100.0/24 and 10.13.74.0/24. my configuration asa is Result of the command:
"show running-config"
: Saved
:
ASA Version 8.4(2)
!
host name Cisco asa
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[ code]....
what i do that connect on LAN 10.15.100.0/24. i cant ping my outside interface, put rules on acl, i enabled service policy rule for icmp ,but nothing.
View 3 Replies
View Related
Feb 15, 2011
We recently got a 10 meg dedicated internet fiber connection installed. I connected it to a PIX 501 firewall and everything worked fine (I tested it for a couple of weeks). A couple of days ago I got a new ASA 5505 and replaced the PIX with this device. It works, but every so often there seems to be a timeout when surfing the web whereby I click on a link and there is up to a 45 second wait and then the page loads quickly. I was not getting this before on the PIX so I'm assuming it's not a latency issue with the connection. I am the only one using this connection on the network so it's not to say that it's being bogged down. I want to roll this out to the other users on the network but not when this is happening. The configuration is below:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 8 Replies
View Related
Apr 15, 2013
I have a SIP trunk in my Florida office connected to a Cisco 2851 ISR. I'm using Unified Communications Manager 8.0 and life is great.
We just opened a new office in Spain and now the fun begins. We created a site-to-site VPN tunnel using ASA 5510 in Florida and ASA 5505 in Spain. We can register IP Commuicator phones in Spain but when they make calls it shows up as a Florida call. We need it to show up as a Spain call.
We are thinking to get a SIP trunk into the Spain office but I only have a ASA 5505 over there. Can I terminate a SIP connection to it? Is this the best option? If not, what is the recommened setup?
View 1 Replies
View Related
Nov 13, 2012
I am having a problem with a ASA 5505. The users on the inside cannot access internet for the most of the time. When i looked over the configuration and tried a few changes i got out to internet about 5 seconds every 30 minute or so. Very strange. When i try to access internet i just get the windows post that DNS is not working properly. As you can see in my config i get all addresses dynamic from ISP.
I am not sure what to do next, i tried to set static routes, make Nat changes, static dns addresses, searching this forum but nothing works. It seems like there is a ISP problem but i have talked to the support twice today and they say that all is fine from their side. Does ASA behave like this?
ASA Version 8.2(2)
hostname ciscoasa
domain-name
enable password encrypted
passwd encrypted
names
[code]...
View 7 Replies
View Related
Jun 23, 2012
I have a Cisco ASA 5505 - 50 VPN edition. I have baffling network issues that I have not been able to pinpoint and I recently started to think it may have something to do with my ASA. I'm a network administrator and I have a Cisco ASA 5505 in my home network so I can learn how to manage Cisco ASA's and utilize the Easy VPN feature so I have a always on VPN connection into work to log into servers, etc. I've been using the ASA for almost 6 months with the EasyVPN feature with no issues. My ISP is Comcast.
Within the last week my connections have been randomly dropping for about 20 seconds and then reconnecting. I have two computers on the network that have a direct ethernet run to the switch ports on the back of the ASA. When the connection drops, I see my LAN icons completely lose connectively (yellow exclamation warning) then after 20 seconds, reconnect. This is very random. I was able to get it to happen every time I connected to XBOX live and play a online game. It would almost on cue drop after 30 minutes of online gamming. Here are the steps I have taken:
1. Replaced 10/100 switch to a brand new 10/100/1000 switch from computer run in my office to the ASA.
no joy
2. I upgraded the ASA to the most recent firmware: ASA Version 8.4, ASDM Version 6.4
no joy
3. I had an ethernet run under my carpet to the office, I started to think that maybe one of the cables had an issue after walking on it and vacumming causing a short. I removed all the ethernet under the carpet and installed power line over ethernet adapter from the ASA to my office.
no joy
4. I checked both computers on the network for viruses. All computers came back clean after scanning wth Malwarebytes and SuperAntispyware.
5. I've watched the logs on the ASA as the LAN connection drops and I don't see error messages to troubleshoot this issue.
The only thing left to replace is the Comcast modem or the Cisco ASA. The Comcast modem is newer and only about 1 year old (rented from Comcast). Since my actual LAN connection drops and I lose connectively I believe there may be some issue with the ASA or the ASA switch ports or some sort of internal hardware issue on the ASA.
View 4 Replies
View Related
Jun 24, 2012
I'm trying to get an asa5505 set up so that our web server can send an LDAPS login to a client's server and receive the request back. The default IP our traffic goes out on is different than where I want the connection to come back in on. So, I set a NAT rule to send all traffic from a specific inside IP out a default outside IP. I also allowed LDAPS traffic from the client's server IP address in and have nat'd it back to the appropriate inside IP address. It seems to build the outbound connection fine, but then seems to drop it right away, which then seems to not allow the response back in. I've attached a picture of the log, with (what I think are) the lines in question highlighted. I'm far from a routing expert, but this seemed like a fairly easy setup.
View 1 Replies
View Related
Jun 3, 2013
I am mapping static ip address to the local ip address.We have a bsnl broadband connection, and bsnl has provided us with one static ip address.We are using broadband modem.Now I would liket to map this static ip address to one of the private ip address which is 192.168.1.2(database server).i want to do nat above ips if i do so then i dont have no ip to assign to my outside interface.I would like to access this device over internet, by typing my public (Static ip ) given by the BSNL.security device i have is cisco ASA 5505.
View 3 Replies
View Related
May 23, 2012
I have a simple network with an ASA5505 mainly used for AnyConnect so there is little traffic. There is 1 laptop connected to the E0/1 of the ASA and then E0/0 is going to the internet port. I've noticed about ever 15-20 minutes, I lose all connection. The laptop can no longer browse the web and handsets can no longer VPN into the network. I've noticed a few seconds after performing a clear arp, all the connectinos are restored. The laptop can browse the web and handsets can VPN in again.
View 11 Replies
View Related
