Cisco Firewall :: ASA 5505 Disconnecting Inactive TCP Session?

Apr 15, 2013

My company has a DCS network that was previously segregated with a layer 3 switch and a handful of access lists.  However, there came this big push to segregate all DCS networks with Firewalls, so I purchased a 5505 and duplicated my simple access lists on the firewall and everything worked.  There is no NAT, just explicitly permitted traffic out and explicitly permitted traffic in.  However, there are some applications that connect and work fine for a few hours, then disconnect and the user must exit out of the application and go back into it, then it starts working again.  Previously with the Layer 3 Switch/access lists, this never happened.  Since I put the firewall in place, it has happened 3 to 4 times a day every day for the last week.

View 4 Replies



Cisco Firewall :: Single Session HTTPS Offload On ASA 5505?

Jan 14, 2013

I have an ancient Alteon load balancer which only supports HTTP and telnet access. Our management people only allow HTTPS through the management firewall farm, and don't want to change this policy. So I need a low cost HTTPS to HTTP conversion, ideally on Cisco hardware like an ASA5505. It only needs one concurrent user. Is there a way to configure an ASA 5505 to terminate the inbound HTTPS session and re-originate a HTTP management session to the Alteon? It looks to me as if the Clientless SSL VPN might do the job. Is there a way to do a SSH to telnet conversion on the ASA, or on a router?

View 1 Replies View Related

D-Link DIR-615 :: Keeps Disconnecting Alive Session?

Apr 29, 2011

I log in to work from home and if I am inactive for 5-10 minutes, I lose connection to my work server.  If I bypass the router, this problem doesn't happen.  How I can change settings to keep my session alive? 

View 15 Replies View Related

Cisco Firewall :: ASA 5505 Users Are Always Disconnecting 25-30 Minutes From Outside Server

Feb 27, 2012

I am facing a teardown problem on a Cisco ASA 5505. Users are always disconnecting 25-30 min from outside server. [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5540 - Identify Unused / Idle And Inactive Rules

Jul 22, 2012

I have a pair of ASA 5540 running 8.4 code. The firewall set has about 4500 rules. I am tasked to identify all unused/idle/inactive rules in the past 3 months.

View 2 Replies View Related

Cisco VPN :: Disconnecting On ASA 5505

Feb 21, 2011

I configured a site-to-site VPN between ASA 5505s; one site has a static IP and the other side has a dynamic IP. My issue is that the tunnel automatically goes down after maybe 30 minutes if it is idle; if I initiate again from the dynamic side it will come up. My setup is like this: on the static IP side I have an ADSL line, so I connected to the ADSL router, and the ADSL local network is the outside network of the ASA 5505. So there is something like dual NAT in the VPN connection.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 RDP Session Timeout?

Jun 4, 2012

I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up an RDP based connection, for monitoring purposes, for most of the day, but their RDP connection keeps getting disconnected after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glaring differences in regards to the configuration that would cause the RDP sessions to either stay up or be disconnected after an inactivity type scenario.
 
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.

View 2 Replies View Related

Cisco Firewall :: Terminate Vpn Session On Asa 5510?

Apr 5, 2011

How to terminate a VPN session on the ASA 5510, when you issue the command sh vpn-sessiondb remote?

View 1 Replies View Related

Cisco Firewall :: ASA 5550 - TCP Session Resets

May 1, 2012

Our users are using Xmanager to connect to a NNM connection which is going through a Cisco ASA5550 with 8.3. The session of Xmanager is getting terminated exactly after 1 hour and the users have to reconnect it again. How can we make the session stay up always? When I am bypassing the firewall it's always up.

View 2 Replies View Related

Cisco Firewall :: ASA 5500 - PPPoE Session Duration

Sep 18, 2012

How can I determine the current PPPoE session duration on ASA 5500 systems? If I use the different CLI commands like "show vpdn session state / show vpdn session pppoe state" the output says:

State: SESSION_UP Last Chg: 593595 secs.
 
The ISP is forcing a reconnect every 86400 seconds, so the value can't be the actual duration of the pppoe session. Does it only indicate the link duration to the attached modem or interface state? Is the only way to detect interruptions of the pppoe session with debug and syslog?

View 0 Replies View Related

Cisco Firewall :: Active Session Count Of ASA 5540 In HA?

Apr 15, 2012

We have configured our ASA5540 in active-standby failover. We are observing that the current active session count is twice the session count before configuring HA. Earlier the average active session count was 50000 and now after HA it is around 100000. The failover configuration of both firewalls is as follows:
 
failover
failover lan unit primary
failover lan interface FOLan GigabitEthernet1/0
failover polltime unit 15 holdtime 45
failover replication http
failover link StateLink GigabitEthernet1/1
failover interface ip FOLan 10.3.3.1 255.255.255.0 standby 10.3.3.2

[code]....

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Citrix Session Reliability?

Sep 11, 2011

My company has a Cisco ASA 5510 and we have a Citrix remote desktop solution. In a nutshell I have users from outside our network accessing a virtual Citrix NetScaler inside our DMZ. There is a session reliability feature enabled on the Citrix solution. Session reliability uses TCP port 443. A user from outside the network connects to our network and is handed a virtual desktop to work with. When a remote user is working on their virtual desktop and there is a network connection issue, the end user loses network connectivity for a brief period of time (in most cases just seconds), then the Citrix session reliability feature takes over and holds in a buffer all data destined for the end user. Once the connection is re-established then the buffer is emptied and the session goes on like before and the end user is able to use the virtual desktop. At least this is the way it should work.

In our case the connection never re-establishes between the end user outside the network and the NetScaler in our DMZ. We have been working with Citrix Support and they believe the issue is in our firewall. We have taken packet captures with Wireshark and we can see that when the network failure occurs the NetScaler in the DMZ is holding information in a buffer and trying to communicate with the remote end user outside our network via packets and TCP port 443. We can also do the same packet captures from the end user computer and see that it is not receiving any packets from the NetScaler in our DMZ. The firewall has an access list allowing any traffic in the outside port destined to the NetScaler public IP on port 443. Then once in the firewall outside port we have a static rule pointing to the NetScaler IP in the DMZ. Everything is working quite well until we need to rely upon the session reliability. We have tried altering the TCP & Global Timeouts options in the firewall via the ASDM with no luck.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 / Failing To Get To Outside Webpage - Session Being Reset

Jun 5, 2012

I have an ASA 5520 for my firewall (ver 8.0(4)). I have an external hyperlink that works from DSL at home but not from behind my corporate firewall. When I filter my real-time log viewer for this destination address I see the build up and immediate teardown of the session. The log indicates the teardown was initiated from inside. The informational alerts are:
 
Built outbound TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 (65.204.x.x/52001)
Teardown TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 duration 0:00:00 bytes 77 TCP Reset-I
 
Reset-I means that something (the firewall or my pc which is the source) is telling the firewall to end the session.

View 2 Replies View Related

Cisco Firewall :: Unable To Open SMTP Session Through ASA 5512-X?

Sep 20, 2012

Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
 
NAT and access rules are as follows:
  
object network mail
host 192.168.101.1
description Mail relay
access-list inbound extended permit ip any host 200.225.117.1

[code]....
 
EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?

View 3 Replies View Related

Cisco Firewall :: Cannot Access FWSM Via Session Command In 6513 (VSS Enabled)

Apr 24, 2012

Today i received FWSM from cisco (RMA), I need to configure it as standby unit for existing FWSM active/standby setup.
 
IOS on the RMAed FWSM is 2.3.4 and Cisco VSS supports FWSM IOS 4.0.4 and later. My issue is, I cannot access the FWSM (IOS 2.3.4) via the session command from the Cisco 6513 but could successfully console into it without any problem. I have reloaded it twice and also tried to disable and enable power on it.
 
VSS#sh module switch 2
 Switch Number:     2   Role:  Virtual Switch Standby
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
   2    6  Firewall Module                        WS-SVC-FWM-1  -----------

[code]....

Why can I not access the FWSM through the session command? Is this because of the older IOS? If yes, then how do I upgrade its IOS? Is it possible to upgrade the IOS via the FWSM console? If yes, do I need to test on a different slot?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - User Lose Session With Server While VPN Still Established

Jul 7, 2012

I have users connected to the office using the Cisco VPN client; a Cisco ASA 5520 acts as the VPN gateway. Frequently the users get disconnected from the server while the VPN is still established and not disconnected!

What is the cause of the issue, where is the fault located, and how do I start troubleshooting to figure out the issue?

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Single Timeouts Drops Remote-Desktop Session

Oct 17, 2012

Just recently we replaced our HQ Cisco PIX with a Cisco ASA 5510, where we have many branches connecting to our HQ through site-to-site VPN.

Since putting this new ASA5510 at HQ, while we have a Remote Desktop session into our branch clients, when even a single TIMEOUT occurs on the VPN link the Remote Desktop session gets completely lost. Then we have to re-connect the session.

This issue happens, as I said above, when a single timeout occurs on the VPN link. What is the issue with the ASA5510? Because with the PIX we didn't have this issue; remote desktops were never getting lost / reset with a single timeout.

View 1 Replies View Related

Cisco WAN :: Inactive Ports On 4507R-2 Switch?

Nov 14, 2012

I'm having issues getting the ports g3/5 and g4/5 from inactive to notconnect.
 
I have tried the hw-module uplink select all in the global configuration, but it's not working; I am getting a "% Invalid input detected at '^' marker." message every time.
  
This what I have:
 
Power consumed by backplane : 40 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
1    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45   JAE152101QK

[Code].....

View 2 Replies View Related

Cisco WAN :: 2811 Router Become Inactive Once Or Twice In A Week

Mar 1, 2012

I have one Cisco 2811 router, one Cisco 4503 core switch, and one Cyberoam UTM. VLAN 16 on the router is connected to VLAN 16 of the core switch. VLAN 3 on the router is connected to the UTM. VLAN 2 on the router is connected to the Internet leased line. And one MPLS VPN is terminated at a Fast Ethernet port. All ports are Fast Ethernet ports on the router and all are Gigabit Ethernet ports on the core switch. Now coming to the point: whenever the router becomes inactive, the Fast Ethernet ports are working but the switch module ports are not working, and at that point we have to reboot the router.

View 2 Replies View Related

Cisco Wireless :: WLC 7.0.220 / NMSP Status Is Inactive

Dec 20, 2011

I am running the following
 
WLC: 7.0.220
MSE: 7.0.220
NCS:  1.0.2.29
 
NCS shows the Controller is not reachable from the MSE. I am able to ping to and from the Controller and MSE. The synchronization service is showing everything being synchronized. Removed the MSE from NCS and added it back in several times.

View 8 Replies View Related

Cisco WAN :: 3825 - Way To Clear Inactive IDBs

Jun 15, 2011

Is it possible to clean inactive IDBs? I have a Cisco 3825 that supports up to 1200 IDBs and is now using 1102, but 614 are inactive.
 
[code]....

View 4 Replies View Related

Cisco WAN :: Gig0 / 2 Port Inactive / Down - Cat2960

Jun 22, 2011

Got a mind-boggling issue with a Gig0/2 port on a Cat2960 48TTL; the port seems dud. I can't enable it, and it's not shutdown either. However, when I restart the switch, on CNA, I can see the interface flash amber (as all ports do when restarted) and go grey. The cable is OK and works on other interfaces on the same switch. Without having to buy whole new equipment, is there a way I can test whether the port is faulty, as in physically, or whether I have missed something?

View 7 Replies View Related

Cisco Firewall :: VPN Sessions Are Disconnecting Very Often Through ASA 5520

Apr 5, 2011

While traversing through a Cisco ASA 5520 firewall, VPN sessions are disconnecting. In the access lists for VPN outbound traffic from the LAN to the client VPN, we have allowed all ports. Are any inspection rules the cause of this issue? In the ASA firewall, presently the inspection rules are [code]

View 1 Replies View Related

Cannot Map Network Drive (Reservation Inactive)

Apr 14, 2012

Two people went on a business trip with their laptop and when they came back they could no longer access the data server. Cannot map the network drive either.

1. Every desktop PC in office can see and access the data server fine.

2. We have a DHCP and DNS server (on one PC; Windows Server 2008), but we had to shut down the services because internet and email didn't work when the DHCP and DNS server service was on. I am confident that this is due to the recent shutdown of the company e-mail server (now outsourced) and the server settings needs to be reconfigured. The described symptom persists even when the DNS server service is stopped.

3. Upon taking a closer look at the DHCP reservation settings. The reservation status indicates as "Reservation (inactive)". I don't know the MAC address of the device, so I have no idea if the values are correct. Tried rebooting the server, delete and recreate the reservation, reboot router; no cigar.

4. Using the coworker's laptop, the data server is shown in the "Other devices" section even with the DHCP server disabled, but shows an error that it cannot access it.

5. All users, with the exception of the data server, have dynamic IPs assigned.

6. DHCP, DNS server is set to 10.10.10.2, Router is set to 10.10.1, Data server is set to 10.10.10.175. 10.10.10.2 is also an accounting server which can be accessed by everyone even in the midst of this mess.

View 1 Replies View Related

Cisco Switching/Routing :: Inactive Interface On The WS-C4507R+E?

Aug 31, 2012

I have a switch WS-C4507R + E, added two SFP SFP-10GBase-SR, and they stayed with inactive status, activate these interfaces in 10Gb. 
 
SWC-DC01#sh interfaces status module 4
Port      Name               Status       Vlan       Duplex  Speed Type
Te4/1                        connected    trunk        full a-1000 1000BaseBX10-U
Te4/2                        notconnect   1              full   auto No XCVR
Te4/3                        inactive        220           full   auto 10GBase-SR
Te4/4                        inactive        220           full   auto 10GBase-SR

[code]......

View 1 Replies View Related

Cisco Firewall :: VPN Sessions Disconnecting Frequently Through ASA 5520

Apr 6, 2011

In our organization, recently we are facing an issue with VPN connections disconnecting abruptly at random time periods (5 min, 15 min, also 1 hr). We have verified in our syslog. [code] The same worked well with the Cisco PIX 515E firewall; after changing to the Cisco ASA 5520, it is giving the issue.
- All ports are allowed for outbound traffic with a source network 172.16.40.0/24 to their client VPN.
- This issue also occurs for other subnet users, i.e. 172.16.33.0/24 to their client VPN sessions, and I allowed all ports for them for outbound traffic. Is any feature in the ASA causing the sessions to terminate which was not in the Cisco PIX 515E?
- ASA version is 8.0.

View 2 Replies View Related

Cisco Switching/Routing :: Interface Showing Inactive On Cat4500?

Jan 22, 2013

We have 3 Cat 4500 switches on three floors; the 3rd floor switch connects to the 2nd and 4th floor switches, but we are receiving an alert from the monitoring tool that "Interface(314) Backup-1Gb-Ring is Down at least 2 min on Switch: SOM500-4510-3FL". The following output from "sh int status module 1" shows that int 1/3 and 1/4 are 'inactive'. The local IT guy said that if the status is inactive, the ports cannot be used, and they might have lost the capability when he added a 48-port blade into the 10th slot.

2nd Floor
Port      Name               Status       Vlan       Duplex  Speed Type
Te1/1     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Te1/2     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Gi1/3     Backup-1Gb-Ring    notconnect   1            full   1000 1000BaseSX
Gi1/4     Backup-1Gb-Ring    connected    trunk        full   1000 1000BaseSX

3rd Floor
Port      Name               Status       Vlan       Duplex  Speed Type
Te1/1     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Te1/2     SOM500-Core1       connected    trunk        full    10G 10GBase-LRM
Gi1/3     Backup-1Gb-Ring    inactive     1            full   1000 1000BaseSX
Gi1/4     Backup-1Gb-Ring    inactive     1            full   1000

[code]....

View 6 Replies View Related

Cisco Wireless :: 5508 MSE NMSP Passes Troubleshoot Test / Still Inactive

Jan 4, 2012

I have two WLCs (5508 - v7.0.220 and 2106 - v7.0.116) that were NMSP connected to a MSE (v7.0.201.204) according to WCS (7.0.172.0). The MSE reloaded (actually a reload command from WCS hung the MSE and it had to be hard rebooted) and I ran into an NTP issue with the MSE running the GMT timezone and the WLCs running GMT -8. This was highlighted by the NMSP status testing tool. As a quick solution I changed both WLCs to GMT. The tool now tests all green, but the NMSP status remains Inactive for both WLCs and I have no client or tag information flowing into WCS.

View 3 Replies View Related

Cisco :: Catalyst 3560s / 3750s - EEM And TCL Script To Disable Inactive Ports

May 4, 2013

I've browsed around the other support strings to make sure I didn't miss anything, but I can't seem to get this to work. I have the latest sl_suspend_ports.tcl and tm_suspend_ports.tcl created by Joseph Clarke from strings that verified they worked as planned. Here are the commands I issued to register the scripts -
 
 
Directory of flash:/policies/ 
9  -rwx        3101   May 3 2013 07:58:03 +00:00  sl_suspend_ports.tcl
10  -rwx        4669   May 3 2013 07:58:44 +00:00  tm_suspend_ports.tcl
 conf t
event manager directory user policy flash:/policies
event manager policy sl_suspend_ports.tcl
event manager environment suspend_ports_days 1

[code].....
 
It doesn't appear to work though. Essentially, we have a need to make sure all computers are always on and all ports not active for >24 hours to be shutdown and moved to a designated vlan (I added the 'lappend' statement to the script to specify the additional command of assigning the vlan). I'm running 12.2(55)SE7 on Catalyst 3560s and 3750s. Is there a way to manually run the script? Did I miss anything in the configuration?

View 19 Replies View Related

Linksys Wireless Adapters :: WPC54G Inactive When Installed On Compaq With XP SP3

Jan 29, 2011

I am trying to install a WPC54G adapter in a Compaq EVO N610C Laptop with Windows XP SP3 and it has a Texas Instrument PCI-1420 CardBus Controller.  Adapter is inactive. I have uninstalled, reinstalled, download updated drivers from Linksys.

View 1 Replies View Related

Linksys Wireless Adapters :: WPC54G V1.2 Adapter Continuously (inactive) With Windows 98?

Dec 20, 2008

I've spent several hours of my life trying to rectify this silly problem without peace. Maybe one of you can enlighten me. I've got a Win98 laptop and have loaded the driver specified from the Linksys website. The software from the website under "Version 1" downloads a file entitled "...driver utility v3.1." I've installed and uninstalled it 3 times with restarts in between. Each time Device Mngr shows it is installed correctly but the "inactive" status persists. I get a "Power" light indicator but never the "Link" indicator on the adapter. I do not have a firewall or any other software that would interfere with the access point I have at my home (which works just fine with my Vista laptop). Furthermore, the wireless router is not secured either, so it is wide open and broadcasting. But as I said, the adapter isn't even showing as "active" so all that stuff is moot I guess. I can not upgrade the laptop to another OS; it is an antique from 1999 and can't cut the mustard with the RAM and processor speed it has. Besides, it should work just fine with Win98 anyway.

View 4 Replies View Related

Linksys Wired Router :: BEFSR81 V2 Ports Become Inactive - Upgraded To Latest Firmware?

Jan 5, 2012

I have the Linksys BEFSR V2 router and at least once a day some or one of the ports become inactive and I have to unplug the router and plug it back in to reset. I have upgraded to the latest firmware but this is still happening on a daily basis.

View 3 Replies View Related

Linksys Wired Router :: BEFSR81 V2 Ports Become Inactive / Upgrade File Pattern Error?

Jan 2, 2012

I have the BEFSR81 V2 and every day at least one of the ports becomes inactive and the router has to be unplugged and plugged back in to reset the ports. I was going to upgrade the firmware from version 2.44.2 to the one on the site, 2.45.10, but when it is downloading I get a message at the end: upgrade file pattern error. Is there a problem with the router that the ports go out, or will the firmware update hopefully correct that issue, and how do I get the firmware to update?

View 2 Replies View Related






