Cisco Firewall :: ASA 5505 Stops Accepting Connections
Nov 21, 2012
A client has an ASA 5505 with a base license. The version information and configuration are attached. In 8 hours, sometimes less and infrequently more, it becomes inaccessible. All connections are dropped and the only way to access the device is through a console connection. The WAN interface (VLAN 3) is connected to Verizon FIOS. The interface was set to 100 MBps and full duplex, but I just changed it to auto on both the speed and duplex to see what would happen. The LAN interface (VLAN 1) is also set to 100 MBps and full duplex. It has not been changed.
The last time it happened logging was running, but nothing in the log indicated a problem. In fact, the last log entry was a couple of hours before the lockup (there's little or no traffic on the ASA while the problem is being diagnosed).
Feb 8, 2010
We have an AP541N that has been deployed to replace a Cisco 1200 AP (B/G radio). The 1200 functioned perfectly in our environment. The new AP541N on the other hand seems to work fine right after a reboot but immediately starts to degrade service. Over a short period of time, the device's bandwidth degrades to the point where the wireless network is not usable. This happens with just one device connected. Eventually, the device stops accepting client connections. We are unable to get any relevant logging out of the device to diagnose the problem.
Sep 25, 2011
I have two WAP4410N. One of the access points is connected to our wired LAN, called by now AP1. The other access point is connected to the first access point by WDS (Client mode) called now by AP2. I have upgraded both access points to firmware 2.0.4.2. Both access points are set to the same SSID and channel (6) and are set to mixed mode (B/G/N). After two weeks they started to fail. When I connect to AP1 I don't receive an IP address of our DHCP server from our LAN. I'm able to connect to AP1 from our LAN. When I SSH to the box and I do a dmesg command, I see the following messages:
ath_bstuck_tasklet: stuck beacon; resetting (bmiss count 36)
ath_bstuck_tasklet: stuck beacon; resetting (bmiss count 36)
ath_bstuck_tasklet: stuck beacon; resetting (bmiss count 36)
[Code].....
I'm still testing these devices and I hope I can use these devices in our production environment, which is not possible with these errors and outages.
I can't connect to AP2 right now. I think the whole wireless interface isn't working anymore, unless I power off/power on the box. But it's hard testing when it works ok for two weeks and then stops.
Oct 20, 2011
It's a Linksys wireless router attached to their service provider modem and it can no longer receive new connections. The PCs connected to it before still run through it fine but any new laptops using the proper authentication and password are unable to make a connection. First thing I am going to try is a factory reset (they mentioned resetting the router but they may have just rebooted it).
Jun 7, 2012
My ASA 5510 has stopped accepting connections today. I cannot connect with ASDM either. ASDM hangs at "Contacting the device. Please wait" and does not return an error or time out. I can telnet into the device but my CLI knowledge is elementary at best. I'm trying to determine how to view or enable the correct logging and view via CLI. I have looked at the client log from one of the users that cannot get in and have attached it. It looks like Phase 1 is not completing but I'm not sure how to view what the ASA is logging. I have run debug cry isa and debug cry ipsec but it just returns to the prompt and I'm not sure what I should expect to see or what command to run to view the results.
Dec 14, 2012
I have a 2801 with a very simple config that's accepting telnet connections on port 6050 from everywhere:
Nov 4, 2012
Firmware Version: 2.00.01 build 15 Sep. 13, 2010
Firmware Verification: dcf86b5724049cb145f571a4bc21a17d.
I was able to connect using Gnome Epiphany Web Browser v 3.4.1 and found no problems on the WRT610N router. So-o-o Cisco, what do you recommend I do, seeing as how there is no later firmware to apply and nothing to configure that I can see?
Jun 5, 2012
I have an ASA 5505 with software version 7.2(3) that randomly stops responding. The firewall sits in front of a public-facing webserver that handles a significant amount of traffic. I was wondering what would happen when the ASA 5505 reaches or exceeds the 4000 connections per second limit, i.e. would this possibly explain why my ASA 5505 stops responding and requires a power cycle in order to start working again? When it "crashes" it does not respond on either the outside or inside interfaces.
Sep 24, 2012
I've got some ASA5505s which run as EzVPN clients in NEM, connecting to an ASA5510 as head-end. The ASAs are configured with a CSM and AUS. But whenever they are getting a new configuration through the AUS they stop trying to establish an EzVPN connection to the head-end. After a "reload" they run with the new configuration and establish the tunnel as expected.
Apr 18, 2013
I am trying to determine why Comcast Business Class modem configured with a static IP (IPV4) works with a laptop or Linksys Cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stop passing web traffic. I am able to ping the default gateway even though I can not surf the web. Restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I can not connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then with another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters: The 5505 was reset to default factory settings via the command: config factory-default. Configured the outside interface with static IP Address followed by the no shutdown command, then removed DHCP features from outside interface. Added Comcast DNS servers, default route, ntp servers, configured DHCP features on the inside interface. Enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly. The show version and show startup output are below.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
[Code].....
Mar 1, 2012
We have a user who needs to access a VPN from his Mac through an ASA 5505. The user is getting an IP via DHCP and the outside interface of the ASA gets its address via DHCP as well. The user states that when he is home or anywhere else but behind the ASA it connects fine, but once the ASA is added it times out. He is able to get to the internet from the machine without any issues. Looking over the config on the firewall it isn't set to deny any traffic and there is a global set on the interface and it is nat the inside interface. There is no global policy in place so I was considering implementing the following:
policy-map global_policy
 class inspection_default
  inspect pptp
May 22, 2012
I am trying to get up to speed on this topic as quickly as possible.
Here is my issue:
1) We are able to access the website
2) We are able to upload data packets
3) We allow the website to time out while we are uploading data packets
4) When we attempt to re-access the website the ip is blocked a) this includes pinging and trace
5) After an undetermined period of time the ip is unblocked and we are allowed to access it again.
The ASA 5505 router is the last forward facing stop before entering the VPN tunnel. We have tested by circumventing the ASA and we are unable to duplicate the disconnect. We have reviewed the config file and have not been able to identify what rule/settings could be affecting this.
When tracing port usage, the actions use 2 TCP ports and 1 UDP port. The 2 TCP ports open and close by each transaction; when the IP block occurs the 2 TCP ports are "dead" and the UDP port remains open (apparently sending the remainder of the data packets).
Oct 21, 2012
When we say that ASA 5505 supports 10k connections does it mean that we can have 10k connections to the different websites?
Mar 22, 2012
How do I monitor connections to the DMZ port on our ASA 5505 (via ASDM 5.2)? We have a WAP connected to it and it's intermittently dropping connections.
May 16, 2013
I have an ASA 5505 with Security Bundle license.
I am able to create 2 LAN networks (192.168.9.0 and 172.16.9.0) Vlan1 and Vlan12 respectively. I also setup 2 outside interfaces (outside1 and outside2).
Network 1 (192.168.9.0 - VLAN1) has no issues going out via Outside1, however I can't get Network 2 (172.16.9.0 - VLAN 12) to go thru outside2.
I put in a static route (route outside 172.16.9.0 255.255.255.0 x.x.x.x), the x.x.x.x is the default gateway of my ISP.
Feb 12, 2013
Trying to add inside routes on an ASA 5505 to point traffic to another gateway for other connected networks is resulting in the following error:
6Sep 16200 819:13:5810601510.184.236.1265003810.170.54.1823389Deny TCP (no connection) from 10.184.236.126/50038 to 10.170.54.182/3389 flags RST on interface inside
I believe the problem is due to the asymmetric TCP connection, and the ASA is dropping the connection because it only sees one half of the traffic. Is there a way we can stop the firewall dropping the TCP connections on the inside interface? I've tried removing the threat management, which didn't work. Annoying thing is we're putting the ASA 5505s in to replace old Watchguard SOHO firewalls, only the Watchguards forwarded the traffic no problem at all.
Mar 20, 2011
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
This seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all). Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
Mar 23, 2011
I have a very strange problem on 2 (independent) Cisco 861 routers in different places. They are both configured as EasyVPN servers. One uses UDP, the other TCP. VPN clients connect by using Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:
* the first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.
* the second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However, no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel. I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client. The same seems to happen to any and all other packets as well.
* If I restart the 861 the very same thing happens: first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset.
I append the configuration for sake of completeness. Confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing. [code]
Feb 26, 2011
I have recently been experiencing a problem. This started to occur after I had gotten new internet service and a new router. I now have Comcast, and a new NetGear router. I also have a VOIP phone connected to the router called "AllVoi". Now, whenever I use this phone, all connections on WiFi go down as I am using it. While, when I am using any ethernet connections directly from the router, it works fine. It becomes a large problem when you are watching a video or something from a laptop WiFi connection.
Feb 7, 2013
A short while ago, I had my data backed up onto a new HDD, as the old one was showing signs of failing soon. When I got the computer back, I noticed a problem where I need to constantly hit "Diagnose" in the Wireless Network Connection Status to get my internet working again. When it gets into this stage, several websites continue to work, I don't lose my connection to them. Some websites I can still connect to without a problem. However, many websites, even google, keep giving an error that the host could not be found. It appears that it stops accepting new connections until I reset the wireless card. My Laptop (using wireless) and other PC (Connected directly) have had no issues at all with our wireless router.
Jun 20, 2011
I have a DIR-655 with both wired and wireless connections. Yesterday, network stopped working on one wired machine while using it to surf the internet and a 2nd wired machine has not worked in 3 weeks after moving it from one room to another. Wireless connections are working fine.
-2 wired systems (Windows 7 and Windows XP), both stopped working
-2 wired Xboxes - working fine
-2 laptops, wireless working fine
-1 smart phone, wireless working fine
I've power cycled my DSL modem and DIR-655 multiple times. Power cycled computer multiple times. Tried Win7 built-in diagnostics. Tried setting up static IPs. Tried filling in preferred DHCP server address. Disabled Windows firewall. [code]
Sep 29, 2012
I have been using a TP-Link WR1043-ND for a while now. It is configured as a dumb switch with DHCP disabled. Every other day or so, the device stops taking connections and I cannot access via the IP address. A simple power toggle resets everything immediately. Through this, the LAN connected devices never lose connectivity, I simply am not able to connect wirelessly or access the router via web browser. The only device I connect to the wifi is my phone, so it may actually be more frequently and I do not notice due to my low utilization (and I have 3G so I don't always notice right away if I'm connected). I have a WDTV Live SMP connected to one of the LAN ports and that functions non-stop regardless of the wifi. When the wifi is "down", my phone can see the network and attempts to connect. Sometimes it times out, other times I am repeatedly prompted that the password is incorrect, even though I am POSITIVE that I am entering it correctly. Once I toggle power on the router, the phone connects fine with the stored password.
I have updated to the latest firmware (about a month or so ago): Version: 3.13.12 Build 120405 Rel.33996n. My hardware version is: WR1043ND v1 00000000. The router is connected (via LAN port 1) to a wall drop. My upstairs roommate maintains the gig switch and modem, as well as handling the network admin. I simply am using the router as a switch to provide extra ports and broadcast the network over wifi in my apartment. All that said: I need troubleshooting this router and its configuration before I consider buying a more expensive replacement (and if I go this route, I might add a small switch as well to give me more than 4 LAN ports to work with). I am also considering flashing to DD-WRT before replacing as well to see if that makes a difference in reliability and uptime.
Nov 3, 2012
this issue with my WRT54G2:
- when I open more than 2 or 3 browser windows or anything that accesses the internet, it stops routing
- shutdown and power up make it work again (then it stops again after some simultaneous TCP connections)
- hard reset doesn't work
- WRT54G2 V1 Firmware Version: 1.0.04
May 9, 2011
I have an ASA 5505 which stops pretty early in the boot sequence.
This is all that shows up,
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
[Code].....
Dec 29, 2012
I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting. This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below.
"The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail. Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
May 14, 2012
We are planning on offering low end ASA 5505s as a customer offer to connect their network to our cloud as this is a business requirement. However, one of my colleagues is convinced that the license for the 5505 is *not* based on the number of IPSEC endpoints, but the number of distinct connections via *any* tunnel. So, according to him, if you have a license for 10 IPSEC endpoints, if you have 11 people connecting via *one* tunnel from a customer's network to our cloud, you go beyond your license.
May 17, 2011
Is it possible to configure an ASA 5505 with two internet connections? One dedicated for VPN and the other one for Internet access only.
Feb 5, 2013
I find are steps to turn on SSH access. I have quite a few customers with ASA5510s installed. SSH is set up and working fine on every one. After a period of time, you are no longer able to SSH into the firewall. Using Putty, it just sits there on a blank screen without giving a "denied access" message or a login prompt. Rebooting the firewall will solve the issue and SSH access works again. Today, I had a customer with an active/standby configuration where I had to reboot both of them to be able to log in. Most of my customers are on 8.2 software as most don't want to reconfigure for the new NAT, etc.
I'm sure others have seen this before since it appears to be occurring on almost every ASA that I have access to. Is there any fix to eliminate this or is there something that can be run from the ASDM that will grant SSH access again without just doing a reboot?
Dec 9, 2011
I have to be missing something small in my config. If I upgrade my ASA 5510, which I am routing and NATing off of, from 8.4.1 to 8.4.2.8, SIP stops. All phones go dead.
If I roll back to 8.4.1, SIP comes up... Go back to 8.4(2)8 and SIP goes down...
This is without making any config changes. I have looked at it so long, I must be overlooking something simple.
Sep 1, 2010
I have a Cisco ASA and it frequently stops working. Check the logs given below.
Let me know if this happens because of the commands given below.
threat-detection basic-threat
threat-detection statistics access-list
[code]....
Nov 6, 2012
Over the weekend this router was put into production. SSHv2 is configured and was working fine. Due to some circumstances, we had to avoid configuring any zone-pairs that included the self zone. This of course left the router open somewhat. SSH was secured but of course a few IPs from poorly regulated parts of the world spent the weekend trying to brute force log into the router. No luck it seems. Anyway, SSH continued working, then we set up self zone-pairs (out to self and self to out). As SSH can't be inspected, we did a pass log for each direction. This worked for a bit, then SSH just stopped working. I've seen this happen on 891Ws in the lab here too, so it is not something perhaps done by some unseen DoS attack or something.
Jan 23, 2013
Where a 5510 running 7.2.4 code and being accessed via a web browser, stops initializing the main window at 87%? We can access the box via telnet and the CPU is running at 5%. The other error message is a warning that our OS is not supported by ASDM and we may encounter problems running the application.
Jan 3, 2012
I have a PIX 515e (8.0(2)) and 1841 router (12.4(25)). I had the following setup working without issue:
[Internet] <-----> PIX <-----> 1841 <-----> [LAN]
I then tried to introduce VLANs and now I can not reach the Internet from the LAN. It seems that no nat translations are taking place.
-I can successfully ping the LAN from the PIX.
-I can successfully ping the Internet from the PIX.
-I can successfully ping the PIX inside_lan interface from the router
-I can not ping the outside interface from the router
-I can not ping the Internet from the router
I introduced the LAN side VLAN first and everything still worked. However, once I introduced the VLAN between the router and PIX, things have broken down. [code]