Cisco Firewall :: ASA 5520 / 2911 - TCP Reset-O Message

Oct 30, 2011

Here's the current scenario:
[LAN] <---> ASA 5520 <---> Cisco 2911 <---> [Internet] <---> Server A
Whenever I access a website running in "server A" (only HTTP traffic) everything works fine. The problem is that when I try to access a different service on the same server but listening on port 2000/tcp I get the TCP Reset-O message on the ASA and the workstation's browser says that "Internet Explorer cannot display the webpage".
A weird thing: if I access this service from a machine on the DMZ, it works fine. From the LAN (Inside) it does not work. The main difference is that from the LAN to OUTSIDE the ASA does NAT. From the DMZ to OUTSIDE it's just routed. I did another test from the LAN and the captured traffic is attached. I've been messing around with protocol inspects and firewall + NAT rules on the ASA but no luck at all.

View 5 Replies


Cisco Firewall :: Log Message In ASA 5520?

Jul 14, 2011

I'm seeing a lot of these message in my 5520 ASA.
Deny IP spoof from ( to on interface inside

View 1 Replies View Related

Cisco Firewall :: ASA-5520 - Cannot Hear Outgoing Message

Dec 9, 2009

We have setup the IP phone proxy on our ASA-5520, we had a couple of issues with the initial setup, but nothing major. It has been up and running for a few weeks and basically everything works perfectly just like we designed it except for 1 strange audio issue on outbound calls. We can make a call to anywhere, no problem, if the call is answered, no problem, perfect call setup and good quality 2 way audio. But if the person we called doesn't answer the call and that call goes to their voicemail we loose all audio from that point forward, we do not hear their outgoing message or get any prompts just dead air. The same situation appears to be true for any "recorded" service on the other end of the call.

View 7 Replies View Related

Cisco Firewall :: 5520 - Error Message When Trying To Access ASA (8.0(3)) With Asdm

Aug 26, 2012

When trying to access the asa (8.0(3)) with asdm the console send follwing error message:
vPif_isVpifNumValid: pifNum out of range!
vPif_getVpif: bad vPifNum(0xa6) from 87EBC81 from 83833B4
Have a strong suspicion that it is a hardware failure (since asdm has worked and have tried to restart the box) can not see any errors with any show commands, but could it be a RAM error .

View 1 Replies View Related

Cisco Firewall :: 5520 Dynamic NAT Conversation Ends With Reset-O

May 29, 2013

I've been tracking a conversation on my firewall. I have an inside device that is trying to communicate to a server outside to send data. The conversation is suppose to be all 443. I see that there is a TCP connection made and a dynamic NAT that translates my inside device to the public IP, and appears to change the port to 65415. The problem I'm having is that the conversation ends with reset-O, and I'm wondering if that port has something to do with it, or if it's just that their server is resetting the connection because of an issue they are having? The vendor says no firewall rules are needed for this device to communicate with their server.                

View 4 Replies View Related

Cisco Firewall :: ASA 5520 / Failing To Get To Outside Webpage - Session Being Reset

Jun 5, 2012

I have an ASA 5520 for my firewall. (ver 8.0(4))I have an external hyperlink that works from dsl at home but not from behind my corperate firewall.When I filter my real-time log viewer for this destination address I see the build up and immediate teardown of the session.The log indicates the teardown was initiated from inside.The informational alerts are
Built outbound TCP connection 726440542 for outside: to inside:172.16.x.x/3586 (65.204.x.x/52001)
Teardown TCP connection 726440542 for outside: to inside:172.16.x.x/3586 duration 0:00:00 bytes 77 TCP Reset-I
Reset-I means that something (the firewall or my pc which is the source) is telling the firewall to end the session.

View 2 Replies View Related

Cisco WAN :: 2911 Router - L2C Errors Message

Feb 13, 2011

Im getting flooded with the following messages: Feb 14 10:47:19.740 EST: PLATFORM-5-ECC_MSG: A corrected single bit error has occurred in L2C Data Cache at location 0x294.


View 1 Replies View Related

D-Link DIR-615 :: Connection Reset Message After Changing ISP?

Jan 30, 2011

I just changed my internet provider from DSL to cable.  When I hooked up the DIR-615 I had some difficulties.  At first my computers would all connect to the router but there was no internet connection.  I had to download the latest firmware and install it.  After the install succeeded, everything seemed to be okay.  However, I now occasionally get the message that the connection to the server was reset while the page was loading.  Also, the little world symbol on the router constantly flashes at a rapid rate.  Before the switch, neither of these two things happened.  When I check the download speed it seems fine.  The cable modem is an Arris and also handles my telephone service.

View 10 Replies View Related

Cisco Switching/Routing :: Reset 2911 ISR To Factory Defaults

Feb 7, 2012

I reset my Cisco 2911 ISR to the factory defaults.  I then used the configuration guide to do the initial set-up through the CLI.  I was able to assign IPs to the GE0/0 and GE0/1 ports.  Now I cannot access the GUI device manager at all.  I was able to ping the IP of GE0/0 so I know the adapter took the IP assignment, but still no GUI access.

View 7 Replies View Related

Cisco :: Reset Old TCP Session On ASA 5520?

Jul 20, 2011

how to reset old TCP session on cisco ASA 5520?

View 2 Replies View Related

Cisco Firewall :: 5550 Firewall Syslog Message

Feb 22, 2013

I have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.

View 2 Replies View Related

Cisco Firewall :: 2911 Router Zone Firewall And IP NAT Enable

Mar 20, 2013

I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP so I have designed NAT to use IP Nat Enable commands. This is now working for me fine. However, since utilising IP Nat Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems the detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface. [code]

View 1 Replies View Related

Cisco Firewall :: 2911 Difference Between The Firewall Areas

Oct 4, 2011

I recently inherited a Cisco 2911, that appears to have had Firewall rules imported into Externally Defined Rules. ACL's are currently allowing/disallowing traffic. However, there are no firewall rules configured. To meet compliance we need to have Packet Lavel Inspection (Firewalled) rules. There are two areas in the router, under ACL area, and under Security. What is the difference between these two Firewall areas?Are both areas providing packet level inspection?Can I build Firewall rules (within the Security area) to replace the ACL's?

View 2 Replies View Related

Cisco Firewall :: ASA5525 / Got Warning Message When Configuring Nat On 8.3 And Later

Jun 11, 2013

I'm configuring the nat on a ASA5525 running on 9.1.2 and got 2 questions, 1. Is the below overlap warning message normal and will not cause any issue? 2. Is there a simple way on 8.3 and later to fulfill the same functionality like 8.2 and earlier?
old config on 8.2 and earlier
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1


View 4 Replies View Related

Cisco Firewall :: ASA 305006 - Syslog Error Message

Dec 19, 2011

I keep getting an error message, i've tried several things to resolve it but still no success.This is the exact error message:
regular translation creation failed for protocol 41 src Customer: dst outside: 

View 4 Replies View Related

Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with  ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now cisco want to replace with ASA-5520-K8.

View 1 Replies View Related

Cisco Firewall :: ASA5520 High CPU Usage CTM Message Handler

Jan 20, 2013

I recently reboot my asa 5520, I was trying to remove webvpn listening from my outside nic, even though it wasn't configured. [code]I was planning to do another reload without the fast reload option.

View 1 Replies View Related

Cisco Firewall :: 887VA-W Keep Getting Drop Packet Error Message

Jul 13, 2012

I have an 887VA-w connected at home. I am using ip virtual-reassembly an all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I recieve: [code] I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.

View 6 Replies View Related

Cisco Firewall :: Cat 4500 Translation Creation Failed Message

Aug 1, 2012

Two Vlans (ID1 and 100)are on a Cat 4500, which connects to an ASA, interface DMZ. On 4500, there is default route point to the ASA DMZ interface Issue, server on vlan 100 cannot ping a server on Vlan 1, vice verse. When I enable the realtime log, it gives me a “Translation creation failed” message, please see the attached files.

View 1 Replies View Related

Cisco Firewall :: Error Message Through Connecting To PIX 515e Via Ssh Connection

Sep 17, 2011

i got an error while connecting to my PIX (515e) via ssh connection there is an error message appears (The server has disconnected with error, server message reads: Internal Error) and at the console session at the time time, the following message appears also (process_create: out of memory)

View 1 Replies View Related

Cisco Firewall :: NAT For A Private IP 2911

Dec 20, 2012

We have some Cisco 2911's that we are configuring 2 VPN's ( second is for redundancy) We are pretty confident on the failover VPN setup using SLA monitoring.
One thing we are stuck on is the redundant VPN will be setup over a 3G connection provided by verizon. Verizon issues a Private IP ( 192.168.100.X) the far end device terminating the VPN has a public ip of 183.172.22.XX , what kind of NAT translation do I need to make this work ?  Also does Cisco have any good configuration examples for VPN Failover setups for Cisco 2911's?

View 4 Replies View Related

Cisco Firewall :: Changing Syslog Message 106100 Severity Level?

Mar 5, 2012

I'm fine tuning some of our ASA logging config, and am having an issue with one particular syslog ID.The message is: syslog 106100: default-level informational (enabled)and the log settings are:
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled

This ACE log entry is generated by explicit deny any any statements at the end of all the ACLs, e.g.access-list inside_access_in extended deny ip any any log interval 600 Based on the config, I would expect to see this being logged to the syslog server, but not to the local buffer, but am still seeing them locally in the buffer:

Feb 22 2012 10:58:20: %ASA-4-106100: access-list inside_access_in denied udp INSIDE/HOSTABC(52629) -> OUTSIDE/HOSTXXX(162) hit-cnt 5 300-second interval [0x3baecf1e, 0x0]
It also still shows these as level "warning", %ASA-4-106100, instead of the default %ASA-6-106100 I've tried removing and re-applying the config at different levels but it still reports in the buffer log as level "warning", %ASA-4-106100 This also doesnt affect every 106100 log that is generated. Most messages are generated at the correct level 6 severity but some seem to randomly log at level 4. There doesn't seem to be any pattern to this. The same access-list line can produce severity level 4 and 6 106100 messages.

View 2 Replies View Related

Cisco Firewall :: Error Message When Failover From Standby To Active In ASA5585

Aug 14, 2011

I have two ASA in failover with Active/standby configuration. When I switch from standby to active from the standby ASA I get a lot (like 100) of error messages like these below: [code] The failover works fine and nothing seems to be wrong with the firewalls function.

-Hardware is ASA5585-SSP-10.
-Software version: ASA 8.2(5),

ASA is in multiple mode with 17 active context. Why these error messages appear and what they mean?

View 2 Replies View Related

Cisco Firewall :: 5510 Inspect SIP Dropping Request Message Packets

Mar 17, 2011

I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
I have cross check both firewall configurations, and I do not see anything suspicious commands relating to sip that might cause this issue. Is there any command to troubleshoot why the sip inspection is dropping the sip packets on site-B?

View 15 Replies View Related

Cisco Firewall :: EIGRP Metrics On ASA 2911

Aug 4, 2011

I have two 2911 routers running 15.0(1)M4 in a redundant topology connected to an ASA 5520 firewall running 8.4 version. All gears are running EIGRP. In order to distribute the incoming traffic between the two 2911 routers, I am using 'offset-list out' on them, but in the ASA's routing table I see updates from both 2911 with the same metric, i.e. the offset-list is not working. What are the default metric weights on ASA? How can I change them? I couldn't find any known bug.

View 14 Replies View Related

Cisco Firewall :: Enabling IPS On 2911 Router?

Sep 20, 2012

I enable the IPS  on the 2911 router .  I am using the Basic IPS signatures that are inbulid on the routers . But sill it showing , that no signature is active .
ip ips signature-category
  category all
      retired true 
ip ips signature-category
   category ios_ips basic
      retired false


View 1 Replies View Related

Cisco Firewall :: 2911 - NAT Any Source Address From Internet

Mar 21, 2011

I'm using a 2911 as our Public Internet Edge Router. I have 2 public sub net blocks from Sprint, we are in the process of migrating. What i need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Source Address ==> Destination (nat this to inbound.
So if from the internet tries to hit we want to nat that to both of which sit on our public space.

View 1 Replies View Related

Cisco Firewall :: 2911 - Immediate Gateway Dropped Ping Traffic

Jun 13, 2011

I have a a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic on the opposite direction and a few essential traffic generated externally (such as Outlook web access and E-mail exchanging). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.

policy-map type inspect FWPol_Out-In
class type inspect CCP_PPTP
class type inspect FCMAP_In-Email
class type inspect FCMAP_In-OutlookWebAccess

 %FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default), the immediate gateway would ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic  wasn't generated internally as all InZone>OutZone is inspected.

View 1 Replies View Related

Cisco Firewall :: 2911 - IOS Content Filtering Using Trend Micro

Apr 26, 2012

I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription. Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page [URL] or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
I know I can use the 'parameter-map type urlf policy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect -url') but how to do more with either the built in page or the redirect- url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?

View 1 Replies View Related

Cisco Firewall :: Block Gtalk On New 2911 Security Enabled Router?

May 8, 2010

I want to block gtalk on my new cisco 2911 security enabled router.

View 3 Replies View Related

Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard state full inspection.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

View 1 Replies View Related

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citric Published

Jul 26, 2012

We are using the newest release of AD Agent (, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.

View 17 Replies View Related

Copyrights 2005-15, All rights reserved