Cisco Firewall :: ASA 8.4 TCP With RDP Server 5.2 Usage Only
Feb 16, 2013
I decided to migrate to ASA 8.4(5) from 7 and everything went very well with the exception of this one issue. All ACL and NAT for our various remote desktop servers work perfectly as long as the servers are running an RDP server version greater than 5.2. For instance, Server 2008 machines (or Win 7 Pro desktops) work perfectly as configured; however, Server 2003 machines (or WinXP Pro desktops) will not. I'm using manual, static NAT for the object to avoid automatic NAT issues.
The client computer displays the non-Vista warning message, "The identity of the remote computer cannot be verified...", but then fails to properly connect, stopping at the "Configuring remote session..." status message. The ASA log shows that it built the TCP connection, then it displays a teardown with reason TCP Reset-I.
I can use a working ACL and NAT (using default TCP 3389 for instance) with a Server 2008 at IP 192.168.15.10 and move a Server 2003 machine to that same IP without touching any configuration at the firewall and it fails. Move the Server 2008 machine back to that IP and it works perfectly (both set at Port 3389 of course).
Here is the relevant info from the config that I am using for this:
------------------------------------------
object network RDPServer
host 192.168.15.10
object service RDP
service tcp source eq 3389
access-list out2in line 1 extended permit tcp any object 192.168.15.10 eq 3389
nat (inside,outside) 1 source static RDPServer interface service RDP RDP
------------------------------------------
The above works perfectly as long as a Server 2008 machine is at the IP, but fails with a Server 2003 machine at the IP.
I am trying to set up a VPN server on my router at home so that I can access my network remotely. The router has f0/0 as a DHCP interface connected to a cable modem. I have a switch card in it and VLAN interfaces for my inside/private subnets. I NAT/PAT the inside VLAN interfaces/subnets to the f0/0 DHCP address from the cable modem. I have found a ton of configs for this but nothing that shows it with a NAT setup. I have used a few examples I found that are close to my setup. I am able to connect and the Cisco lock closes, but I am not able to do anything. When checking the Cisco client stats, the sent numbers keep counting up but the received number stays at zero. Any good config that I can use, or a good link? I am also running CME on this router.
However, recently when I check my internet usage log with my wireless company (Rogers), the usage is totally off from what my bandwidth tracker shows me. So I decided to turn off my wifi and see what happens: there has always been this weird wifi connection appearing whenever my wifi appears, and afterwards, when I turn off my wifi, the suspicious wifi connections disappear. Is it possible that someone is using our wifi? I might just be overreacting, but it has brought me to concern that if the usage continues my family will end up paying over $30 for extra internet use. It is very frustrating because when I check my DHCP client table it only shows 3 connections: ethernet - my desktop, which is not turned on, and 2 wireless connections - my laptop and my sister's laptop.
I am currently working with an ASA 5585 with several contexts. What is the percentage of the CPU used per context? I already have the opportunity to do it for the whole ASA (context admin) using the SNMP MIB CISCO-PROCES but, unfortunately, this MIB doesn't allow us to know the percentage of used CPU per context.
I was able to know the number of core used per context but not the percentage of the CPU used.
Our company's Cisco ASA 5520 CPU usage drastically increased up to 93% after installing the antivirus our company purchased. Upon entering the show commands, whose results I will post later, it shows that the "Dispatch Unit" is very high. I tried to clear the conn of each IP address that has very high bytes, but nothing happened.
INTFW(config)# show proc cpu-usage sorted non-zero
PC       Thread   5Sec   1Min   5Min   Process
081aa324 6bdaf870 81.3%  81.5%  81.4%  Dispatch Unit
One of our firewalls - Cisco ASA 5550 8.4.3 - has got a problem. Our monitoring system requests the CPU usage on the box and from time to time we get an error. It was now possible to catch the error message - the output of show cpu usage looks like the attached picture. We did not find anything in the known bugs nor in the "Resolved Caveats in ASA Version 8.4(4.1)".
I'm running ASA 8.0(3) on an Active/Standby failover pair. Last night I realized the CPU usage of my production ASA was 99%; on the ASDM Firewall Dashboard I can see counters like this:
Dropped Packet Rate (ACL Dropped) = 6000+ (more than 6 thousand) Scanning Attacks = 18600+ (more than Eighteen thousand)
I went on the ASDM and checked the Real-Time Log Viewer and I have about 30 entries per second of these:
4 Oct 19 2011 11:35:12 401004 Shunned packet: 10.64.10.1 ==> 10.64.0.1 on interface NewLAN
I have an ASA 5520 with a CSC-SSM module. The problem is that when I am logging in to my ASDM, on the content security monitoring it shows the CPU and memory at 100% (CSC), but when I directly connect to the CSC-SSM module it comes down. So is it a problem with ASDM, Java or CSC?
I have configured an ASA 5510 and a 2960S 48-port switch in a lab environment. I have two laptops connected to separate subinterfaces with Server 2003 as DHCP server for one network. Everything has been working fine as we have been testing the ASA while also testing the CSC-SSM module. When we came in today we noticed the CSC module CPU is running at 100% constantly and HTTP traffic is extremely slow. I have not yet received my SmartNet contracts from the vendor or I would open a TAC case, and I have read on the net that this is a common problem.
I recently rebooted my ASA 5520; I was trying to remove webvpn listening from my outside NIC, even though it wasn't configured. I was planning to do another reload without the fast reload option.
I have an ASA that just started to reboot throughout the day yesterday. It seems to happen every few hours but not in a pattern. Right before it reboots there is a flood of syslog ID 305006 messages "portmap translation creation failed for tcp src inside:xxx dst outside:xxx"; the xlates go from around 2-3k to about 30+k, then it crashes. Memory usage is already pretty high normally on this device (about 75% used); CPU is around 15-20%. I notice that the portmap translation errors are always from 3 inside hosts.
Today I upgraded my Cisco ASA 5505 ASDM from version 6.34 to 6.41 because of some problems on the old version with NetFlow. But now when I switch to the dashboard I cannot see the "Top Usage" tab. That was quite useful for me. It simply disappeared.
Can I somehow configure which tabs are displayed on the dashboard? I really need that one and I do not want to downgrade :/
I've multiple FWSMs running. The funny thing: When I do a "show resource usage" I have one blade showing a "Conns [rate]" and "Syslogs [rate]" values and one blade isn't.
All modules are running the same software version 3.2(10). And the even funnier thing is: on one blade I have different output for all the contexts on it. What's the reason for that behaviour? A bug?
I seem to get conflicting information on using the Management port as a regular routed interface on the ASA 5510. The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.
I'm having a problem with the memory and also with trying to create some rules on the Cisco ASA. The version I had installed was 8.2.5.33 on a Cisco 5520 with 512 MB RAM; the memory usage is at 99% used, 1% free, and because of that, when I try to create a new rule the firewall gives me the following error. So what I did was a downgrade to version 8.2(4)4 and the memory went down a little (82% used, 18% free), but I still get the error when I create an access rule on the device. One thing, and I'm not sure if this could affect performance, is the number of access lists and object groups that are created.
I already opened a case with Cisco TAC and they are checking if the problem is with the memory capacity or maybe a memory leak. Also, the doubt I have is with the memory I have available now: should I be able to create access rules, or is 82% still too high to create a rule or an object group?
I'm using an ASA 5510 and I try to understand how PAT is working. I want to add a Mail Server in the LAN and a webmail using port 3000 on the server (webmail must be reachable from the WAN). This is my configuration: currently LAN users access the internet using NAT with one global IP (194.x.x.69), which is the ASA WAN interface.
WAN ----- ISP Router ---------- FW ---------- LAN -------- Mail Server + Webmail | (25) | (3000) 194.x.x.69 192.168.1.254 192.168.1.6
I need to forward port 3000 and port 25 from outside to inside. For example, from the WAN, [URL] must be redirected toward 192.168.1.6:3000. What is the correct configuration? And what about the inside/outside traffic, is there any configuration to add?
We have a Cisco ASA 5505 with ASDM 5.2. We have one proxy server in our local lab pointed to a hosted service (Simple Signal). The issue is, when our proxy server sends a REGISTER to the hosted server, the ASA changes the private IP and posts with the outside IP and src port 1063 every time.
Here is debug log on real time monitoring.
Aug 24 2011 05:21:19 302015 203.xxx.xxx.226 192.168.1.51 Built outbound UDP connection 3774 for outside:203.xxx.xxx.226/5060 (203.xxx.xxx.226/5060) to inside:192.168.1.51/27014 (99.119.161.107/1142)
Aug 24 2011 05:21:19 607001 203.xxx.xxx.226 Pre-allocate SIP Via UDP secondary channel for inside:192.168.1.51/27014 to outside:203.xxx.xxx.226 from REGISTER message
Aug 24 2011 05:21:19 710005 203.xxx.xxx.226 99.xxx.xxx.107 UDP request discarded from 203.xxx.xxx.226/5060 to outside:99.xxx.xxx.107/1063
Here 99.xxx.xxx.107 is our ASA outside IP address and 203.xxx.xxx.226 is the hosted server IP address. My ASA config is attached.
We want the inside host to get an IP from subnet 192.168.10.0/24. This IP pool is configured on the DHCP server (IP 172.16.10.1), which is connected to ASA2. There is no routing issue, as we are able to ping the DHCP server 172.16.10.1 from ASA1. What config is needed on ASA1 and ASA2 so that a host connected to the ASA1 inside interface can get an IP from the DHCP server? We have configured 192.168.10.1/24 on the ASA1 inside interface, which will be the gateway for the inside hosts of ASA1.
I recently made a fresh install of LMS 4.1 and added all of our devices (about 400 devices). After configuring all jobs and services everything ran fine. After a few days a guy from the server team called me and told me that the CPU usage had increased over the days. I made some investigations and found out which process is using CPU resources. Whenever ANIServer is running and collecting data, CPU is running at approx. 100%. At first it takes only a few minutes to complete, but after some cycles it takes more and more time to complete; after a week it takes more than 4 hours. After restarting the ANIServer process it again takes a few minutes, and then the duration increases.
Server specs:
Windows Server 2008 R2 64-bit
VMware ESX
4 CPUs @ 2.93 GHz
6 GB RAM
I've recently swapped out an old PIX firewall for a new ASA 5505 and have been trying to match the configs as best I can. However, I still can't ping the new firewall from the server and it still won't let them serve out. The firewall exists on a separate VLAN (vlan30), but the previous PIX never seemed to care about that. I'm wondering if that might be part of the problem.
I have a simple query for the issue I'm facing currently. I have, at a remote site, a PIX firewall which is configured to be SNMP-polled by a server located outside via a site-to-site VPN. There is another SNMP server located inside, which I'm not managing.
========================================================================
Below are the commands for SNMP configured on the PIX:
snmp-server host inside x.x.x.x community XXXXX   ---This is not managed by us
snmp-server host inside x.x.x.x community XXXXX
snmp-server host outside y.y.y.y (private IP tunneled through VPN) poll community YYYYY   ---Managed by us
snmp-server host outside y.y.y.y poll community YYYYY
There are 2 SNMP communities and servers defined in the snmp-server host command for 2 different IP addresses belonging to the SNMP servers, and we can only define one global snmp-server community for any one of them. The question is how the SNMP community takes precedence. Currently I am able to ping from my SNMP server outside to the PIX firewall outside interface over the L2L VPN, but somehow the SNMP server is not listening when I do a port query on port 161!
Do I need to create 2 objects for NATing a server to 2 different interfaces? That is, an inside server published in two different DMZs. Automatic migration to 8.3 creates 2 objects (one for each NAT). Can I do the same with only one object, like this, or do I need an object for each NAT?
When a physical switchport/routed port has high usage, you can move the link to a higher capacity port, upgrade the port, bond links, etc. What exactly do you do when an SVI has high usage? I guess you could remove some servers from the VLAN, but that doesn't seem like a reasonable solution. What dictates the capacity of an SVI? The backplane of the switch?
I have a problem I am running into... I replaced a 2621 with a 2911. The 2911 has three interfaces and I need to use all of them... Description:
gige0/0: DHCP static IP from ISP, public IP; they assign me 4 more usable public IPs
gige0/1: broken into four VLANs, 108, 109, 120, 127; ip nat on 109 for them to get to the internet, and a static translation on 127 for the phone system to get to the internet
gige0/2: assigned another public IP. A tenant has a Linksys router on this interface; they want a public IP.
The problem is that this setup worked, but when we moved to the 2911, some NAT translations are failing, and we would like to figure out how to minimize the number of public IPs we use (right now it is three + the static assigned DHCP). The NAT that is not working is the NATs to the 2001-3001 range. I am not sure why it is failing, but the router seems to indicate it thinks some of these overlap. This router is also doing a VPN to an ASA... that seems to be working fine.
Current config:
Current configuration : 6072 bytes
!
! Last configuration change at 14:31:44 UTC Thu Aug 2 2012
! NVRAM config last updated at 14:31:50 UTC Thu Aug 2 2012
I have an 1841 router plugged into a 100M Comcast ethernet connection. My router CPU is really high and users' download speed isn't as high as before. Can an 1841 handle a 100M circuit with 100 users on it? What would cause the router's CPU to be high? I don't think there are any viruses or malware on the LAN.
#sh proc cpu his
r2.leaguecity-toy-startoy 06:06:26 PM Wednesday May 30 2012 PST
(the CPU history graph that followed did not survive extraction)
6504 Sup720 ----Dot1q Trunk---- 6504 Sup720
VPN SPA VLAN 20,30 / VPN SPA VLAN 20,30
Normal VLAN 10,40 / Normal VLAN 10,40
Every 18-24 hours the 6500s go to 100% CPU; the workaround is to reboot one of the switches. Then they will run 18-24 hours. The fix was to only trunk VLAN 10,40 (networks that needed to see each other) between the switches. If the VLANs that the VPN SPA was on were trunked, every 18-24 hours the 6500s would go to 100% CPU. Simple design, GRE IPsec tunnels that work fine and the latest SXI code. It appears that if you trunk the VPN SPA VLANs and they are the same VLAN, it goes into some kind of bridging loop. No errors. Just unresponsive.
1. My CAT 4510 switch is showing 99.9% CPU usage almost throughout the day. After some analysis I saw that the "Cat4k Mgmt LoPri" process has 86% CPU utilization. This process is a package that includes multiple processes.
2. Within this package, two processes have been identified which are causing this shock: "K5L3Unicast Adj Tabl" and "K5 L2 Hardware Addre".
3. This indicates that some heavy activity is going on in the CEF adjacency table and RP MAC address table. My current IOS version is 12.2(53)SG and I want to upgrade this to 12.2(53)SG1.
Can anyone tell me if this will solve the issue and how clean 12.2(53)SG1 is of bugs?
This switch is currently the gateway of my network, configured for GLBP with another CAT 4507 switch. That switch is normal and showing only 37% CPU usage.
I will attempt to make it simpler this time. I have a gateway-to-gateway VPN tunnel set up using two RV042 routers. I have been using this gateway for years without any issues. The computers on each side of the tunnel were Windows XP. I also use RealVNC Enterprise Edition on each computer for easy access to their desktops and applications. I have added two new Windows 7 Pro computers on each end of the tunnel.
The problem is with the two new Windows 7 computers. I am able to connect from a new Windows 7 computer to a Windows XP computer located on the opposite side of the tunnel fine with RealVNC. If I connect using the same Windows 7 computer to a new Windows 7 computer on the opposite end of the tunnel the connection will disconnect after a few seconds. I have disabled Symantec Endpoint Protection 11 and even upgraded it to version 11.0.6300. I also installed the most up to date driver for the Intel 82579V network adapter on the ASUS P8P67 Deluxe motherboard.
I attempted to install Cisco's QuickVPN for the RV042 with no luck on that. The certificates that the router uses do not work in the Trusted Root Certification Authorities\Certificates folder. So I gave up on that approach. All efforts to possibly bypass the problem have failed. There is something with the two Windows 7 computers communicating through the tunnel that does not happen with the Windows XP computers.