Cisco Firewall :: ASA5505 Dropping Packets
Apr 30, 2013
I am having an issue where the ASA is dropping packets on the vlan interfaces. I have it as a dedicated router/firewall for a 100mb connection .
Vlan1 is the internal networkVlan2 is the network to cable modem
Eth 0/1 is connected to a 2960G switch with hard coded 100mb Full Duplex at each end, this is the inside interface. Eth 0/0 is the connection to the cable modem, this is the outside interface, set at auto at both ends.
Im getting on the vlans eg. 51253 packets dropped however network traffic isnt impacted and everything runs fine, as well as 46532 switch ingress policy drops.
Example;
ciscoasa# sh int vlan1Interface Vlan1 "inside", is up, line protocol is up Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec MAC address 70ca.9b36.ab80, MTU 1500 IP address 10.x.x.x, subnet mask 255.255.255.0 Traffic Statistics for "inside": 43250588
[Code]......
View 1 Replies
ADVERTISEMENT
Feb 28, 2012
We have a setup with a MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB. We have now the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG inbetween), but not reliably through the internet. There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address.We opened a case with Microsoft and they told us that not all tcp-syn packets are received by the Exchange server which were sent by the TMG.Thus I sniffed on the ASA with a packet capture and indeed, a lot of syn packets were on the interface to the TMG, but not anymore on the interface to the internal router.This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
Maybe it's dropped in the ASP, or is the capture maybe not valid?Here the show asp drop:
ASA01-Internet# sh asp drop
Frame drop: Invalid TCP Length (invalid-tcp-hdr-length) 1 Reverse-path verify failed (rpf-violated) 319 Flow is denied by configured rule (acl-drop) 477077 First TCP packet not SYN (tcp-not-syn) 10212 TCP data send after FIN (tcp-data-past-fin) 41 TCP failed 3 way handshake (tcp-3whs-failed) 824 TCP RST/FIN out of order (tcp-rstfin-ooo) 1419 TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6 TCP SYNACK on established conn (tcp-synack-ooo) 1 TCP packet SEQ past window (tcp-seq-past-win) 821 TCP invalid ACK
[code]....
View 9 Replies
View Related
Aug 21, 2012
I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
!
version 12.4
no service pad
[Code].....
View 1 Replies
View Related
May 23, 2011
I am attempting to FTP to a remote site through a IPSEC tunnel.When I am transfering large files the ASA5540 is showing syslog errors stating "connection timeout". What I think is happening is after about 1 hour the firewall is closing the connection control port for the FTP session and neither end is notified so eventually the transfer is stopped.What do I need to modify in the FW to accommodate these larger files?
View 1 Replies
View Related
Mar 17, 2011
I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
I have cross check both firewall configurations, and I do not see anything suspicious commands relating to sip that might cause this issue. Is there any command to troubleshoot why the sip inspection is dropping the sip packets on site-B?
View 15 Replies
View Related
Jun 23, 2011
6Jun 24 201118:08:44209.85.213.5458623174.141.xx.xx25Deny TCP (no connection) from 209.85.213.54/58623 to 174.141.xx.xx/25 flags RST on interface outside I am getting this error in my asdm logs whenever I try to send an email with an attachment. Regular email go through fine. If I send a 1mb file it seems to go through after several attempts. If I send a 5mb file it might go through anywhere between 4-15 hours. It doesn't matter where I send from. Sometimes it will say ACK or RST ACK on interface instead of RST. The ASA is running 8.3.1 code. I have tried inspect ESMTP and removed it, tried sysopt connection timewait. I am at a loss.
View 1 Replies
View Related
Jan 10, 2013
we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.
View 15 Replies
View Related
Dec 13, 2012
I have a NAT setup. Some of my udp packets are dropping. How to find more about the NAT to find whether it missed anything or not. the router is 3945e. [code]
View 3 Replies
View Related
Aug 1, 2012
I have ASA 5510 with 8.4 connected to ISG 1000, when traffic is passing the VPN tunnel is working fine, when the traffic stops, ASA will drop the packet but the VPN tunnel on ISG still up .When new traffic started from ISG side, it will drop, as the tunnel is not up on ASA side.
View 2 Replies
View Related
May 29, 2012
We have a cisco 800 series router between the internal network and the WAN. the problem is we are unable to receive some of our mail due to dropped packets by our router. the conversation between the two servers stops at the point were our server responds with the command 250 2.1.5 user@mydomain.com | 354 Start mail input; end with . i was able to trace the packet, using Packet Export, on the internal interface but not on the external interface. Also i have noticed that the external interface has about 160,000 unknown protocol drops while the internal interface has 0.
Is there anyway to find out way the external interface is dropping the packets.
View 4 Replies
View Related
Apr 10, 2012
We have a customer who we sent to Cisco to replace some aging Dell switches. They purchased 5 SG300-52’s for 2 different networks. Their production LAN has 2 “live” switches and 1 spare. The 2nd, a development LAN has 1 switch and 1 spare. Their primary production SG300-52 has GE1-8 VLAN’d off as VLAN2 for public IPs. The untrusted (WAN) interfaces of 2 x ASA-5510’s, 1 x ASA-5505, and 2 x RV082 v2’s are connected to GE2-6. GE1 is the uplink to the co-location center’s Cisco switches. GE7 & 8 are spare ports. Each SG and device port is hard coded for 100/Full.
One of the ASA-5510’s and the ASA-5505 maintain a site-to-site VPN (the development LAN used to be in a different facility hence the VPN). Recently the developers have stated the performance is horrible. I noticed ping traffic loss from PCs on the dev side to servers on the production side in the order of 20-30%. I assumed it was a VPN issue so I opened a ticket with Enterprise TAC (all the ASAs and the SGs have either SmartNet or extended support contracts). TAC determined the problem happened even if you ping from inside the ASA to the untrusted side of the other ASA thus eliminating the VPN as the culprit.
The 2nd ASA-5510 has the AIP module and was not even live until this weekend. Turning it up and giving it a basic config returned the same results. #ping x.x.x.x repeat 100 will drop 20-40 packets. I have no security enabled on the SGs and even tried using the spare SG300-52 this weekend in place of their primary with the same result. I’m to the point of returning one of the Dell switches to production, but this cannot be a good sign. I’m also a bit frustrated that I’ve yet to figure out how to get Cisco Enterprise to speak with Cisco Small Business on this. The customer has over $10k invested in Cisco equipment and Cisco isn’t jumping in to figure this out.
The latest rep wants a packet capture from the SG300’s VLAN2 but there are no PCs there to do this with and the manual doesn’t even talk about doing this. How we can do this as well as get the 2 divisions working together to fix this? BTW, the RV082’s exhibit the SAME exact problem. I can ping from ANY device on VLAN2 to any other device and drop packets. Copying a simple 1MB file over the VPN can take minutes where it should take 1 second. I can reproduce this for 24/7.
View 8 Replies
View Related
Feb 14, 2013
It appears we might have an issue with our RV082 (v4.2.1.02) dropping packets during the teardown of many TCP conversations. I have attached two packet captures of what I believe is the same conversation. One is from outside the router (Wireshark using an Ethernet Tap) and the other is from the client inside the router (SLES11SP2 running TCPDump). These are both very small captures 9 packets and 18 packets and I'm hoping it will identify the problem.
It appears that the RV082 is prematurely closing the natted port used to communicate with the host outside the network. The host sends a FIN, ACK packet, to which the client responds with an ACK, However, when the client then sends his FIN,ACK sequence, it never makes it outside the router. The client sends a total of 9 FIN,ACKs trying to contact the outside server, but none of those appear to make it through the router.
Is the router slamming the door prematurely? (I've been fighting with this problem for 3 weeks now!)
Inside Capture:
----------------------
No. Time Source Destination Protocol Length Info
1 2013-02-13 19:32:37.827942 192.168.1.45 38.113.116.214 TCP 76 35975 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=635644783 TSecr=0 WS=128
[Code].....
View 19 Replies
View Related
Dec 12, 2012
We have a Cisco ASA and recently purchased a cisco small business srp527 router. It is connected to our ADSL2 connection and is working fine. I have configured the device with an ipsec tunnel using an ike profile and the tunnel is created successfully with packets traversing the tunnel. However packets are being dropped intermittently, with no cause. The link is currently not being utilised, there is no load on the network however when I ping Google and any address subject to the rules of the tunnel i notice that a single packet is dropped every now and then.
View 0 Replies
View Related
Dec 15, 2011
I seem to be having an issue where certain very packets are being dropped/lost by my office router. The reproducible situation is, when I attempt a DNS zone transfer from my linux bind DNS server (A.A.A.A) to any server on my network behind NAT (Y.Y.Y.Y) the first packet (Seq 1) of the response is lost. The client making the query asks for first packet (Seq 1) to be resent, and the DNS server attempts to resend it repeatedly, but those are lost too.
View 10 Replies
View Related
Dec 26, 2012
We have a customer who uses about 20 x c2960's switches for access layer and 2 x c3560e for distribution layer. C2960's uses C2960-LANLITEK9-M , Version 12.2(58)SE1. Everything was working fine. Now we got information, that sometimes there are problems with connectivity. Customer tries to reach internet.
SW11#sh int fa0/18
FastEthernet0/18 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is e8ba.806a.4412 (bia e8ba.806a.4412)
[Code].....
View 7 Replies
View Related
Aug 6, 2012
I am trying to find a solution using modular QOS when there is congestion in circuit we drop packets with WRED which are marked with a DSCP value of say AF21. I can drop those traffic completely in case of congestion. I was thinking to allocate 100% bandiwth to rest of the traffic.
View 1 Replies
View Related
Mar 27, 2012
I bought a DIR-655 a less than a year ago on amazon, and it was working great up until about 4 weeks ago. Ive noticed that it has been dropping alot of packets while I am gaming on my computer. I would run about 95-98 ping usually and now it jitters every 5-10 mins or so from 95-98 to up to 500. It is really troublesome during games and I dont know what to do. Ive tried disabling QoS and still nothing. I run on wireless G and N with auto 20/40 mhz. Standard WPA(personal) and it was running absolutely great until now. I know its the wireless because I have hardwired it into my laptop, both from the router and just the modem itself with no problems whatsoever. I dont know what to do about it.
View 3 Replies
View Related
Jul 26, 2012
I have a ACE module A2(3.5) installed, I am having a connectivity problem between two servers in my network. I have captured some traffic on different points in my network and from capture it seems like the problem is with this ACE module or somehow it is closing the connection.
View 6 Replies
View Related
Jul 24, 2012
My E3000 has about 60% packet loss if the channel selected is anything other than 1. I can't enable 5GHz or even 40mhz 2.4GHz channels without dropping 60% packets.
View 9 Replies
View Related
Jan 9, 2013
I recently installed DHCP snooping on a 3750v2 switch (Version 12.2(55)SE4) and configured the uplink(Po2) as a trusted port. The problem is that clients cannot receive an IP address. When I disable DHCP snooping it is working properly. DHCP snooping is configured correctly but I don't have an idea how to resolve it. [code]I tested the solution on the same kind of hardware switch and firmware and it worked out fine. What is causing the clients not to receive an IP address from the DHCP server?
View 10 Replies
View Related
May 9, 2013
We have a remote site that is using 3750X switches as layer 2 switches back to our home site. The uplink port is showing dropped packets but the utilization on the link is never about 10%. We have a 100Mb circuit to this site. Our speed tests and iperf tests are not showing any issues that we can see. However the port is still droping packets. It is not dropping at a high rate but they are dropping.
switch#sh platform port-asic stats drop gi1/1/4
Interface Gi1/1/4 TxQueue Drop Statistics Queue 0 Weight 0 Frames 0 Weight 1 Frames 0 Weight 2 Frames 0 Queue 1 Weight 0 Frames 52876 Weight 1 Frames 2 Weight 2 Frames 0 Queue 2 Weight 0 Frames 0 Weight 1 Frames 0 Weight 2 Frames 0 Queue 3 Weight 0 Frames 0 Weight 1 Frames 0 Weight 2 Frames 1330874 Queue 4 Weight 0 Frames 0 Weight 1 Frames 0 Weight 2 Frames 0 Queue 5 Weight 0 Frames 0 Weight 1 Frames 0 Weight 2 Frames 0 Queue 6 Weight 0 Frames 0 Weight 1 Frames 0 Weight 2 Frames 0 Queue 7 Weight 0 Frames 0 Weight 1 Frames 0 Weight 2 Frames 0switch#
Is there a way to capture these dropped packets to see what they are? We do have VOIP phones at the site and are using Qos.
View 5 Replies
View Related
Dec 29, 2010
We are testing a new 1Gbps WAN circuit between 2 sites. We have cisco 3750 and 4507 on each end. Every time we run extended ping sweep ranging from 36 to 18024 bytes the packets are being dropped randomly once the size goes above 1500 bytes. Our ISP claims Demark to Demark test are clean and they don't want to acknowledge the problem, they blame our switches. To prove the problem is not on our end we've put different switches at each end, still facing the same issue. Ping success rate is around 98 to 99 percent.
View 11 Replies
View Related
Oct 13, 2011
I am trying to use my WRT120n as access device for an IP Centrex service using SIP protocol. My SIP phone is located right behind the router.My problem is sometimes the router is dropping incoming calls because signalling packets are fragmented at IP level. So I cannot receive those calls.Is there a way to enable the router to accept these packets?
View 9 Replies
View Related
Sep 20, 2012
I have a site to site VPN. Every few days my site stops transmitting data to the remote site but I do receive data from the remote site. Only way to fix it is to rebuild the tunnel. I dont have any idle time set for the vpn. so not sure why the tunnel keeps going down. I have a ASA 5505 running 7.2 (3) IOS.
View 5 Replies
View Related
Feb 24, 2011
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
View 2 Replies
View Related
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies
View Related
Jul 14, 2011
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies
View Related
Jan 9, 2013
Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2 -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3. Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
View 2 Replies
View Related
Sep 26, 2012
I am trying to configure my ASA 5545 firewall in area 0 but when I do so, the neighbor relationship never establishes. A debug on OSPF gives only one response: [code] Why the ASA is ignoring the input packets?
View 4 Replies
View Related
Jun 9, 2013
I happen to noticed the FWSM was dropping packets at about 387 packets every 5 minutes. My outside FWSM is WAN facing and has a 1gig link (35% utilized) my inside facing has about 100 downstream switches to the closets. I do not see my 6509's back plane is being over utilized and my understanding of the FWSM show be go for 5 gig so it isn't oversubscribe. Why i am seeing packets dropped?
[Code] ......
View 2 Replies
View Related
Mar 13, 2013
My config:
Windows 7 host
MS Loopback Adapter with ICS
GNS3
ASA 8.42 with ASDM 6.4
Vmware Workstation 7 with Windows XP SP3 vm
All are working like a charm, from my virtual XP machine I can ping every site, e.g. www.google.com which replies nice with it's ip-address.
However, I cannot reach ANY website
When I connect through a Cisco 3700 router the webbrowser works perfect, so it must be something in the ASA configuration (I presume )
I've tried about all possible Access Rules, but still nothing.
View 13 Replies
View Related
Apr 1, 2013
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
View 4 Replies
View Related
Sep 25, 2012
We've had this firewall in place for years, and there haven't been changes to it in the past few months. Last week, however, we started having problems accessing one of our networks through the PIX, and after working with Microsoft, we determined it was an MTU issue. The maximum sized packet to the PIX and through the PIX is 1020 bytes, and it doesn't matter if the packets are sourced from a server or the PIX itself. From the server, we can ping 1500 byte packets to the core switch with no issues. All interfaces are set for 1500 byte.
View 1 Replies
View Related
