Cisco Firewall :: ASA5505 Dropping Packets

Apr 30, 2013

I am  having an issue where the ASA is dropping packets on the vlan  interfaces. I have it as a dedicated router/firewall for a 100mb connection .
 
Vlan1 is the internal networkVlan2 is the network to cable modem
 
Eth 0/1 is connected to a 2960G switch with hard coded 100mb Full  Duplex at each end, this is the inside interface. Eth 0/0 is the  connection to the cable modem, this is the outside interface, set at  auto at both ends.
 
Im getting on the vlans eg. 51253 packets dropped however network  traffic isnt impacted and everything runs fine, as well as 46532 switch  ingress policy drops.
 
Example;
 
ciscoasa# sh int vlan1Interface Vlan1 "inside", is up, line protocol is up Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec MAC address 70ca.9b36.ab80, MTU 1500 IP address 10.x.x.x, subnet mask 255.255.255.0 Traffic Statistics for "inside": 43250588

[Code]......

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 8.2.4(4) Seems To Be Dropping Valid TCP SYN Packets?

Feb 28, 2012

We have a setup with a MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB.  We have now the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG inbetween), but not reliably through the internet. There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address.We opened a case with Microsoft and they told us that not all tcp-syn packets are received by the Exchange server which were sent by the TMG.Thus I sniffed on the ASA with a packet capture and indeed, a lot of syn packets were on the interface to the TMG, but not anymore on the interface to the internal router.This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
 
Maybe it's dropped in the ASP, or is the capture maybe not valid?Here the show asp drop:

ASA01-Internet# sh asp drop
Frame drop:  Invalid TCP Length (invalid-tcp-hdr-length)                                  1  Reverse-path verify failed (rpf-violated)                                  319  Flow is denied by configured rule (acl-drop)                            477077  First TCP packet not SYN (tcp-not-syn)                                   10212  TCP data send after FIN (tcp-data-past-fin)                                 41  TCP failed 3 way handshake (tcp-3whs-failed)                               824  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 1419  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                             6  TCP SYNACK on established conn (tcp-synack-ooo)                              1  TCP packet SEQ past window (tcp-seq-past-win)                              821  TCP invalid ACK

[code]....

View 9 Replies View Related

Cisco Firewall :: 871 - Default Class Map Is Dropping All Packets

Aug 21, 2012

I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
 
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
 
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run

Building configuration...
  
Current configuration : 8005 bytes
!
version 12.4
no service pad

[Code].....

View 1 Replies View Related

Cisco Firewall :: ASA5540 Dropping Packets On Large FTP Transfer

May 23, 2011

I am attempting to FTP to a remote site through a IPSEC tunnel.When I am transfering large files the ASA5540 is showing syslog errors stating "connection timeout".  What I think is happening is after about 1 hour the firewall is closing the connection control port for the FTP session and neither end is notified so eventually the transfer is stopped.What do I need to modify in the FW to accommodate these larger files?

View 1 Replies View Related

Cisco Firewall :: 5510 Inspect SIP Dropping Request Message Packets

Mar 17, 2011

I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
 
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
 
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
 
I have cross check both firewall configurations, and I do not see anything suspicious commands relating to sip that might cause this issue. Is there any command to troubleshoot why the sip inspection is dropping the sip packets on site-B?

View 15 Replies View Related

Cisco Firewall :: ASA5505 Dropping TCP Connections For Email With Attachments?

Jun 23, 2011

6Jun 24 201118:08:44209.85.213.5458623174.141.xx.xx25Deny TCP (no connection) from 209.85.213.54/58623 to 174.141.xx.xx/25 flags RST on interface outside I am getting this error in my asdm logs whenever I try to send an email with an attachment. Regular email go through fine. If I send a 1mb file it seems to go through after several attempts. If I send a 5mb file it might go through anywhere between 4-15 hours. It doesn't matter where I send from. Sometimes it will say ACK or RST ACK on interface instead of RST. The ASA is running 8.3.1 code. I have tried inspect ESMTP and removed it, tried sysopt connection timewait. I am at a loss.

View 1 Replies View Related

Cisco Firewall :: ASA5505 Appears To Be Dropping Traffic For Internal Network?

Jan 10, 2013

we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.

View 15 Replies View Related

Cisco WAN :: 3945e Udp Packets Are Dropping

Dec 13, 2012

I have a NAT setup. Some of my udp packets are dropping. How to find more about the NAT to find whether it missed anything or not. the router is 3945e. [code]

View 3 Replies View Related

Cisco VPN :: VPN To Juniper ISG 1000 Dropping Packets

Aug 1, 2012

I have ASA 5510 with 8.4 connected to ISG 1000, when traffic is passing the VPN tunnel is working fine, when the traffic stops, ASA will drop the packet but the VPN tunnel on ISG still up .When new traffic started from ISG side, it will drop, as the tunnel is not up on ASA side.

View 2 Replies View Related

Cisco WAN :: 800 Router Dropping SMTP Packets

May 29, 2012

We have a cisco 800 series router between the internal network and the WAN. the problem is we are unable to receive some of our mail due to dropped packets by our router. the conversation between the two servers stops at the point were our server responds with the command 250 2.1.5 user@mydomain.com | 354 Start mail input; end with . i was able to trace the packet, using Packet Export, on the internal interface but not on the external interface. Also i have noticed that the external interface has about 160,000 unknown protocol drops while the internal interface has 0.

Is there anyway to find out way the external interface is dropping the packets.

View 4 Replies View Related

Cisco Switches :: SG300 Is Dropping Packets?

Apr 10, 2012

We have a customer who we sent to Cisco to replace some aging Dell switches. They purchased 5 SG300-52’s for 2 different networks. Their production LAN has 2 “live” switches and 1 spare. The 2nd, a development LAN has 1 switch and 1 spare. Their primary production SG300-52 has GE1-8 VLAN’d off as VLAN2 for public IPs. The untrusted (WAN) interfaces of 2 x ASA-5510’s, 1 x ASA-5505, and 2 x RV082 v2’s are connected to GE2-6. GE1 is the uplink to the co-location center’s Cisco switches. GE7 & 8 are spare ports. Each SG and device port is hard coded for 100/Full.
 
One of the ASA-5510’s and the ASA-5505 maintain a site-to-site VPN (the development LAN used to be in a different facility hence the VPN). Recently the developers have stated the performance is horrible. I noticed ping traffic loss from PCs on the dev side to servers on the production side in the order of 20-30%. I assumed it was a VPN issue so I opened a ticket with Enterprise TAC (all the ASAs and the SGs have either SmartNet or extended support contracts). TAC determined the problem happened even if you ping from inside the ASA to the untrusted side of the other ASA thus eliminating the VPN as the culprit.
 
The 2nd ASA-5510 has the AIP module and was not even live until this weekend. Turning it up and giving it a basic config returned the same results. #ping x.x.x.x repeat 100 will drop 20-40 packets. I have no security enabled on the SGs and even tried using the spare SG300-52 this weekend in place of their primary with the same result. I’m to the point of returning one of the Dell switches to production, but this cannot be a good sign. I’m also a bit frustrated that I’ve yet to figure out how to get Cisco Enterprise to speak with Cisco Small Business on this. The customer has over $10k invested in Cisco equipment and Cisco isn’t jumping in to figure this out.
 
The latest rep wants a packet capture from the SG300’s VLAN2 but there are no PCs there to do this with and the manual doesn’t even talk about doing this. How we can do this as well as get the 2 divisions working together to fix this? BTW, the RV082’s exhibit the SAME exact problem. I can ping from ANY device on VLAN2 to any other device and drop packets. Copying a simple 1MB file over the VPN can take minutes where it should take 1 second. I can reproduce this for 24/7.

View 8 Replies View Related

Cisco Routers :: RV082 Dropping Packets?

Feb 14, 2013

It appears we might have an issue with our RV082 (v4.2.1.02) dropping packets during the teardown of many TCP conversations.  I have attached two packet captures of what I believe is the same conversation.  One is from outside the router (Wireshark using an Ethernet Tap) and the other is from the client inside the router (SLES11SP2 running TCPDump).  These are both very small captures 9 packets and 18 packets and I'm hoping it will identify the problem.
 
It appears that the RV082 is prematurely closing the natted port used to communicate with the host outside the network.  The host sends a FIN, ACK packet, to which the client responds with an ACK,  However, when the client then sends his FIN,ACK sequence, it never makes it outside the router.  The client sends a total of 9 FIN,ACKs trying to contact the outside server, but none of those appear to make it through the router.
 
Is the router slamming the door prematurely?  (I've been fighting with this problem for 3 weeks now!)
 
Inside Capture:
----------------------
No.     Time                       Source                Destination           Protocol Length Info
1 2013-02-13 19:32:37.827942 192.168.1.45          38.113.116.214        TCP      76     35975 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=635644783 TSecr=0 WS=128

[Code].....

View 19 Replies View Related

Cisco VPN :: Srp527 VPN Tunnel Dropping Packets Intermittently

Dec 12, 2012

We have a Cisco ASA and recently purchased a cisco small business srp527 router.  It is connected to our ADSL2 connection and is working fine.  I have configured the device with an ipsec tunnel using an ike profile and the tunnel is created successfully with packets traversing the tunnel.  However packets are being dropped intermittently, with no cause.  The link is currently not being utilised, there is no load on the network however when I ping Google and any address subject to the rules of the tunnel i notice that a single packet is dropped every now and then.

View 0 Replies View Related

Cisco WAN :: 1811- MTU 1500 - Router Dropping Certain Packets

Dec 15, 2011

I seem to be having an issue where certain very packets are being dropped/lost by my office router. The reproducible situation is, when I attempt a DNS zone transfer from my linux bind DNS server (A.A.A.A) to any server on my network behind NAT (Y.Y.Y.Y) the first packet (Seq 1) of the response is lost. The client making the query asks for first packet (Seq 1) to be resent, and the DNS server attempts to resend it repeatedly, but those are lost too.

View 10 Replies View Related

Cisco Switching/Routing :: Why C2960 Is Dropping Packets

Dec 26, 2012

We have a customer who uses about 20 x c2960's switches for access layer and 2 x c3560e for distribution layer. C2960's uses C2960-LANLITEK9-M , Version 12.2(58)SE1. Everything was working fine. Now we got information, that sometimes there are problems with connectivity. Customer tries to reach internet.
 
SW11#sh int fa0/18       
FastEthernet0/18 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is e8ba.806a.4412 (bia e8ba.806a.4412)

[Code].....

View 7 Replies View Related

Cisco WAN :: Dropping Scavenger Packets On ASR 9000 During Congestion

Aug 6, 2012

I am trying to find a solution using modular QOS when there is congestion in circuit we drop packets with WRED which are marked with a DSCP value of say AF21. I can drop those traffic completely in case of congestion.  I was thinking to allocate 100% bandiwth to rest of the traffic.

View 1 Replies View Related

D-Link DIR-655 :: Dropping Packets While Gaming On Computer

Mar 27, 2012

I bought a DIR-655 a less than a year ago on amazon, and it was working great up until about 4 weeks ago. Ive noticed that it has been dropping alot of packets while I am gaming on my computer. I would run about 95-98 ping usually and now it jitters every 5-10 mins or so from 95-98 to up to 500. It is really troublesome during games and I dont know what to do. Ive tried disabling QoS and still nothing. I run on wireless G and N with auto 20/40 mhz. Standard WPA(personal) and it was running absolutely great until now. I know its the wireless because I have hardwired it into my laptop, both from the router and just the modem itself with no problems whatsoever. I dont know what to do about it.

View 3 Replies View Related

Cisco Application :: ACE Module A2(3.5) Is Dropping Packets And Closing Connection

Jul 26, 2012

I have a ACE module A2(3.5) installed, I am having a connectivity problem between two servers in my network. I have captured some traffic on different points in my network and from capture it seems like the problem is with this ACE module or somehow it is closing the connection.

View 6 Replies View Related

Linksys Wireless Router :: E3000 Dropping Packets On Any Channel But 1

Jul 24, 2012

My E3000 has about 60% packet loss if the channel selected is anything other than 1.  I can't enable 5GHz or even 40mhz 2.4GHz channels without dropping 60% packets.

View 9 Replies View Related

Cisco Switching/Routing :: 3750v2 DHCP Snooping Not Working Dropping Packets

Jan 9, 2013

I recently installed DHCP snooping on a 3750v2 switch (Version 12.2(55)SE4) and configured the uplink(Po2) as a trusted port. The problem is that clients cannot receive an IP address. When I disable DHCP snooping it is working properly. DHCP snooping is configured correctly but I don't have an idea how to resolve it. [code]I tested the solution on the same kind of hardware switch and firmware and it worked out fine. What is causing the clients not to receive an IP address from the DHCP server?

View 10 Replies View Related

Cisco Switching/Routing :: 3750X Switches Dropping Packets On Uplink Interface?

May 9, 2013

We have a remote site that is using 3750X switches as layer 2 switches back to our home site.  The uplink port is showing dropped packets but the utilization on the link is never about 10%.  We have a 100Mb circuit to this site.  Our speed tests and iperf tests are not showing any issues that we can see.  However the port is still droping packets.  It is not dropping at a high rate but they are dropping.          
  
switch#sh platform port-asic stats drop gi1/1/4
  Interface Gi1/1/4 TxQueue Drop Statistics    Queue 0      Weight 0 Frames 0      Weight 1 Frames 0      Weight 2 Frames 0    Queue 1      Weight 0 Frames 52876      Weight 1 Frames 2      Weight 2 Frames 0    Queue 2      Weight 0 Frames 0      Weight 1 Frames 0      Weight 2 Frames 0    Queue 3      Weight 0 Frames 0      Weight 1 Frames 0      Weight 2 Frames 1330874    Queue 4      Weight 0 Frames 0      Weight 1 Frames 0      Weight 2 Frames 0    Queue 5      Weight 0 Frames 0      Weight 1 Frames 0      Weight 2 Frames 0    Queue 6      Weight 0 Frames 0      Weight 1 Frames 0      Weight 2 Frames 0    Queue 7      Weight 0 Frames 0      Weight 1 Frames 0      Weight 2 Frames 0switch#
         
Is there a way to capture these dropped packets to see what they are?  We do have VOIP phones at the site and are using Qos.

View 5 Replies View Related

Cisco WAN :: 3750 And 4507 / 1Gbps Link / Sweep Ping Dropping Packets?

Dec 29, 2010

We are testing a new 1Gbps WAN circuit between 2 sites. We have cisco 3750 and 4507 on each end. Every time we run extended ping sweep ranging from 36 to 18024 bytes the packets are being dropped randomly once the size goes above 1500 bytes. Our ISP claims Demark to Demark test are clean and they don't want to acknowledge the problem, they blame our switches. To prove the problem is not on our end we've put different switches at each end, still facing the same issue. Ping success rate is around 98 to 99 percent.

View 11 Replies View Related

Linksys Wireless Router :: WRT120n Dropping Incoming Fragmented IP Packets?

Oct 13, 2011

I am trying to use my WRT120n as access device  for an IP Centrex service using SIP protocol. My SIP phone is located right behind the router.My problem is sometimes the router is dropping incoming calls because signalling packets are fragmented at IP level. So I cannot receive those calls.Is there a way to enable the router to accept these packets?

View 9 Replies View Related

Cisco VPN :: ASA5505 - Site To Site VPN Keeps Dropping

Sep 20, 2012

I have a site to site VPN. Every few days my site stops transmitting data to the remote site but I do receive data from the remote site. Only way to fix it is to rebuild the tunnel. I dont have any idle time set for the vpn. so not sure why the tunnel keeps going down. I have  a ASA 5505 running 7.2 (3) IOS.

View 5 Replies View Related

Cisco Firewall :: Users Behind ASA5505 Firewall Are Unable To Access Internet

Feb 24, 2011

I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.

When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.

The ASA5505 configuration is shown below.

hostname Firewall

interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10

[Code].....

View 2 Replies View Related

Cisco Firewall :: ASA5505 Lose Configuration If Upgrade Firewall

May 17, 2011

i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.

View 2 Replies View Related

Cisco Firewall :: ASA5505 Can't Ping New Firewall On Inside Interface

Jul 14, 2011

I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.

View 32 Replies View Related

Cisco Firewall :: Unable To Ping Internet IPs From ASA5505 Firewall

Jan 9, 2013

Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2  -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
 
1.  Internet  is connected to Juniper Ge0/0/0  via /30 IP.
 
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to  Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.

From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
 
Issue:

1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
 
Troubleshooting Done so far.
 
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3.  Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **

View 2 Replies View Related

Cisco Firewall :: 5545 OSPF Input Packets Ignored

Sep 26, 2012

I am trying to configure my ASA 5545 firewall in area 0 but when I do so, the neighbor relationship never establishes.  A debug on OSPF gives only one response: [code] Why the ASA is ignoring the input packets?

View 4 Replies View Related

Cisco Firewall :: 6509 - FWSM With Packets Dropped

Jun 9, 2013

I happen to noticed the FWSM was dropping packets at about 387 packets every 5 minutes. My outside FWSM is WAN facing and has a 1gig link (35% utilized) my inside facing has about 100 downstream switches to the closets. I do not see my 6509's back plane is being over utilized and my understanding of the FWSM show be go for 5 gig so it isn't oversubscribe. Why i am seeing packets dropped?

[Code] ......

View 2 Replies View Related

Cisco Firewall :: 3700 - ASA Drops HTTP Packets

Mar 13, 2013

My config:
 
Windows 7 host 
MS Loopback Adapter with ICS
GNS3 
ASA 8.42 with ASDM 6.4 
Vmware Workstation 7 with Windows XP SP3 vm
 
All are working like a charm, from my virtual XP machine I can ping every site, e.g. www.google.com which replies nice with it's ip-address.
 
However, I cannot reach ANY website
 
When I connect through a Cisco 3700 router the webbrowser works perfect, so it must be something in the ASA configuration (I presume )
 
I've tried about all possible Access Rules, but still nothing.

View 13 Replies View Related

Cisco Firewall :: ASA5505 Firewall Rule Not Blocking

Apr 1, 2013

I'm trying to troubleshoot an ASA5505.
 
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
 
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic.  I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did.  That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
 
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below.  However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
  
show ver 
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2) 
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"

[Code].....

View 4 Replies View Related

Cisco Firewall :: PIX-525 Only Allowing 1020 Maximum Size Packets Through

Sep 25, 2012

We've had this firewall in place for years, and there haven't been changes to it in the past few months. Last week, however, we started having problems accessing one of our networks through the PIX, and after working with Microsoft, we determined it was an MTU issue. The maximum sized packet to the PIX and through the PIX is 1020 bytes, and it doesn't matter if the packets are sourced from a server or the PIX itself. From the server, we can ping 1500 byte packets to the core switch with no issues. All interfaces are set for 1500 byte.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved