Cisco Firewall :: ASA5510 Connection Numbers Don't Add Up

Jun 13, 2011

I have a monitoring rule that checks the number of connections on the firewall using the following command: show conn count
 
My results are always between 3,000 and 9,000. A while back, I had an issue where all 130,000 connections were being used up. I configured a service policy to limit the number of connections between any two end points.
 
I'm monitoring the error logs and I'm noticing that my connection limit rule is being triggered on a regular basis. I receive the following message: Per-client connection limit exceeded 20000/20000 for output packet from x.x.x.x to x.x.x.x on interface outside
 
I'm confused as to the difference between the connections limited by my rule and the connections shown by "show conn count". Why do I never see any connections higher than 9,000 using "show conn count", yet I am seeing alerts stating that the firewall has reached 20000 connections? My firewall is an ASA5510 running.


Cisco Firewall :: Switch ASA5510 Outside Interface Connection

Mar 10, 2011

Our ASA 5510 is running 8.0(5). We recently upgraded the license from Base to Security Plus. By doing so the capacity of the external ports Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured out that the provider switch only supports 100 Mbps, which is a bottleneck for us. The provider will be upgrading their switches to a 1 Gb switch.
 
We will have to swap the switch connections now from the 100 Mbps to the 1 Gb switch. What commands should we familiarize ourselves with? Though this will be done in our maintenance window, all the translations/connections will be dropped in our production environment, so we are kind of scared.

Cisco Firewall :: Asa5510 Idle TCP Connection Timeout With Flags

May 14, 2012

I have ASA 5510s running 8.2.4 and 8.0.x OS and all seem to have a common problem of idle TCP connections not timing out. The host-to-host connections are coming over VPN tunnels. I have default timeouts on all the firewalls. I have tried changing global timeouts as well as host-specific timeouts using MPF, but it doesn't work at all! The problem is that TCP connections sit idle in the conn table for days, and when the connection limit of 50,000 conns is reached the firewall starts behaving unpredictably, dropping packets or becoming unresponsive! I need the unused idle connections to time out, which is NOT happening either by changing global values or via MPF.

Cisco Firewall :: ASA5510 Permit Incoming Connection From Remote LAN

Sep 4, 2011

Actually all services from site to site are permitted, without restriction. I want to insert an ASA to block some internet traffic on the main site. I try to configure my ASA5510. No problem for outgoing connections or to permit a single service on the main site. But it is impossible to give access to all services/connections from all remote sites to the main site. [code]

Cisco Firewall :: ASA5510 / Specific Configuration About TCP Connection Or DNS To Setup?

Mar 8, 2011

I changed my old firewall to an ASA5510; since that change my internet connection is slower. Some websites take longer to display. I would like to know if there is some specific configuration about TCP connections or DNS to set up?

I just configured the ISP DNS:

dns server-group DefaultDNS
 name-server 194.2.0.20
 name-server 194.2.0.50

Cisco Firewall :: 5520 Crashed And Shows Negative Numbers

Feb 3, 2012

Got a crashed 5520 this week and it was showing <163>Nov 28 2011 11:34:45: %ASA-3-201013: Per-client connection limit exceeded -125/100 What does the negative number tell? I usually see the same numbers, like 100/100, which means the connection limit has been reached.

Cisco Firewall :: ASA5510 - Giving Error 421 SMTP And Connection Lost

Oct 10, 2011

I've got some problem with my mail server since I've migrated to an ASA5510. Actually the server is in a DMZ with a private IP (10.x.x.2) and it is translated to a public IP (194.x.x.65). Some users received in their mailbox a system administrator error message: Object: Impossible to deliver: test. Your message could not be delivered to one or more of its recipients: 421 SMTP connection went away! When they try to resend it some time later, the message is sent without problem.

Cisco Firewall :: Numbers Of Users For ASA Content Security Module 1703

Feb 1, 2012

I run a website for a local football team using Serif WebPlus X6. On uploading the weekly updates of the site the process seems OK for a few minutes, with progress bars showing uploading of files, but then it all stops and I have to reset my wireless network adaptor 1703 and it continues, but I can't just leave it to work on its own. Device Manager says that the drivers are up to date, but I'm fed up with having to nurse the adaptor. This didn't happen with previous computers.

Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

The ASA 5510 has two models, BUN-K9 and Sec-BUN-K9; from the datasheet I found out the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?

Cisco Firewall :: ASA5510 - Unable To Ping From User Desktop To Firewall Inside IP

Jun 11, 2012

I am able to ping from the switch to the firewall inside IP and to the user desktop IP, but unable to ping from the user desktop to the FW inside IP. Config is below for both the switch and the FW (Cisco ASA5510)....
 
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:

[Code].....

Cisco Firewall :: ASA5510 Secondary Firewall Crashes After Upgrade To 8.4.1

Jun 29, 2011

I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.

I don't have the exact error right now, as I need to do a screen capture from the console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?

Cisco Firewall :: ASA5510 Firewall Transparent Mode

Sep 10, 2012

I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user, and server. In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface. I am getting the below error; it only allows me to make changes to those pre-defined interfaces. How do I create an extra sub-interface?

Cisco Firewall :: ASA5510 Firewall Interface Speed

Jul 21, 2011

I have an ASA5510 and I have a question about the speed the ports can handle. Here is one port:

interface Ethernet0/2
 speed 100
 shutdown
 no nameif
 no security-level
 no ip address

It's Ethernet and not FastEthernet, so I figure it will only go to 10 Mbps, but at the same time I can hard-code the speed to 100.

Cisco Firewall :: Memory Upgrade Of ASA5510 Firewall

Feb 22, 2012

I have a Cisco ASA 5510 firewall in use in my network; I am planning to upgrade the flash memory from 256 MB to 512 MB and the RAM from 256 MB to 1 GB.

Cisco Firewall :: Asa5510 - How To Add Secondary Firewall

May 4, 2012

I have a Cisco ASA 5510 with a Security Plus license in a live environment. I need to add a secondary firewall. I was planning to do it in active/standby mode for failover. But I have a doubt: when I do "show version" on the live ASA, the output says Active/Active failover. Does this mean that I can only configure failover in active/active mode, not in active/standby (which I want to do)?

Maximum Physical Interfaces  : 8
VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 25
WebVPN Peers                 : 2
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5505 Security Plus license...

Cisco Firewall :: RDP Access Through ASA5510 Firewall?

Feb 12, 2012

I am using a Cisco ASA5510 firewall in my network in the distribution layer. A private range of network addresses is used in the network, with PAT at the FW for address translation. Presently I am encountering an issue: the users behind the FW in my network are unable to RDP at port 2000 presented at the client network. Able to telnet on port 2000 but not RDP. Are any changes needed at the FW end to get the RDP access?

Modem With 2 IP Numbers

Jan 29, 2013

I've had this DSL modem for a couple of years now and have always, to my knowledge, been able to use it via only one IP number. I've been streaming video using webcamXP and other software. Today my modem began acting stupid by disconnecting once an hour, and if I shut off the PC at all, I wind up having to manually reset the modem by unplugging it for a few seconds and then plugging it back in again. I eventually noticed that while the webcam is streaming video, my LAN connection on the PC shows the IP number I'm familiar with, while my DSL modem shows one that's new (so to speak). So I entered both IP numbers into webcamXP and found that the modem streams using either IP number. If I go to the "what's my IP number" site, it will display whichever number I have entered into the webcamXP software. Is it normal for a modem to use 2 numbers, as I don't believe this has occurred in my case before? I'm wondering if it has to do with the modem suddenly disconnecting now and then and, too, having to reset it every time I boot. I have AT&T DSL, no live landline, just a dead phone cord from the modem to the wall.

Cisco AAA/Identity/Nac :: How To Get Any Numbers Regarding Performance For ACS V.5

Aug 17, 2012

How to get any numbers regarding performance for ACS v.5? I have looked through the documents but couldn't really get any idea. Especially in a WLAN environment: how many clients can use one appliance as primary without putting the primary under strong load?

What Are Port Numbers And Who Choose Them

Jul 27, 2011

I have a little experience in LAN management, solving basic connectivity issues. However, I am not strong theoretically. Particularly, when it comes to the OSI reference model, I feel like I have understood the fundamentals, but at the same time I get lost here and there. This is regarding the steps or processes involved when one PC sends an email to another in a network. When I compose an email and hit enter, this is what I have understood: each layer, starting from the application layer, passes the data and the control information to the layer below it, until the lowest layer is reached, from where the actual transmission takes place via the physical medium. What are port numbers? How and when are port numbers chosen? Who takes the decision in choosing them?

Cisco Firewall :: Using SCP On ASA5510

Mar 14, 2011

We have to use SCP on all of our network devices. It worked quite well on our routers and switches, but I can't seem to get it to work for the firewalls and IPS. I enabled SCP on my ASA5510 using the command "ssh scopy enable". I also ensured that an RSA key was generated and that SSH version 2 was enabled. But I can't seem to locate the commands to actually have my firewall either copy its configuration to a server or reach out to a server to pull down a file. We are using IOS 8.2(1).

Cisco Firewall :: ASA5510 Rdp With QoS

Mar 22, 2011

I have a customer who wants to prioritize RDP traffic through the firewall. I know that it's port 3389, but the outgoing traffic is on a random port number. Any smart way to catch this traffic and get it into the LLQ?

Cisco Infrastructure :: 750 - Serial Numbers And MAC Addresses

May 7, 2013

I am in the process of implementing 750 Cisco access points across the business. I need to make a note of the serial numbers and MAC addresses for our inventory before I get these configured and sent out to their relevant destinations. The APs have arrived in boxes of 10 (75 boxes). The sticker on the box with the barcode is either covered with a postage sticker, ripped, or my scanner will not scan it because it is too small. There is a sticker with the serial bundle which is larger and therefore scannable. Is there a way that I can scan this and get the MAC address and serial number?

I know that this is not a technical question, but I don't want to spend the next 3 weeks opening 75 boxes and removing each AP individually and recording it.

Cisco WAN :: Multiples AS-Numbers On ASR1K Or ASR9K?

Sep 7, 2011

I want to know if it is possible to create multiple BGP AS numbers on an ASR1K6 router or ASR9K6 router.

Cisco Routers :: RVS 4000 - Block IP Numbers

Nov 26, 2011

I would like to block IP numbers. When I tried with one the router festively walked straight through it!

Cisco WAN :: ASA5510 Dropping Connection Then Re-connecting On A Different IP Address

Feb 2, 2012

We have a Cisco ASA5510 firewall. A user at home has an Avaya IP phone which connects in over the VPN to the Cisco ASA5510; for some reason it keeps dropping the connection and then reconnecting on a different IP address (see attached screen shot), thus losing the phone.

Cisco VPN :: ASA5510 - Termination Point With Dual ISP Connection

Nov 2, 2011

We have an ASA 5510 with ~100 VPN LAN-to-LAN tunnels. Now we need to migrate to a new ISP, so we have connected a new ASA interface to the internet. The default GW is still on the old connection. We are trying to migrate the VPN LAN-to-LAN tunnels using static routes, pointing the IP of the remote VPN gateway to the new ISP gateway. The VPNs come up, but when they try to send traffic I can see the Rx counter growing, while Tx remains 0. I've tried with different VPNs (old and completely new), and the problem remains.

Cisco Firewall :: ASA5510 - IOS Upgrade From 8.0(3) To 8.2.5

Sep 13, 2012

We have an ASA 5510 which we need to upgrade from 8.0(3) to 8.2.5. Can we directly switch to 8.2.5 from 8.0(3)? If not, what versions do we need to go through?

What points need to be checked before that? The following is the show flash output.

97   14635008   Jan 01 2003 14:12:16   asa803-k8.bin
98   4096       May 14 2008 21:22:10   tmp
2    4096       Apr 20 2008 02:21:46   log
6    4096       Apr 20 2008 02:22:16   crypto_archive
99   6851212
[Code] .....

Cisco Firewall :: ASA5510 Allow Traffic From DMZ To LAN

Sep 18, 2011

My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using a NAT exempt statement. I am having a few issues setting up DMZ > LAN access, however. The servers running on the DMZ need to send information to my LAN, such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Basically all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA, such as NAT or ACLs, to make this work? My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.

Cisco Firewall :: ASA5510 Cannot Seem To Get From Inside To Outside

Oct 20, 2011

I have an ASA 5510 with asa8.4(2) and asdm6.4(5)205. I have a new basic config, nothing special at this time. I just cannot seem to get from the inside to the outside. From the outside interface I can ping, so I have a good Internet connection. [code]

Cisco Firewall :: ASA5510 8.4 DMZ Cannot Get To Internet

Apr 24, 2012

We have a DMZ on an ASA5510 8.4; it can access anything on the internal interface but cannot get out to the internet or the outside interface. I try to ping from a host in the DMZ to 8.8.8.8 and get this in the log: 6 Apr 25 2012 08:24:43 110003 8.8.8.8 0 172.10.1.150 1 Routing failed to locate next hop for ICMP from outside:8.8.8.8/0 to inside:172.10.1.150/1. [code]

Cisco Firewall :: To Upgrade To 2GB RAM In ASA5510

Apr 5, 2012

I have an ASA5510 firewall which currently has 1 GB RAM. I want to upgrade to 2 GB. When I opened the box, I could see only 1 slot to insert the RAM. I searched the Cisco website and got to know that I need to use 2 x 1 GB RAM. So I need to have 2 slots to do that. But I have only 1 slot in the box.

Cisco Firewall :: Alternative To PBR On ASA5510

Mar 30, 2011

We have an ASA5510 with a backup ISP connection protecting our corporate network. I also have a mail server and I would like to route SMTP traffic over the backup network. I realize that the ASA5510 does not support PBR, but I also know that I can use static NAT rules as a workaround to direct specific types of traffic over a particular interface (e.g. "static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0" and "static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0"). Is it possible to use something similar to force a particular host to use a specific interface? I have tried to make this work on my own without success. Is it even possible?

Cisco Firewall :: Pix 501 Licensing With Asa5510

Dec 5, 2012

I bought a Cisco ASA 5510 (P/N: ASA5510-BUN-K9) and I would like to know if I have to buy some license. What I mean is, for the basics, is it still necessary to acquire some license?
