Cisco Firewall :: Connection Failing Intermittently - ASA 5520 Version 8.3 (1)
Oct 19, 2011
I have a server in a DMZ behind the ASA, connections to this server work sometimes and then fail others, so I dont think i'm looking at an ACL or NAT problem here.The syslogs report a SYN Timeout,I have taken a trace on the ASA, it seems that a SYN-ACK does come from the destination server within the 30sec timeout, but its not passed through the ASA back to the source ? Â there is one odd thing, what seems to be an out of sequence ACK from the destination which arrives before the SYN-ACK at the ASA, i'm wondering if this might be the problem ? This only occurs on the connections which fail, the connections that work, the destination responds quickly to the initial SYN, and the 3way handshake completes.
Â
Syslogs :
Â
Oct 18 19:17:32 nzlsudfedsi001-pri Oct 18 2011 19:17:32 NZLSUDFEDSI001 : %ASA-6-302013: Built outbound TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 (172.24.32.31/21) to BPO-TRANSIT:x.x.x.x/59392 (x.x.x.x/59392)
 Oct 18 19:18:02 nzlsudfedsi001-pri Oct 18 2011 19:18:02 NZLSUDFEDSI001 : %ASA-6-302014: Teardown TCP connection 42327212 for IIP-ARCHIVE-PROD:172.24.32.31/21 to BPO-TRANSIT:x.x.x.x/59392 duration 0:00:30 bytes 0 SYN Timeout
[code].....
View 2 Replies
ADVERTISEMENT
Apr 3, 2012
provide me with the important links which can show me how to do the software upgrade for my ASA 5520 ver 7.0(1) to ver 8.4 ? as well as the ASDM
View 10 Replies
View Related
Mar 13, 2013
Im preparing a lab and I have 2 ASA 5520's. I have configured them for failover so the Primarys config will replicate over to the Secondary. They are connected via a 3560 switch. the switch ports are configured as access ports on vlan 1. Spanning-tree portfast is enabled
Â
Firewall (Primary)Â
Cisco Adaptive Security Appliance Software Version 9.1(1) Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 10:38 by buildersSystem image file is "disk0:/asa911-k8.bin"Config file at boot was "startup-config"
[Code].....
View 5 Replies
View Related
Jun 5, 2012
I have an ASA 5520 for my firewall. (ver 8.0(4))I have an external hyperlink that works from dsl at home but not from behind my corperate firewall.When I filter my real-time log viewer for this destination address I see the build up and immediate teardown of the session.The log indicates the teardown was initiated from inside.The informational alerts are
Â
Built outbound TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 (65.204.x.x/52001)
Teardown TCP connection 726440542 for outside:201.116.168.172/6666 to inside:172.16.x.x/3586 duration 0:00:00 bytes 77 TCP Reset-I
Â
Reset-I means that something (the firewall or my pc which is the source) is telling the firewall to end the session.
View 2 Replies
View Related
Apr 8, 2012
We want to make an upgrade of one of our customers' ASA 5520 (with failover). They have version 8.2 now and we want to get the more stable newest one. Can we get an 8.6 version? or we need an ASA 5500X for that one?
View 2 Replies
View Related
Feb 13, 2013
VPN tunnel between ASA 5520 ver 8.0(4) and a remote Juniper firewall keep tearing down during Phase 1 rekeying. After the rekeying process fails, manually pinging one of the remote hosts that are proteced behind the Juniper firewall,initates the tunnel renegoation and rebuilds the tunnel successfully.
Â
When the tunnel is down, sh crypto isakmp sa shows no active SA for the remote peer. That indicates the PHASE 1 negotation had indeed failed.When the tunnel is working, sh crypto isakmp sa indicates an IKE role of Responder - always.Clearly that also means Phase 1 negotation works only one way, i.e. negotation initated by the remote Juniper unit only.
 Â
Interestingly, the Syslog server logged the following SNMP trap messages at the time rekeying Phase1.Note, Line#2 and #7 and wrapped to the next line for easy of reading.
 Â
Line#1:Â Â IP = Remote-Peer-IP-#, Starting phase 1 rekey
Line#2:Â Â IP = Remote-Peer-IP-#, IKE Initiator: Rekeying Phase 1, Intf outside,
IKE Peer Remote-Peer-IP-# local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)
Line#3:Â Â IP = Remote-Peer-IP-#, constructing ISAKMP SA payload
[code]...
Â
As I understand from the above syslog trap, the Responder ( the ASA unit this time) started Phase 1 rekey (Line #1). It prepare a message to be sent to IKE Initiator, that it is about to start rekeying Phase 1 (Line #2). Down on the next line, it indicated that the local Proxy, remote Proxy and Crypto map as N/A ( not avaiable).Why would the ASA unit send N/A message as shown in Line#2, is that normal?
View 3 Replies
View Related
Nov 20, 2011
I am now going to configure IPSec VPN connection for Cisco ASA 5505 (Version 8.4)
View 3 Replies
View Related
Apr 3, 2011
Recently been taking my Laptop installed with Win7 Pro to a Friends and was sharing his Wireless connection from Belkin ADSL2+ wireless router and notice that every now and again the wireless connection would drop out and the only way to regain a connection to the reset the router. My friends network has two laptops on it connected wirelessly with Windows XP home edition SP3, and a Desktop PC with XP also on connected to router Via Ethernet, also a Windows Home Server and XBOX 360 also connected by Ethernet, My friend since updated his laptop to Windows 7 Home Premium and is using the Wireless connection which now finds intermittent loss of connection which can only be restored by Resetting the Router. why a Router should lose connection just by connecting a Win7 laptop wirelessly or is there more to it than that.
View 3 Replies
View Related
May 10, 2011
i am using Cisco ASA 5510Â with ASA Version 8.0(4) and memory 256MB. me to Upgrade it to 8.3
View 6 Replies
View Related
Dec 12, 2012
I have a problem with the connections to the remote webservice passing through ASA 5520 firewall. Connections are usually interrupted in perod of half an hour in every few days.
Â
This ASA 5520 firewall is only one firewall in a path to the remote webservice.
Â
During the interruption I find the logs:
Â
UTC: %ASA--4-419002: Duplicate TCP SYN from dmz1:x.x.x.x/.... to outside:y.y.y.y/p with different initial sequence number
Â
Teardown TCP connection 28309406 for outside:y.y.y.y/p to dmz1:x.x.x.x/.... duration 0:00:30 bytes 0 SYN Timeout
Â
How I could find root cause? Could it be solution implemetation of TCP State Bypass?
View 1 Replies
View Related
Oct 7, 2012
We recently replaced our Cisco 5510 with a 5520. I had the SSL Client VPN working on the 5510, I cannot get it working on the 5520. The IOS version is 8.2(5) and the ASDM version is 6.4.I run through the SSL Client wizard and get everything set up. When I try to get to my outside interface Internet Explorer just comes up with an error. When I try to connect through the Cisco AnyConnect client on my Android it used to come up with a "No address available for SVC connection". After deleting an address pool not even related to my SSL VPN profile I cannot get that far. I just get a "login failed". Even after I create a user with level 15 privilege and assign to my vpn group policy.I still get the "No address available for SVC connection" when I try to connect to the default profile, which doesn't really go anywhere.
View 23 Replies
View Related
Apr 9, 2013
Device Cisco ASA
Model:5520
OS 8.4(2)
Â
I am not able to access the device via SSH .After connecting to teh console I have found that allowed SSh session are fully utilized with show resource usage command and the output is [code]
Â
So I used show ssh session command to see who is using the sessions but in the output it has showed only one session and the output was [code]
I was wondering why it shows only one session above instead of showing all the 5 sessions which are utilized as confirmed by show resource usge command.We are usning some internal tool for ssh monitoring on device which is poling the device after a fixed interval for port 22 reachabilty .I dont think these tools are making any issue as this is secondary firewall and we are not facing any reachabilty issue for primary firewall.also we are using 10 min for idle ssh timeout.
View 13 Replies
View Related
Oct 25, 2011
I configured multiple vlan on my Cisco ASA5520. Everything work perfectly except RDP (3389) connections. The connections are established but but after a period of inactivity, the user is disconnected from server (black screen). The same problem happens with other type of connections (client/server), exemple : Oracle, file sharing. Before installing the ASA, computers and servers were in the same vlan and it worked well.
Â
There's a notion of inter vlan timeout connection ?
View 5 Replies
View Related
Jul 12, 2011
I installed the RV220W Router in my office about 2 weeks ago and everything works perfectly for 3-4 days but then my connection drops out and the router must be restarted to restore connectivity. When I say the connection drops basically the internet connection drops out and my network connections drop shortly thereafter. Usually the wireless connections lose connectivity followed within a few minutes by the wired connections.
Â
Is there something in my firewall settings that could cause this issue? I have checked with my ISP to verify there are no problems on their end.
View 12 Replies
View Related
May 9, 2012
We recently moved and upgraded our internet service from 1.5 Mbps to 4Mbps with CenturyLink. However, since our service was activated last Thursday, the internet connection intermittently drops and will not recover unless I reboot the modem. The period of up-time will last anywhere between fifteen seconds to several hours, usually falling along the five-to-ten minute range. No difference when using ethernet/wifi. The DSL light stays on, and the Internet light remains on as well.
View 11 Replies
View Related
Jan 15, 2013
My internet connection seems to drop offline randomely while surfing the net. It basically results in yahoo or google freezing for 20-60 seconds before unfreezing and running flawlessly again. I seen a previous post that requested the individual hit start, run, cmd, and enter tracert google.com.
Windows 7 Professional
Service Pack 1
Intel® Core 2 Duo CPU E8400 @ 3.00GHz
[Code].....
View 1 Replies
View Related
Nov 18, 2012
The old 615 has been working very well for some years now, but the last couple of days we have had to turn it off and on again to get internet. It has happened 3 times in the last 24 hours. The globe light on the router remains green, and the notification icon on windows 7 doesn't show any problems yet we cant connect to the web. I've been looking on the forum and trying to understand some of the solutions and checklists already posted, but they don't make a whole load of sense to me unfortunately.
The firmware on the router is 2.27. The only change I have made to the system is that my wife's lan card seems to have died a death last week, and her computer is now connected by wireless. My computer is now the only one connected to the router by a lan cable.
There is something I don't understand. Under setup / network there is a dhcp reservations section. Pretty much every device seems to have a reserved IP address, and some of the devices that are reserved we no longer own. My son does gaming and wants a constant IP address, and my computer might need a permanent IP (don't know - just guessing here). Should all the other computers be allowed to sort themselves an IP every time they log on? Most of the devices have expires never, and some of the devices have the blue link that I can click for revoke and reserve with a time by them.
Am I barking up the wrong tree here and this lot has nothing to do with the dropping connection? What do the revoke / reserve and times mean? What happens when the lease runs out? Will the connection drop on that computer and it will have to try and connect itself again, or does it start a new lease every time it logs on to the router?
View 1 Replies
View Related
Jun 24, 2012
I have a Cisco ASA 5520 that I'd like to be able to connect directly to our gigabit fiber connection (we're currently connected through a media converter that's causing problems). I've found the following:Cisco ASA 5500 Series 4 Port Gigabit Ethernet Security Services Module [URL]. I only need a single fiber connection, as opposed to the 4 copper + 4 fiber.
View 1 Replies
View Related
May 30, 2013
We are working with an ASA 5520 and it seems there is an issue with some email messages sent throught it. When there are many recipients in the emails the email messages are not sent, and I have revised the server an the only thing I see is connecting dropped. When I went to see ASA log and see this log report: ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100 tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet. So I think there should be an inspection of ESMTP packets and if they detect an email message sent to over 100 addresses, then the packet is dropped, am I right? if so, what should I do to let those email messages be sent?
View 6 Replies
View Related
Nov 28, 2012
I have a Cisco ASA 5520 that we was working properly. I tried to create a VPN IPSEC to test but when I finished the wizard I lost the conection between the inside interface and outside. I use other interface for DMZ and other for printers network but this adapters are working properly. I have reviewed the NAT's and the ACL's but I don't see the problem?
I have delete the VPN IPSEC but it's still not working and I have the network down
View 2 Replies
View Related
Oct 18, 2011
For eight months we have not had any problems with our new WRVS4400N (V2.0.2.1) connected to a Verizon/Westell 6500 to provide DSL internet for our network with DHCP on our server... No changes have been made to the router or modem since initial setup; but, then it started -- Our internet connection would drop intermittently. Sometimes every 5 or 10 minutes - sometimes every hour. Verizon has tested the lines which came up ok, then they sent a tech who changed the wire pair coming into the building for the DSL line and retested the lines which again came up ok, then they provided us with a new modem (now a Verizon/Westell 7500). After all that, the DSL still connects then disconnects intermittently. I am now wondering if the issue lies with the WRVS4400N.
View 2 Replies
View Related
Jun 28, 2011
I have a desktop computer and a laptop computer both running Windows 7 Home Premium. The desktop is connected to the router directly and the laptop is connected to the wireless network. When I restart both computers, I can see and access the other computer through the home network without problems. But after a while, sometimes just a few minutes, I can only see the other computer but cannot access it. Sometimes, I cannot even see the other computer. If I do a "ipconfig /release" and a "ipconfig /renew", it may sometimes correct the problem for a while.
I have looked at many related discussions on the web and none of the suggestions work for me.I have the firewalls disabled on both computers, as well as the ipv6 and IP service. I have also disabled the Bonjour service.I have turned a number of services, such as computer browser, server, workstation and many others to automatic as people suggested.
View 4 Replies
View Related
Mar 3, 2013
Only at my home network, my HP Pavilion Laptop wifi will sporadically just stop identifying the router. The router (and Intel) shows enabled and good signal and my husband's laptop shows no interruption. My wifi keeps trying to reconnect but can't. I have to power off the router to reboot it so my wifi connects again. This is really annoying...
View 3 Replies
View Related
Jul 27, 2012
ISP - Comcast Cable Internet Modem model SMCD3GNV wired/wireless combo (2 pcs connected 1 wired 1 wireless)When the connection is online, the speeds are fine- the issue is the 2-3 times a day when the connection drops off. The error that we are getting is "cannot connect with primary dns server" however in our attempts to restore the connection we have: [code] is there some issues in the area that we are not aware of? being that the signal levels are within range what do you think the problem resides in? FYI, both connections, the wired and wireless connections both have connectivity issues equally.
View 6 Replies
View Related
Jan 14, 2012
We just upgraded from 8.2.4 to 8.2.5.20 on each firewall. The Primary and Secondary work when they are standalone but, when we connect the fail over link from the Primary to the Secondary, invariably, one of them will go into a constant boot cycle and one will be active but, external users will be intermittently dropped. As soon as we unplug the fail over, the firewall that stays up behaves normally. This is with 8.2.5.20 code or any other code for that matter?
View 2 Replies
View Related
Mar 27, 2011
Ive got a virtualised firewall running 3 security contexts in routed mode. What am experiencing is that i cannot connect to an OUTSIDE host through the security contexts. From the firewall itself i cannot ping the directly attached host on the OUTSIDE interface but i can ping the directly attached host on the INSIDE interface. When i reload the firewall box, the first ping to the OUTSIDE host would be successful but subsequent pings fail and thus total connectivity is lost.
Â
I even tried upgrading to ASA version 8.4(1) but still the same.
View 5 Replies
View Related
May 1, 2013
We have ASA 5520 firewall.For broadband Internet access, we have T1 Router(edge router provided by ISP) which provides public IP's 198.24.210.224 / 29. We have usable public IP's 198.24.210.226 - 198.24.210.230 with default gateway 198.24.210.225. We assigned 198.24.210.230 255.255.255.0 to the outside interface.
Â
If we connect the ASA 5520 outside interface directly to T1 router, can all packets with destination addresses 198.24.210.224/29 reach the outside interface without using other device like another router or switches?I just assume that only packets with destination address 198.24.210.230(outside interface ip) can reach the outside interface from the edge router.Is it wrong assumption? If it is correct, then is there any way to route all packets with destination address 198.24.210.224/29 to the outside interface?
View 3 Replies
View Related
Jun 27, 2012
I am using a pptp server running on windows 2008 server and I have configured my ASA 5520 to let the PPTP traffic to pass throught.
 Â
The solution works quite well but exactly every 120 minutes the connection drops and people have to reconnect. Is there any setting to change? In the PPTP server I haven't found any setting to change.
View 2 Replies
View Related
Nov 11, 2012
Currently in our environment we have have two buildings with an ASA 5520 in each and a core stack of 3750's in each building. I am currently working on a network segmentation project and am thinking of adding another stack of 3750's in each building to add more redundancy to our network. This will allow our access layer switches to have a trunk to each stack and prevent an outage if one of the links or stacks were to go down.
Â
My question is how I would set this up on the ASA end of things while using a common subnet and HSRP on the 3750's. I understand how to use HSRP and STP on the switches to achieve this on the 3750 end of things. I saw you can do etherchannel on the ASA with 8.4 but how does that work in a failover situation?
View 2 Replies
View Related
Nov 3, 2011
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.Â
View 1 Replies
View Related
Jul 29, 2012
I have a Linksys Wireless-N Home Router, WRT120N to be exact, and I have been having problems with my wireless. My wifi losses internet connection intermittently. This does not happen when I am connected directly to the router with a Ethernet cable. I have redone all the settings many times(like 6) and Im still having the same problem.
I really dont want to have to buy a new router
View 8 Replies
View Related
Nov 9, 2010
I have a WAG160N v2 and a UK Online broadbad account, windows xp. The connection intermittmently drops out, approx 15-30 times per day. I have spoken to my ISP and had the line checked (no packet loss issue), checked the settings on the router against my ISP and also updated the router firmware all with no improvement.
View 2 Replies
View Related
Feb 15, 2013
I've been having some issues with my DIR-825, it's been intermittently dropping internet connection. Â This is across multiple OS (Win 7, Ps3 OS, iOS, etc.
View 14 Replies
View Related
