«

Hi Group,


I have an ASA 5510 7.2(2) code.

Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
0:00:01 bytes 39928 TCP FINs
Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside


I am having some issues with intermittent traffic flow problem, what I
am finding is as shown above, the translation for a connection is being
torn down and the next log entry is then denied because the translation
was deleted but was in fact the same connection/translation, like there
was more data to be sent. This is causing some mail flow issues where
email is leaving the senders network and is seen hitting mine but the
email never shows up to the mail server. I have a TAC case open but have
not been to successful with them as of yet.


: Saved
:
ASA Version 7.2(2)
!
hostname aof-fw-01
domain-name blah.local
enable password * encrypted
names
dns-guard
!
interface Ethernet0/0
description Connection to the Internet
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.187.177 255.255.255.240
!
interface Ethernet0/1
description Connection to Internal Network
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd * encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
domain-name blah.local
dns server-group Internal_DNS
name-server 192.168.0.240
domain-name amone.local
access-list outside_access_in extended permit icmp any host x.x.187.177
echo-reply
access-list outside_access_in extended permit icmp any host x.x.187.177
time-exceeded
access-list outside_access_in extended permit ip any host x.x.187.181
access-list outside_access_in extended permit ip any host x.x.187.182
access-list outside_access_in extended permit tcp any host x.x.187.189
eq smtp
access-list outside_access_in extended permit tcp any host x.x.187.188
eq https
access-list outside_access_in extended permit tcp host 70.91.116.209
host x.x.187.188 eq smtp
access-list outside_access_in extended permit tcp any host x.x.187.188
eq www
access-list outside_access_in extended permit tcp any host x.x.187.188
eq pop3
access-list SSL_VPN standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0
255.255.255.0 192.168.51.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging from-address aof-fw-
logging recipient-address level errors
logging host inside 192.168.0.241
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_POOL 192.168.51.1-192.168.51.254 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp x.x.187.188 https 192.168.0.245 https
netmask 255.255.255.255
static (inside,outside) tcp x.x.187.188 www 192.168.0.245 www netmask
255.255.255.255
static (inside,outside) tcp x.x.187.188 pop3 192.168.0.245 pop3 netmask
255.255.255.255
static (inside,outside) tcp x.x.187.188 smtp 192.168.0.245 smtp netmask
255.255.255.255
static (inside,outside) x.x.187.181 192.168.0.179 netmask 255.255.255.255
static (inside,outside) x.x.187.182 192.168.0.178 netmask 255.255.255.255
static (inside,outside) x.x.187.189 192.168.0.246 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.187.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout uauth 0:05:00 absolute
group-policy SSL_VPN internal
group-policy SSL_VPN attributes
dns-server value 192.168.0.240 192.168.0.245
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_VPN
split-dns value blah.local
address-pools value VPN_POOL
webvpn
functions url-entry file-access file-entry file-browsing mapi
port-forward filter http-proxy auto-download citrix
svc required
svc keep-installer installed
username cmahoney password * encrypted privilege 15
username cmahoney attributes
vpn-group-policy SSL_VPN
webvpn
functions url-entry file-access file-entry file-browsing mapi
port-forward filter http-proxy auto-download citrix
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.51.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service resetoutbound interface outside
no service resetoutbound interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable outside
tunnel-group SSL_VPN type webvpn
tunnel-group SSL_VPN general-attributes
address-pool VPN_POOL
default-group-policy SSL_VPN
tunnel-group SSL_VPN webvpn-attributes
hic-fail-group-policy SSL_VPN
nbns-server 192.168.0.240 master timeout 2 retry 2
group-alias SSL_VPN enable
dns-group Internal_DNS
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.51.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect esmtp
!
service-policy global_policy global
ntp authenticate
ntp server 193.162.159.97 source outside prefer
webvpn
port 4100
enable outside
enable inside
svc image disk0:/stc.pkg 1
svc enable
tunnel-group-list enable
smtp-server 192.168.0.246 192.168.0.245
prompt hostname context
Cryptochecksum:81fc86e75f175aa1034e32718b20ba0e
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

"Chad Mahoney" <> wrote in message
news:...
> Hi Group,
>
>
> I have an ASA 5510 7.2(2) code.
>
> Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
> for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
> 0:00:01 bytes 39928 TCP FINs
> Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
> 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
>
>
snip

Chad,

This rings a big alarm bell. Could be off radar here but we had massive
problems recently with the same typer of issue.

Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
a hard coded 100 full to auto duplex auto speed. Since we have done this no
more problems.

I know the Cisco preference is to hard code but in the end we had to change
it to get it fixed.

Hope that helps.

Regards

Darren

Darren Green wrote:
> Chad,
>
> This rings a big alarm bell. Could be off radar here but we had massive
> problems recently with the same typer of issue.
>
> Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
> a hard coded 100 full to auto duplex auto speed. Since we have done this no
> more problems.
>
> I know the Cisco preference is to hard code but in the end we had to change
> it to get it fixed.
>
> Hope that helps.
>
> Regards
>
> Darren
>
>

Darren,

Thanks for the reply, which side are you talking about the
inside,outside or both? Also I should elaborate more, in talking with
Cisco TAC we found the issue could be because our multilink T-1's to a
Cisco 2600, I am currently looking at that config to see if anything
stands out:

aof-rtr-01#sh conf
Using 1331 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname aof-rtr-01
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 debugging
no logging console
enable secret 5 *
enable password 7 *
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Multilink1
ip address x.x.187.202 255.255.255.252
no cdp enable
ppp multilink
ppp multilink fragment delay 10
ppp multilink group 1
!
interface FastEthernet0/0
ip address x.x.187.190 255.255.255.240
speed 100
full-duplex
no cdp enable
no mop enabled
!
interface Serial0/0
description T1 to USLEC S0/0
no ip address
encapsulation ppp
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/1
description T1 to USLEC S0/1
no ip address
encapsulation ppp
no ip mroute-cache
no fair-queue
no cdp enable
ppp multilink
ppp multilink group 1
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.187.201
!
!
logging trap debugging
logging x
no cdp run
!
!
snmp-server community * RO
bridge 1 protocol ieee
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 06545678491E5A1D0C4446
login
!
ntp server 192.43.244.18
!
end


If any has any suggestions I am certainly open to them, as I am no
router guru.

>
> Darren,
>
> Thanks for the reply, which side are you talking about the inside,outside
> or both? Also I should elaborate more, in talking with Cisco TAC we found
> the issue could be because our multilink T-1's to a Cisco 2600, I am
> currently looking at that config to see if anything stands out:
>
> aof-rtr-01#sh conf
> Using 1331 out of 29688 bytes
> !
> version 12.3
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname aof-rtr-01
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 10000 debugging
> no logging console
> enable secret 5 *
> enable password 7 *
> !
> no aaa new-model
> ip subnet-zero
> !
> !
> !
> ip cef
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface Multilink1
> ip address x.x.187.202 255.255.255.252
> no cdp enable
> ppp multilink
> ppp multilink fragment delay 10
> ppp multilink group 1
> !
> interface FastEthernet0/0
> ip address x.x.187.190 255.255.255.240
> speed 100
> full-duplex
> no cdp enable
> no mop enabled
> !
> interface Serial0/0
> description T1 to USLEC S0/0
> no ip address
> encapsulation ppp
> no ip mroute-cache
> no fair-queue
> no cdp enable
> ppp multilink
> ppp multilink group 1
> !
> interface Serial0/1
> description T1 to USLEC S0/1
> no ip address
> encapsulation ppp
> no ip mroute-cache
> no fair-queue
> no cdp enable
> ppp multilink
> ppp multilink group 1
> !
> no ip http server
> ip classless
> ip route 0.0.0.0 0.0.0.0 x.x.187.201
> !
> !
> logging trap debugging
> logging x
> no cdp run
> !
> !
> snmp-server community * RO
> bridge 1 protocol ieee
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> password 7 06545678491E5A1D0C4446
> login
> !
> ntp server 192.43.244.18
> !
> end
>
>
> If any has any suggestions I am certainly open to them, as I am no router
> guru.

Chad,

We had a mail server sat off a Cisco 2950 on the DMZ port of the ASA. All
ports - inside, outside and DMZ were hard coded to 100 full. Our issues were
resolved when we modified the interface where the server sat i.e. DMZ to
auto auto.

I have noticed a number of drops on the inside interface also - again
recently I modified this to auto auto and am keeping an eye on things
presently.

I must say the debug output you enclosed originally was uncannily similar
from memory.Connections opened and reset within one or less seconds - many
times over.

If it turns out to be something else let us know.

Regards

Darren

"Chad Mahoney" <> wrote in message
news:...
> Hi Group,
>
>
> I have an ASA 5510 7.2(2) code.
>
> Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
> for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
> 0:00:01 bytes 39928 TCP FINs
> Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
> 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
>
>
> I am having some issues with intermittent traffic flow problem, what I am
> finding is as shown above, the translation for a connection is being torn
> down and the next log entry is then denied because the translation was
> deleted but was in fact the same connection/translation, like there was
> more data to be sent. This is causing some mail flow issues where email is
> leaving the senders network and is seen hitting mine but the email never
> shows up to the mail server. I have a TAC case open but have not been to
> successful with them as of yet.
>
>
Chad,

Something else that I recall reading a while ago in this group posted
originally by Brian V. See link below:

http://groups.google.co.uk/group/com...c389cd6a370de2

Title: DNS Fixup/Inspect Pix/ASA 7.0 or greater breaking email

Regards

Darren

Wow.... This is Wild!!!!

I had the same issue. My asa5510 would just stop processing data. It
wouldn't crash, just stopped passing data. I worked with Cisco for a
couple of days and we found the following:

The ASA or Switch (HP in this case) would not negogiate properly. Even
though both were hard coded to 100Full I was seeing CRC errors. I've
since moved them both to auto and have not had a problem. I too am
running version 7.2.2 ...


Darren Green wrote:
> "Chad Mahoney" <> wrote in message
> news:...
> > Hi Group,
> >
> >
> > I have an ASA 5510 7.2(2) code.
> >
> > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
> > for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
> > 0:00:01 bytes 39928 TCP FINs
> > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
> > 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
> >
> >
> snip
>
> Chad,
>
> This rings a big alarm bell. Could be off radar here but we had massive
> problems recently with the same typer of issue.
>
> Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
> a hard coded 100 full to auto duplex auto speed. Since we have done this no
> more problems.
>
> I know the Cisco preference is to hard code but in the end we had to change
> it to get it fixed.
>
> Hope that helps.
>
> Regards
>
> Darren

Well I have found this is not an issue with the duplex settings, it
appears after some sniffing of traffic, that the reason for this error
appears when you have 2 T-1 lines in a Multilink setup, the router is
not assembling packets/frames in the proper order, so the firewall is
dropping the connection forcing the packets to be retransmitted over and
over again, I am running some loopback tests on my router tonight to
find out if the router is the issue or the carrier is the issue.

Thanks for the reply....

Chad

garrisb wrote:
> Wow.... This is Wild!!!!
>
> I had the same issue. My asa5510 would just stop processing data. It
> wouldn't crash, just stopped passing data. I worked with Cisco for a
> couple of days and we found the following:
>
> The ASA or Switch (HP in this case) would not negogiate properly. Even
> though both were hard coded to 100Full I was seeing CRC errors. I've
> since moved them both to auto and have not had a problem. I too am
> running version 7.2.2 ...
>
>

[canadianits]

HI
I am Facing the Same thing,

I Have an Internal Network with IP Address 10.90.3.0 and the Asa is connecting me to an other network thru Cisco 2800 to ip Address 192.168.82.100
I am Able to ping the Server and it is sucessful but some applications are not work,
Same error Because not associated with Conection i think it might be a problem in router nating issues

What do you recomend?

[ironnickro]

Hi Chad,

I am facing the same issue, the only difference being the fact that our multilink is made of 2xE1 circuits.
Could you tell me if the problem was indeed with the ppp multilink or not.

Thank you very much.

Iahim Pmac

[empir3]

Any updates guys? We appear to be having the same issue. New 5510 connecting to 2800 router. When the ASA was set to auto/auto it showed 100/half because the 2800 was set to 100/full hardcoded. We hardcoded the ASA to 100/full and the link status shows correct, but we're seeing latency on the line that is difficult to troubleshoot. The guys that manage the router aren't much help thus far, indicating things look "okay on their side". We might try having them set to auto/auto and do the same on our side. Will post an update if/when we figure this out. Thanks!