ASA 5510 Issue

Discussion in 'Cisco' started by Chad Mahoney, Jan 5, 2007.

  1. Chad Mahoney

    Chad Mahoney Guest

    Hi Group,


    I have an ASA 5510 running 7.2(2) code.

    Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
    for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
    0:00:01 bytes 39928 TCP FINs
    Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
    192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside


    I am having some issues with an intermittent traffic flow problem. What I
    am finding is, as shown above, that the translation for a connection is
    being torn down and the next log entry is then denied because the
    translation was deleted, but it was in fact the same
    connection/translation, like there was more data to be sent. This is
    causing some mail flow issues where email is leaving the sender's network
    and is seen hitting mine, but the email never shows up at the mail server.
    I have a TAC case open but have not been too successful with them as of
    yet.


    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname aof-fw-01
    domain-name blah.local
    enable password * encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    description Connection to the Internet
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address x.x.187.177 255.255.255.240
    !
    interface Ethernet0/1
    description Connection to Internal Network
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd * encrypted
    boot system disk0:/asa722-k8.bin
    boot system disk0:/asa721-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    domain-name blah.local
    dns server-group Internal_DNS
    name-server 192.168.0.240
    domain-name amone.local
    access-list outside_access_in extended permit icmp any host x.x.187.177 echo-reply
    access-list outside_access_in extended permit icmp any host x.x.187.177 time-exceeded
    access-list outside_access_in extended permit ip any host x.x.187.181
    access-list outside_access_in extended permit ip any host x.x.187.182
    access-list outside_access_in extended permit tcp any host x.x.187.189 eq smtp
    access-list outside_access_in extended permit tcp any host x.x.187.188 eq https
    access-list outside_access_in extended permit tcp host 70.91.116.209 host x.x.187.188 eq smtp
    access-list outside_access_in extended permit tcp any host x.x.187.188 eq www
    access-list outside_access_in extended permit tcp any host x.x.187.188 eq pop3
    access-list SSL_VPN standard permit 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap debugging
    logging from-address
    logging recipient-address level errors
    logging host inside 192.168.0.241
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool VPN_POOL 192.168.51.1-192.168.51.254 mask 255.255.255.0
    no failover
    monitor-interface outside
    monitor-interface inside
    monitor-interface management
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any outside
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.0.0 255.255.255.0
    static (inside,outside) tcp x.x.187.188 https 192.168.0.245 https netmask 255.255.255.255
    static (inside,outside) tcp x.x.187.188 www 192.168.0.245 www netmask 255.255.255.255
    static (inside,outside) tcp x.x.187.188 pop3 192.168.0.245 pop3 netmask 255.255.255.255
    static (inside,outside) tcp x.x.187.188 smtp 192.168.0.245 smtp netmask 255.255.255.255
    static (inside,outside) x.x.187.181 192.168.0.179 netmask 255.255.255.255
    static (inside,outside) x.x.187.182 192.168.0.178 netmask 255.255.255.255
    static (inside,outside) x.x.187.189 192.168.0.246 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.187.190 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy SSL_VPN internal
    group-policy SSL_VPN attributes
    dns-server value 192.168.0.240 192.168.0.245
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SSL_VPN
    split-dns value blah.local
    address-pools value VPN_POOL
    webvpn
    functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
    svc required
    svc keep-installer installed
    username cmahoney password * encrypted privilege 15
    username cmahoney attributes
    vpn-group-policy SSL_VPN
    webvpn
    functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.51.0 255.255.255.0 outside
    http 192.168.1.0 255.255.255.0 management
    http 192.168.0.0 255.255.255.0 inside
    http x.x.x.x 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no service resetoutbound interface outside
    no service resetoutbound interface inside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto isakmp enable outside
    tunnel-group SSL_VPN type webvpn
    tunnel-group SSL_VPN general-attributes
    address-pool VPN_POOL
    default-group-policy SSL_VPN
    tunnel-group SSL_VPN webvpn-attributes
    hic-fail-group-policy SSL_VPN
    nbns-server 192.168.0.240 master timeout 2 retry 2
    group-alias SSL_VPN enable
    dns-group Internal_DNS
    telnet timeout 5
    ssh x.x.x.x 255.255.255.255 outside
    ssh 192.168.51.0 255.255.255.0 outside
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect esmtp
    !
    service-policy global_policy global
    ntp authenticate
    ntp server 193.162.159.97 source outside prefer
    webvpn
    port 4100
    enable outside
    enable inside
    svc image disk0:/stc.pkg 1
    svc enable
    tunnel-group-list enable
    smtp-server 192.168.0.246 192.168.0.245
    prompt hostname context
    Cryptochecksum:81fc86e75f175aa1034e32718b20ba0e
    : end
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    Chad Mahoney, Jan 5, 2007
    #1
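    The two syslog lines in the post are a pair worth correlating rather than reading one at a time: %ASA-6-302014 is the ASA removing a connection from its table (here after seeing FINs in both directions), and %ASA-6-106015 is a later TCP segment on the same 5-tuple being dropped because no connection exists any more. One stale RST trailing a FIN close is unremarkable; many of them, for short-lived, high-byte-count connections to the SMTP server, is the pattern described above. The script below is an added example (not from the original post) that parses both message types from an exported ASA syslog, matches them direction-agnostically, and reports each RST that arrived within a few seconds of the teardown of its own flow. The sample log is constructed from the two lines in the post plus one normal close for contrast; the five-second window and the field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the two lines from the original post, followed by a normal
# close (teardown with no stale RST behind it) for contrast.
SAMPLE_LOG = """\
Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
Jan 4 10:12:05 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691200 for outside:203.0.113.7/51000 to inside:192.168.0.246/25 duration 0:00:09 bytes 12034 TCP FINs
"""

TS_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s')
TEARDOWN_RE = re.compile(
    r'%ASA-\d-302014: Teardown TCP connection (\d+) for '
    r'(\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+) duration (\d+:\d\d:\d\d) bytes (\d+) (.*)$')
DENY_RE = re.compile(
    r'%ASA-\d-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) '
    r'flags (\S+) on interface (\w+)')


def flow_key(ip_a, port_a, ip_b, port_b):
    """Direction-agnostic key: the teardown lists outside->inside, the deny inside->outside."""
    return frozenset({(ip_a, int(port_a)), (ip_b, int(port_b))})


def parse_ts(line):
    m = TS_RE.match(line)
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def find_orphaned_rsts(log_text, window_seconds=5):
    """One finding per 106015 RST that follows a 302014 teardown of the same flow within the window."""
    teardowns, findings = {}, []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        m = TEARDOWN_RE.search(line)
        if m:
            conn_id, _, sip, sport, _, dip, dport, duration, nbytes, reason = m.groups()
            teardowns[flow_key(sip, sport, dip, dport)] = {
                "ts": ts, "conn": conn_id, "duration": duration,
                "bytes": int(nbytes), "reason": reason.strip()}
            continue
        m = DENY_RE.search(line)
        if m:
            sip, sport, dip, dport, flags, iface = m.groups()
            prior = teardowns.get(flow_key(sip, sport, dip, dport))
            if prior and ts and prior["ts"]:
                gap = (ts - prior["ts"]).total_seconds()
                if 0 <= gap <= window_seconds:
                    findings.append({
                        "conn": prior["conn"], "teardown_reason": prior["reason"],
                        "duration": prior["duration"], "bytes": prior["bytes"],
                        "rst_from": f"{sip}/{sport}", "rst_to": f"{dip}/{dport}",
                        "flags": flags, "interface": iface, "gap_seconds": gap})
    return findings


def by_internal_host(findings):
    """Count findings per host that sent the stale RST (in the thread, the inside mail server)."""
    counts = {}
    for f in findings:
        host = f["rst_from"].split("/")[0]
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_orphaned_rsts(SAMPLE_LOG)
    for f in results:
        print(f"conn {f['conn']} ({f['teardown_reason']}, {f['bytes']} bytes in {f['duration']}) "
              f"-> RST from {f['rst_from']} denied on {f['interface']} {f['gap_seconds']:.0f}s later")
    print(by_internal_host(results))
```

    Run against a real export, the per-host counts tell you whether the problem is confined to one server (as in the thread, where only the SMTP host appears) or is hitting every inside host, which separates a path or inspection problem for one service from a link-level fault on the interface.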

  2. Chad Mahoney

    Darren Green Guest

    "Chad Mahoney" <> wrote in message
    news:...
    > Hi Group,
    >
    >
    > I have an ASA 5510 running 7.2(2) code.
    >
    > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
    > for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
    > 0:00:01 bytes 39928 TCP FINs
    > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
    > 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
    >
    >

    snip

    Chad,

    This rings a big alarm bell. Could be off radar here but we had massive
    problems recently with the same type of issue.

    Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
    a hard coded 100 full to auto duplex auto speed. Since we have done this no
    more problems.

    I know the Cisco preference is to hard code but in the end we had to change
    it to get it fixed.

    Hope that helps.

    Regards

    Darren
    Darren Green, Jan 5, 2007
    #2

  3. Chad Mahoney

    Chad Mahoney Guest

    Re: ASA 5510 Issue / Multilink Issue ?

    Darren Green wrote:
    > Chad,
    >
    > This rings a big alarm bell. Could be off radar here but we had massive
    > problems recently with the same type of issue.
    >
    > Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
    > a hard coded 100 full to auto duplex auto speed. Since we have done this no
    > more problems.
    >
    > I know the Cisco preference is to hard code but in the end we had to change
    > it to get it fixed.
    >
    > Hope that helps.
    >
    > Regards
    >
    > Darren
    >
    >


    Darren,

    Thanks for the reply, which side are you talking about the
    inside,outside or both? Also I should elaborate more, in talking with
    Cisco TAC we found the issue could be because our multilink T-1's to a
    Cisco 2600, I am currently looking at that config to see if anything
    stands out:

    aof-rtr-01#sh conf
    Using 1331 out of 29688 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname aof-rtr-01
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 10000 debugging
    no logging console
    enable secret 5 *
    enable password 7 *
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    ip cef
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Multilink1
    ip address x.x.187.202 255.255.255.252
    no cdp enable
    ppp multilink
    ppp multilink fragment delay 10
    ppp multilink group 1
    !
    interface FastEthernet0/0
    ip address x.x.187.190 255.255.255.240
    speed 100
    full-duplex
    no cdp enable
    no mop enabled
    !
    interface Serial0/0
    description T1 to USLEC S0/0
    no ip address
    encapsulation ppp
    no ip mroute-cache
    no fair-queue
    no cdp enable
    ppp multilink
    ppp multilink group 1
    !
    interface Serial0/1
    description T1 to USLEC S0/1
    no ip address
    encapsulation ppp
    no ip mroute-cache
    no fair-queue
    no cdp enable
    ppp multilink
    ppp multilink group 1
    !
    no ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 x.x.187.201
    !
    !
    logging trap debugging
    logging x
    no cdp run
    !
    !
    snmp-server community * RO
    bridge 1 protocol ieee
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password 7 06545678491E5A1D0C4446
    login
    !
    ntp server 192.43.244.18
    !
    end


    If anyone has any suggestions I am certainly open to them, as I am no
    router guru.
    Chad Mahoney, Jan 5, 2007
    #3
  4. Chad Mahoney

    Darren Green Guest

    Re: ASA 5510 Issue / Multilink Issue ?

    >
    > Darren,
    >
    > Thanks for the reply, which side are you talking about the inside,outside
    > or both? Also I should elaborate more, in talking with Cisco TAC we found
    > the issue could be because our multilink T-1's to a Cisco 2600, I am
    > currently looking at that config to see if anything stands out:
    >
    > aof-rtr-01#sh conf
    > Using 1331 out of 29688 bytes
    > !
    > version 12.3
    > service timestamps debug datetime msec
    > service timestamps log datetime msec
    > service password-encryption
    > !
    > hostname aof-rtr-01
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > logging buffered 10000 debugging
    > no logging console
    > enable secret 5 *
    > enable password 7 *
    > !
    > no aaa new-model
    > ip subnet-zero
    > !
    > !
    > !
    > ip cef
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > !
    > interface Multilink1
    > ip address x.x.187.202 255.255.255.252
    > no cdp enable
    > ppp multilink
    > ppp multilink fragment delay 10
    > ppp multilink group 1
    > !
    > interface FastEthernet0/0
    > ip address x.x.187.190 255.255.255.240
    > speed 100
    > full-duplex
    > no cdp enable
    > no mop enabled
    > !
    > interface Serial0/0
    > description T1 to USLEC S0/0
    > no ip address
    > encapsulation ppp
    > no ip mroute-cache
    > no fair-queue
    > no cdp enable
    > ppp multilink
    > ppp multilink group 1
    > !
    > interface Serial0/1
    > description T1 to USLEC S0/1
    > no ip address
    > encapsulation ppp
    > no ip mroute-cache
    > no fair-queue
    > no cdp enable
    > ppp multilink
    > ppp multilink group 1
    > !
    > no ip http server
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 x.x.187.201
    > !
    > !
    > logging trap debugging
    > logging x
    > no cdp run
    > !
    > !
    > snmp-server community * RO
    > bridge 1 protocol ieee
    > !
    > !
    > !
    > !
    > line con 0
    > line aux 0
    > line vty 0 4
    > password 7 06545678491E5A1D0C4446
    > login
    > !
    > ntp server 192.43.244.18
    > !
    > end
    >
    >
    > If anyone has any suggestions I am certainly open to them, as I am no router
    > guru.


    Chad,

    We had a mail server sat off a Cisco 2950 on the DMZ port of the ASA. All
    ports - inside, outside and DMZ were hard coded to 100 full. Our issues were
    resolved when we modified the interface where the server sat i.e. DMZ to
    auto auto.

    I have noticed a number of drops on the inside interface also - again
    recently I modified this to auto auto and am keeping an eye on things
    presently.

    I must say the debug output you enclosed originally was uncannily similar
    from memory. Connections opened and reset within one or less seconds - many
    times over.

    If it turns out to be something else let us know.

    Regards

    Darren
    Darren Green, Jan 5, 2007
    #4
  5. Chad Mahoney

    Darren Green Guest

    "Chad Mahoney" <> wrote in message
    news:...
    > Hi Group,
    >
    >
    > I have an ASA 5510 running 7.2(2) code.
    >
    > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
    > for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
    > 0:00:01 bytes 39928 TCP FINs
    > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
    > 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
    >
    >
    > I am having some issues with an intermittent traffic flow problem. What I
    > am finding is, as shown above, that the translation for a connection is
    > being torn down and the next log entry is then denied because the
    > translation was deleted, but it was in fact the same connection/translation,
    > like there was more data to be sent. This is causing some mail flow issues
    > where email is leaving the sender's network and is seen hitting mine, but
    > the email never shows up at the mail server. I have a TAC case open but have
    > not been too successful with them as of yet.
    >
    >

    Chad,

    Something else that I recall reading a while ago in this group posted
    originally by Brian V. See link below:

    http://groups.google.co.uk/group/co...co dnssec email&rnum=5&hl=en#d1c389cd6a370de2

    Title: DNS Fixup/Inspect Pix/ASA 7.0 or greater breaking email

    Regards

    Darren
    Darren Green, Jan 5, 2007
    #5
  6. Chad Mahoney

    garrisb Guest

    Wow.... This is Wild!!!!

    I had the same issue. My asa5510 would just stop processing data. It
    wouldn't crash, just stopped passing data. I worked with Cisco for a
    couple of days and we found the following:

    The ASA or Switch (HP in this case) would not negotiate properly. Even
    though both were hard coded to 100Full I was seeing CRC errors. I've
    since moved them both to auto and have not had a problem. I too am
    running version 7.2.2 ...


    Darren Green wrote:
    > "Chad Mahoney" <> wrote in message
    > news:...
    > > Hi Group,
    > >
    > >
    > > I have an ASA 5510 running 7.2(2) code.
    > >
    > > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135
    > > for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration
    > > 0:00:01 bytes 39928 TCP FINs
    > > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from
    > > 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
    > >
    > >

    > snip
    >
    > Chad,
    >
    > This rings a big alarm bell. Could be off radar here but we had massive
    > problems recently with the same type of issue.
    >
    > Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
    > a hard coded 100 full to auto duplex auto speed. Since we have done this no
    > more problems.
    >
    > I know the Cisco preference is to hard code but in the end we had to change
    > it to get it fixed.
    >
    > Hope that helps.
    >
    > Regards
    >
    > Darren
    garrisb, Jan 11, 2007
    #6
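    Three replies in this thread point at the same link-level cause: a hard-coded 100/full port whose peer is not actually running 100/full. The tell-tale counters are asymmetric. The side running full duplex sees CRC errors and runts (the half-duplex peer's collision fragments), while the side running half duplex logs late collisions. Both garrisb and Darren describe exactly the first half of that picture. The script below is an added example, not from any post in the thread, that reads captured `show interface` output from an ASA, pulls the configured and negotiated duplex/speed plus the relevant error counters for each interface, and flags the two mismatch signatures. The sample output is constructed to follow the ASA's line layout with invented numbers; the issue labels are my own.

```python
import re

# Constructed sample modelled on ASA 'show interface' output: the counter lines
# follow the layout the ASA prints, but the interface stats are invented.
SAMPLE_SHOW_INTERFACE = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0011.2233.4455, MTU 1500
        184233 packets input, 90112233 bytes, 0 no buffer
        Received 1203 broadcasts, 312 runts, 0 giants
        1421 input errors, 1387 CRC, 34 frame, 0 overrun, 0 ignored, 0 abort
        201776 packets output, 120889213 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
Interface Ethernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0011.2233.4456, MTU 1500
        301200 packets input, 150223344 bytes, 0 no buffer
        Received 980 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        288811 packets output, 99887766 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
# Matches both 'Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)' (forced) and
# 'Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)' (negotiated).
DUPLEX_RE = re.compile(r'(\S+)\((\S+)-duplex\), (\S+(?: Mbps)?)\((\d+) Mbps\)')


def _counter(block, label):
    """Integer printed immediately before `label` in the block, e.g. '1387 CRC' -> 1387."""
    m = re.search(r'(\d+) ' + re.escape(label) + r'\b', block)
    return int(m.group(1)) if m else 0


def assess_interfaces(show_output):
    """Per interface: configured/operational duplex and speed, error counters, and flagged issues."""
    report = {}
    # Split at each 'Interface ...' header so every chunk carries its own counters.
    for chunk in re.split(r'(?m)^(?=Interface \S+ ")', show_output):
        head = IFACE_RE.match(chunk)
        if not head:
            continue
        name = head.group(2) or head.group(1)  # nameif when present, else the physical name
        dm = DUPLEX_RE.search(chunk)
        cfg_duplex, oper_duplex, cfg_speed, oper_speed = dm.groups() if dm else ("?", "?", "?", "0")
        entry = {
            "configured_duplex": cfg_duplex, "operational_duplex": oper_duplex,
            "configured_speed": cfg_speed, "operational_speed_mbps": int(oper_speed),
            "input_errors": _counter(chunk, "input errors"),
            "crc": _counter(chunk, "CRC"),
            "runts": _counter(chunk, "runts"),
            "late_collisions": _counter(chunk, "late collisions"),
            "issues": [],
        }
        # Full-duplex port facing a half-duplex peer: CRC errors and runts climb.
        if oper_duplex.lower() == "full" and (entry["crc"] or entry["runts"]):
            entry["issues"].append("crc-or-runts-on-full-duplex")
        # Half-duplex port facing a full-duplex peer: late collisions climb.
        if entry["late_collisions"]:
            entry["issues"].append("late-collisions")
        # Errors on a hard-coded port mean the peer's setting must be checked, not assumed.
        if entry["issues"] and cfg_duplex.lower() != "auto-duplex":
            entry["issues"].append("hard-coded-duplex-check-peer")
        report[name] = entry
    return report


if __name__ == "__main__":
    for name, e in assess_interfaces(SAMPLE_SHOW_INTERFACE).items():
        print(f"{name}: {e['configured_duplex']} -> {e['operational_duplex']}-duplex "
              f"{e['operational_speed_mbps']} Mbps, CRC={e['crc']} runts={e['runts']} "
              f"late={e['late_collisions']} issues={e['issues'] or 'none'}")
```

    Counters only move while the fault is present, so clear them (`clear interface`) and sample twice a few minutes apart; a port whose CRC count is still climbing after both ends were verified to be on the same setting points at cabling or the peer's hardware rather than configuration, which is the distinction Chad eventually had to make.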
  7. Chad Mahoney

    Chad Mahoney Guest

    Well I have found this is not an issue with the duplex settings, it
    appears after some sniffing of traffic, that the reason for this error
    appears when you have 2 T-1 lines in a Multilink setup, the router is
    not assembling packets/frames in the proper order, so the firewall is
    dropping the connection forcing the packets to be retransmitted over and
    over again, I am running some loopback tests on my router tonight to
    find out if the router is the issue or the carrier is the issue.

    Thanks for the reply....

    Chad

    garrisb wrote:
    > Wow.... This is Wild!!!!
    >
    > I had the same issue. My asa5510 would just stop processing data. It
    > wouldn't crash, just stopped passing data. I worked with Cisco for a
    > couple of days and we found the following:
    >
    > The ASA or Switch (HP in this case) would not negotiate properly. Even
    > though both were hard coded to 100Full I was seeing CRC errors. I've
    > since moved them both to auto and have not had a problem. I too am
    > running version 7.2.2 ...
    >
    >
    Chad Mahoney, Jan 12, 2007
    #7
  8. Chad Mahoney

    canadianits

    Joined:
    Sep 17, 2009
    Messages:
    1
    ASA 5510 (No Connection) Issue

    Hi,
    I am facing the same thing.

    I have an internal network with IP address 10.90.3.0, and the ASA is connecting me to another network through a Cisco 2800 to IP address 192.168.82.100.
    I am able to ping the server and it is successful, but some applications are not working.
    Same error, because it is not associated with a connection. I think it might be a problem with NATing on the router.

    What do you recommend?
    canadianits, Sep 17, 2009
    #8
  9. Chad Mahoney

    ironnickro

    Joined:
    Dec 30, 2010
    Messages:
    1
    Hi Chad,

    I am facing the same issue, the only difference being the fact that our multilink is made of 2xE1 circuits.
    Could you tell me if the problem was indeed with the PPP multilink or not?

    Thank you very much.

    Iahim Pmac
    ironnickro, Dec 30, 2010
    #9
  10. Chad Mahoney

    empir3

    Joined:
    Feb 4, 2011
    Messages:
    1
    Any Updates?

    Any updates guys? We appear to be having the same issue. New 5510 connecting to 2800 router. When the ASA was set to auto/auto it showed 100/half because the 2800 was set to 100/full hardcoded. We hardcoded the ASA to 100/full and the link status shows correct, but we're seeing latency on the line that is difficult to troubleshoot. The guys that manage the router aren't much help thus far, indicating things look "okay on their side". We might try having them set to auto/auto and do the same on our side. Will post an update if/when we figure this out. Thanks!
    empir3, Feb 4, 2011
    #10
  11. Chad Mahoney

    sysengrnz

    Joined:
    Apr 10, 2012
    Messages:
    1
    Fix

    Hi,

    I have come across this during my journeys. This is an issue with the ESMTP inspection. Remove this from the inspect rules and you will find that traffic will flow optimally.

    We updated an ASA from 6.2(1) to 6.4(5) and what we had found is that ESMTP was now inspected by default. This caused SMTP traffic to not flow correctly. We disabled the inspection on the ASA to resolve this fault as we had a Web Marshal that performed the SMTP inspection.

    I would recommend giving this a crack and let me know how you get on.
    sysengrnz, Apr 10, 2012
    #11
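    The last reply blames ESMTP inspection, and the original configuration posted at the top of the thread does carry `inspect esmtp` in `class inspection_default` of `global_policy`, which is the policy applied with `service-policy global_policy global`. Before touching it, it helps to see exactly which inspections a running-config enables and where, especially after an upgrade that may have added entries to the default policy. The script below is an added example, not from the thread, that parses the policy-map/class/inspect hierarchy from an ASA running-config, names the globally applied policy, and produces the three CLI lines that would remove ESMTP inspection from it (or nothing, if it is not enabled). The sample config is the excerpt from Chad's post with the ASA's usual one-space nesting restored. Removing the inspection also removes the protocol checks it enforces on port 25, so the intent is to confirm the cause with a packet capture, then decide whether to disable or tune it.

```python
import re

# Constructed excerpt: the global service policy as posted in the thread, with the
# indentation the ASA prints in a running-config restored.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
"""


def parse_policy_maps(cfg):
    """Return {policy_map_name: {class_name: [inspect arguments, ...]}}."""
    policies, current_policy, current_class = {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes the current block
            current_policy = current_class = None
            continue
        if line.startswith("policy-map "):
            # The name is the last token, which also covers 'policy-map type inspect dns NAME'.
            current_policy = line.split()[-1]
            policies[current_policy] = {}
            current_class = None
        elif current_policy and line.startswith("class "):
            current_class = line.split(maxsplit=1)[1]
            policies[current_policy][current_class] = []
        elif current_policy and current_class and line.startswith("inspect "):
            policies[current_policy][current_class].append(line.split(maxsplit=1)[1])
    return policies


def global_policy_name(cfg):
    """Name of the policy-map applied with 'service-policy <name> global', or None."""
    m = re.search(r'^\s*service-policy (\S+) global\s*$', cfg, re.M)
    return m.group(1) if m else None


def inspections_for(cfg, protocol):
    """(policy, class) pairs whose inspect list includes the given protocol keyword."""
    hits = []
    for pol, classes in parse_policy_maps(cfg).items():
        for cls, inspects in classes.items():
            if any(i.split()[0] == protocol for i in inspects):
                hits.append((pol, cls))
    return hits


def esmtp_removal_commands(cfg):
    """CLI lines that remove ESMTP inspection from the globally applied policy; [] if it is not there."""
    gp = global_policy_name(cfg)
    cmds = []
    for pol, cls in inspections_for(cfg, "esmtp"):
        if pol == gp:
            cmds += [f"policy-map {pol}", f" class {cls}", "  no inspect esmtp"]
    return cmds


if __name__ == "__main__":
    for pol, classes in parse_policy_maps(SAMPLE_CONFIG).items():
        for cls, inspects in classes.items():
            print(f"{pol} / {cls}: {', '.join(i.split()[0] for i in inspects)}")
    print("globally applied:", global_policy_name(SAMPLE_CONFIG))
    print("\n".join(esmtp_removal_commands(SAMPLE_CONFIG)) or "esmtp inspection not enabled globally")
```

    The same parser answers the upgrade question in the post (diff the inspect lists from the pre- and post-upgrade configs) and generalises to any other inspection by changing the protocol keyword passed to `inspections_for`.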
