Thank you to all for your replies and advice over the weekend. We are treating the situation as a DoS originating from within our network and are locking things down accordingly. You may be hearing from me again soon depending on how things go!
Adam

From: John Kougoulos [mailto:john.kougou...@gmail.com]
Sent: Saturday, February 01, 2014 4:30 PM
To: Adam Greene
Cc: cisco-nsp@puck.nether.net NSP
Subject: Re: [c-nsp] ASA5520 latency & OSPF drops

Hi,

since you don't lose the OSPF session between 5520 and 2921, I would say that this is not related to ASA CPU, DoS from Internet etc. This would also suggest that 2950G in general works ok.

The vlan that connects 3750 to 5520 exists only in 2950G and only these 2 devices are connected? Would it be possible that there is some kind of spanning tree instability issue in this VLAN that causes this?

Other than this, I would watch the ASA logs carefully, possibly upgrade to the latest 8.2 in case that there is a bug that could lead to some kind of blocking of the input queue.

Also I think there is a "show memory xxx" command that allows you to see how much memory is allocated / freed per process since boot. This might give you a hint on which process allocates these few megabytes when the issue occurs.

Regards,
John

On Sat, Feb 1, 2014 at 8:39 PM, Adam Greene <maill...@webjogger.net> wrote:

Octavio,

> What about pings from the external world to the ASA?

These appear normal, since the ASA5520---2921 OSPF session is not dropping.

> Also, I'd increase logging verbosity to a Syslog server with an interface connected to each side of the ASA.

Good idea.

> And I'd also be prepared to do a packet capture on both sides of the ASA for the next time it happens.

Tough since they occur so sporadically, and up to now have been relatively brief. I wonder if there is some way to trigger a capture upon a specific event occurring. Or maybe we will just have to keep tons of logs which roll over, and hope we catch something. We generally have about 40Mbps pumping through the unit. That's a lot of data, and a fast rollover.

> You mention spares (I assume cold spares) but also OSPF, do you have your devices HA?

Yes, cold spares. Devices are not HA.
I have seen posts about OSPF failing in 8.2 when the active host of a failover pair fails, due to a bug, but that doesn't seem to be our case here as far as I can tell.

Any other ideas welcome. Sounds like people's thoughts are tending toward DoS ...

Thanks,
Adam

-----Original Message-----
From: Octavio Alvarez [mailto:alvar...@alvarezp.ods.org]
Sent: Saturday, February 01, 2014 1:24 PM
To: Adam Greene
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA5520 latency & OSPF drops

On 02/01/2014 08:27 AM, Adam Greene wrote:
> Every so often (it started three months ago, about once per month, now
> it's about once per week, but it's not regular), we're getting very
> high latency on pings from our Internal Network to the ASA5520, and
> the OSPF adjacency between the 3750 and the ASA5520 is dropping. The
> issue was lasting about 60 seconds each time up to this morning, when it lasted about 3 hours. Ugh!
>
> Pings from the Internal Network to the 3750 and 2950G are fine.

What about pings from the external world to the ASA?

Also, I'd increase logging verbosity to a Syslog server with an interface connected to each side of the ASA.

And I'd also be prepared to do a packet capture on both sides of the ASA for the next time it happens.

You mention spares (I assume cold spares) but also OSPF, do you have your devices HA?

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
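Adam asks above whether a capture can be triggered on a specific event instead of keeping rolling captures of a 40Mbps link. The following is an added example, not code from anyone in this thread, of the detection half of that idea: it reads ping output toward the firewall's inside address, fires once a run of replies is slow or lost, and hands off to a time-bounded tcpdump. The address 192.0.2.1, the interface name, the thresholds and the sample ping lines are constructed assumptions.

```python
import re
import subprocess
from collections import deque

# RTT field of a ping reply line ("time=0.412 ms" on Linux/BSD, "time=5ms" / "time<1ms" on Windows).
RTT_RE = re.compile(r"time[=<]([\d.]+) ?ms")

class LatencyTrigger:
    """Fire once `consecutive` samples in a row exceed `threshold_ms` (a lost reply
    counts as infinite latency), then hold off for `cooldown` samples so a single
    incident, even a three-hour one, starts one capture rather than one per packet."""

    def __init__(self, threshold_ms=50.0, consecutive=5, cooldown=60, on_trigger=None):
        self.threshold_ms = threshold_ms
        self.consecutive = consecutive
        self.cooldown = cooldown
        self.on_trigger = on_trigger or (lambda rtts: None)
        self.window = deque(maxlen=consecutive)
        self.hold = 0
        self.triggers = 0

    def feed(self, line):
        """Consume one line of ping output; return True if this sample started a capture."""
        m = RTT_RE.search(line)
        if m:
            rtt = float(m.group(1))
        elif "timeout" in line.lower() or "unreachable" in line.lower():
            rtt = float("inf")          # lost reply: worst-case latency
        else:
            return False                # banner or summary line, not a sample
        self.window.append(rtt)
        if self.hold:                   # still inside the cooldown of an earlier trigger
            self.hold -= 1
            return False
        if len(self.window) == self.consecutive and all(r > self.threshold_ms for r in self.window):
            self.triggers += 1
            self.hold = self.cooldown
            self.on_trigger(list(self.window))
            return True
        return False

def start_capture(iface, seconds, outfile):
    """Bounded tcpdump: -G rotates after `seconds`, -W 1 makes it exit after that one file."""
    return subprocess.Popen(["tcpdump", "-i", iface, "-w", outfile, "-G", str(seconds), "-W", "1"])

# Constructed ping output: two healthy replies, then a slow reply, a loss, and another slow reply.
SAMPLE = """PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=255 time=0.412 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=255 time=0.398 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=255 time=812 ms
Request timeout for icmp_seq 4
64 bytes from 192.0.2.1: icmp_seq=5 ttl=255 time=1204 ms
"""
```

In production the same object would be fed from `ping 192.0.2.1 | python -u monitor.py` with `on_trigger=lambda w: start_capture("eth0", 120, "asa-inside.pcap")`, run on a host on each side of the ASA.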