Re: [c-nsp] ASA 5505 stops servicing inbound connections
Hi,

> Post a show ver, you might be hitting a 10 user license count issue.

we hit a weird bug a while back in which the connection counts were being lowered by an extra 1 for each session finished by another user. which then led to a situation where users lost ability to connect to any new session (active sessions fine). nasty. fixed.

why 7.x - join the 8.x train?

alan
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASA 5505 stops servicing inbound connections
You could also have exhausted your translation of number of connections. Try 'show xlate' and 'show conn' to see what this is like. Rebooting would clear all xlates and connections so you should do this before you reboot if it happens again.

Jason

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alan Buxey
Sent: Tuesday, August 11, 2009 5:40 AM
To: Ryan West
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

Hi,

> Post a show ver, you might be hitting a 10 user license count issue.

we hit a weird bug a while back in which the connection counts were being lowered by an extra 1 for each session finished by another user. which then led to a situation where users lost ability to connect to any new session (active sessions fine). nasty. fixed.

why 7.x - join the 8.x train?

alan
Re: [c-nsp] ASA 5505 stops servicing inbound connections
Are you logging via TCP or UDP? If you are logging via TCP to a logging server and the logging server is down, the PIX will only permit a limited number of logs to be unconfirmed and then it will stop all traffic as a security measure. At least this was the rule in PIX 6.3.5, I've not researched it on the ASA platform...

W. Kevin Hunt

On 8/10/09 9:11 PM, Meenoo Shivdasani <mee...@gmail.com> wrote:

> I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled. I have it logging to a log server, but nothing in the logs seems to be illuminating.
>
> System image file is disk0:/asa724-k8.bin
>
> Anyone run into this one?
>
> Thanks in advance,
> M

--
W. Kevin Hunt
CCIE #11841
Linux+ SME
Re: [c-nsp] ASA 5505 stops servicing inbound connections
The license is a 10-user license, but that's 10 internal hosts, not external hosts.

trap logging was set to informational -- now set to debug.

7.x rather than 8.x because there was a deadline for installing the system and that's what it shipped with.

It's not dying because of the logging -- this is the 3rd time it's done this and logging wasn't set up the first time. It also continues to log other messages -- it logs that it's sending syslog data to an internal server and it logs that certain traffic is denied:

Deny tcp src outside

for example.

Shortly before it died, it logged

%ASA-6-302010: 190 in use, 837 most used

and right after it stopped handling connections it logged

%ASA-6-302010: 2 in use, 837 most used

so I don't think that it's a connection limitation.

M
Re: [c-nsp] ASA 5505 stops servicing inbound connections
Have you tried sh local? That should tell you if you're hitting the 10 user limit.

# sh loc
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 4, towards licensed host limit of: 10

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, August 11, 2009 2:12 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

The license is a 10-user license, but that's 10 internal hosts, not external hosts.

trap logging was set to informational -- now set to debug.

7.x rather than 8.x because there was a deadline for installing the system and that's what it shipped with.

It's not dying because of the logging -- this is the 3rd time it's done this and logging wasn't set up the first time. It also continues to log other messages -- it logs that it's sending syslog data to an internal server and it logs that certain traffic is denied:

Deny tcp src outside

for example.

Shortly before it died, it logged

%ASA-6-302010: 190 in use, 837 most used

and right after it stopped handling connections it logged

%ASA-6-302010: 2 in use, 837 most used

so I don't think that it's a connection limitation.

M

This communication is intended solely for the addressee and is confidential and not for third party unauthorized distribution
Re: [c-nsp] ASA 5505 stops servicing inbound connections
On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve <steve.tillin...@sourcemedia.com> wrote:

> Have you tried sh local? That should tell you if you're hitting the 10 user limit.

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M
Re: [c-nsp] ASA 5505 stops servicing inbound connections
OK so it's not the host count. Maybe the number of connections? I'm out of ideas.

# sh res usa
Resource Current Peak LimitDenied Context
SSH 11 5 0 System
Conns 15 129 28 0 System
Hosts 63 95N/A 0 System

-----Original Message-----
From: Meenoo Shivdasani [mailto:mee...@gmail.com]
Sent: Tuesday, August 11, 2009 4:07 PM
To: Tillinger, Steve
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve <steve.tillin...@sourcemedia.com> wrote:

> Have you tried sh local? That should tell you if you're hitting the 10 user limit.

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M
Re: [c-nsp] ASA 5505 stops servicing inbound connections
Look in the log files for the following error:

160Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition

This kills our ASAs (running version 8) on a regular basis (once a month), reload is the only way to resolve this. We have a case open for this, but without any good response from Cisco yet.

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, 11 August 2009 22:07
To: Tillinger, Steve
CC: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve <steve.tillin...@sourcemedia.com> wrote:

> Have you tried sh local? That should tell you if you're hitting the 10 user limit.

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M
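
Added example, not part of the thread or of any poster's message: a small Python triage pass over collected ASA syslog that looks for the two signatures discussed above, a collapse in the %ASA-6-302010 "in use" count and the %ASA-0-716528 scheduler error. The sample lines, thresholds and the function name `triage` are constructed for illustration.

```python
import re

# Constructed sample syslog lines; only the 302010 and 716528 message texts
# are taken from the thread, timestamps and addresses are made up.
SAMPLE = """\
Aug 11 2009 13:58:02: %ASA-6-302010: 190 in use, 837 most used
Aug 11 2009 13:59:40: %ASA-4-106023: Deny tcp src outside:192.0.2.10/4312 dst dmz:198.51.100.5/25 by access-group "outside_in"
Aug 11 2009 14:03:02: %ASA-6-302010: 2 in use, 837 most used
Aug 11 2009 14:03:05: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition
"""

MSG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
CONNS = re.compile(r"(\d+) in use, (\d+) most used")


def triage(text, drop_ratio=0.1, min_prev=50):
    """Return (line_no, kind, detail) findings for a block of ASA syslog.

    conn-collapse: the 302010 'in use' count fell to drop_ratio of the
    previous sample or less, and the previous sample was at least min_prev
    (assumed thresholds, tune to the site's normal load).
    scheduler-error: a 716528 message was logged.
    """
    findings = []
    prev = None
    for no, line in enumerate(text.splitlines(), 1):
        m = MSG.search(line)
        if not m:
            continue
        msg_id, body = m.group(1), m.group(2)
        if msg_id == "716528":
            findings.append((no, "scheduler-error", body))
        elif msg_id == "302010":
            c = CONNS.search(body)
            if not c:
                continue
            in_use, peak = int(c.group(1)), int(c.group(2))
            if prev is not None and prev >= min_prev and in_use <= prev * drop_ratio:
                findings.append(
                    (no, "conn-collapse", f"{prev} -> {in_use} in use (peak {peak})"))
            prev = in_use
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The timestamp of a conn-collapse finding marks roughly when the firewall stopped servicing connections, which narrows the window to search for other messages before the reload.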
Re: [c-nsp] ASA 5505 stops servicing inbound connections
Is this on 8.2.x or 8.0? I'm making an assumption that it's not a 5580-SMP. If it is 8.2.x, you may not have enough memory, our test FW is having similar issues with 8.2.1(3). I just ordered some Cisco compatible RAM (Kingston Value Select) to help out with it.

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Holemans Wim
Sent: Tuesday, August 11, 2009 4:36 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

Look in the log files for the following error:

160Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition

This kills our ASAs (running version 8) on a regular basis (once a month), reload is the only way to resolve this. We have a case open for this, but without any good response from Cisco yet.

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, 11 August 2009 22:07
To: Tillinger, Steve
CC: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve <steve.tillin...@sourcemedia.com> wrote:

> Have you tried sh local? That should tell you if you're hitting the 10 user limit.

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M
[c-nsp] ASA 5505 stops servicing inbound connections
I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled. I have it logging to a log server, but nothing in the logs seems to be illuminating.

System image file is disk0:/asa724-k8.bin

Anyone run into this one?

Thanks in advance,
M
Re: [c-nsp] ASA 5505 stops servicing inbound connections
Post a show ver, you might be hitting a 10 user license count issue. What is your trap logging set to?

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Monday, August 10, 2009 10:12 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA 5505 stops servicing inbound connections

I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled. I have it logging to a log server, but nothing in the logs seems to be illuminating.

System image file is disk0:/asa724-k8.bin

Anyone run into this one?

Thanks in advance,
M