
ASA Periodically Loses Connectivity

Status
Not open for further replies.

usfregale (Technical User), May 1, 2009
We have a network comprised of about 40 ASAs connected via VPN. We have one particular ASA that periodically locks down and loses the ability to establish new connections. This happens during periods of particularly high data transfer (offsite backup) primarily. Now the weird part: once it happens connections that have already been created complete successfully, but the ability to establish new connections is lost. Additionally, neither outside IPs nor VPN peers can be resolved. I originally thought it was a DNS issue and the ASA was losing access to its DNS server; however, I have changed the DNS server several times with no apparent effect.

A copy of the config is posted below, any thoughts or suggestions are welcome.

Richard

JH13765(config)# show run
: Saved
:
ASA Version 7.2(3)
!
hostname JH13765
domain-name accountingpros1.local
enable password XXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.101.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name accountingpros1.local
same-security-traffic permit intra-interface
access-list vpn_to_jhschq extended permit ip 10.101.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list vpn_to_jhschq extended permit ip 10.101.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list vpn_to_jhschq extended permit ip 10.101.0.0 255.255.255.0 10.105.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.131.0.0 255.255.255.0
access-list nonat extended permit ip 10.101.0.0 255.255.255.0 10.105.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging trap debugging
logging history informational
logging asdm informational
logging device-id hostname
logging host inside 10.101.0.220 format emblem
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 0.0.0.0 255.255.255.255 outside
timeout xlate 12:00:00
timeout conn 12:00:00 half-closed 12:00:00 udp 12:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 12:00:00 h225 12:00:00 mgcp 12:00:00 mgcp-pat 12:00:00
timeout sip 12:00:00 sip_media 12:00:00 sip-invite 0:30:00 sip-disconnect 0:10:00
timeout uauth 3:00:00 absolute uauth 3:00:00 inactivity
http server enable
http 10.101.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address vpn_to_jhschq
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set ESP-AES-MD5
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.20.0.10 24.25.5.60
dhcpd domain accountingpros1.local
dhcpd auto_config outside
dhcpd option 176 ascii "TFTPSRVR=10.20.0.33,MCIPADD=10.20.0.32,MCPORT=1719"
!
dhcpd address 10.101.0.150-10.101.0.200 inside
dhcpd domain accountingpros1.local interface inside
dhcpd enable inside
!

priority-queue outside
tx-ring-limit 256
!
class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
class-map Data
match flow ip destination-address
match tunnel-group x.x.x.x
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map Voicepolicy
class Voice
priority
class Data
police output 200000 37500
!
service-policy global_policy global
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:793b8b79c1db29eddbfa6b3687854978
: end
JH13765(config)#
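The running-config above is worth reading with a security hat on as well as a connectivity one, so here is an added example (mine, not Richard's and not anything from Cisco) that scans it for the settings a reviewer would question: telnet allowed from any inside address, SSH open to the whole Internet on the outside interface, MD5 and 3DES in the IKE policies and transform sets, connection and xlate timeouts raised to twelve hours, and a `dns server-group DefaultDNS` that lists a domain name but no `name-server`. The script embeds the relevant lines of the posted config (the forum stripped the sub-command indentation, so the scanner does not depend on it); the timeout values it compares against are the ASA factory defaults.

```python
"""Added example (not from the post or from Cisco): scan an ASA running-config
for management exposure, weak IKE/IPsec choices, inflated timeouts and a DNS
server-group with no name servers.  SAMPLE_CONFIG is a subset of the config
posted above, with the indentation the forum stripped left out on purpose."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# ASA factory defaults, in seconds, used as the comparison baseline
ASA_DEFAULT_TIMEOUTS: Dict[str, int] = {
    "xlate": 3 * 3600,
    "conn": 3600,
    "half-closed": 600,
    "udp": 120,
}

SAMPLE_CONFIG = """\
dns server-group DefaultDNS
domain-name accountingpros1.local
timeout xlate 12:00:00
timeout conn 12:00:00 half-closed 12:00:00 udp 12:00:00 icmp 0:00:02
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""


def hms_to_seconds(hms: str) -> int:
    """'12:00:00' -> 43200."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def audit_config(text: str) -> List[Finding]:
    findings: List[Finding] = []
    dns_groups: Dict[str, int] = {}   # server-group -> number of name-server lines
    dns_group = None                  # server-group whose sub-commands we are inside
    isakmp_policy = None              # "crypto isakmp policy N" we are inside
    has_domain_lookup = False

    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        cmd = tok[0]

        # --- DNS: the appliance only resolves names itself via a server-group ---
        if tok[:2] == ["dns", "server-group"]:
            dns_group = tok[2]
            dns_groups.setdefault(dns_group, 0)
            continue
        if dns_group and cmd == "name-server":
            dns_groups[dns_group] += 1
            continue
        if dns_group and cmd == "domain-name":
            continue              # still inside the server-group block
        dns_group = None          # any other command ends the block
        if tok[:2] == ["dns", "domain-lookup"]:
            has_domain_lookup = True

        # --- management plane: 'telnet|ssh <net> <mask> <interface>' ---
        if cmd in ("telnet", "ssh") and len(tok) == 4:
            net, mask, iface = tok[1], tok[2], tok[3]
            if (net, mask) == ("0.0.0.0", "0.0.0.0"):
                if cmd == "telnet":
                    findings.append(("HIGH", f"telnet (cleartext) management from any address on {iface}"))
                elif iface == "outside":
                    findings.append(("HIGH", f"ssh management reachable from any Internet address on {iface}"))
                else:
                    findings.append(("LOW", f"ssh management from any address on {iface}; restrict to admin hosts"))

        # --- timeouts: 'timeout conn 12:00:00 half-closed 12:00:00 udp ...' ---
        if cmd == "timeout":
            for name, value in zip(tok[1::2], tok[2::2]):
                default = ASA_DEFAULT_TIMEOUTS.get(name)
                if default is not None and hms_to_seconds(value) > default:
                    findings.append(("MEDIUM", f"timeout {name} {value} exceeds default of {default}s"))

        # --- IPsec transform sets and IKE policies ---
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            if "esp-md5-hmac" in tok:
                findings.append(("MEDIUM", f"transform-set {tok[3]} uses esp-md5-hmac integrity"))
            if "esp-3des" in tok:
                findings.append(("LOW", f"transform-set {tok[3]} uses legacy esp-3des"))
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            isakmp_policy = tok[3]
        elif isakmp_policy and cmd == "hash" and len(tok) > 1 and tok[1] == "md5":
            findings.append(("MEDIUM", f"isakmp policy {isakmp_policy} uses hash md5"))
        elif isakmp_policy and cmd == "encryption" and len(tok) > 1 and tok[1] == "3des":
            findings.append(("LOW", f"isakmp policy {isakmp_policy} uses encryption 3des"))

    for group, count in dns_groups.items():
        if count == 0:
            findings.append(("MEDIUM", f"dns server-group {group} has no name-server; the appliance itself cannot resolve names"))
    if dns_groups and not has_domain_lookup:
        findings.append(("INFO", "no 'dns domain-lookup <interface>' line; appliance-side DNS lookups are disabled"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

On the DNS finding: the `dhcpd dns` line only hands servers to DHCP clients. For the appliance's own lookups, name servers go under `dns server-group DefaultDNS` as `name-server <address>` lines, one per server, and `dns domain-lookup <interface>` has to be enabled on the interface the servers are reached through.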
 
Do a show version and see if this is a 10 user ASA and perhaps you are exceeding the license.
 
Show version below. I believe this indicates that we're licensed up to 50 hosts. Further, we don't have 10 hosts anyway. There are 7 devices on the network, so even if we have a ten host license it shouldn't be an issue. There is a wifi access point on the network; however, it runs a MAC address filter, so it shouldn't be allowing connections from unauthorized PCs. Further, the odds of 43 PCs existing within wireless N range from this location are very remote.

Great thought though.

Richard

JH13765(config)# show ver

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"

JH13765 up 4 hours 18 mins

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.f76a.a130, irq 11
1: Ext: Ethernet0/0 : address is 001e.f76a.a128, irq 255
2: Ext: Ethernet0/1 : address is 001e.f76a.a129, irq 255
3: Ext: Ethernet0/2 : address is 001e.f76a.a12a, irq 255
4: Ext: Ethernet0/3 : address is 001e.f76a.a12b, irq 255
5: Ext: Ethernet0/4 : address is 001e.f76a.a12c, irq 255
6: Ext: Ethernet0/5 : address is 001e.f76a.a12d, irq 255
7: Ext: Ethernet0/6 : address is 001e.f76a.a12e, irq 255
8: Ext: Ethernet0/7 : address is 001e.f76a.a12f, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

Serial Number: JMX1203Z1U4
Running Activation Key: 0x0c187853 0xd8761bf6 0x4c1121b4 0x86108c00 0xc91fb88f
Configuration register is 0x1
Configuration has not been modified since last system restart.
JH13765(config)#
 
Hum, that is a rather weird issue then. You may want to do a "show local" and a "show arp" and see how many devices you do see. I have never run that version of code, but I don't see any bugs listed on Cisco's site for that rev either. Are you running this same version at other locations without issue? What type of internet connection do you have?
 
This was rather interesting. More puzzling really, I'm unsure what would have resulted in some 679 separate current connections.

JH13765# show local
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 5, towards licensed host limit of: 50

Interface outside: 679 active, 3314 maximum active, 0 denied

Followed by an IP-by-IP listing of those 679 active connections that went on for many pages.

JH13765# show arp
inside 10.101.0.150 0009.6e0d.fe5d
inside 10.101.0.153 0021.29f1.38a5
inside 10.101.0.151 001f.cd9b.34d4
inside 10.101.0.154 0026.0881.da57
outside x.x.x.x x.x.x

Richard
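A `show local-host` count of 679 active connections on the outside interface with five inside hosts is easier to interpret if the full `show conn` listing is aggregated rather than read page by page. The following is an added example (mine, not part of the thread): it parses `show conn` lines, counts connections per inside host and per destination, and lists the entries that a firewall with default idle timeouts would already have torn down, which matters here because the posted config raises `conn`, `udp` and `half-closed` to 12:00:00. The sample output is constructed, and the line layout is assumed from the 7.x format (TCP/UDP, out address:port, in address:port, idle, Bytes, flags); the regex is the place to adjust if a given release prints the fields differently.

```python
"""Added example (not from the post): aggregate ASA 'show conn' output to see
which inside hosts and destinations own the connection count, and which
entries only survive because the idle timeouts were raised.  The sample
lines are constructed; the field layout is an assumption about 7.x output."""
import re
from collections import Counter
from typing import Dict, List, Tuple

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<oaddr>[\d.]+):(?P<oport>\d+)"
    r"\s+in\s+(?P<iaddr>[\d.]+):(?P<iport>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
    r"(?:\s+[Bb]ytes\s+(?P<bytes>\d+))?"      # UDP entries may omit the byte count
    r"(?:\s+flags\s+(?P<flags>\S+))?"
)

# ASA default idle timeouts (seconds) for the protocols parsed here;
# the posted config raises both to 12:00:00 (43200 s)
DEFAULT_IDLE = {"TCP": 3600, "UDP": 120}

# Constructed sample: one host mid-backup, two hosts with stale DNS entries
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:443 in 10.101.0.150:49152 idle 0:00:02 Bytes 1048576 flags UIO
TCP out 203.0.113.10:443 in 10.101.0.150:49153 idle 0:00:01 Bytes 2097152 flags UIO
TCP out 203.0.113.10:443 in 10.101.0.150:49154 idle 0:00:03 Bytes 524288 flags UIO
TCP out 203.0.113.10:443 in 10.101.0.150:49155 idle 5:12:40 Bytes 0 flags saA
UDP out 10.20.0.10:53 in 10.101.0.151:1025 idle 4:03:10 flags -
UDP out 10.20.0.10:53 in 10.101.0.151:1026 idle 3:59:58 flags -
UDP out 24.25.5.60:53 in 10.101.0.153:1200 idle 0:00:05 flags -
TCP out 198.51.100.7:80 in 10.101.0.154:3001 idle 0:10:22 Bytes 4312 flags UIO
TCP out 198.51.100.7:80 in 10.101.0.154:3002 idle 0:00:09 Bytes 9880 flags UIO
"""


def hms_to_seconds(hms: str) -> int:
    """'4:03:10' -> 14590."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text: str) -> List[Dict]:
    """Return one dict per recognised connection line; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, protocols the regex does not cover
        c = m.groupdict()
        c["idle_s"] = hms_to_seconds(c["idle"])
        c["bytes"] = int(c["bytes"] or 0)
        conns.append(c)
    return conns


def conns_per_inside_host(conns: List[Dict]) -> Counter:
    return Counter(c["iaddr"] for c in conns)


def top_destinations(conns: List[Dict], n: int = 3) -> List[Tuple[Tuple[str, str], int]]:
    """Most common (outside address, port) pairs, e.g. the backup target."""
    return Counter((c["oaddr"], c["oport"]) for c in conns).most_common(n)


def expired_at_defaults(conns: List[Dict]) -> List[Dict]:
    """Entries a default-timeout ASA would already have removed from the table."""
    return [c for c in conns if c["idle_s"] > DEFAULT_IDLE[c["proto"]]]


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    print(f"{len(conns)} connections parsed")
    for host, n in conns_per_inside_host(conns).most_common():
        print(f"  {host:16} {n}")
    print("top destinations:", top_destinations(conns))
    print("idle past default timeout:", len(expired_at_defaults(conns)))
```

Run it against a saved `show conn` capture (`terminal pager 0` first, then copy the session log) and the per-host table tells you at once whether the backup host alone accounts for the count.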
 
Shooting in the dark here... if we assume the problem is caused by an inability to connect to both DNS servers simultaneously for some reason, then we would resolve it by designating subsequent DNS servers behind the secondary DNS server.

So. How does one add additional DNS servers behind the secondary DNS server? It doesn't appear as simple as adding the additional DNS server behind the others in the programming.

This is a shot in the dark for me, but it's the advice of our Cisco partner to resolve the issue.

Thanks,

Richard
 
I had the same problem. Update the firmware and it works like a charm. I had 3 going down periodically and I could not figure it out. The only thing they had in common was the firmware. They haven't gone down in 6 months.

My 2 cents.

Thanks for your help
 