Solved

Data Transfer Limited in ASA

Posted on 2008-10-06
Last Modified: 2008-10-15
Hi. I am getting a problem: my ASA is not allowing data transfer of more than 3 Mbps. Can anyone tell me what the reason is? Secondly, when I try to ping the firewall it works with 32 bytes. When I increase the size to 65500 bytes it stops responding. Due to this my network suddenly becomes dead. Can you please explain the reason?
ASA Version 7.0(7)
!
hostname ASA-Millat
domain-name millat.com.pk
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 duplex full
 nameif test
 security-level 0
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.12.2 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.16.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup DMZ
same-security-traffic permit inter-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq https
access-list 101 extended permit tcp any any eq ftp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq smtp
access-list 1110 extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq ftp
access-list DMZ_access_in extended permit tcp any any eq pop3
access-list DMZ_access_in extended permit tcp any any eq smtp
!
tcp-map ,m
  reserved-bits clear
!
pager lines 24
logging enable
logging emblem
logging buffered emergencies
logging asdm informational
logging from-address root@asa-millat.com.pk
logging facility 16
logging host inside 192.168.10.171 6/1470
logging host DMZ 192.168.16.2 6/1470
logging permit-hostdown
mtu test 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (test) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group 101 in interface test
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 192.168.1.18 1
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.12.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 management
no snmp-server location
snmp-server contact Nasir
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
fragment size 30000 test
sysopt connection tcpmss 0
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.16.2-192.168.16.10 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.1.11
Cryptochecksum:4e45a562e1addb798cc4ae1d83d7bfe4
: end

Question by:nasirsh
11 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22649332


A ping ICMP packet's default size is 64 bytes. ASAs have IDS capabilities and will drop pings with a packet size greater than 1472; this is by design, since many attacks utilize large ping packets.

If you want to disable this feature, do the following:

ip audit signature 2151 disable

Your ASA most likely thinks you are launching an attack and blackholes your IP. Look in your config for "shun"; shun is the ASA's way to deny all packets from a particular IP. Look in your config or try "sh shun".




harbor235 ;}

 
LVL 32

Expert Comment

by:harbor235
ID: 22649362

How are you measuring the data transfer rate? Is the firewall busy with other traffic? Can you post a "show interface" for the interfaces involved in the transfer?
Could it be a server issue or a switch duplex/speed setting issue?


harbor235 ;}

 
LVL 4

Author Comment

by:nasirsh
ID: 22650209
Well, I am measuring by the ASDM interface. Secondly, what about the network being dropped so suddenly? And what about the transfer rate?
 
LVL 32

Expert Comment

by:harbor235
ID: 22659086

ASDM will show you an average rate over a particular sampling time frame, normally a 5 minute average and also a 1 minute average. So if the traffic you are generating is spiky then the averages will round it down a bit. Also, perhaps you are not generating that much traffic; how are you generating traffic?

Again, if you try to send pings over 1472 bytes the firewall thinks this is an attack and may shun your IP.
Shun means to deny all your traffic through the firewall. I do not see any "ip audit" commands to enable the IDS/IDP capabilities. How do you resolve the issue when this happens? If it happens again you need to look at the firewall log and see what's happening; make sure logging is on:

logging on
logging buffered informational

harbor235 ;}
 
LVL 4

Author Comment

by:nasirsh
ID: 22659964
Well, we have our application servers in our DMZ and other people from the network (inside) connect to it. We have a share server on which users take their backup. Our DMZ is 192.168.1.0 and all our servers are located in it. In the syslog I get an error with syslog ID 302014 to 302016. Can you please help me. I am desperate.
===========================
This is the ping to the DMZ
===========================
ASA-Millat# ping 192.168.1.19 size 35000
Sending 5, 35000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
 
 
ASA-Millat# ping 192.168.1.19 size 36000
Sending 5, 36000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
 
 
=========================================
This is the ping on the inside Interface.
=========================================
ASA-Millat# ping 192.168.12.1 size 18000
Sending 5, 9000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
 
ASA-Millat# ping 192.168.12.1 size 19000
Sending 5, 19000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

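A way to reason about the ping sizes in this thread, as an added example that is not code from the thread or from Cisco: it computes how many IP fragments an ICMP echo of a given payload size produces at the posted 1500-byte MTU, which is where the 1472-byte single-frame figure comes from (1500 minus a 20-byte IP header minus an 8-byte ICMP header). The 24-fragment chain limit is an assumption (the ASA's default `fragment chain` value, not something the thread states), and the ping sizes are treated as ICMP payload bytes.

```python
"""Fragment arithmetic for the large-ping symptoms in this thread.

Added example, not from the thread. An ICMP echo larger than the interface
MTU is split into IP fragments, and a stateful firewall such as the ASA has
to collect the whole chain before it can inspect and forward the datagram.
"""
import math

IP_HEADER = 20      # bytes, IPv4 header without options
ICMP_HEADER = 8     # bytes, ICMP echo header
MTU = 1500          # bytes, matches "mtu inside 1500" in the posted config
CHAIN_LIMIT = 24    # fragments per datagram; ASSUMED ASA default for "fragment chain"


def max_unfragmented_payload(mtu: int = MTU) -> int:
    """Largest ICMP payload that still fits in one frame (the 1472 figure)."""
    return mtu - IP_HEADER - ICMP_HEADER


def fragment_count(payload: int, mtu: int = MTU) -> int:
    """Number of IP fragments an echo request with this payload produces.

    Each fragment carries at most mtu - 20 bytes of the ICMP message, and
    1480 is a multiple of 8, so fragment offsets line up exactly.
    """
    per_fragment = mtu - IP_HEADER
    return math.ceil((ICMP_HEADER + payload) / per_fragment)


def exceeds_chain_limit(payload: int, mtu: int = MTU, limit: int = CHAIN_LIMIT) -> bool:
    """True if the datagram needs more fragments than the firewall will hold."""
    return fragment_count(payload, mtu) > limit


if __name__ == "__main__":
    # Sizes taken from the thread: the working 32-byte ping, the 1472-byte
    # threshold, the 35000/36000 DMZ boundary and the 65500-byte ping that
    # "kills" the network.
    for size in (32, 1472, 1473, 35000, 36000, 65500):
        print(f"{size:>6}-byte payload -> {fragment_count(size):>2} fragments,"
              f" over chain limit: {exceeds_chain_limit(size)}")
```

Under these assumptions the 35000-byte DMZ ping needs 24 fragments and the 36000-byte one 25, the same boundary the author's output shows.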
 
LVL 32

Expert Comment

by:harbor235
ID: 22660109


Log into the firewall and issue this command:

show shun

Can you paste the output?

If there are entries like "shun 192.168.x.x" then the firewall has reacted to an attack and blackholed traffic from this device. To remove them, do the following: "no shun 192.168.x.x"

How do you resolve the issue? Can you ever communicate through the firewall again with that device?

302014 to 302016: these are OK, they are informational messages about setting up and tearing down connections.

The config you posted, is it the one currently in use? If IDS/IDP is enabled in the ASA then it treats pings greater than 1472 as attacks. Do not do them until we figure out what is going on; if you do, you may continue to blackhole additional internal servers.




harbor235 ;}
 
LVL 4

Author Comment

by:nasirsh
ID: 22661265
There is no output from show shun.
Secondly, when data is broken, communication is resumed again after some time.
 
LVL 32

Expert Comment

by:harbor235
ID: 22661390


Is there an IDS/IDP device on your network other than the ASA?

harbor235 ;}
 
LVL 4

Author Comment

by:nasirsh
ID: 22662004
No.
 
LVL 4

Author Comment

by:nasirsh
ID: 22662027
Could it be that we have Symantec Endpoint server and client configured? Could that be causing the problem?
 
LVL 32

Accepted Solution

by: harbor235 (earned 500 total points)
ID: 22662055


The Cisco IDS/IDP device can specify a duration in minutes or hours to block a host. Since your configs on the ASA do not enable IDS/IDP functionality, and your traffic is being blocked when a potential attack is initiated, it seems as if there is a device acting as an IDS/IDP on your network.

Good luck

harbor235 ;}