Data Transfer Limited in ASA

nasirsh asked:

Hi. I am getting a problem: my ASA is not allowing data transfer of more than 3Mbps. Can anyone tell me what the reason is? Secondly, when I try to ping the firewall it works with 32 bytes. When I increase the bytes to 65500 bytes it stops responding. Due to this my network suddenly becomes dead. Can you please explain the reason?
ASA Version 7.0(7)
!
hostname ASA-Millat
domain-name millat.com.pk
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 duplex full
 nameif test
 security-level 0
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.12.2 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.16.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup DMZ
same-security-traffic permit inter-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq https
access-list 101 extended permit tcp any any eq ftp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq smtp
access-list 1110 extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq ftp
access-list DMZ_access_in extended permit tcp any any eq pop3
access-list DMZ_access_in extended permit tcp any any eq smtp
!
tcp-map ,m
  reserved-bits clear
!
pager lines 24
logging enable
logging emblem
logging buffered emergencies
logging asdm informational
logging from-address root@asa-millat.com.pk
logging facility 16
logging host inside 192.168.10.171 6/1470
logging host DMZ 192.168.16.2 6/1470
logging permit-hostdown
mtu test 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (test) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group 101 in interface test
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 192.168.1.18 1
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.12.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 management
no snmp-server location
snmp-server contact Nasir
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
fragment size 30000 test
sysopt connection tcpmss 0
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.16.2-192.168.16.10 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.1.11
Cryptochecksum:4e45a562e1addb798cc4ae1d83d7bfe4
: end

harbor235 replied:

A ping ICMP packet's default size is 64 bytes. ASAs have IDS capabilities and will drop pings with a packet size greater than 1472; this is by design, since many attacks utilize large ping packets.

If you want to disable this feature do the following;

ip audit signature 2151 disable

Your ASA most likely thinks you are launching an attack and blackholes your IP. Look in your config for "shun"; shun is the ASA's way to deny all packets from a particular IP. Look in your config or try sh shun.




harbor235 ;}
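The 1472 figure harbor235 quotes is the largest ICMP echo payload that still fits in one 1500-byte frame (1500 minus the 20-byte IPv4 header and the 8-byte ICMP header); anything larger is split into IP fragments before it reaches the firewall, and a 65500-byte ping is the biggest payload the IPv4 length field allows. The Python below is an added example, not code from this thread or from Cisco: it works out that limit and the fragment list an echo of a given size produces under standard IPv4 fragmentation rules. The ping sizes are taken from the question and the asker's tests; the function names and the 1500-byte MTU are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List

IP_HEADER_LEN = 20        # IPv4 header without options
ICMP_HEADER_LEN = 8       # ICMP echo request/reply header
MAX_IP_TOTAL_LEN = 65535  # 16-bit IPv4 total-length field


@dataclass
class Fragment:
    offset: int           # byte offset of this fragment's data within the L4 datagram
    length: int           # bytes of L4 data carried by this fragment
    more_fragments: bool  # IP "MF" flag: True on every fragment except the last


def max_unfragmented_icmp_payload(mtu: int = 1500) -> int:
    """Largest echo payload that still fits in one frame of the given MTU (1472 at 1500)."""
    return mtu - IP_HEADER_LEN - ICMP_HEADER_LEN


def fits_in_ip_datagram(payload_len: int) -> bool:
    """True if IP header + ICMP header + payload can be expressed in the IP length field."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + payload_len <= MAX_IP_TOTAL_LEN


def fragment_icmp_echo(payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split an ICMP echo of payload_len bytes into the IPv4 fragments a sender
    with the given MTU emits. Every fragment but the last carries a multiple of
    8 bytes because the IP fragment offset is counted in 8-byte units."""
    if not fits_in_ip_datagram(payload_len):
        raise ValueError(f"payload {payload_len} exceeds the IPv4 datagram limit")
    l4_len = ICMP_HEADER_LEN + payload_len
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8  # 1480 bytes at MTU 1500
    fragments: List[Fragment] = []
    offset = 0
    while offset < l4_len:
        length = min(per_fragment, l4_len - offset)
        fragments.append(Fragment(offset, length, offset + length < l4_len))
        offset += length
    return fragments


def fragment_count(payload_len: int, mtu: int = 1500) -> int:
    """Number of IP fragments an echo of payload_len bytes becomes."""
    return len(fragment_icmp_echo(payload_len, mtu))


def summarize(sizes: List[int], mtu: int = 1500) -> Dict[int, int]:
    """Map each ping payload size to the number of fragments it produces."""
    return {size: fragment_count(size, mtu) for size in sizes}


if __name__ == "__main__":
    print(f"largest unfragmented echo payload at MTU 1500: "
          f"{max_unfragmented_icmp_payload()} bytes")
    # Sizes from the question (32, 65500) and the asker's later ping tests.
    for size, count in summarize([32, 1472, 1473, 18000, 19000, 35000, 36000, 65500]).items():
        print(f"ping size {size:>6}: {count:>2} fragment(s)")
```

Run it as a script to see the table; the point for troubleshooting is that every ping above 1472 bytes is no longer one packet but a fragment train that the firewall has to reassemble before it can inspect it, so "large ping" behaviour is really fragment handling behaviour.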


How are you measuring the data transfer rate? Is the firewall busy with other traffic? Can you post a "show interface" for interfaces involved in transfer?
Could it be a server issue or a switch duplex/speed setting issue?


harbor235 ;}

Avatar of nasirsh

ASKER

Well, I am measuring by the ASDM interface. Secondly, what about the network being dropped so suddenly? And what about the transfer rate?

harbor235 replied:

ASDM will show you an average rate over a particular sampling time frame, normally a 5 minute average and also a 1 minute average. So if the traffic you are generating is spiky then the averages will round it down a bit. Also, perhaps you are not generating that much traffic; how are you generating traffic?

Again, if you try to send pings over 1472 bytes the firewall thinks this is an attack and may shun your IP.
Shun means to deny all your traffic through the firewall. I do not see any "ip audit" commands to enable the IDS/IDP capabilities; how do you resolve the issue when this happens? If it happens again you need to look at the firewall log and see what's happening. Make sure logging is on:

logging on
logging buffered informational

harbor235 ;}
nasirsh (asker) replied:

Well, we have our application servers in our DMZ and other people from the network (inside) connect to it. We have a share server on which users take their backup. Our DMZ is 192.168.1.0 and all our servers are located in it. In the syslog I get an error with syslog ID 302014 to 302016. Can you please help me. I am desperate.
===========================
This is the ping to the DMZ
===========================
ASA-Millat# ping 192.168.1.19 size 35000
Sending 5, 35000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
 
 
ASA-Millat# ping 192.168.1.19 size 36000
Sending 5, 36000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
 
 
=========================================
This is the ping on the inside Interface.
=========================================
ASA-Millat# ping 192.168.12.1 size 18000
Sending 5, 9000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
 
ASA-Millat# ping 192.168.12.1 size 19000
Sending 5, 19000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

harbor235 replied:

Log into the firewall and issue this command;

show shun

Can you paste the output?

If there are entries like "shun 192.168.x.x" then the firewall has reacted to an attack and blackholed traffic from this device; to remove them do the following:    "no shun 192.168.x.x"

How do you resolve the issue? Can you ever communicate through the firewall again with that device?

302014 to 302016 these are ok, they are informational messages about setting up and tearing down connections.

The config you posted, is it the one currently in use? If IDS/IDP is enabled in the ASA then it treats pings greater than 1472 as attacks. Do not do them until we figure out what is going on; if you do, you may continue to blackhole additional internal servers.




harbor235 ;}
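harbor235 is right that 302014 to 302016 are informational build and teardown messages. What makes them useful during an outage like this one is the tail of each teardown line: the duration, the byte count and, for TCP, the teardown reason. A burst of zero-byte "SYN Timeout" teardowns toward a DMZ server reads very differently from normal sessions ending with "TCP FINs". The Python below is an added example, not part of this thread and not Cisco's code: it parses syslog lines in the 302014/302016 format and summarises teardown reasons per DMZ service. The sample log, its addresses and connection ids, and the helper names are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches ASA 302014 (TCP) and 302016 (UDP) teardown messages. Mapped (NAT)
# addresses in parentheses are optional and skipped; the trailing free-text
# reason exists only on TCP teardowns. search() tolerates a syslog prefix.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-(?P<msgid>30201[46]): Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+)"
    r" for (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+)(?: \([^)]*\))?"
    r" to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)(?: \([^)]*\))?"
    r" duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<nbytes>\d+)(?: (?P<reason>.*))?$"
)

# Constructed sample log: one healthy SMB session, two SYN timeouts to the same
# DMZ share server, an immediate reset from the mail host, and a DNS exchange.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1101 for inside:192.168.12.5/2049 (192.168.12.5/2049) to DMZ:192.168.1.19/445 (192.168.1.19/445)
%ASA-6-302014: Teardown TCP connection 1101 for inside:192.168.12.5/2049 to DMZ:192.168.1.19/445 duration 0:04:12 bytes 53124980 TCP FINs
%ASA-6-302014: Teardown TCP connection 1102 for inside:192.168.12.7/2050 to DMZ:192.168.1.19/445 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1103 for inside:192.168.12.7/2051 to DMZ:192.168.1.19/445 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1104 for inside:192.168.12.8/2052 to DMZ:192.168.1.11/25 duration 0:00:01 bytes 0 TCP Reset-O
%ASA-6-302015: Built outbound UDP connection 1105 for DMZ:192.168.1.11/53 (192.168.1.11/53) to inside:192.168.12.5/51000 (192.168.12.5/51000)
%ASA-6-302016: Teardown UDP connection 1105 for DMZ:192.168.1.11/53 to inside:192.168.12.5/51000 duration 0:02:01 bytes 176
"""


@dataclass
class Teardown:
    msgid: str
    proto: str
    conn_id: int
    src: str
    sport: int
    dst: str
    dport: int
    duration_s: int
    nbytes: int
    reason: str  # empty for UDP teardowns, which carry no reason field


def parse_teardown(line: str) -> Optional[Teardown]:
    """Parse one syslog line; returns None for anything that is not a 302014/302016."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    hours, minutes, seconds = (int(x) for x in m.group("dur").split(":"))
    reason = (m.group("reason") or "").strip()
    reason = re.sub(r"\s*\([^)]*\)$", "", reason)  # drop a trailing "(user)" if present
    return Teardown(
        msgid=m.group("msgid"), proto=m.group("proto"), conn_id=int(m.group("conn")),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        duration_s=hours * 3600 + minutes * 60 + seconds,
        nbytes=int(m.group("nbytes")), reason=reason,
    )


def parse_log(text: str) -> List[Teardown]:
    """All teardown records in a block of syslog text, in log order."""
    return [t for t in (parse_teardown(ln) for ln in text.splitlines()) if t is not None]


def reason_breakdown(teardowns: Iterable[Teardown]) -> Counter:
    """Count TCP teardown reasons per destination service (host:port)."""
    return Counter((f"{t.dst}:{t.dport}", t.reason) for t in teardowns if t.proto == "TCP")


def failed_connections(teardowns: Iterable[Teardown], max_duration_s: int = 30) -> List[Teardown]:
    """Short-lived connections that moved no bytes: the handshake never completed
    or the peer reset at once, which is what a dead DMZ server looks like here."""
    return [t for t in teardowns if t.nbytes == 0 and t.duration_s <= max_duration_s]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (service, reason), count in sorted(reason_breakdown(records).items()):
        print(f"{service:<22} {reason:<14} {count}")
    for t in failed_connections(records):
        print(f"failed: conn {t.conn_id} {t.src}:{t.sport} -> {t.dst}:{t.dport} ({t.reason})")
```

Feed it the buffered log (`show logging` output saved to a file) instead of `SAMPLE_LOG` and the breakdown shows at a glance whether the share server is closing sessions normally or simply not answering during the "network dead" window.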
nasirsh (asker) replied:

There is no output of show shun.
Secondly, when data is broken, communication resumes again after some time.


harbor235 replied:

Is there an IDS/IDP device on your network other than the ASA?

harbor235 ;}
nasirsh (asker) replied:

No.

nasirsh (asker) added:

Could it be that we have Symantec Endpoint server and client configured? Could that be causing the problem?
Asker certified solution: harbor235 (members-only content; the accepted answer is not available on this page).