Solved

Data Transfer Limited in ASA

Posted on 2008-10-06
Last Modified: 2008-10-15
Hi. I am having a problem: my ASA is not allowing data transfer of more than 3 Mbps. Can anyone tell me what the reason is? Secondly, when I try to ping the firewall it works with 32 bytes, but when I increase the size to 65500 bytes it stops responding. Due to this my network suddenly becomes dead. Can you please explain the reason for this?
ASA Version 7.0(7)
!
hostname ASA-Millat
domain-name millat.com.pk
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 duplex full
 nameif test
 security-level 0
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.12.2 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.16.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup DMZ
same-security-traffic permit inter-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq https
access-list 101 extended permit tcp any any eq ftp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq smtp
access-list 1110 extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq ftp
access-list DMZ_access_in extended permit tcp any any eq pop3
access-list DMZ_access_in extended permit tcp any any eq smtp
!
tcp-map ,m
  reserved-bits clear
!
pager lines 24
logging enable
logging emblem
logging buffered emergencies
logging asdm informational
logging from-address root@asa-millat.com.pk
logging facility 16
logging host inside 192.168.10.171 6/1470
logging host DMZ 192.168.16.2 6/1470
logging permit-hostdown
mtu test 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (test) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group 101 in interface test
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 192.168.1.18 1
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.12.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 management
no snmp-server location
snmp-server contact Nasir
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
fragment size 30000 test
sysopt connection tcpmss 0
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.16.2-192.168.16.10 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.1.11
Cryptochecksum:4e45a562e1addb798cc4ae1d83d7bfe4
: end

Question by:nasirsh
11 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22649332


A ping ICMP packet's default size is 64 bytes. ASAs have IDS capabilities and will drop pings with a large packet size greater than 1472; this is by design, since many attacks utilize large ping packets.

If you want to disable this feature do the following:

ip audit signature 2151 disable

Your ASA most likely thinks you are launching an attack and blackholes your IP. Look in your config for "shun"; shun is the ASA's way to deny all packets from a particular IP. Look in your config or try sh shun




harbor235 ;}

LVL 32

Expert Comment

by:harbor235
ID: 22649362

How are you measuring the data transfer rate? Is the firewall busy with other traffic? Can you post a "show interface" for interfaces involved in transfer?
Could it be a server issue or a switch duplex/speed setting issue?


harbor235 ;}

LVL 4

Author Comment

by:nasirsh
ID: 22650209
Well, I am measuring by the ASDM interface. Secondly, what about the network being dropped so suddenly? And what about the transfer rate?
LVL 32

Expert Comment

by:harbor235
ID: 22659086

ASDM will show you an average rate over a particular sampling time frame, normally a 5 minute average and also a 1 minute average. So if the traffic you are generating is spiky then the averages will round it down a bit. Also, perhaps you are not generating that much traffic; how are you generating traffic?

Again, if you try to send pings over 1472 bytes the firewall thinks this is an attack and may shun your IP.
Shun means to deny all your traffic through the firewall. I do not see any "ip audit" commands to enable the IDS/IDP capabilities; how do you resolve the issue when this happens? If it happens again you need to look at the firewall log and see what's happening. Make sure logging is on:

logging on
logging buffered informational

harbor235 ;}
LVL 4

Author Comment

by:nasirsh
ID: 22659964
Well, we have our application servers in our DMZ and other people from the network (inside) connect to them. We have a share server on which users take their backup. Our DMZ is 192.168.1.0 and all our servers are located in it. In the syslog I get an error with syslog ID 302014 to 302016. Can you please help me. I am desperate.
===========================
This is the ping to the DMZ
===========================
ASA-Millat# ping 192.168.1.19 size 35000
Sending 5, 35000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms

ASA-Millat# ping 192.168.1.19 size 36000
Sending 5, 36000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

=========================================
This is the ping on the inside interface.
=========================================
ASA-Millat# ping 192.168.12.1 size 18000
Sending 5, 9000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms

ASA-Millat# ping 192.168.12.1 size 19000
Sending 5, 19000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

LVL 32

Expert Comment

by:harbor235
ID: 22660109


Log into the firewall and issue this command;

show shun

Can you paste the output?

If there are entries like "shun 192.168.x.x" then the firewall has reacted to an attack and blackholed traffic from this device. To remove them do the following: "no shun 192.168.x.x"

How do you resolve the issue? Can you ever communicate through the firewall again with that device?

302014 to 302016: these are OK, they are informational messages about setting up and tearing down connections.

The config you posted, is it the one currently in use? If IDS/IDP is enabled in the ASA then it treats pings greater than 1472 as attacks. Do not do them until we figure out what is going on; if you do, you may continue to blackhole additional internal servers.




harbor235 ;}
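An added diagnostic, not code from the thread or from Cisco: the 302014 (TCP) and 302016 (UDP) teardown messages that harbor235 describes above as informational carry the duration and byte count of each connection, so they can be used to compute the rate each connection actually sustained, independently of the 1 and 5 minute averages ASDM shows (comment ID 22659086). The script below parses such lines, reports per-connection rates, and contrasts them with a fixed-window average to show how bursts get smoothed away. The log lines are constructed for the example; the date prefix and hostname are assumptions about how a collector writes them.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the thread). The message bodies follow
# the ASA 302013 (build) and 302014/302016 (teardown) formats; the date prefix and
# hostname are assumptions about how the collector wrote them.
SAMPLE_LOG = """\
Oct 06 2008 10:00:00 ASA-Millat %ASA-6-302013: Built inbound TCP connection 101 for inside:192.168.12.10/49152 (192.168.12.10/49152) to DMZ:192.168.1.19/445 (192.168.1.19/445)
Oct 06 2008 10:00:05 ASA-Millat %ASA-6-302014: Teardown TCP connection 101 for inside:192.168.12.10/49152 to DMZ:192.168.1.19/445 duration 0:00:05 bytes 6250000 TCP FINs
Oct 06 2008 10:00:07 ASA-Millat %ASA-6-302014: Teardown TCP connection 102 for inside:192.168.12.11/50001 to DMZ:192.168.1.19/445 duration 0:00:02 bytes 1000000 TCP FINs
Oct 06 2008 10:00:40 ASA-Millat %ASA-6-302016: Teardown UDP connection 103 for inside:192.168.12.12/53000 to DMZ:192.168.1.11/53 duration 0:00:01 bytes 300
"""

# Only teardown messages carry "duration h:mm:ss bytes N". The optional "(addr/port)"
# groups absorb the mapped address that appears when NAT is in play.
TEARDOWN = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*?%ASA-\d-30201[46]: "
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<src>\S+)(?: \(\S+\))? to (?P<dst>\S+)(?: \(\S+\))? "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)"
)


def parse_teardowns(text):
    """Return one record per teardown line: end time, endpoints, duration, bytes."""
    recs = []
    for line in text.splitlines():
        m = TEARDOWN.match(line)
        if not m:
            continue                      # build messages and other IDs are skipped
        dur = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        recs.append({
            "end": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "proto": m["proto"], "conn": int(m["conn"]),
            "src": m["src"], "dst": m["dst"],
            "duration_s": dur, "bytes": int(m["bytes"]),
        })
    return recs


def mbps(nbytes, seconds):
    """Bytes over seconds as megabits per second; sub-second durations count as 1 s."""
    return nbytes * 8 / max(seconds, 1) / 1_000_000


def per_connection_mbps(recs):
    """Rate each connection actually sustained over its own lifetime."""
    return {r["conn"]: mbps(r["bytes"], r["duration_s"]) for r in recs}


def window_average_mbps(recs, window_s=60):
    """All bytes torn down within window_s of the first teardown, spread over the
    whole window: the same smoothing a one-minute average applies to bursts."""
    if not recs:
        return 0.0
    start = min(r["end"] for r in recs)
    total = sum(r["bytes"] for r in recs
                if (r["end"] - start).total_seconds() < window_s)
    return mbps(total, window_s)


def over_threshold(recs, threshold_mbps):
    """Sorted ids of connections whose own rate exceeded threshold_mbps."""
    rates = per_connection_mbps(recs)
    return sorted(c for c, v in rates.items() if v > threshold_mbps)


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    for conn, rate in per_connection_mbps(recs).items():
        print(f"connection {conn}: {rate:.4f} Mbps")
    print(f"60 s window average: {window_average_mbps(recs):.3f} Mbps")
    print("connections above 3 Mbps:", over_threshold(recs, 3.0))
```

With the constructed lines, connections 101 and 102 individually ran at 10 and 4 Mbps, yet the one-minute window averages to under 1 Mbps, which is the rounding-down effect the comment describes. Run it over an export of the buffered log or the syslog host's file: if no single connection ever exceeds the figure ASDM displays, the ceiling is real and show interface on the interfaces involved is the next thing to read.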
LVL 4

Author Comment

by:nasirsh
ID: 22661265
There is no output from show shun.
Secondly, when data transfer breaks, communication resumes again after some time.
LVL 32

Expert Comment

by:harbor235
ID: 22661390


Is there an IDS/IDP device on your network other than the ASA?

harbor235 ;}
LVL 4

Author Comment

by:nasirsh
ID: 22662004
No.
LVL 4

Author Comment

by:nasirsh
ID: 22662027
Could it be that we have Symantec Endpoint server and client configured? Could that be causing the problem?
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 22662055


The Cisco IDS/IDP device can specify a duration in minutes or hours to block a host. Since your config on the ASA does not enable IDS/IDP functionality, and your traffic is being blocked when a potential attack is initiated, it seems as if there is a device acting as an IDS/IDP on your network.

good luck

harbor235 ;}
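An added check, not code from the thread or from Cisco: the accepted answer rests on the posted config containing no ip audit lines, and the author's ping tests (comment ID 22659964) fail at a size boundary. The script below reads an excerpt of the posted config for the settings that govern large pings (per-interface mtu, fragment chain, fragment size, and any ip audit or shun lines), then computes how many IP fragments an ICMP echo of a given payload needs at that MTU and compares the count with the ASA's per-packet reassembly limit, which defaults to 24 fragments (the fragment chain setting). The 20-byte IPv4 header and 8-byte ICMP header are standard values; the excerpt is the thread's own config reduced to the relevant lines.

```python
import math
import re

# Excerpt of the config posted in the question, reduced to the lines this check
# reads; every line below appears in that config.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.12.2 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 ip address 192.168.1.1 255.255.255.0
mtu inside 1500
mtu DMZ 1500
icmp permit any inside
icmp permit any DMZ
fragment size 30000 test
"""

IP_HEADER = 20       # bytes, IPv4 without options
ICMP_HEADER = 8      # echo request/reply header
DEFAULT_CHAIN = 24   # ASA default for "fragment chain": fragments per reassembled packet


def parse_config(text):
    """Collect per-interface MTU, fragment chain and size settings, and any
    'ip audit' or 'shun' lines (the IDS and blackhole features the thread discusses)."""
    settings = {"mtu": {}, "chain": {}, "size": {}, "ip_audit": [], "shun": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"mtu (\S+) (\d+)$", line)
        if m:
            settings["mtu"][m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"fragment (chain|size) (\d+)(?: (\S+))?$", line)
        if m:
            # No interface name means the value applies to every interface.
            settings[m.group(1)][m.group(3) or "*"] = int(m.group(2))
            continue
        if line.startswith("ip audit "):
            settings["ip_audit"].append(line)
        elif line.startswith("shun "):
            settings["shun"].append(line)
    return settings


def chain_limit(settings, iface):
    """Effective fragment chain limit for an interface (interface-specific,
    then global, then the platform default)."""
    chain = settings["chain"]
    return chain.get(iface, chain.get("*", DEFAULT_CHAIN))


def fragments_for_ping(payload_bytes, mtu):
    """IP fragments an ICMP echo with this payload needs at this MTU. Fragment
    offsets are in 8-byte units, so each fragment carries a multiple of 8 bytes."""
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    return max(1, math.ceil((ICMP_HEADER + payload_bytes) / per_fragment))


def check_ping(settings, iface, payload_bytes):
    """(fragments needed, chain limit, fits) for a ping of payload_bytes via iface."""
    mtu = settings["mtu"].get(iface, 1500)
    frags = fragments_for_ping(payload_bytes, mtu)
    limit = chain_limit(settings, iface)
    return frags, limit, frags <= limit


if __name__ == "__main__":
    s = parse_config(SAMPLE_CONFIG)
    print("ip audit lines:", s["ip_audit"] or "none (IDS signatures not enabled)")
    print("shun lines:", s["shun"] or "none")
    # The sizes the author tried, per interface
    for iface, size in [("DMZ", 35000), ("DMZ", 36000),
                        ("inside", 18000), ("inside", 19000)]:
        frags, limit, ok = check_ping(s, iface, size)
        print(f"{iface}: {size}-byte ping -> {frags} fragments, limit {limit}, "
              f"{'fits' if ok else 'exceeds chain limit'}")
```

For the DMZ pair, a 35000-byte payload needs exactly 24 fragments and 36000 needs 25, which straddles the default chain limit; the inside pair (18000 and 19000) both come out at 13 fragments, so this check does not account for that boundary and the target host or the switch path needs looking at for that one. show fragment on the ASA reports each interface's chain limit and its drop counters if you want to confirm rather than infer.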