Solved

Data Transfer Limited in ASA

Posted on 2008-10-06
1,200 Views
Last Modified: 2008-10-15
Hi. I am getting a problem: my ASA is not allowing data transfer of more than 3 Mbps. Can anyone tell me what the reason is? Secondly, when I try to ping the firewall it works with 32 bytes. When I increase the size to 65500 bytes it stops responding. Due to this my network suddenly becomes dead. Can you please explain the reason for this?
ASA Version 7.0(7)
!
hostname ASA-Millat
domain-name millat.com.pk
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 duplex full
 nameif test
 security-level 0
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.12.2 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.16.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup DMZ
same-security-traffic permit inter-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq https
access-list 101 extended permit tcp any any eq ftp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq smtp
access-list 1110 extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list DMZ_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq www
access-list DMZ_access_in extended permit tcp any any eq https
access-list DMZ_access_in extended permit tcp any any eq ftp
access-list DMZ_access_in extended permit tcp any any eq pop3
access-list DMZ_access_in extended permit tcp any any eq smtp
!
tcp-map ,m
  reserved-bits clear
!
pager lines 24
logging enable
logging emblem
logging buffered emergencies
logging asdm informational
logging from-address root@asa-millat.com.pk
logging facility 16
logging host inside 192.168.10.171 6/1470
logging host DMZ 192.168.16.2 6/1470
logging permit-hostdown
mtu test 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (test) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group 101 in interface test
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 192.168.1.18 1
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.12.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 management
no snmp-server location
snmp-server contact Nasir
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
fragment size 30000 test
sysopt connection tcpmss 0
telnet 192.168.12.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.16.2-192.168.16.10 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.1.11
Cryptochecksum:4e45a562e1addb798cc4ae1d83d7bfe4
: end


Question by: nasirsh

11 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22649332


A ping ICMP packet's default size is 64 bytes. ASAs have IDS capabilities and will drop pings with a packet size greater than 1472; this is by design, since many attacks utilize large ping packets.

If you want to disable this feature, do the following:

ip audit signature 2151 disable

Your ASA most likely thinks you are launching an attack and blackholes your IP. Look in your config for "shun"; shun is the ASA's way to deny all packets from a particular IP. Look in your config or try sh shun.




harbor235 ;}

 
LVL 32

Expert Comment

by:harbor235
ID: 22649362

How are you measuring the data transfer rate? Is the firewall busy with other traffic? Can you post a "show interface" for interfaces involved in transfer?
Could it be a server issue or a switch duplex/speed setting issue?


harbor235 ;}

 
LVL 4

Author Comment

by:nasirsh
ID: 22650209
Well, I am measuring by the ASDM interface. Secondly, what about the network being dropped so suddenly? And what about the transfer rate?
 
LVL 32

Expert Comment

by:harbor235
ID: 22659086

ASDM will show you an average rate over a particular sampling time frame, normally a 5-minute average and also a 1-minute average. So if the traffic you are generating is spiky, then the averages will round it down a bit. Also, perhaps you are not generating that much traffic; how are you generating traffic?

Again, if you try to send pings over 1472 bytes the firewall thinks this is an attack and may shun your IP.
Shun means to deny all your traffic through the firewall. I do not see any "ip audit" commands to enable the IDS/IDP capabilities. How do you resolve the issue when this happens? If it happens again you need to look at the firewall log and see what's happening; make sure logging is on:

logging on
logging buffered informational

harbor235 ;}
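To make the averaging effect described above concrete, here is an added example (not part of the thread) that computes throughput over non-overlapping windows the way a 1-minute or 5-minute graph would. The per-second byte counts are constructed: a 10-second burst at 100 Mbps followed by 290 idle seconds. The window lengths (1, 60 and 300 seconds) are assumptions chosen to mimic a per-second peak, a 1-minute average and a 5-minute average; nothing here is ASDM's own code.

```python
"""Show how a short burst of traffic is flattened by a long averaging window.

The byte counts below are constructed for illustration: 10 seconds at
12.5 MB/s (100 Mbps) and then 290 seconds of silence.
"""

# Constructed per-second byte counts: a 10 s burst, then 290 s idle.
BURST_BYTES_PER_SECOND = 12_500_000
SAMPLES = [BURST_BYTES_PER_SECOND] * 10 + [0] * 290


def mbps(byte_count, seconds):
    """Convert a byte count over a number of seconds into megabits per second."""
    return byte_count * 8 / seconds / 1_000_000


def window_averages(bytes_per_second, window):
    """Average rate in Mbps for each consecutive non-overlapping window.

    The final window may be shorter if the sample count is not a multiple
    of the window length; it is averaged over its actual length.
    """
    averages = []
    for start in range(0, len(bytes_per_second), window):
        chunk = bytes_per_second[start:start + window]
        averages.append(mbps(sum(chunk), len(chunk)))
    return averages


def peak_mbps(bytes_per_second):
    """Highest single-second rate in the series (what the sender actually pushed)."""
    return max(window_averages(bytes_per_second, 1))


if __name__ == "__main__":
    # The same burst reads as 100 Mbps per second, 16.7 Mbps over a minute
    # and 3.3 Mbps over five minutes.
    print("peak 1 s:   %.1f Mbps" % peak_mbps(SAMPLES))
    print("1 min avg:  %.1f Mbps" % window_averages(SAMPLES, 60)[0])
    print("5 min avg:  %.1f Mbps" % window_averages(SAMPLES, 300)[0])
```

The point is that a 5-minute average of a bursty transfer can sit far below the line rate the client saw, so a low number on the ASDM graph is not by itself proof that the firewall is throttling; compare it against the "show interface" counters or a per-second sample before concluding anything.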
 
LVL 4

Author Comment

by:nasirsh
ID: 22659964
Well, we have our application servers in our DMZ and other people from the network (inside) connect to them. We have a share server on which users take their backup. Our DMZ is 192.168.1.0 and all our servers are located in it. In the syslog I get an error with syslog ID 302014 to 302016. Can you please help me. I am desperate.
===========================

This is the ping to the DMZ

===========================

ASA-Millat# ping 192.168.1.19 size 35000

Sending 5, 35000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
 
 

ASA-Millat# ping 192.168.1.19 size 36000

Sending 5, 36000-byte ICMP Echos to 192.168.1.19, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)
 
 

=========================================

This is the ping on the inside Interface.

=========================================

ASA-Millat# ping 192.168.12.1 size 18000

Sending 5, 9000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
 

ASA-Millat# ping 192.168.12.1 size 19000

Sending 5, 19000-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)


 
LVL 32

Expert Comment

by:harbor235
ID: 22660109


Log into the firewall and issue this command;

show shun

Can you paste the output?

If there are entries like "shun 192.168.x.x" then the firewall has reacted to an attack and blackholed traffic from this device. To remove them, do the following: "no shun 192.168.x.x"

How do you resolve the issue? Can you ever communicate through the firewall again with that device?

302014 to 302016 are OK; they are informational messages about setting up and tearing down connections.

The config you posted, is it the one currently in use? If IDS/IDP is enabled in the ASA then it treats pings greater than 1472 as attacks. Do not do them until we figure out what is going on; if you do, you may continue to blackhole additional internal servers.




harbor235 ;}
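The two things harbor235 asks the poster to check, whether the 302014-302016 messages are just connection build/teardown noise and whether a host has been shunned, are easy to separate with a small log triage script. The following is an added example, not code from the thread or from Cisco. The sample log lines are constructed. The message IDs 302013-302016 (TCP/UDP build and teardown) come from the thread; the IDs 400023 (IDS signature 2151, large ICMP packet) and 401002/401003 (shun added/deleted) are taken from my reading of Cisco's ASA syslog message reference and are assumptions as far as this page is concerned, as are the exact text layouts the regular expressions match.

```python
"""Triage Cisco ASA syslog lines.

Separates routine connection build/teardown messages (302013-302016)
from IDS-signature hits and shun events, so that a host that the firewall
has started to blackhole can be spotted quickly.  All sample lines are
constructed; the message IDs and text layouts for 400023 and 401002/401003
are assumed from Cisco's syslog documentation, not from the thread.
"""
import re
from collections import Counter

# Generic ASA syslog envelope: %ASA-<severity>-<message id>: <text>
ENVELOPE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# Assumed layout of an IDS signature message, e.g.
#   IDS:2151 Large ICMP packet from A to B on interface inside
IDS_SIG = re.compile(
    r"IDS:(?P<sig>\d+) .*?from (?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)"
)
# Assumed layout of shun add/delete messages, e.g.  Shun added: A 0.0.0.0 0 0
SHUN = re.compile(r"Shun (?P<action>added|deleted): (?P<src>[\d.]+)")

CONNECTION_IDS = {"302013", "302014", "302015", "302016"}  # TCP/UDP build/teardown
IDS_ID_RANGE = (400000, 400050)   # assumed block of IDS signature message IDs
SHUN_IDS = {"401002", "401003"}   # assumed: shun added / shun deleted

# Constructed sample log, not real output from the poster's firewall.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1201 for inside:192.168.12.50/51234 (192.168.12.50/51234) to DMZ:192.168.1.19/445 (192.168.1.19/445)
%ASA-6-302014: Teardown TCP connection 1201 for inside:192.168.12.50/51234 to DMZ:192.168.1.19/445 duration 0:00:03 bytes 4096 TCP FINs
%ASA-6-302015: Built outbound UDP connection 1202 for DMZ:192.168.1.11/53 (192.168.1.11/53) to inside:192.168.12.50/53210 (192.168.12.50/53210)
%ASA-6-302016: Teardown UDP connection 1202 for DMZ:192.168.1.11/53 to inside:192.168.12.50/53210 duration 0:02:01 bytes 512
%ASA-4-400023: IDS:2151 Large ICMP packet from 192.168.12.50 to 192.168.1.19 on interface inside
%ASA-4-400023: IDS:2151 Large ICMP packet from 192.168.12.50 to 192.168.1.19 on interface inside
%ASA-4-401002: Shun added: 192.168.12.50 0.0.0.0 0 0
%ASA-4-401002: Shun added: 192.168.12.77 0.0.0.0 0 0
%ASA-4-401003: Shun deleted: 192.168.12.77 0.0.0.0 0 0
"""


def parse_line(line):
    """Return a dict describing one syslog line, or None if it is not an ASA message."""
    m = ENVELOPE.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "text": m["text"]}
    msg_id = int(rec["id"])
    if rec["id"] in CONNECTION_IDS:
        rec["kind"] = "connection"          # informational, as harbor235 says
    elif IDS_ID_RANGE[0] <= msg_id <= IDS_ID_RANGE[1]:
        rec["kind"] = "ids"
        s = IDS_SIG.search(rec["text"])
        if s:
            rec.update(signature=s["sig"], src=s["src"], dst=s["dst"], interface=s["ifc"])
    elif rec["id"] in SHUN_IDS:
        rec["kind"] = "shun"
        s = SHUN.search(rec["text"])
        if s:
            rec.update(action=s["action"], src=s["src"])
    else:
        rec["kind"] = "other"
    return rec


def triage(lines):
    """Count message kinds, list hosts currently shunned, and tally large-ICMP sources."""
    summary = {"connection": 0, "ids": 0, "shun": 0, "other": 0,
               "large_icmp_sources": Counter(), "shunned": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        summary[rec["kind"]] += 1
        if rec["kind"] == "ids" and rec.get("signature") == "2151":
            summary["large_icmp_sources"][rec["src"]] += 1
        if rec["kind"] == "shun" and "src" in rec:
            if rec["action"] == "added":
                summary["shunned"].add(rec["src"])
            else:
                summary["shunned"].discard(rec["src"])
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("connection build/teardown (informational):", result["connection"])
    print("IDS signature hits:", result["ids"], dict(result["large_icmp_sources"]))
    print("hosts still shunned:", sorted(result["shunned"]))
```

Run against a real buffer (for example the output of "show logging" once "logging buffered informational" is set), the "shunned" set is what to compare with "show shun": a host that appears in both is being blackholed by the ASA itself, while a host that loses connectivity with no shun entry and no IDS hit, as in this thread, points at something other than the firewall's IDS feature.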
 
LVL 4

Author Comment

by:nasirsh
ID: 22661265
There is no output of show shun.
Secondly when data is broken communication is again resumed after some time.
 
LVL 32

Expert Comment

by:harbor235
ID: 22661390


Is there an IDS/IDP device on your network other than the ASA?

harbor235 ;}
 
LVL 4

Author Comment

by:nasirsh
ID: 22662004
No.
 
LVL 4

Author Comment

by:nasirsh
ID: 22662027
Could it be that we have Symantec Endpoint server and client configured? Could that be causing the problem?
 
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 22662055


The Cisco IDS/IDP device can specify a duration in minutes or hours to block a host. Since your configs on the ASA do not enable IDS/IDP functionality, and your traffic is being blocked when a potential attack is initiated, it seems as if there is a device acting as an IDS/IDP on your network.

good luck

harbor235 ;}