CISCO ASA, 5510 - SSH CONNECTIONS DROPPING / SETTING UP PING

Posted on 2010-09-14
1,795 Views
Last Modified: 2013-11-16
Newly installed CISCO ASA 5510, finding that SSH / Telnet connections to our remote servers are dropping from client terminals...
I was going to set up a ping to monitor but the echo is not set up.

I would like to set up echoes on the outside interface along with replies from inside to outside requests.
These are the access lists I have currently.

access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host xxx.xxx.x.25 eq www
access-list outside extended permit tcp any host xxx.xxx.x.25 eq https
access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp
access-list outside extended permit tcp any host xxx.xxx.x.25 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.26 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.20 eq 3389
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.25
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.26
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.20


Also dns lookups have slowed……

Thanks for your help
Question by:FlyingFortress
31 Comments
Assisted Solution

by:Pete Long
Pete Long earned 100 total points
ID: 33672231
add inspect icmp to your default map

i.e.

policy-map global_policy
 class inspection_default
  inspect icmp
Author Comment

by:FlyingFortress
ID: 33672368
Thanks, the ping responses are working. Do you have any clues as to why our SSH connections keep dropping?

We have circa 25 client connections through the firewall.

Is this anything to do with the outside interface subnet?

interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx158 255.255.255.248


!
Author Comment

by:FlyingFortress
ID: 33672379
If our domain controller is issuing DNS through dhcp does the firewall need DNS entries?
Expert Comment

by:collins23
ID: 33672447
allow port 22 through firewall.
Expert Comment

by:collins23
ID: 33672463
I think the firewall should have DNS entries for your ISP, and your internal DHCP / DNS should be configured to forward queries for non-internal domains to the firewall.
Expert Comment

by:InteraX
ID: 33672543
Do the SSH connections stay established for a period of time? Are they active or inactive most of the time? I'm thinking that they may be affected by timeouts if they are inactive for periods of time.
Author Comment

by:FlyingFortress
ID: 33672557
Ah, OK, so our domain controller should give the LAN IP of the firewall, 192.168.51.1?

Just looking at allowing port 22 through the firewall:
the only access lists I have are ones that specify particular spare public IPs

access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp

Would I do this?
access-list outside extended permit tcp any host eq 22

Thanks
Author Comment

by:FlyingFortress
ID: 33672594
This could be something: the activity on the interfaces from the customer service team is intermittent, as they use multiple systems. Is there a workaround?


Cheers
Author Comment

by:FlyingFortress
ID: 33672600
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Expert Comment

by:InteraX
ID: 33672639
Which SSH client? They could try setting the TCP Keepalive option in their clients.
Author Comment

by:FlyingFortress
ID: 33672641
We also use port 23 (telnet) heavily; is this handled in the same way?
Author Comment

by:FlyingFortress
ID: 33672654
Sure, there are settings for this, so I am going to test, thanks. So there are no formal settings for the firewall to keep the connections alive as well?
Expert Comment

by:InteraX
ID: 33672663
Your inactive timeout for connected sessions is 1 hour. This can be extended, but it would potentially increase the timeout for everything not listed elsewhere and potentially increase memory usage.

timeout conn 1:00:00
Assisted Solution

by:collins23
collins23 earned 75 total points
ID: 33672666
Yes, that access list should work for you.

Hmm, just to clarify:

DHCP should give out a DNS setting of your internal DNS server.

Then, in this DNS server's configuration, under forwarders is where you put the LAN IP of the firewall.
Author Comment

by:FlyingFortress
ID: 33672764
Ok,

So currently we have our domain controller as the DHCP server which issues the actual DNS entries.

ip – 192.168.51.100
sn – 255.255.255.0
dg – 192.168.51.1

dns servers
xxx.xxx.xx.30
xxx.xxx.xx.31

Looking at the server, the forwarders are set to the above. If I change these to the internal IP of the firewall, will I have to activate DNS on the inside and outside interfaces?

Currently it is only on the outside interface.

Thanks
Expert Comment

by:collins23
ID: 33672830
If this setup is working for you, then leave it as is.

Otherwise you have to allow DNS queries to the firewall from internal.
Author Comment

by:FlyingFortress
ID: 33673018
I tried changing the forward lookups to the firewall for a test and enabled the DNS lookup on the outside and inside interfaces, but it practically ground to a halt...

I think I have tried that before with the same result.
Assisted Solution

by:InteraX
InteraX earned 75 total points
ID: 33680082
Cisco firewalls cannot run DNS servers, even as a proxy.

Your clients' DNS servers should be set to your internal DCs.

Your DCs should have their IP stack DNS servers set to one of the DCs as primary and, if you have more, another as the secondary, e.g. server A is primary for all DCs, server B is secondary for all DCs, server C is tertiary for all DCs, etc.

The DNS server software should be set to forward to your ISP's DNS servers.

The firewall cannot run the keepalives for you.
Author Comment

by:FlyingFortress
ID: 33680317
Understood.
The ASA has the DNS settings enabled on the outside interface. Are these required at all?

Thanks
Expert Comment

by:collins23
ID: 33680333
Are you able to perform DNS queries to your ISP's DNS servers from the DC?
Author Comment

by:FlyingFortress
ID: 33680337
Yes 100%.

When you write mem on an ASA, does that temporarily disconnect from the gateway?
Expert Comment

by:collins23
ID: 33680349
Don't think so..
Expert Comment

by:collins23
ID: 33680351
write mem only saves the config.
Expert Comment

by:InteraX
ID: 33680573
As soon as the config is entered on the command line, it is running on the device. When you mention that it has the DNS settings enabled on the outside, do you mean it is querying an external DNS server for resolution? This should not cause any problems, but you may prefer to use an internal server so that you can resolve internal addresses.
Author Comment

by:FlyingFortress
ID: 33680596
Ok thanks,

So I can disable the DNS on the outside interface and enable the inside interface to look at the DC internal IP?

Thanks
Expert Comment

by:InteraX
ID: 33681896
Yes, you should be able to disable the DNS lookup on the outside interface and enable it on the inside interface.
Expert Comment

by:shirkan
ID: 33699525
And on a security note, DNS and firewalls should not be in one sentence together.
Only with IP addresses do you know where your traffic goes.
DNS can be manipulated, spoofed, etc.
Therefore using a firewall to look up IPs it is using is very insecure.
So NO DNS resolution in your firewall.

On your problem,

it is most likely here:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Is the telnet and SSH you use related to AS400/Unix systems?
They usually don't send keepalives and have bad IP/TCP habits, e.g. keeping half-open connections,
and they will time out in 10 min. You can set them higher, but then everything else will be on that timer too, and memory could be a problem if there are a lot of connections on your line, because they will all stay open till the timer runs out.
Author Comment

by:FlyingFortress
ID: 33699570
Understood.
Yes, the telnet and SSH connections are related to Unix shipping systems.

Can the timeout be put a little higher as a balance?

Thanks
Accepted Solution

by:shirkan
shirkan earned 250 total points
ID: 33699672
Yes, I have had the problem with some of my customers too.
Depending on your load on the firewall,
try this:
timeout conn 2:00:00 half-closed 0:30:00

If that's not enough, double the half-closed.
Problem is, if there is no traffic during that time, the session will drop again (like a lunch break or such).
You don't want it to be too high if you have a lot of traffic;
if it's not enough, try adding 30 min to the conn timeout and 10 min to the half-closed step by step, and
watch your RAM usage on your ASA.
At one customer I had it on 3h conn and 1h half-closed.
If possible, ask the Unix guys to add some sort of keepalive to their program.
See if the timers ease up on your timeout problem, but other than that, since Unix wasn't built for internet connectivity, there is little you can do....
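As an added worked example (not from the thread or any of its posters), the following Python turns the posted timeout line and shirkan's proposed one into seconds, decides whether an idle Telnet/SSH session would outlive the conn and half-closed timers, and shows the client-side TCP keepalive setting InteraX suggests. The 45-minute idle gap and the keepalive values are constructed assumptions, and the socket option names are platform-dependent.

```python
import re
import socket

# Timeout lines as posted in the thread (current) and as shirkan suggested (proposed).
ASA_TIMEOUT_CURRENT = "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02"
ASA_TIMEOUT_PROPOSED = "timeout conn 2:00:00 half-closed 0:30:00"

def parse_asa_timeouts(line):
    """Map every 'keyword h:mm:ss' pair on an ASA timeout line to seconds."""
    found = re.findall(r"(\S+)\s+(\d+):(\d{2}):(\d{2})", line)
    return {k: int(h) * 3600 + int(m) * 60 + int(s) for k, h, m, s in found}

def session_survives(idle_gap, timeouts, keepalive_idle=None, half_closed=False):
    """Would a session with no application data for idle_gap seconds survive?
    The ASA restarts its idle timer on every packet it sees, and a TCP keepalive
    probe is such a packet: a client keepalive firing before 'conn' expires keeps
    a fully open session alive while the peer answers. A half-closed session is
    judged against the shorter 'half-closed' timer, with no keepalive credit
    (a simplification made for this example)."""
    if half_closed:
        return idle_gap < timeouts["half-closed"]
    if keepalive_idle is not None and keepalive_idle < timeouts["conn"]:
        return True
    return idle_gap < timeouts["conn"]

def enable_keepalive(sock, idle, interval, count):
    """Turn on TCP keepalives on a client socket (what InteraX suggests doing in
    the SSH client). Linux names the idle knob TCP_KEEPIDLE, macOS TCP_KEEPALIVE;
    the interval and probe-count options are skipped where the platform lacks them."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))

def keepalive_demo(idle=300, interval=30, count=3):
    """Open a throwaway TCP socket, enable keepalives on it and report the result."""
    with socket.socket() as s:
        return enable_keepalive(s, idle, interval, count)

if __name__ == "__main__":
    cur, new = parse_asa_timeouts(ASA_TIMEOUT_CURRENT), parse_asa_timeouts(ASA_TIMEOUT_PROPOSED)
    # Constructed scenario: a 45-minute break with no typing on the session.
    print("45 min idle, conn 1h:", session_survives(45 * 60, cur))                              # True
    print("45 min idle, half-closed 30 min:", session_survives(45 * 60, new, half_closed=True))  # False
    print("90 min idle, keepalive every 5 min:", session_survives(90 * 60, cur, 300))          # True
    print("client keepalive enabled:", keepalive_demo())                                        # True
```

Raising the timers only moves the cliff; a keepalive below the conn timer is what keeps a quiet session alive through a break.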