Solved

TMG and ASA connections issues.

Posted on 2013-02-02
Last Modified: 2013-02-22
Hello Experts,
I have been facing a very weird problem since I moved TMG behind the ASA (back to back).

Here is the case.
I have a single ASA 5540 with the below interfaces:

Gi0/0 Outside Interface
Gi0/1 Inside Interface
Gi0/1.1 TMG Interface
Gi0/2 DMZ Interface


The ASA inside interface is split into a subinterface configured with VLAN 3. I have trunked the switchport on the switch side with the below config:

interface GigabitEthernet0/1
 ! 802.1Q trunk towards the ASA inside interface, carrying VLANs 2 and 3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3
 ! VLAN 2 is sent untagged (native) for the physical ASA Gi0/1; VLAN 3 is tagged for Gi0/1.1
 ! (the original post had "switch port trunk vlan 2"; "native" is the intended keyword)
 switchport trunk native vlan 2
 switchport mode trunk

The TMG external interface is connected to a switch port that is configured with VLAN 3.

Now here is the problem: frequently and suddenly TMG stops being able to ping the gateway (the IP of the ASA sub-interface). In order to resolve it I have to reboot the ASA.

Please can someone help me to resolve this issue.
Question by:cciedreamer
16 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848192
Start a log on the ASA interface - what does it report when pings cease to be replied to?
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38848412
Is threat detection enabled on the ASA?
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848501
Thanks for the response.
Please can you tell me how I check whether threat detection is turned on or off.

Also, how do I collect logs on the interface?

Thanks. I appreciate your help
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848655
In TMG select the web policy in the TMG GUI. Look along the top; it will show you whether you have enabled malware inspection, HTTPS inspection etc.

No offence, but if you need help with these basics then you need a tutorial rather than just assistance with a question.

This is a link to the ASA logging guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_logging.html
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848726
I disabled Malware Inspection, but in an earlier post ArneLovius said to verify whether threat detection is turned on or off on the ASA. How do I check that on the ASA?

Thanks
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848851
Malware inspection on the TMG should be ON. I wouldn't bother about it on the ASA as it will not be relevant. Think about it.... ping (ICMP) traffic is not malware and certainly would not affect whether a ping response is received or not.

The one aspect that COULD have a bearing is the regularity of the ping - if the ASA is receiving too many packets it could be treating it as a flood.

If you are using this simply as a keepalive then you would be better served using the connection verifiers in TMG by checking on a web site availability.
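The advice above (turn on ASA logging, check whether threat detection is enabled, look for flood behaviour) is easiest to act on if the syslog capture is searched for the basic threat-detection "rate exceeded" events rather than read by hand. The script below is an added illustration, not code from this thread or from Cisco: it assumes the standard layout of the %ASA-4-733100 message, and the host name, addresses, counters and timestamps in the sample lines are constructed for the example. Bucketing by hour is there because the author observed the outage at a fixed time of day.

```python
"""Pick ASA basic threat-detection events out of a syslog capture.

Added illustration, not code from the thread or from Cisco.  It assumes the
standard %ASA-4-733100 "drop rate exceeded" message layout with a
"Mon DD YYYY HH:MM:SS host" syslog prefix; the sample lines below are
constructed for the example (host name, addresses, counters are made up).
"""
import re
from collections import Counter
from datetime import datetime

# Basic threat-detection "rate exceeded" message (syslog ID 733100).
THREAT_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-4-733100: "
    r"\[ (?P<obj>[^\]]+) \] drop (?P<rate>\S+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, "
    r"max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, "
    r"max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)$"
)


def parse_threat_event(line):
    """Return a dict for a 733100 line, or None for any other syslog line."""
    m = THREAT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "when": datetime.strptime(d["stamp"], "%b %d %Y %H:%M:%S"),
        "object": d["obj"],          # a host address or a category such as "Scanning"
        "rate": d["rate"],           # which configured rate (rate-1 burst, rate-2 average)
        "burst": int(d["burst"]), "burst_max": int(d["burst_max"]),
        "avg": int(d["avg"]), "avg_max": int(d["avg_max"]),
        "total": int(d["total"]),
    }


def summarize(lines):
    """Count threat-detection events per hour of day and per reported object."""
    events = [e for e in map(parse_threat_event, lines) if e]
    return {
        "events": len(events),
        "by_hour": dict(Counter(e["when"].hour for e in events)),
        "by_object": dict(Counter(e["object"] for e in events)),
    }


# Constructed sample capture: two ordinary connection/deny messages and three
# threat-detection events, all clustered in the 16:00 hour.
SAMPLE_LOG = """\
Feb 02 2013 16:12:41 asa5540 %ASA-6-302013: Built inbound TCP connection 8812 for inside:192.168.10.7/51022 (192.168.10.7/51022) to outside:198.51.100.20/443 (198.51.100.20/443)
Feb 02 2013 16:14:03 asa5540 %ASA-4-733100: [ 192.168.10.25 ] drop rate-1 exceeded. Current burst rate is 25 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 4120
Feb 02 2013 16:31:50 asa5540 %ASA-4-733100: [ Scanning ] drop rate-2 exceeded. Current burst rate is 120 per second, max configured rate is 100; Current average rate is 70 per second, max configured rate is 50; Cumulative total count is 9033
Feb 04 2013 16:22:09 asa5540 %ASA-4-733100: [ 192.168.10.25 ] drop rate-1 exceeded. Current burst rate is 30 per second, max configured rate is 10; Current average rate is 9 per second, max configured rate is 5; Cumulative total count is 5000
Feb 04 2013 09:05:17 asa5540 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/4431 to 198.51.100.20/80 flags RST on interface outside
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['events']} threat-detection events")
    print("per hour of day:", report["by_hour"])
    print("per object:    ", report["by_object"])
```

If a real capture shows the same internal host repeatedly named in 733100 events around the time the pings fail, that points at the chatty device rather than at the sub-interface or trunk, which is where the rest of this thread ends up.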
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848913
Firstly, I have no continuous ping to the ASA from the TMG.
Secondly, I have noticed this issue appears at a fixed time (between 4 and 5 pm). This problem occurs after 2, 3 or 4 days, and suddenly.
Thirdly, once I reboot the ASA everything resumes back to normal.

Lastly, is it related to the sub-interface of the ASA?

Comments/Suggestions are welcome.

Thanks
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38849093
One step at a time then.
Run the TMG Best Practices Analyzer.
 
LVL 3

Author Comment

by:cciedreamer
ID: 38849300
I have run the analyzer and I have observed some TCP connection-related issues; please have a look at the attached.

thanks for your help.
tmg-scan.docx
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38849539
From my post above: "The one aspect that COULD have a bearing is the regularity of the ping - if the ASA is receiving too many packets it could be treating it as a flood."

Ping/whatever, too many sessions in too short a time will have that effect.

Where is the 192.168 subnet - inside or outside of TMG?
 
LVL 3

Author Comment

by:cciedreamer
ID: 38849945
It is my inside network (192.168.X.X).
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 38850037
Two choices - the first, find why these devices are broadcasting and shut off those services; or second, increase the number of concurrent connections etc that are allowed per second.

First option is always the best as it corrects the issue but.....

The second option is carried out within the TMG gui
Intruder Prevention System, then select behavioural prevention system from the tabs along the top of the right-hand pane. Select Flood Mitigation settings.

Make sure the policy is ticked to enable it then change away as per the comments in the analyser report. Make sure you RECORD SOMEWHERE the default settings so that if you ever fix the internal cause of the problem you can put TMG back to normal afterwards.

Apply the changes

Keith
 
LVL 3

Author Comment

by:cciedreamer
ID: 38850178
Hi,
Thanks for your valuable suggestions. What if I put my inside subnet under the IP exceptions?

Will it be safe ?

Thanks
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38852015
The option means what it says - it becomes exempt from the policy and treated as exempt. This is not necessarily 'safety' related and is more a means to control how a configuration is handled for a particular set of circumstances.
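The accepted solution raises the per-source connection limits in TMG's flood mitigation, and the follow-up asks what an IP exception does. The model below is an added illustration, not TMG's or Cisco's code: a sliding-window counter of new connections per source address, with an exemption list, which is the behaviour both settings control. The threshold (20 new connections in any 5-second window), the addresses and the connection events are constructed for the example, not taken from the thread or from any product default. It shows the same replay twice: once with the policy applied to everything, and once with the internal subnet exempted, which is what Keith's reply means by "exempt from the policy": the internal source is no longer flagged, whatever it does.

```python
"""Per-source connection-rate limiting with an exemption list.

Added illustration, not TMG's or Cisco's code.  A source is flagged when it
opens more than `limit` new connections within `window` seconds, unless its
address falls inside an exempted network.  Threshold values, addresses and
the sample events are constructed for the example.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class FloodMonitor:
    def __init__(self, limit, window, exempt_networks=()):
        self.limit = limit                  # allowed new connections per window
        self.window = window                # window length in seconds
        self.exempt = [ip_network(n) for n in exempt_networks]
        self.recent = defaultdict(deque)    # src -> timestamps still inside the window

    def is_exempt(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.exempt)

    def record(self, src, ts):
        """Register one new connection from src at time ts.

        Returns True when src has now exceeded the limit inside the window.
        Exempt sources are never counted, so they can never be flagged.
        """
        if self.is_exempt(src):
            return False
        q = self.recent[src]
        while q and ts - q[0] > self.window:   # drop timestamps that aged out
            q.popleft()
        q.append(ts)
        return len(q) > self.limit


def analyse(events, limit, window, exempt_networks=()):
    """Replay (timestamp, src) events in time order.

    Returns {src: timestamp at which the source was first flagged}.
    """
    mon = FloodMonitor(limit, window, exempt_networks)
    first_flag = {}
    for ts, src in sorted(events):
        if mon.record(src, ts) and src not in first_flag:
            first_flag[src] = ts
    return first_flag


def _burst(src, start, count, gap):
    """Constructed helper: `count` connections from src, `gap` seconds apart."""
    return [(round(start + i * gap, 3), src) for i in range(count)]


# Constructed connection log: one chatty internal host, one quiet internal
# host and one external source bursting a little later.
SAMPLE_EVENTS = (
    _burst("192.168.10.25", 0.0, 40, 0.1)    # 40 connections in 4 s
    + _burst("192.168.10.7", 0.0, 5, 1.0)    # 5 connections in 5 s
    + _burst("203.0.113.9", 10.0, 30, 0.05)  # 30 connections in 1.5 s
)

if __name__ == "__main__":
    print("policy on everything:", analyse(SAMPLE_EVENTS, limit=20, window=5.0))
    print("internal subnet exempt:",
          analyse(SAMPLE_EVENTS, limit=20, window=5.0,
                  exempt_networks=["192.168.0.0/16"]))
```

The first replay flags both the internal host and the external source at their 21st connection; the second flags only the external source, because the exemption removes the internal subnet from the count entirely. That is the trade-off in the thread: the exception stops the symptom, but the broadcasting device is still there and is now invisible to this control, which is why the first option (fix the internal cause) was recommended.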
 
LVL 3

Author Comment

by:cciedreamer
ID: 38854570
Hi,
Is there any way to make the connection limit on the Cisco ASA as well? Somehow I guess this is a Cisco ASA issue, but I'm not quite sure. However, I've added my subnet in IP Exceptions under TMG Flood Mitigation.

Samir
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38918813
Thanks :)