Solved

TMG and ASA connections issues.

Posted on 2013-02-02
16
877 Views
Last Modified: 2013-02-22
Hello Experts,
I have been facing a very weird problem since I moved TMG behind the ASA (back to back).

Here is the case
I have single ASA 5540 with below interfaces

Gi0/0 Outside Interface
Gi0/1 Inside Interface
Gi0/1.1 TMG Interface
Gi0/2 DMZ Interface


The ASA inside interface is split into a sub-interface configured with VLAN 3. I have trunked the switchport on the switch side with the config below:

int gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3
 switchport trunk native vlan 2
 switchport mode trunk

The TMG external interface is connected to a switch and is configured with VLAN 3.

Now here is the problem: frequently and suddenly TMG stops pinging the gateway (the IP of the ASA sub-interface). To resolve it I have to reboot the ASA.

Please can someone help me to resolve this issue.
0
Question by:cciedreamer
16 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848192
Start a log on the ASA interface - what does it report when pings cease to be replied to?
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38848412
Is threat detection enabled on the ASA?
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848501
Thanks for the response.
Please can you tell me how I check whether threat detection is turned on/off.

Also, how do I collect logs on the interface?

Thanks. I appreciate your help
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848655
In TMG select the web policy in the TMG GUI. Look along the top; it will show you whether you have enabled malware inspection, HTTPS inspection etc.

No offence, but if you need help with these basics then you need a tutorial rather than just assistance with a question.

This is a link to the ASA logging guide
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_logging.html
0
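ArneLovius's question (is threat detection enabled on the ASA?) and the asker's follow-up (how to check it, how to log the interface) can both be answered from the ASA CLI. The following is an added example, not posted by anyone in this thread; the interface nameif `TMG`, the syslog host `10.0.0.50` and the `192.168.x.x` placeholder for the TMG external address are assumptions.

```cisco
! Added example, not from any participant in the thread. ASA 8.x CLI.
! Assumptions: the Gi0/1.1 sub-interface has nameif "TMG"; 10.0.0.50 is a
! syslog collector on the inside; 192.168.x.x stands for the TMG external IP.

! --- Is threat detection enabled? -------------------------------------
! Basic threat detection (rate statistics only) is on by default.
! Scanning threat detection with "shun" is the variant that actively
! blocks a source host, which looks exactly like "pings stop until
! something clears it" (a reboot clears the shun list).
show running-config all threat-detection
!   threat-detection basic-threat            <- default, passive
!   threat-detection scanning-threat shun    <- active, check for this

! Current shun list, per-host statistics and the configured rate limits
show threat-detection shun
show threat-detection statistics host
show threat-detection rate

! Release a shunned host (instead of rebooting the ASA) with:
!   clear threat-detection shun 192.168.x.x

! --- Logging so the event that coincides with the ping loss is kept --
configure terminal
 logging enable
 logging timestamp
 logging buffer-size 65536
 logging buffered informational
 logging host inside 10.0.0.50
 logging trap informational
end

! --- While the problem is active -------------------------------------
! Is ICMP from TMG reaching the sub-interface at all, and what drops it?
capture TMGPING interface TMG match icmp any any
show capture TMGPING
show asp drop
! Threat-detection events are 733100-733103; to-the-box ICMP denies 313001
show logging | include 7331
show logging | include 313001
no capture TMGPING
```

Run the `show` commands while the ping failure is in progress and again after it clears; a host appearing in `show threat-detection shun` at the time of the outage, or a `%ASA-4-733102` message in the buffer, would point at the ASA actively blocking the TMG address rather than at a link or VLAN fault.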
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848726
I disabled Malware Inspection, but in an earlier post ArneLovius said to verify whether threat detection is turned on/off on the ASA. How do I check that on the ASA?

Thanks
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848851
Malware inspection on the TMG should be ON. I wouldn't bother about it on the ASA as it will not be relevant. Think about it... ping (ICMP) traffic is not malware and certainly would not affect whether a ping response is received or not.

The one aspect that COULD have a bearing is the regularity of the ping - if the ASA is receiving too many packets it could be treating it as a flood.

If you are using this simply as a keepalive then you would be better served using the connection verifiers in TMG by checking on a web site availability.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848913
Firstly, I have no continuous ping to the ASA from the TMG.
Secondly, I have noticed this issue appears at a fixed time (like between 4 and 5 pm). It occurs suddenly, after 2, 3 or 4 days.
Thirdly, once I reboot the ASA everything goes back to normal.

Lastly, is it related to something with the sub-interface of the ASA?

Comments/Suggestions are welcome.

Thanks
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38849093
One step at a time then.
Run the TMG best practice analyser.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38849300
I have run the analyser and observed some TCP connection-related issues; please have a look at the attached.

thanks for your help.
tmg-scan.docx
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38849539
From my post above: "The one aspect that COULD have a bearing is the regularity of the ping - if the ASA is receiving too many packets it could be treating it as a flood."

Ping/whatever, too many sessions in too short a time will have that effect.

Where is the 192.168 subnet - inside or outside of TMG?
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38849945
It is my inside network (192.168.X.X).
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 38850037
Two choices - the first, find why these devices are broadcasting and shut off those services; or second, increase the number of concurrent connections etc that are allowed per second.

The first option is always the best as it corrects the issue, but...

The second option is carried out within the TMG GUI:
Intruder Prevention System, then select the behavioural prevention system from the tabs along the top of the right-hand pane. Select Flood Mitigation settings.

Make sure the policy is ticked to enable it then change away as per the comments in the analyser report. Make sure you RECORD SOMEWHERE the default settings so that if you ever fix the internal cause of the problem you can put TMG back to normal afterwards.

Apply the changes

Keith
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38850178
Hi,
Thanks for your valuable suggestions. What if I put my inside subnet under IP exceptions?

Will it be safe?

Thanks
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38852015
The option means what it says - it becomes exempt from the policy and treated as exempt. This is not necessarily 'safety' related and is more a means to control how a configuration is handled for a particular set of circumstances.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38854570
Hi,
Is there any way to set a connection limit on the Cisco ASA as well? Somehow I guess this is a Cisco ASA issue but I am not quite sure. However, I've added my subnet in IP Exceptions under TMG Flood Mitigation.

Samir
0
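The question about a connection limit on the ASA goes unanswered in the thread. The ASA-side counterpart of TMG flood mitigation is a connection limit set through the Modular Policy Framework; the following is an added example, not posted by anyone here. The interface nameif `TMG`, the placeholder host `192.168.1.10` and the numeric limits are assumptions to be tuned against what `show conn count` and `show local-host` report for this network.

```cisco
! Added example, not from any participant in the thread: connection limits
! on the ASA with the Modular Policy Framework, the ASA-side counterpart of
! TMG flood mitigation.
! Assumptions: the sub-interface facing TMG has nameif "TMG"; 192.168.1.10 is
! a placeholder host; the limits are starting points, not recommendations.

! --- Measure first ---------------------------------------------------
! Total connections, then per-host connection and half-open (embryonic)
! counts for a source the ASA currently sees on the TMG interface
show conn count
show local-host 192.168.1.10 detail
! Any connection limits already applied by policy?
show service-policy

! --- Limit -----------------------------------------------------------
configure terminal
 ! Everything entering from the TMG side. If TMG is NATing, the ASA sees
 ! only TMG's external address, so "per-client" then means TMG as a whole
 ! and the per-host culprit still has to be found on the TMG side.
 class-map TMG_SIDE
  match any
 !
 policy-map TMG_LIMITS
  class TMG_SIDE
   ! Per source host: total and half-open (embryonic) TCP connections
   set connection per-client-max 500 per-client-embryonic-max 100
   ! For the whole class, protecting the conn table as such
   set connection conn-max 20000 embryonic-conn-max 2000
 !
 service-policy TMG_LIMITS interface TMG
end

! --- Verify / watch --------------------------------------------------
! Limits trip as %ASA-3-201011 (class limit) and %ASA-3-201013 (per-client)
show service-policy interface TMG
show logging | include 20101
```

These limits govern connections passing through the ASA, so they protect its connection table from a host behind TMG that opens too many sessions; they do not by themselves explain lost pings to the sub-interface address, which is why the limit should be set only after `show conn count` and `show local-host` have shown which host is actually consuming connections.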
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38918813
Thanks :)
0
