Solved

TMG and ASA connections issues.

Posted on 2013-02-02
Medium Priority
892 Views
Last Modified: 2013-02-22
Hello Experts,
I have been facing a very weird problem since I moved TMG behind the ASA (back to back).

Here is the case.
I have a single ASA 5540 with the interfaces below:

Gi0/0 Outside Interface
Gi0/1 Inside Interface
Gi0/1.1 TMG Interface
Gi0/2 DMZ Interface


The ASA inside interface is split into a subinterface configured with VLAN 3. I have trunked the switchport on the switch side with the config below:

int gi0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,3
switchport trunk native vlan 2
switchport mode trunk

The TMG external interface is connected to a switch and is configured with VLAN 3.

Now here is the problem: frequently and suddenly, TMG stops pinging the gateway (the IP of the ASA subinterface). To resolve it I have to reboot the ASA.

Please can someone help me to resolve this issue.
Question by:cciedreamer
16 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848192
Start a log on the ASA interface - what does it report when pings cease to be replied to?
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38848412
Is threat detection enabled on the ASA?
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848501
Thanks for the response.
Please can you tell me how I check whether threat detection is turned on or off?

Also, how do I collect logs on the interface?

Thanks. I appreciate your help.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848655
In TMG, select the web policy in the TMG GUI. Look along the top; it will show you whether you have enabled malware inspection, HTTPS inspection, etc.

No offence, but if you need help with these basics then you need a tutorial rather than just assistance with a question.

This is a link to the ASA logging guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_logging.html
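The thread never shows how to answer ArneLovius's question or how to read the ASA's own account of what happened, so the following is an added example of the ASA CLI checks a practitioner would run; it is not from the original thread or from the linked Cisco guide. It assumes the Gi0/1.1 subinterface has the nameif `tmg`, that the TMG external address is 10.0.3.2, and that a syslog collector at 192.168.1.50 is reachable through the inside interface named `inside`; none of those values appear in the question.

```cisco
! --- Added example: ASA-side checks. Interface names and addresses are assumed, not from the thread. ---
! 1. Is threat detection on, and which parts of it? "all" also prints the defaults.
show running-config all threat-detection
! 2. Hosts that scanning-threat detection has shunned. A shun on the TMG external
!    address (assumed 10.0.3.2) would fit the symptom: pings to the gateway stop
!    until the ASA is reloaded, because a reload empties the shun list.
show threat-detection shun
show threat-detection statistics host 10.0.3.2
! 3. Release a shunned host without reloading the whole firewall.
clear threat-detection shun 10.0.3.2
! 4. Which drop reasons are being counted (conn-limit and flood drops show up here).
show asp drop
! 5. Turn on logging so the next occurrence leaves a record. Threat-detection
!    events are message IDs 733100 (rate exceeded), 733101 (host targeted/attacked),
!    733102 (shun added) and 733103 (shun removed).
logging enable
logging timestamp
logging buffer-size 65536
logging buffered informational
logging trap informational
logging host inside 192.168.1.50
! 6. Confirm ICMP from TMG actually reaches the tmg subinterface while the symptom
!    is present; an empty capture points at the switch trunk / VLAN 3 rather than the ASA.
capture tmg-icmp interface tmg match icmp host 10.0.3.2 any
show capture tmg-icmp
! 7. When the symptom returns, read back the buffered log and the rate counters.
show logging | include 733
show threat-detection rate
```

Remove the capture with `no capture tmg-icmp` once the test is over. `clear threat-detection shun` only clears the symptom; if the TMG address keeps landing in the shun list, the question becomes why it trips the scanning threshold, which is what the later posts about the Best Practices Analyzer's TCP connection findings are chasing.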
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848726
I disabled Malware Inspection, but in an earlier post ArneLovius said to verify whether threat detection is turned on or off on the ASA. How do I check that on the ASA?

Thanks
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38848851
Malware inspection on the TMG should be ON. I wouldn't bother about it on the ASA as it will not be relevant. Think about it.... ping (ICMP) traffic is not malware and certainly would not affect whether a ping response is received or not.

The one aspect that COULD have a bearing is the regularity of the ping - if the ASA is receiving too many packets it could be treating it as a flood.

If you are using this simply as a keepalive then you would be better served using the connection verifiers in TMG by checking on a web site's availability.
 
LVL 3

Author Comment

by:cciedreamer
ID: 38848913
Firstly, I have no continuous ping to the ASA from the TMG.
Secondly, I have noticed this issue appears at a fixed time (between 4 and 5 pm). The problem occurs suddenly, after 2, 3 or 4 days.
Thirdly, once I reboot the ASA everything resumes back to normal.

Lastly, is it related to the sub-interface of the ASA?

Comments/suggestions are welcome.

Thanks
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38849093
One step at a time then.
Run the TMG Best Practices Analyzer.
 
LVL 3

Author Comment

by:cciedreamer
ID: 38849300
I have run the analyzer and observed some TCP connection related issues; please have a look at the attached.

Thanks for your help.
tmg-scan.docx
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38849539
From my post above: "The one aspect that COULD have a bearing is the regularity of the ping - if the ASA is receiving too many packets it could be treating it as a flood."

Ping or whatever, too many sessions in too short a time will have that effect.

Where is the 192.168 subnet - inside or outside of TMG?
 
LVL 3

Author Comment

by:cciedreamer
ID: 38849945
It is my inside network (192.168.X.X).
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 38850037
Two choices - the first, find why these devices are broadcasting and shut off those services; or second, increase the number of concurrent connections etc. that are allowed per second.

The first option is always the best as it corrects the issue but.....

The second option is carried out within the TMG GUI:
Intruder Prevention System, then select the behavioural prevention system from the tabs along the top of the right-hand pane. Select Flood Mitigation settings.

Make sure the policy is ticked to enable it, then change away as per the comments in the analyser report. Make sure you RECORD SOMEWHERE the default settings so that if you ever fix the internal cause of the problem you can put TMG back to normal afterwards.

Apply the changes.

Keith
 
LVL 3

Author Comment

by:cciedreamer
ID: 38850178
Hi,
Thanks for your valuable suggestions. What if I put my inside subnet under the IP exceptions?

Will it be safe?

Thanks
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38852015
The option means what it says - it becomes exempt from the policy and is treated as exempt. This is not necessarily 'safety' related and is more a means to control how a configuration is handled for a particular set of circumstances.
 
LVL 3

Author Comment

by:cciedreamer
ID: 38854570
Hi,
Is there any way to set the connection limit on the Cisco ASA as well? Somehow I guess this is a Cisco ASA issue, but I'm not quite sure. However, I've added my subnet to the IP Exceptions under TMG Flood Mitigation.

Samir
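The question about a connection limit on the ASA goes unanswered in the thread. The following is an added example, not from the thread or from Cisco's documentation, of the ASA counterparts of TMG's flood mitigation: per-client connection limits through the Modular Policy Framework, plus the threat-detection settings that correspond to TMG's IP exceptions. As before, the nameif `tmg`, the subnet 10.0.3.0/24, the TMG address 10.0.3.2 and every number are assumed for illustration.

```cisco
! --- Added example (not from the thread): ASA counterparts of TMG flood mitigation. ---
! Interface names, subnets and limits below are assumed for illustration.
!
! A. Per-client connection limits on traffic arriving from the TMG subnet.
!    per-client-max caps total connections from one source address;
!    per-client-embryonic-max caps half-open (SYN-only) connections, which is
!    what a flooding host mostly produces.
access-list TMG_CONN extended permit ip 10.0.3.0 255.255.255.0 any
class-map TMG_CONN_CLASS
 match access-list TMG_CONN
policy-map TMG_CONN_POLICY
 class TMG_CONN_CLASS
  set connection per-client-max 2000 per-client-embryonic-max 200
  set connection timeout embryonic 0:00:30
service-policy TMG_CONN_POLICY interface tmg
!
! B. Scanning-threat detection: keep it on, but exempt the TMG external address
!    from the automatic shun (the ASA equivalent of TMG's "IP Exceptions" list)
!    and bound how long any other shun lasts (seconds).
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.0.3.2 255.255.255.255
threat-detection scanning-threat shun duration 3600
!
! C. If the log shows 733100 "rate exceeded" for conn-limit or scanning drops at
!    the 4-5 pm peak, raise that rate rather than switching the feature off.
!    Form: threat-detection rate <type> rate-interval <s> average-rate <n> burst-rate <n>
threat-detection rate conn-limit-drop rate-interval 600 average-rate 200 burst-rate 800
threat-detection rate scanning-threat rate-interval 600 average-rate 10 burst-rate 20
!
! Verify
show service-policy interface tmg
show running-config threat-detection
```

Two caveats. TMG is a proxy, so every inside client's outbound session leaves through the single TMG external address; `per-client-max` on that address must therefore be sized for the whole inside network's concurrency, or the limit itself recreates the outage. And the shun exception in part B does what Keith says the TMG exception does: the ASA will no longer block that host even if it genuinely starts scanning, so the MPF limits in part A, which still apply to the exempted address, are the compensating control.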
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38918813
Thanks :)