Cisco ASA5505 keeps disconnecting

Posted on 2014-02-26
Last Modified: 2014-03-10
Hey guys,

I have a Cisco ASA 5505 here connected to a 5510 VPN. All has been running well for quite some time (2 yrs), no issues. Recently, in the last 3 days, I've been getting disconnects. The local LAN is fine, all internal traffic looks good, and the ISP modem is good since I have a separate device plugged into it and it never drops.

- For the past few days, after doing a couple of hard boots it will work for a bit (the time is inconsistent, sometimes 15 mins, sometimes an hr).
- I can clear conn, clear xlate and clear arp to make sure nothing is bound there. Sometimes it helps after I clear and then reload, sometimes it doesn't help at all.
- I've changed the external IP, and it seems to help for a little bit. Then it starts the same thing again.

One thing I am noticing when clearing the connections, when the LAN cannot connect to the internet, is that there seems to be an abnormal amount of outside DNS requests going to the internal IPs; many times each PC has multiple simultaneous requests, like 10-15 per PC, so my "sh conn" jumps from 15 to easily over 100. I only have 15 devices at the site, maybe 20 with phones connecting to wifi.

I'm not sure if this is a DNS DoS attack from someone inside or outside?

I have tried changing the DNS servers and get the same result. I'm at the point now where I have all devices turned off or disconnected from the network and can't seem to get the ASA internet back up this time at all.

Any and all help would be appreciated.
Question by:regmandy

Expert Comment

by:BillBondo
ID: 39889189
Ours would overheat. Just a thought.

Expert Comment

by:amclaughlin01
ID: 39889196
Does the interface bounce between up/down status?

It could be excessive traffic coming in from outside, but I have seen where a failing network interface would cause this.

If you have a spare interface, I would first try swapping them out. This would at least rule out the possibility.

Also, have you tried changing the network cable? You wouldn't think a cable would go bad, but I have seen on a number of occasions where we had troubleshot a connectivity issue only to find out that the problem was the network cable.
 

Author Comment

by:regmandy
ID: 39889267
Heat seems fine; it's sitting on top of a cabinet and it's not overly warm in the room.

Interfaces show all up.

I have another ASA coming in to replace it, as I was thinking the outside interface is failing too, but I'm still trying to figure it out until then.

I swapped out cables the other day. It was stable for a bit, then started again.

Expert Comment

by:amclaughlin01
ID: 39889298
Have you looked at how many packets are coming in/out compared to packets going out/in?

Sometimes, if there is an extremely large discrepancy between the two, you might have something spamming the interface. I have also seen where another computer on the network had a failing NIC that was spamming the interface, causing similar issues.
 

Author Comment

by:regmandy
ID: 39889972
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
       Traffic Statistics for "outside":
        110203 packets input, 5253188 bytes
        4699 packets output, 937682 bytes
        1686 packets dropped
      1 minute input rate 16 pkts/sec,  757 bytes/sec
      1 minute output rate 0 pkts/sec,  73 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 15 pkts/sec,  743 bytes/sec
      5 minute output rate 0 pkts/sec,  72 bytes/sec
      5 minute drop rate, 0 pkts/sec

Incoming seems quite high compared to outgoing. It kinda reflects how I see so many inbound UDP connections coming from the ISP DNS address to the local machines. I've since changed the DNS to Google's DNS and my local one and get the same result.

Expert Comment

by:amclaughlin01
ID: 39890131
If you are really curious, you could set up a packet sniffer between your internet connection and router to see what the incoming traffic is. You could use something like Wireshark to do the capturing.

Or, you might be able to contact your ISP and see if they have a website you can see that shows the traffic?

 

Author Comment

by:regmandy
ID: 39891868
Yeah, I suppose, but if I changed external IPs, how long would it take for them to get on it again? A day or so?

Expert Comment

by:amclaughlin01
ID: 39892009
Changing the external IP and updating DNS entries can take up to 3 days (standard ISP answer). Normally, it is around 24 hours or sooner. It depends how often DNS providers transfer DNS zone records.

Expert Comment

by:amclaughlin01
ID: 39892017
However, you can put a computer inline as a passthrough or use a hub/switch and not have to change the external IP address.

A hub gives you one broadcast domain, so all traffic is seen by all other ports.

A switch would have to have spanned ports configured to see the other traffic not destined for the computer's port.
 

Author Comment

by:regmandy
ID: 39892267
Here is an example of what I'm seeing when I try a sh conn. Keep in mind this is the Google DNS and some internal IPs. I had switched the DNS from my ISP DNS to Google for an external DNS, flushed the DNS on the local PCs and still had the same issue, so I'm not 100% sure where it's coming from. In most cases we have hundreds of these connections showing, and when I don't see DNS entries like this, the connection is up. So it's got to be related.

11 in use, 100 most used
UDP outside 8.8.4.4:53 inside 192.168.22.51:54329, idle 0:01:44, bytes 156, flags -
UDP outside 8.8.4.4:53 inside 192.168.22.51:50601, idle 0:01:44, bytes 196, flags -
UDP outside 8.8.4.4:53 inside 192.168.22.51:52147, idle 0:01:45, bytes 196, flags -
UDP outside 8.8.4.4:53 inside 192.168.22.51:65169, idle 0:01:52, bytes 208, flags -
UDP outside 8.8.4.4:53 inside 192.168.22.51:54335, idle 0:01:56, bytes 196, flags -
UDP outside 8.8.4.4:53 inside 192.168.22.51:62276, idle 0:01:57, bytes 164, flags -
UDP outside 8.8.4.4:53 inside 192.168.22.51:53163, idle 0:01:57, bytes 168, flags -
UDP outside 8.8.4.4:53 inside 192.168.22.51:50954, idle 0:01:59, bytes 168, flags -

Thanks for your help, guys. I'm going to throw a hub in the mix or configure port mirroring on the ASA to mirror the outside interface and see what I come up with. I'll post up my results.

Thanks again for the info, keep the recommendations coming!
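The pattern the poster is describing (many simultaneous UDP/53 connections per inside host in `sh conn`) is easy to check mechanically. The following is an added example, not code from the thread: it parses ASA `show conn` lines in the format shown above and flags inside hosts whose concurrent DNS connection count exceeds a threshold. The sample output it runs over is constructed to mimic the posted lines; the threshold of 10 is taken from the "10-15 per PC" the poster observed.

```python
"""Parse Cisco ASA 'show conn' output and flag inside hosts with an abnormal
number of concurrent UDP/53 (DNS) connections (example code, not from the thread)."""
import re
from collections import Counter

# One 'show conn' line, e.g.:
# UDP outside 8.8.4.4:53 inside 192.168.22.51:54329, idle 0:01:44, bytes 156, flags -
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<oif>\S+)\s+(?P<oip>[\d.]+):(?P<oport>\d+)\s+"
    r"(?P<iif>\S+)\s+(?P<iip>[\d.]+):(?P<iport>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


def parse_conn(text):
    """Return one dict per connection line; the 'N in use' header and unknown lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("oport", "iport", "bytes"):
                d[k] = int(d[k])
            conns.append(d)
    return conns


def dns_conns_per_host(conns):
    """Count concurrent UDP connections to remote port 53, keyed by inside host IP."""
    counts = Counter()
    for d in conns:
        if d["proto"] == "UDP" and d["oport"] == 53:
            counts[d["iip"]] += 1
    return counts


def flag_hosts(conns, threshold=10):
    """Inside hosts with more simultaneous DNS connections than the threshold."""
    return sorted(ip for ip, n in dns_conns_per_host(conns).items() if n > threshold)


# Constructed sample (not the real capture): one normal host plus one host with
# twelve concurrent DNS connections, like the 10-15 per PC seen in the thread.
SAMPLE_LINES = [
    "11 in use, 100 most used",
    "TCP outside 203.0.113.10:443 inside 192.168.22.52:49152, idle 0:00:03, bytes 8120, flags UIO",
    "UDP outside 8.8.4.4:53 inside 192.168.22.52:50601, idle 0:00:10, bytes 196, flags -",
]
SAMPLE_LINES += [
    f"UDP outside 8.8.4.4:53 inside 192.168.22.51:{54329 + i}, idle 0:01:4{i % 10}, bytes 156, flags -"
    for i in range(12)
]
SAMPLE = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    print("hosts over threshold:", flag_hosts(parse_conn(SAMPLE)))
```

Running it on real `show conn` output (pasted into `SAMPLE` or read from a file) gives a per-host count to compare against the normal baseline for the site.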
 

Author Comment

by:regmandy
ID: 39903628
Sorry about the delays, guys. I've since travelled to the site (I've been troubleshooting this remotely as the site is 3 hrs away and I have 5 other sites I look after), installed a new ASA 5505 box and configured it. Everything was working till this morning. The connection was solid yesterday till sometime around 3 AM, when the network started to replicate the same issue again.

I do have my sniffer machine connected with 2 NICs so I can see what's going on inside the ASA as well as outside traffic to the ASA.

From what I can see, inside the network, the VPN tunnel seems to be flapping now. I can see it's up, but it's not receiving traffic sporadically. Tx seems to be normal, but after a little bit the VPN tunnel closes, then reopens again, and on goes the cycle.

I'm not seeing anything too odd in Wireshark; however, my assumption is the same: the connection seems to drop when I start to see a lot of UDP connections from outside DNS addresses to the inside PC addresses, as I posted an example above.

I'm going to continue watching traffic to see if I can find any other trends, but as it stands, the site is online using a SOHO router to the ISP.
 

Accepted Solution

by:regmandy
ID: 39904019
After more investigating, it looks like the ISP made some changes to their DHCP lease time, which seems to be the cause. I assign a new IP, it works for a day, then the lease expires. I'm reconfiguring and testing. I'll update when I have confirmation.
 

Author Closing Comment

by:regmandy
ID: 39917011
The ISP was the problem: a 24 hr lease time made the connection flap, therefore shutting down the tunnel.