Cisco ASA disallowing new connections

Hi,

I'm currently having an issue with our Cisco ASA firewall. The ASA replaced a PIX 515e. Three months into the ASA, the firewall stopped working. All we've been getting is this message in the ASA log:

"Syslog ID: 201008.......... Disallowing new connections"

Any help would be greatly appreciated. Thanks.
ZerodotZerodotZerodotZero asked:

John (Business Consultant, Owner) commented:
Have you reached a licensing limit? Disconnect one or two and try to make a new connection. If that works, there is a number / license limitation.
ZerodotZerodotZerodotZero (Author) commented:
Are you referring to our VPN connection?

We use IPsec and not SSL, so that should give us 250. We have fewer than 5 users who use IPsec VPN.

The ASA's features vs. the 515e's are superior in every way in terms of quantity of connections etc., but yet we don't experience the same issue with the PIX.
John (Business Consultant, Owner) commented:
If you have 250 VPN connections available, I do not know why you would get stuck on 5. Does Cisco make you license the 250 connections? I think such was true of some Juniper boxes if I recall correctly.

ZerodotZerodotZerodotZero (Author) commented:
Someone can correct me, but I believe IPsec comes with 250 out of the box.

SSL comes with 2; you will need to purchase more.
Sid6_7 commented:
I believe Zerodot is correct. Depending on the license, it is 250 out of the box and only 2 SSL connections. This is with the Security Plus base license we got with our ASA.
John (Business Consultant, Owner) commented:
If connections are within license, I do not know why you can't make a new connection.

Did you try the "new instead of one old one" to see if that even works?
ZerodotZerodotZerodotZero (Author) commented:
Yes. Tried a new one and same results.

Keep in mind that we lose all Internet connectivity and are unable to hit any of our web servers from the outside or send/receive inbound/outbound email.
John (Business Consultant, Owner) commented:
Can you, in an off time, do a hard reset of the router back to factory specifications and set it up again? You should be able to do a basic setup and the first connection in less than an hour.
ZerodotZerodotZerodotZero (Author) commented:
We have reset the firewall back to factory specs. We reloaded a known-good backup config and have manually configured the firewall. The firewall would work for 2-4 weeks and then we'd get the same error above and lose connection to everything.
ZerodotZerodotZerodotZero (Author) commented:
We have called our ISP to ensure it wasn't them. We even took a laptop and connected directly to the Internet router, bypassing the firewall, and we were able to get connected.
John (Business Consultant, Owner) commented:
Let us know what your ISP says. Usually an ISP does not limit connections.

"We reloaded a known-good backup config and have manually configured the firewall"

Any chance it is a configuration error? I have seen old, known-good configurations fail in newer circumstances. It might be worth checking.
ZerodotZerodotZerodotZero (Author) commented:
The ISP continues to say everything is good on their end.

Reloaded and manually configured the ASA. It will work for a few weeks, then bomb with the same message: "Disallowing new connections".
John (Business Consultant, Owner) commented:
If you can reload the profile and it works for weeks, it is feasible the router is defective. Either that or build a new config from scratch.

Is there a firmware upgrade available?
John (Business Consultant, Owner) commented:
Another thought is that the router could be in a warm environment and overheating slowly.

It works for weeks, so think overheating, hardware and, much less likely, strange configuration.
ZerodotZerodotZerodotZero (Author) commented:
I think I may have found the problem. Will test tomorrow evening and report back.
ZerodotZerodotZerodotZero (Author) commented:
Firewall is working!

The problem started when we enabled TCP-based syslog to a syslog server (instead of the default UDP). Unknown to us at that time was that if for any reason the syslog server could not be reached over that TCP connection, the ASA would stop allowing new connections through it.

What I did to resolve the issue was to allow user traffic to pass when the TCP syslog server is unreachable.
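As an added example (not part of the original thread and not the asker's configuration), the script below audits an ASA running-config for exactly this failure mode: a "logging host ... tcp/<port>" collector with no "logging permit-hostdown". "logging permit-hostdown" is the Cisco ASA command that lets traffic continue when a TCP syslog server is down; everything else here is constructed for illustration: the hostname, the collector IP 10.1.1.5, the sample config snippets, and the sample syslog lines (the 201008 line follows the "%ASA-<severity>-<id>: text" shape of ASA syslog, with the message text quoted in the thread). The same script also picks the 201008 message out of syslog lines, which is the signal to alert on if the fail-closed default is left in place.

```python
import re
from typing import Dict, List

# Constructed sample configs (not the asker's config; hostname and IP are made up).
# WEAK: TCP syslog collector and no 'logging permit-hostdown' -> ASA fails closed if the collector dies.
WEAK_CONFIG = """\
hostname asa-edge
logging enable
logging timestamp
logging trap informational
logging host inside 10.1.1.5 tcp/1470
"""
# FIXED: same, plus the command that keeps passing traffic when the TCP collector is unreachable.
FIXED_CONFIG = WEAK_CONFIG + "logging permit-hostdown\n"
# UDP: no protocol given means UDP/514; UDP syslog never blocks new connections.
UDP_CONFIG = """\
hostname asa-edge
logging enable
logging host inside 10.1.1.5
"""

# "logging host <iface> <ip> [<proto>/<port>]".  A typed command uses tcp/ or udp/;
# 'show running-config' renders them as 6/<port> and 17/<port>.
LOGGING_HOST_RE = re.compile(
    r"^logging host (?P<iface>\S+) (?P<ip>\S+)(?: (?P<proto>tcp|udp|6|17)/(?P<port>\d+))?",
    re.IGNORECASE,
)
PROTO_NAMES = {"6": "tcp", "17": "udp"}


def parse_logging_hosts(config: str) -> List[Dict[str, str]]:
    """One dict per 'logging host' line, protocol normalised to tcp/udp, port defaulted to 514."""
    hosts = []
    for line in config.splitlines():
        m = LOGGING_HOST_RE.match(line.strip())
        if not m:
            continue
        proto = (m.group("proto") or "udp").lower()
        hosts.append({
            "iface": m.group("iface"),
            "ip": m.group("ip"),
            "proto": PROTO_NAMES.get(proto, proto),
            "port": m.group("port") or "514",
        })
    return hosts


def permit_hostdown_enabled(config: str) -> bool:
    """True if the config carries 'logging permit-hostdown'."""
    return any(line.strip().lower() == "logging permit-hostdown" for line in config.splitlines())


def audit_logging(config: str) -> List[str]:
    """One finding per TCP syslog host that would make the ASA fail closed; empty list means no risk."""
    findings = []
    if permit_hostdown_enabled(config):
        return findings
    for h in parse_logging_hosts(config):
        if h["proto"] == "tcp":
            findings.append(
                f"TCP syslog to {h['ip']}:{h['port']} via {h['iface']} without 'logging permit-hostdown': "
                "if the collector becomes unreachable the ASA logs 201008 and disallows new connections"
            )
    return findings


# Constructed syslog lines; only the 201008 text is taken from the thread.
SAMPLE_SYSLOG = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51234 to inside:10.1.1.20/443",
    "%ASA-3-201008: Disallowing new connections.",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.7/51234 to inside:10.1.1.20/443",
]
MSG_ID_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):")


def disallow_events(lines: List[str]) -> List[str]:
    """Return the syslog lines whose message ID is 201008 (ASA disallowing new connections)."""
    hits = []
    for ln in lines:
        m = MSG_ID_RE.search(ln)
        if m and m.group("id") == "201008":
            hits.append(ln)
    return hits


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG), ("udp", UDP_CONFIG)):
        print(name, audit_logging(cfg) or "OK")
    print(disallow_events(SAMPLE_SYSLOG))
```

Feed it the output of "show running-config" (or a config backup) and the finding list tells you whether the box can wedge itself the way the thread describes. The fail-closed behaviour is deliberate on the ASA side: with TCP syslog and no "logging permit-hostdown" it refuses to forward traffic it cannot audit, so enabling the command trades that guarantee for availability, and the collector's reachability should then be monitored separately so a silent logging outage is not mistaken for a healthy firewall.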

ZerodotZerodotZerodotZero (Author) commented:
I was able to resolve the issue on my own.