Solved

Cisco ASA disallowing new connections

Posted on 2014-07-14
Last Modified: 2014-08-09
Hi,

I'm currently having an issue with our Cisco ASA firewall. The ASA had replaced a PIX 515e. Three months into the ASA, the firewall stopped working. All we've been getting is this message in the ASA log:

"Syslog ID: 201008.......... Disallowing new connections"

Any help would be greatly appreciated. Thanks.
LVL 99

Expert Comment

by:John Hurst
ID: 40195745
Have you reached a licensing limit? Disconnect one or two and try to make a new connection. If that works, there is a number / license limitation.

Author Comment

by:ZerodotZerodotZerodotZero
ID: 40195815
Are you referring to our VPN connection?

We use IPsec and not SSL, so that should give us 250. We have fewer than 5 users that use IPsec VPN.

The ASA's features vs. the 515e's are superior in every way in terms of quantity of connections etc., yet we didn't experience the same issue with the PIX.
LVL 99

Expert Comment

by:John Hurst
ID: 40195817
If you have 250 VPN connections available, I do not know why you would get stuck on 5. Does Cisco make you license the 250 connections? I think such was true of some Juniper boxes, if I recall correctly.

Author Comment

by:ZerodotZerodotZerodotZero
ID: 40195822
Someone can correct me, but I believe IPsec comes with 250 out of the box.

SSL comes with 2; you will need to purchase more.
LVL 3

Expert Comment

by:Sid6_7
ID: 40195947
I believe Zerodot is correct: depending on the license, it is 250 out of the box and only 2 SSL connections. This is with the Security Plus base license we got with our ASA.
LVL 99

Expert Comment

by:John Hurst
ID: 40195959
If connections are within license, I do not know why you can't make a new connection.

Did you try the "new instead of one old one" to see if that even works?

Author Comment

by:ZerodotZerodotZerodotZero
ID: 40195988
Yes. Tried a new one and same results.

Keep in mind that we lose all Internet connectivity and are unable to hit any of our web servers from the outside or send/receive incoming/outbound emails.
LVL 99

Expert Comment

by:John Hurst
ID: 40196000
Can you, in an off time, do a hard reset of the router back to factory specifications and set it up again? You should be able to do a basic setup and the first connection in less than an hour.

Author Comment

by:ZerodotZerodotZerodotZero
ID: 40197466
We have reset the firewall back to factory specs. We reloaded a known good backup config and have also manually configured the firewall. The firewall would work for 2-4 weeks and then we'd get the same error above and lose connection to everything.

Author Comment

by:ZerodotZerodotZerodotZero
ID: 40197469
We have called our ISP to ensure it wasn't them. We even took a laptop and connected directly to the Internet router, bypassing the firewall, and we were able to get connected.
LVL 99

Expert Comment

by:John Hurst
ID: 40197541
Let us know what your ISP says. Usually an ISP does not limit connections.

We reload a known good back up config and have manually config the firewall

Any chance it is a configuration error? I have seen old, known good configurations fail in newer circumstances. It might be worth checking.

Author Comment

by:ZerodotZerodotZerodotZero
ID: 40232490
The ISP continues to say everything is good on their end.

Reloaded and manually configured the ASA. It will work for a few weeks, then bomb with the same message: "Disallowing new connections".
LVL 99

Expert Comment

by:John Hurst
ID: 40232497
If you can reload the profile and it works for weeks, it is feasible the router is defective. Either that or build a new config from scratch.

Is there a firmware upgrade available?
LVL 99

Expert Comment

by:John Hurst
ID: 40232531
Another thought is that the router could be in a warm environment and overheating slowly.

It works for weeks, so think overheating, hardware and, much less likely, strange configuration.

Author Comment

by:ZerodotZerodotZerodotZero
ID: 40233025
I think I may have found the problem. Will test tomorrow evening and report back.

Accepted Solution

by:ZerodotZerodotZerodotZero (earned 0 total points)
ID: 40239468
Firewall is working!

We had enabled TCP-based syslog to a syslog server (instead of the default UDP). Unknown to us at that time was that if, for any reason, the syslog server was not reachable through that TCP connection, the ASA would stop allowing new connections through it.

What I did to resolve the issue was to allow user traffic to pass when the TCP syslog server is unreachable.
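As an added example (not code from the thread or from Cisco), a small Python check for the failure mode the accepted solution describes: it audits an ASA config excerpt for TCP syslog collectors configured without `logging permit-hostdown` (the ASA command that lets user traffic pass while a TCP syslog server is down, i.e. the poster's fix) and counts the syslog ID 201008 messages in a log sample. The config lines, addresses and log lines are constructed for the example.

```python
import re

# Constructed excerpt of an ASA running-config in the state the thread
# describes: a collector reached over TCP and no "logging permit-hostdown",
# so an unreachable collector makes the ASA fail closed (block new flows).
WEAK_CONFIG = """\
logging enable
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging host inside 192.0.2.11 udp/514
"""

# Same excerpt plus the mitigation: keep passing user traffic when the
# TCP syslog server is unreachable.
FIXED_CONFIG = WEAK_CONFIG + "logging permit-hostdown\n"

LOGGING_HOST = re.compile(r"^logging host \S+ (\S+) (tcp|udp)/(\d+)\b", re.M)
PERMIT_HOSTDOWN = re.compile(r"^logging permit-hostdown\s*$", re.M)


def tcp_syslog_fail_closed(config):
    """Return the TCP syslog collectors whose outage would make this ASA
    block new connections (TCP collectors without 'logging permit-hostdown').
    UDP collectors never trigger this; an empty list means no exposure."""
    if PERMIT_HOSTDOWN.search(config):
        return []
    return [f"{host}:{port}"
            for host, proto, port in LOGGING_HOST.findall(config)
            if proto == "tcp"]


# Syslog ID 201008 is the message quoted in the question; the ASA emits it
# as "%ASA-3-201008: Disallowing new connections." Counting it per time
# window is a cheap detection for this outage mode on a monitoring host.
ASA_201008 = re.compile(r"%ASA-\d-201008:")


def count_disallow_events(lines):
    return sum(1 for line in lines if ASA_201008.search(line))


# Constructed sample syslog lines, not taken from the poster's device.
SAMPLE_LOG = [
    "Jul 14 2014 09:12:01 fw1 %ASA-6-302013: Built inbound TCP connection 4711",
    "Jul 14 2014 09:12:05 fw1 %ASA-3-201008: Disallowing new connections.",
    "Jul 14 2014 09:12:06 fw1 %ASA-3-201008: Disallowing new connections.",
]
```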

Author Closing Comment

by:ZerodotZerodotZerodotZero
ID: 40250429
I was able to resolve the issue on my own.