Cisco ASA 5505 - Annoyingly needs a Power cycle every 2 months or so?

We don't know why but our small business Cisco ASA 5505 v05 annoyingly needs a Power cycle every 2 months or so. We host a couple of websites for customers so this is a big problem when it occurs and someone has to run over to our offices just to pull the power plug and reinsert it. Otherwise our 5505 works fine.

Cisco ASA 5505 v05    
    ASA version is 8.4(2)
    ASDM version is 7.1(1)52
    Flash 128MB, Memory 1024MB

We do not have a Cisco service contract. We admit we are not fluent in managing our 5505. We know just enough about the ASDM manager program to have set the unit up a couple of years ago, and since then not much hands on.

Q1  Is there something wrong with our unit or is this acceptable frequency of annoyance for doing a power cycle?
Q2  Should we figure out how to update our 5505's software ASA & ASDM, perhaps by acquiring the Cisco contract?
Q3  Should we upgrade to a newer Cisco Router?  


Any comments, advice and hints would be truly appreciated.
JReam Asked:
max_the_king Commented:
Hi,

Q1 I manage hundreds of ASA and I've never had to reboot it for malfunctioning ... so my answer is that is not acceptable: you may have some other issue; for example, should your ASA be limited to 10 or 50 users, when you reach the limit further connections are dropped without warning; then a reboot resets all connections and you start over fine, until next time you reach the limit. You might encounter some other issue, which I cannot possibly guess.

Q2 no need to update, 8.4.2 is fine

Q3 no need to upgrade to a newer router, unless you have too many devices connected, as I wrote as an example in Q1. In that case you can upgrade to unlimited devices, it is just an activation key that you buy from Cisco.

hope this helps
max
0

Matt Commented:
Do you have any records in the log?

You don't need to upgrade to a newer router except if you need BGP routing. Price - performance is clearly on the ASA side.

Try to update the ASA with a newer 8.4 release, the latest version is asa847-22-k8.bin (8.4(7)-22). Check if you have a valid Cisco SmartNet support package so you will be eligible to get this version.
0
JReam (Author) Commented:
Hi max king - thanks for the reply. I'm guessing 'Users' refers to inside hosts, I think we are at 'unlimited'. We actually only have 2 or 3 public facing hosts, IIS and RDS. Traffic usage is never very heavy. The other night the router failed (required a power cycle) at about 10pm at night, which is a real light traffic time of day.


Our "Show Version" lists:  
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.


0
JReam (Author) Commented:
Hi Matt -

You wrote "Do you have any records in log?"

I'm looking at ASDM -> Monitoring -> Log Buffer. I don't see a way to look back in time to a night or two ago when the router last failed. Is this Logging something I'd have to keep running on my PC's ASDM program over extended periods in an attempt to catch the issue?
0
Matt Commented:
No no, I hope ASDM has the option to set the logging buffer to, for example, 1 Megabyte or more. With this setting you should be able to see events for a couple of days, depending on the traffic.
0
Matt Commented:
This is how it looks when configured using the CLI:

logging enable
logging timestamp
logging standby
logging buffer-size 1024000
logging monitor informational
logging buffered informational
logging trap debugging
logging asdm informational
logging facility 23
0
max_the_king Commented:
Hi,
you say someone has to unplug the power cord: did you try to telnet to the CLI interface from inside, is it responsive? You may as well try connecting a console cable, just to see if you get real-time messages from the ASA. If something is going wrong and the ASA is not frozen, it will tell you why it is not working.
max
0
JReam (Author) Commented:
Hi Matt -
I'm trying to implement your ASA Logging suggestions. I've successfully applied the 9 Logging CLI commands you shared, which I did via ASDM's Tools CLI interface, [Apply] and saved everything.

Q:  I can't seem to be able to figure out how to:  
With this setting you should be able to see events for couple of days, depends on the traffic.
   

Here's a print screen of the ASDM Log I'm looking at, it only seems to keep about 3 minutes of history in the buffer.... perhaps I need to change those CLI Logging commands to be more limited in severity, such as: logging buffered notifications

If I understand this correctly, I should be able to close ASDM app on my PC, fire it up later and look at hours/days of logging history?  

[Screenshot: ASDM Log]
And print screen of ASA Logging options:
[Screenshot: 2014-08-19-16-06-55.jpg]
0
Matt Commented:
Try to increase ASDM Logging Queue Size - right now you have 512 messages.

If you can login to ASA using telnet or ssh (putty), you can view logs:

show logg
0
JReam (Author) Commented:
512 seems to be the max ASDM Logging Queue Size. At least in my ASDM 7.1(1). I don't know about newer versions of ASDM. Message says "ASDM Logging Queue size must be in the range of 100 - 512."

I believe the only Logging command line I actually needed from Matt's list of 9 was: logging buffered informational, actually I went with logging buffered notifications. In either case it's more logging than the previous setting of Disabled. I don't want to risk overburdening the device with too much Logging activity. I also returned settings to Disabled for 'standby', 'trap', 'monitor', etc. And 'facility' default is 20.

In ASDM, Tools, CLI,  I'm typing in command "show logging" as Matt instructed.  This looks to be what I need to monitor as it appears to show the internal buffer log of severity notifications and above.

Do I need to "login to ASA using telnet or ssh (putty)" to view the log or is the view from ASDM, Tools, CLI, basically the same?
0
JReam (Author) Commented:
Reply to max_the_king

Thanks for your replies which are all really appreciated. Same for Matt of course.

I honestly don't know yet about trying to telnet (or ASDM) the CLI interface from inside to test for device responsiveness. I totally agree that we need to try this out next time the failure occurs which is only about every 2 months. Our general reaction to the failure has been to power cycle the device immediately since clients are usually unhappy & waiting. Now that we're more ASA Logging aware we'll try our best to check them out next event. We'll discover a) is the ASA totally frozen and unresponsive (ASDM inside access) and/or directly connected Telnet Console COM1 access, and b) peer into the logs looking for hints at the cause.
0
Matt Commented:
You can configure the ASA to send syslog messages to a syslog server, KiWi Syslog for example, and there you will have all the history so you don't have to log in to the ASA just to see logs.

Regarding response from the ASA - do you have an IP monitor that can run 24/7? There you will be able to see whether or not the ASA responds to ping...
0
JReam (Author) Commented:
Yes we just signed up with Monitis web monitoring service.  Simple Ping tests every 10 minutes 24x7.    So we'll know hopefully, before our clients, the next time the 5505 fails.

About the Syslog server, we haven't set that up as of yet so we're a bit newbie on that topic.  
Q:  How often does the ASA send the logs to the Syslog server?     Isn't our failure issue also going to cause failure to send updated log entries to the syslog server?    I'm guessing that it may not be frequent enough for us to catch and see what is failing on our 5505 especially if the killer events are all right at the exact point of failure.
0
Matt Commented:
The ASA sends syslog messages all the time to the syslog server. KiWi has an option to make daily syslog files: at the end of the day it saves them to a daily zip, and at midnight it creates a new daily syslog file as soon as the first syslog message arrives from the ASA.
0
JReam (Author) Commented:
Before we spring the $$ and time for something like KiWi,
Q:  Is "messages all the time to the syslog server" really going to be frequently enough?   I'm thinking that whatever is killing our 5505 every 2 months or so does so in a very  quick fashion, say in under a minute duration or less.     At which time the 5505 gags a couple of times, maybe creates a couple of internal buffer log entries, then drops off the grid  totally.  The syslog server likely never gets these important last minute log entries.     Does this sound unreasonable?
0
JReam (Author) Commented:
This morning I checked the logs via ASDM, Tools, CLI with command SHOW LOGG and I successfully could see the Notification level entries for the last 3 days.      Looking at these Logs will be our course of action next time the 5505 failure event occurs, assuming our 5505 isn't frozen solid which we'll determine also.

I'll open up another EE question to inquire about the "frequency" of the ASA to KiWi syslogs to determine if that idea will benefit us .  

I wish I could give more than just 500 points for this Q&A.  You both offered terrific answers and valuable helpful suggestions.  Thanks for being the "Experts" for us this week.

Thank you!
0
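Added example, not part of the original thread: a Python sketch of the log review described in the post above, which scans saved `show logging` output (or a syslog server's file) for the silent gap a hang leaves behind and returns the last messages logged before it. It assumes lines shaped like `Mmm dd yyyy hh:mm:ss: %ASA-severity-id: text`, as produced with `logging timestamp`; the sample lines, message ids, 30-minute threshold and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape "logging timestamp" gives ASA messages;
# the message ids and text are placeholders, not output from the thread.
SAMPLE = """\
Aug 17 2014 21:40:02: %ASA-5-000001: constructed message A
Aug 17 2014 21:52:10: %ASA-4-000002: constructed message B
Aug 17 2014 21:58:47: %ASA-3-000003: constructed message C
Aug 17 2014 21:59:03: %ASA-2-000004: constructed message D
Aug 17 2014 23:31:15: %ASA-5-000005: constructed message after power cycle
Aug 17 2014 23:33:40: %ASA-5-000006: constructed message E
"""

LINE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d+): (?P<text>.*)"
)

def parse(text):
    """Return (timestamp, severity, msg_id, text) for each line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE.search(line)  # search() tolerates a syslog-server prefix
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
            events.append((ts, int(m["sev"]), m["id"], m["text"]))
    return events

def find_gaps(events, threshold=timedelta(minutes=30), context=3):
    """Return (last_seen, first_after, preceding_events) for each silent gap."""
    gaps = []
    for i in range(1, len(events)):
        prev, cur = events[i - 1][0], events[i][0]
        if cur - prev >= threshold:
            gaps.append((prev, cur, events[max(0, i - context):i]))
    return gaps

def worst_before(gap):
    """Most severe event before the gap (lower number = more severe)."""
    return min(gap[2], key=lambda e: e[1])

if __name__ == "__main__":
    for gap in find_gaps(parse(SAMPLE)):
        print(f"silent from {gap[0]} to {gap[1]}")
        for ts, sev, msg_id, text in gap[2]:
            print(f"  {ts} sev={sev} id={msg_id} {text}")
```

The ASA's internal log buffer is held in RAM and is cleared by a power cycle, so the input has to be captured before pulling the plug or come from a syslog server.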
Matt Commented:
You are welcome. If you need anything more regarding ASA and logging, let me know.
0

Question has a verified solution.
