Solved

Cisco ASA 5505 - Annoyingly needs a Power cycle every 2 months or so?

Posted on 2014-08-18
Last Modified: 2017-04-26
We don't know why but our small business Cisco ASA 5505 v05 annoyingly needs a power cycle every 2 months or so. We host a couple of websites for customers so this is a big problem when it occurs and someone has to run over to our offices just to pull the power plug and reinsert it. Otherwise our 5505 works fine.

Cisco ASA 5505 v05    
    ASA version is 8.4(2)
    ASDM version is 7.1(1)52
    Flash 128MB, Memory 1024MB

We do not have a Cisco service contract. We admit we are not fluent in managing our 5505. We know just enough about the ASDM manager program to have set the unit up a couple of years ago, and since then not much hands on.

Q1  Is there something wrong with our unit or is this acceptable frequency of annoyance for doing a power cycle?
Q2  Should we figure out how to update our 5505's software ASA & ASDM, perhaps by acquiring the Cisco contract?
Q3  Should we upgrade to a newer Cisco Router?  


Any comments, advice and hints would be truly appreciated.
0
Comment
Question by:JReam
17 Comments
 
LVL 18

Accepted Solution

by:
max_the_king earned 1000 total points
ID: 40268172
Hi,

Q1 I manage hundreds of ASAs and I've never had to reboot one for malfunctioning ... so my answer is that this is not acceptable: you may have some other issue; for example, should your ASA be limited to 10 or 50 users, when you reach the limit further connections are dropped without warning; then a reboot resets all connections and you start over fine, until the next time you reach the limit. You might encounter some other issue, which I cannot possibly guess.

Q2 no need to update, 8.4.2 is fine

Q3 no need to upgrade to a newer router, unless you have too many devices connected, as I wrote as an example in Q1. In that case you can upgrade to unlimited devices; it is just an activation key that you buy from Cisco.

hope this helps
max
0
 
LVL 6

Expert Comment

by:Matt
ID: 40268179
Do you have any records in log?

You don't need to upgrade to newer router except if you need BGP routing. Price - performance is clearly on ASA side.

Try to update ASA with newer 8.4 release, the latest version is asa847-22-k8.bin (8.4(7)-22). Check if you have valid CISCO Smartnet support package so you will be eligible to get this version.
0
 
LVL 1

Author Comment

by:JReam
ID: 40268245
Hi max king - thanks for the reply. I'm guessing 'Users' refers to inside hosts; I think we are at 'unlimited'. We actually only have 2 or 3 public facing hosts, IIS and RDS. Traffic usage is never very heavy. The other night the router failed (required a power cycle) at about 10pm at night, which is a real light traffic time of day.


Our "Show Version" lists:  
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.


0
 
LVL 1

Author Comment

by:JReam
ID: 40268304
Hi Matt -

You wrote "Do you have any records in log?"

I'm looking at ASDM -> Monitoring -> Log Buffer. I don't see a way to look back in time to a night or two ago when the router last failed. Is this Logging something I would have to keep running on my PC's ASDM program over extended periods in an attempt to catch the issue?
0
 
LVL 6

Expert Comment

by:Matt
ID: 40268311
No no, I hope ASDM has the option to set logging buffer to for example 1 Megabyte or more. With this setting you should be able to see events for couple of days, depends on the traffic.
0
 
LVL 6

Assisted Solution

by:Matt
Matt earned 1000 total points
ID: 40268344
This is how it looks configuring using CLI:

logging enable
logging timestamp
logging standby
logging buffer-size 1024000
logging monitor informational
logging buffered informational
logging trap debugging
logging asdm informational
logging facility 23
0
 
LVL 18

Expert Comment

by:max_the_king
ID: 40268984
Hi,
you say someone has to unplug the power cord: did you try to telnet to the CLI interface from inside, and is it responsive? You may as well try connecting a console cable, just to see if you get real-time messages from the ASA. If something is going wrong and the ASA is not frozen, it will tell you why it is not working.
max
0
 
LVL 1

Author Comment

by:JReam
ID: 40271152
Hi Matt -    
I'm trying to implement your ASA Logging suggestions. I've successfully applied the 9 Logging CLI commands you shared, which I did via ASDM's Tools CLI interface, [Apply] and saved everything.

Q:  I can't seem to be able to figure out how to:  
With this setting you should be able to see events for couple of days, depends on the traffic.
   

Here's a print screen of the ASDM Log I'm looking at; it only seems to keep about 3 minutes of history in the buffer... perhaps I need to change those CLI Logging commands to a more limited severity, such as: logging buffered notifications

If I understand this correctly, I should be able to close ASDM app on my PC, fire it up later and look at hours/days of logging history?  

ASDM Log
And print screen of ASA Logging options:  
2014-08-19-16-06-55.jpg
0
 
LVL 6

Expert Comment

by:Matt
ID: 40271812
Try to increase ASDM Logging Queue Size - right now you have 512 messages.

If you can login to ASA using telnet or ssh (putty), you can view logs:

show logg
0
 
LVL 1

Author Comment

by:JReam
ID: 40274181
512 seems to be the max ASDM Logging Queue Size.  At least in my ASDM 7.1(1).   I don't know about newer versions of ASDM.   Message says "ASDM Logging Queue size must be in the range of 100 - 512."

I believe the only Logging command line I actually needed from Matt's list of 9 was: logging buffered informational; actually I went with logging buffered notifications. In either case it's more logging than the previous setting of Disabled. I don't want to risk overburdening the device with too much logging activity. I also returned settings to Disabled for 'standby', 'trap', 'monitor', etc. And the 'facility' default is 20.

In ASDM, Tools, CLI,  I'm typing in command "show logging" as Matt instructed.  This looks to be what I need to monitor as it appears to show the internal buffer log of severity notifications and above.

Do I need to "login to ASA using telnet or ssh (putty)" to view the log or is the view from ASDM, Tools, CLI, basically the same?
0
 
LVL 1

Author Comment

by:JReam
ID: 40274211
Reply to  max_the_king

Thanks for your replies which are all really appreciated.  Same for Matt of course.

I honestly don't know yet about trying to telnet (or ASDM) the CLI interface from inside to test for device responsiveness. I totally agree that we need to try this out next time the failure occurs, which is only about every 2 months. Our general reaction to the failure has been to power cycle the device immediately since clients are usually unhappy & waiting. Now that we're more ASA Logging aware we'll try our best to check them out next event. We'll discover a) is the ASA totally frozen and unresponsive (ASDM inside access) and/or directly connected Telnet Console COM1 access, and b) peer into the logs looking for hints at the cause.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40274225
You can configure to send syslog messages to syslog server, KiWi Syslog for example and there you will have all the history so you don't have to login to ASA just to see logs.

Regarding response from the ASA - do you have an IP monitor that can run 24/7? There you will be able to see whether or not the ASA responds to ping.
0
 
LVL 1

Author Comment

by:JReam
ID: 40274318
Yes we just signed up with Monitis web monitoring service.  Simple Ping tests every 10 minutes 24x7.    So we'll know hopefully, before our clients, the next time the 5505 fails.

About the Syslog server, we haven't set that up as of yet so we're a bit newbie on that topic.  
Q:  How often does the ASA send the logs to the Syslog server?     Isn't our failure issue also going to cause failure to send updated log entries to the syslog server?    I'm guessing that it may not be frequent enough for us to catch and see what is failing on our 5505 especially if the killer events are all right at the exact point of failure.
0
 
LVL 6

Expert Comment

by:Matt
ID: 40274324
The ASA sends syslog messages to the syslog server all the time. KiWi has an option to make daily syslog files: at the end of the day it saves them to a daily zip, and at midnight it creates a new daily syslog file as soon as the first syslog message arrives from the ASA.
0
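
Added example (not part of the thread or any participant's post): a small Python parser for ASA syslog lines collected on a syslog server. It decodes facility and severity from the `<PRI>` value (facility 23 and 20 are the two values mentioned in this thread) and reports the last message received before a long silence, which is where to start looking after a hang. The sample lines, addresses and the 15-minute threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample messages (not from the thread), in the layout an ASA uses
# when "logging timestamp" is enabled. <PRI> = facility * 8 + severity.
SAMPLE = [
    "<189>Aug 16 2014 21:40:11: %ASA-5-111008: User 'enable_15' executed the 'show logging' command.",
    "<189>Aug 16 2014 21:52:30: %ASA-5-111008: User 'enable_15' executed the 'show version' command.",
    '<188>Aug 16 2014 21:58:47: %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 '
    'dst inside:192.0.2.10/3389 by access-group "outside_access_in" [0x0, 0x0]',
    "<165>Aug 16 2014 22:31:05: %ASA-5-111008: User 'enable_15' executed the 'write memory' command.",
    "not a syslog line",
]

LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(\d)-(\d{6}): (.*)$")
# ASA keyword for each syslog severity number, 0 through 7
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m or int(m.group(1)) > 191:      # 191 is the highest valid PRI value
        return None
    pri = int(m.group(1))
    stamp = " ".join(m.group(2).split())    # normalise "Aug  6" to "Aug 6"
    return {
        "facility": pri >> 3,               # 16..23 correspond to local0..local7
        "severity": SEVERITY[pri & 7],
        "time": datetime.strptime(stamp, "%b %d %Y %H:%M:%S"),
        "msg_id": m.group(4),
        "text": m.group(5),
    }

def find_gaps(lines, max_silence=timedelta(minutes=15)):
    """Return (last_before, first_after) record pairs separated by more than max_silence."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["time"])
    return [(a, b) for a, b in zip(records, records[1:])
            if b["time"] - a["time"] > max_silence]

if __name__ == "__main__":
    for before, after in find_gaps(SAMPLE):
        print("silence after", before["time"], before["msg_id"], before["text"])
        print("  resumed at ", after["time"], "facility", after["facility"])
```

On a quiet device logging at notifications level, long silences can be normal, so set the threshold from what a healthy day looks like.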
 
LVL 1

Author Comment

by:JReam
ID: 40274744
Before we spring the $$ and time for something like KiWi,
Q:  Is "messages all the time to the syslog server" really going to be frequently enough?   I'm thinking that whatever is killing our 5505 every 2 months or so does so in a very  quick fashion, say in under a minute duration or less.     At which time the 5505 gags a couple of times, maybe creates a couple of internal buffer log entries, then drops off the grid  totally.  The syslog server likely never gets these important last minute log entries.     Does this sound unreasonable?
0
 
LVL 1

Author Closing Comment

by:JReam
ID: 40278934
This morning I checked the logs via ASDM, Tools, CLI with command SHOW LOGG and I successfully could see the Notification level entries for the last 3 days.      Looking at these Logs will be our course of action next time the 5505 failure event occurs, assuming our 5505 isn't frozen solid which we'll determine also.

I'll open up another EE question to inquire about the "frequency" of the ASA to KiWi syslogs to determine if that idea will benefit us.

I wish I could give more than just 500 points for this Q&A.  You both offered terrific answers and valuable helpful suggestions.  Thanks for being the "Experts" for us this week.

Thank you!
0
 
LVL 6

Expert Comment

by:Matt
ID: 40279124
You are welcome. If you need anything more regarding ASA and logging, let me know.
0
Question has a verified solution.
