Re: ASA problem

From: Ryan West <rwest_at_zyedge.com>
Date: Thu, 27 Sep 2012 14:45:20 +0000

I've had the best luck with 8.2(5)26 or 29. Since you're already in NAT hell, I would run 8.4.4.1. Running first release new train code is just asking for trouble IMO.

Sent from handheld

On Sep 27, 2012, at 10:06 AM, "Tony Singh" <mothafungla_at_gmail.com> wrote:

> Here's my hunch it seems to happen when I'm on my laptop with a lot of tcp sessions i.e tabs on chrome...
>
> Same kind of thing used to happen on other vendor all in one wifi routers...until upgrading to code that fixed the issues so I hear you...
>
> Ryan my eyes are hurting with that list wa wa we wa (borat)
>
> What do you guys recommend as a stable code /if
>
> Thanks both for the help
>
> --
> BR
>
> Tony
>
> Sent from my iPhone on 3
>
> On 27 Sep 2012, at 14:48, Ryan West <rwest_at_zyedge.com> wrote:
>
>> I would agree with Joe here. Here is the 8.4 caveat list:
>>
>> http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp536788
>>
>> -ryan
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Joe Sanchez
>> Sent: Thursday, September 27, 2012 9:44 AM
>> To: Tony Singh
>> Cc: Jay McMickle; Haroon; Ciscocertification
>> Subject: Re: ASA problem
>>
>> I've had to upgrade many ASAs, even with 2gb ram, with the latest code because of issues with ASA lockups/reboots. It doesn't matter which platform, other than the 5585x, they have been solid. These ASAs were running the 8.3 and I believe 1 might have been 8.42? Several issues that Cisco tries to fix with releases that did solve the original issues but caused other issues to raise their heads.
>>
>> Regards,
>> Joe Sanchez
>>
>> ( please excuse the brevity of this email as it was sent via a mobile device. Please excuse misspelled words or sentence structure.)
>>
>> On Sep 27, 2012, at 8:36 AM, Tony Singh <mothafungla_at_gmail.com> wrote:
>>
>>> Will check next time it happens as Haroon suggested to see if default
>>> route is still present, was last time but might be worth some further
>>> debugging and will report back, doesn't seem a common issue at this
>>> code maybe :/
>>>
>>> --
>>> BR
>>>
>>> Tony
>>>
>>> Sent from my iPhone on 3
>>>
>>> On 27 Sep 2012, at 14:32, Tony Singh <mothafungla_at_gmail.com> wrote:
>>>
>>>> Sorry Joe meant latter as in RAM is 512k in reply to Jay (free memory
>>>> when unit locked up showed ample free anyhow)
>>>>
>>>> Code running is 8.4.1 (post pix cli era I believe)
>>>>
>>>> --
>>>> BR
>>>>
>>>> Tony
>>>>
>>>> Sent from my iPhone on 3
>>>>
>>>> On 27 Sep 2012, at 13:23, Joe Sanchez <marco207p_at_gmail.com> wrote:
>>>>
>>>>> I recall lots of bugs in the 8.3 code . Mostly the ASA would lock up and reboot on occasions . Have you tried to upgrade?
>>>>>
>>>>> Regards,
>>>>> Joe Sanchez
>>>>>
>>>>> ( please excuse the brevity of this email as it was sent via a
>>>>> mobile device. Please excuse misspelled words or sentence
>>>>> structure.)
>>>>>
>>>>> On Sep 27, 2012, at 1:34 AM, Tony Singh <mothafungla_at_gmail.com> wrote:
>>>>>
>>>>>> Hi Jay
>>>>>>
>>>>>> Thanks for reply yes it is the latter.
>>>>>>
>>>>>> --
>>>>>> BR
>>>>>>
>>>>>> Sent from my iPhone on 3
>>>>>>
>>>>>> On 27 Sep 2012, at 02:02, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>>>>>>
>>>>>>> Tony- how much RAM is in your 5505? If 256 (standard on old ones), this could be your issue with 8.3+ IOS.
>>>>>>>
>>>>>>> If 512, disregard.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design) Sent
>>>>>>> from my iPhone
>>>>>>>
>>>>>>> On Sep 26, 2012, at 2:40 PM, Tony Singh <mothafungla_at_gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Haroon
>>>>>>>>
>>>>>>>> Next time it goes down will attempt your suggestion although it
>>>>>>>> did have the gateway of the last resort in the routing table :/
>>>>>>>>
>>>>>>>> --
>>>>>>>> BR
>>>>>>>>
>>>>>>>> Sent from my iPhone on 3
>>>>>>>>
>>>>>>>> On 26 Sep 2012, at 20:27, Haroon <itguy.pro_at_gmail.com> wrote:
>>>>>>>>
>>>>>>>>> what if you hard code default gateway?
>>>>>>>>>
>>>>>>>>> route outside 0.0.0.0 0.0.0.0 isp
>>>>>>>>>
>>>>>>>>> On Wed, Sep 26, 2012 at 1:27 PM, Tony Singh <mothafungla_at_gmail.com> wrote:
>>>>>>>>> Good Evening List,
>>>>>>>>>
>>>>>>>>> I have an issue with my ASA 5505 recently seems to be locking up
>>>>>>>>> and end-result is no default gateway access to my isp router and
>>>>>>>>> bump no internet!
>>>>>>>>>
>>>>>>>>> It's running Version 8.4(1) & is a base license...
>>>>>>>>>
>>>>>>>>> Now some t-shooting has got me nowhere, no top cpu-usage
>>>>>>>>> processes, enough free memory , asdm logs when it goes down
>>>>>>>>> nothing unusual but the usual pat translations with tcp flags i.e syn timeout etc etc..
>>>>>>>>>
>>>>>>>>> translations showed...
>>>>>>>>>
>>>>>>>>> *ciscoasa# show xlate count *
>>>>>>>>> 323 in use, 583 most used
>>>>>>>>>
>>>>>>>>> tried clearing this - no good still could not ping my default gateway.....
>>>>>>>>>
>>>>>>>>> an arp showed that I could see the default gateway address
>>>>>>>>> (although admittedly did not try clearing this to see if it did
>>>>>>>>> the arp translation again)
>>>>>>>>>
>>>>>>>>> input packets from isp were stuck here, but might be down to above...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ciscoasa(config-if)# sh int Vlan2
>>>>>>>>> Interface Vlan2 "outside", is up, line protocol is up
>>>>>>>>> Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
>>>>>>>>> MAC address 001e.4a87.44ab, MTU 1500
>>>>>>>>> IP address x.x.x.x, subnet mask 255.255.254.0
>>>>>>>>> Traffic Statistics for "outside":
>>>>>>>>> *9747366 packets input*, 1919996429 bytes
>>>>>>>>> 14907915 packets output, 13057288639 bytes
>>>>>>>>> 760415 packets dropped
>>>>>>>>> 1 minute input rate 0 pkts/sec, 0 bytes/sec
>>>>>>>>> 1 minute output rate 8 pkts/sec, 464 bytes/sec
>>>>>>>>> 1 minute drop rate, 0 pkts/sec
>>>>>>>>> 5 minute input rate 0 pkts/sec, 2 bytes/sec
>>>>>>>>> 5 minute output rate 22 pkts/sec, 1297 bytes/sec
>>>>>>>>> 5 minute drop rate, 0 pkts/sec
>>>>>>>>>
>>>>>>>>> ciscoasa(config-if)# sh int Vlan2
>>>>>>>>> Interface Vlan2 "outside", is up, line protocol is up
>>>>>>>>> Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
>>>>>>>>> MAC address 001e.4a87.44ab, MTU 1500
>>>>>>>>> IP address x.x.x.x, subnet mask 255.255.254.0
>>>>>>>>> Traffic Statistics for "outside":
>>>>>>>>> *9747366 packets input*, 1919996429 bytes
>>>>>>>>> 14907919 packets output, 13057288877 bytes
>>>>>>>>> 760415 packets dropped
>>>>>>>>> 1 minute input rate 0 pkts/sec, 0 bytes/sec
>>>>>>>>> 1 minute output rate 8 pkts/sec, 464 bytes/sec
>>>>>>>>> 1 minute drop rate, 0 pkts/sec
>>>>>>>>> 5 minute input rate 0 pkts/sec, 2 bytes/sec
>>>>>>>>> 5 minute output rate 22 pkts/sec, 1297 bytes/sec
>>>>>>>>> 5 minute drop rate, 0 pkts/sec
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ciscoasa(config-if)# sh int Vlan2
>>>>>>>>> Interface Vlan2 "outside", is up, line protocol is up
>>>>>>>>> Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
>>>>>>>>> MAC address 001e.4a87.44ab, MTU 1500
>>>>>>>>> IP address x.x.x.x, subnet mask 255.255.254.0
>>>>>>>>> Traffic Statistics for "outside":
>>>>>>>>> *9747366 packets input*, 1919996429 bytes
>>>>>>>>> 14907920 packets output, 13057288946 bytes
>>>>>>>>> 760415 packets dropped
>>>>>>>>> 1 minute input rate 0 pkts/sec, 0 bytes/sec
>>>>>>>>> 1 minute output rate 8 pkts/sec, 464 bytes/sec
>>>>>>>>> 1 minute drop rate, 0 pkts/sec
>>>>>>>>> 5 minute input rate 0 pkts/sec, 2 bytes/sec
>>>>>>>>> 5 minute output rate 22 pkts/sec, 1297 bytes/sec
>>>>>>>>> 5 minute drop rate, 0 pkts/sec
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> config on the outside interface is
>>>>>>>>>
>>>>>>>>> interface Vlan2 (eth0/0)
>>>>>>>>> nameif outside
>>>>>>>>> security-level 0
>>>>>>>>> ip address dhcp setroute
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> my outside interface picks up or still has the dhcpd binding
>>>>>>>>> from the isp and the outside svi vlan 2 pings from the asa ok...
>>>>>>>>>
>>>>>>>>> been getting tired of reloading recently, so decided to shut the
>>>>>>>>> vlan 2 svi down and take the dhcp config off & re-applied this
>>>>>>>>> and it seemed to let me ping the default gateway again...
>>>>>>>>>
>>>>>>>>> google dns 8.8.8.8 pings ok now, but xlates were showing 0 when
>>>>>>>>> attempting to connect from various devices and in the end had to reload the asa again.
>>>>>>>>>
>>>>>>>>> apologies for this long mail, any suggestions on what I'm doing
>>>>>>>>> wrong
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>>>
>>>>>>>>> _______________________________________________________________________
>>>>>>>>> Subscription information may be found at:
>>>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Virtualization.net
>>>>>>>>> Post Jobs, News, Forums, Tutorials http://www.virtualization.net
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>
>>

Received on Thu Sep 27 2012 - 14:45:20 ART
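
The original post in this thread diagnoses the outage by comparing repeated `sh int Vlan2` snapshots: the input packet counter stays fixed while output keeps climbing. The following added example (not written by anyone in the thread) automates that comparison; the counter values are copied from the pasted output, and the function names and labels such as `rx-stalled` are assumptions made for illustration.

```python
import re

# Matches the traffic-statistics counter lines, with or without the
# "*...*" emphasis markers the poster added around the input counter.
COUNTER_RE = re.compile(r"\*?(\d+) packets (input|output)\*?")

# Three snapshots reduced to their counter lines; values are from the thread.
SNAPSHOTS = [
    "*9747366 packets input*, 1919996429 bytes\n"
    "14907915 packets output, 13057288639 bytes\n760415 packets dropped",
    "*9747366 packets input*, 1919996429 bytes\n"
    "14907919 packets output, 13057288877 bytes\n760415 packets dropped",
    "*9747366 packets input*, 1919996429 bytes\n"
    "14907920 packets output, 13057288946 bytes\n760415 packets dropped",
]


def parse_counters(text):
    """Return {'input': n, 'output': n} for one show-interface snapshot."""
    counters = {}
    for value, direction in COUNTER_RE.findall(text):
        counters.setdefault(direction, int(value))  # keep the first match
    if set(counters) != {"input", "output"}:
        raise ValueError("snapshot lacks an input or output packet counter")
    return counters


def classify(snapshots):
    """Compare consecutive snapshots and label the traffic pattern."""
    samples = [parse_counters(s) for s in snapshots]
    if len(samples) < 2:
        raise ValueError("need at least two snapshots to compute deltas")
    deltas = [(b["input"] - a["input"], b["output"] - a["output"])
              for a, b in zip(samples, samples[1:])]
    if any(d_in < 0 or d_out < 0 for d_in, d_out in deltas):
        return "counters-reset", deltas  # reload or cleared counters
    if all(d_in == 0 for d_in, _ in deltas):
        # Nothing received: stalled if the ASA is still sending, else idle.
        label = "rx-stalled" if any(d_out > 0 for _, d_out in deltas) else "idle"
        return label, deltas
    return "rx-active", deltas


if __name__ == "__main__":
    label, deltas = classify(SNAPSHOTS)
    print(label, deltas)
```

An `rx-stalled` result only says that nothing is arriving on the interface while the firewall still transmits; it does not distinguish an upstream fault from a software defect on the ASA.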

This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART