From: Chad Mahoney on
Hi Group,


I have an ASA 5510 7.2(2) code.

Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside


I am having some issues with an intermittent traffic flow problem. What I
am finding, as shown above, is that the translation for a connection is
being torn down, and the next log entry is then denied because the
translation was deleted, but it was in fact the same
connection/translation, as if there was more data to be sent. This is
causing some mail flow issues where email is leaving the sender's network
and is seen hitting mine, but the email never shows up at the mail server.
I have a TAC case open but have not been too successful with them as of
yet.


: Saved
:
ASA Version 7.2(2)
!
hostname aof-fw-01
domain-name blah.local
enable password * encrypted
names
dns-guard
!
interface Ethernet0/0
 description Connection to the Internet
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.187.177 255.255.255.240
!
interface Ethernet0/1
 description Connection to Internal Network
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd * encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name blah.local
dns server-group Internal_DNS
 name-server 192.168.0.240
 domain-name amone.local
access-list outside_access_in extended permit icmp any host x.x.187.177 echo-reply
access-list outside_access_in extended permit icmp any host x.x.187.177 time-exceeded
access-list outside_access_in extended permit ip any host x.x.187.181
access-list outside_access_in extended permit ip any host x.x.187.182
access-list outside_access_in extended permit tcp any host x.x.187.189 eq smtp
access-list outside_access_in extended permit tcp any host x.x.187.188 eq https
access-list outside_access_in extended permit tcp host 70.91.116.209 host x.x.187.188 eq smtp
access-list outside_access_in extended permit tcp any host x.x.187.188 eq www
access-list outside_access_in extended permit tcp any host x.x.187.188 eq pop3
access-list SSL_VPN standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging from-address aof-fw-01(a)blah.com
logging recipient-address cmahoney(a)blah.com level errors
logging host inside 192.168.0.241
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_POOL 192.168.51.1-192.168.51.254 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp x.x.187.188 https 192.168.0.245 https netmask 255.255.255.255
static (inside,outside) tcp x.x.187.188 www 192.168.0.245 www netmask 255.255.255.255
static (inside,outside) tcp x.x.187.188 pop3 192.168.0.245 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.x.187.188 smtp 192.168.0.245 smtp netmask 255.255.255.255
static (inside,outside) x.x.187.181 192.168.0.179 netmask 255.255.255.255
static (inside,outside) x.x.187.182 192.168.0.178 netmask 255.255.255.255
static (inside,outside) x.x.187.189 192.168.0.246 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.187.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SSL_VPN internal
group-policy SSL_VPN attributes
 dns-server value 192.168.0.240 192.168.0.245
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL_VPN
 split-dns value blah.local
 address-pools value VPN_POOL
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
  svc required
  svc keep-installer installed
username cmahoney password * encrypted privilege 15
username cmahoney attributes
 vpn-group-policy SSL_VPN
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.51.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
http x.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service resetoutbound interface outside
no service resetoutbound interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable outside
tunnel-group SSL_VPN type webvpn
tunnel-group SSL_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy SSL_VPN
tunnel-group SSL_VPN webvpn-attributes
 hic-fail-group-policy SSL_VPN
 nbns-server 192.168.0.240 master timeout 2 retry 2
 group-alias SSL_VPN enable
 dns-group Internal_DNS
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 192.168.51.0 255.255.255.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
ntp authenticate
ntp server 193.162.159.97 source outside prefer
webvpn
 port 4100
 enable outside
 enable inside
 svc image disk0:/stc.pkg 1
 svc enable
 tunnel-group-list enable
 smtp-server 192.168.0.246 192.168.0.245
prompt hostname context
Cryptochecksum:81fc86e75f175aa1034e32718b20ba0e
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
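Added example (not part of Chad's post, and not a Cisco tool): a small Python script that reads ASA syslog lines like the two at the top of the post and pairs each %ASA-6-106015 "Deny TCP (no connection)" with the %ASA-6-302014 teardown of the same flow, reporting how many seconds after the teardown the stray segment arrived and which TCP flags it carried. The first two sample lines are the pair quoted in the post; the remaining three are constructed so that a matched non-RST stray and a deny with no teardown are both exercised. The 60-second pairing window is an assumption, not an ASA setting.

```python
"""Pair ASA 302014 teardowns with 106015 'no connection' denies for the same flow."""
import re
from datetime import datetime

# Constructed sample log. The first two lines are the pair quoted in the post;
# the remaining three are made up: a non-RST stray 15 s after its teardown,
# and a deny whose flow never had a teardown logged.
SAMPLE_LOG = """\
Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
Jan 4 10:11:25 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691140 for outside:203.0.113.7/51000 to inside:192.168.0.245/443 duration 0:02:10 bytes 102400 TCP FINs
Jan 4 10:11:40 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.245/443 to 203.0.113.7/51000 flags ACK on interface inside
Jan 4 10:12:01 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.10/80 to 198.51.100.9/4444 flags SYN ACK on interface inside
"""

# Syslog timestamp followed by the hostname.
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+"

# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#                duration <h:mm:ss> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    _TS + r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"\w+:(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to \w+:(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
# %ASA-6-106015: Deny TCP (no connection) from <ip>/<port> to <ip>/<port> flags <flags> on interface <if>
DENY_RE = re.compile(
    _TS + r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\w+)$"
)


def _parse_ts(ts):
    # Syslog stamps carry no year; strptime fills in 1900, which is fine for
    # differences between stamps on the same day.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def _flow_key(ip1, port1, ip2, port2):
    # Direction-independent key: the teardown is logged outside->inside,
    # the deny for the same flow is logged inside->outside.
    return frozenset({(ip1, int(port1)), (ip2, int(port2))})


def correlate(log_text, window_seconds=60):
    """Return (matched, unmatched).

    matched:   denies whose flow was torn down at most window_seconds earlier,
               with the gap, the stray segment's flags, and the teardown details.
    unmatched: denies with no recent teardown for that flow in the log.
    The 60 s window is an assumption, not an ASA setting.
    """
    teardowns = {}
    matched, unmatched = [], []
    for line in log_text.splitlines():
        td = TEARDOWN_RE.match(line.strip())
        if td:
            key = _flow_key(td["ip_a"], td["port_a"], td["ip_b"], td["port_b"])
            teardowns[key] = td  # latest teardown wins if a 4-tuple is reused
            continue
        dn = DENY_RE.match(line.strip())
        if not dn:
            continue
        key = _flow_key(dn["src"], dn["sport"], dn["dst"], dn["dport"])
        deny = {"ts": dn["ts"], "src": f"{dn['src']}/{dn['sport']}",
                "dst": f"{dn['dst']}/{dn['dport']}", "flags": dn["flags"],
                "iface": dn["iface"]}
        td = teardowns.get(key)
        gap = (_parse_ts(dn["ts"]) - _parse_ts(td["ts"])).total_seconds() if td else None
        if gap is not None and 0 <= gap <= window_seconds:
            matched.append({**deny, "conn": td["conn"], "gap_seconds": gap,
                            "bytes": int(td["bytes"]), "duration": td["duration"],
                            "reason": td["reason"]})
        else:
            unmatched.append(deny)
    return matched, unmatched


if __name__ == "__main__":
    hits, misses = correlate(SAMPLE_LOG)
    for h in hits:
        print(f"conn {h['conn']}: {h['flags']} from {h['src']} {h['gap_seconds']:.0f}s "
              f"after teardown ({h['reason']}, {h['bytes']} bytes)")
    print(f"{len(misses)} deny(s) with no matching teardown in the window")
```

Run it against a `logging trap debugging` capture from the syslog host (192.168.0.241 in the posted config). An RST denied in the same second as a "TCP FINs" teardown, as in the posted pair, carries no data and is just the inside host resetting a socket the ASA already considers closed; what is worth chasing is denies with ACK or PSH flags arriving well after the teardown, or a large count of either against the same inside host, which the matched list lets you sort by gap and flags.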

From: Darren Green on

"Chad Mahoney" <chad(a)mahoney.com> wrote in message
news:12psqb0ie63mg6c(a)news.supernews.com...
> Hi Group,
>
>
> I have an ASA 5510 7.2(2) code.
>
> Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
> Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
>
>
snip

Chad,

This rings a big alarm bell. Could be off radar here, but we had massive
problems recently with the same type of issue.

Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
a hard-coded 100 full to auto duplex, auto speed. Since we have done this, no
more problems.

I know the Cisco preference is to hard code but in the end we had to change
it to get it fixed.

Hope that helps.

Regards

Darren
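Added example (not from Darren's post, and not a Cisco tool): a Python check for the setting Darren changed. It parses the interface stanzas of an ASA running-config, tolerating the lost indentation of a config pasted into a newsgroup, and lists every interface that is not shut down and has speed or duplex pinned to a fixed value, together with the lines that would put it back on auto-negotiation. The config excerpt is constructed from the interface stanzas in Chad's post, with a hard-coded but shut-down Ethernet0/2 added so the skip is exercised; the public outside address is a documentation-range placeholder.

```python
"""Audit ASA interface stanzas for hard-coded speed/duplex settings."""

# Constructed excerpt modelled on the interface stanzas in the posted config.
# Ethernet0/2 is given a hard-coded speed/duplex here (it has none in the
# post) so that the shutdown-interface skip is exercised.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 description Connection to the Internet
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 203.0.113.177 255.255.255.240
!
interface Ethernet0/1
 description Connection to Internal Network
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
"""


def parse_interfaces(config_text):
    """Return {interface_name: {speed, duplex, nameif, shutdown}} from an ASA config.

    Sub-commands are normally indented one space, but a config pasted into
    mail or news often loses that, so a stanza is delimited by the
    'interface' keyword and the '!' separator rather than by indentation.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = {"speed": None, "duplex": None, "nameif": None, "shutdown": False}
            interfaces[name] = current
            continue
        if current is None:
            continue  # top-level command outside any interface stanza
        words = line.split()
        if words[0] == "shutdown":
            current["shutdown"] = True
        elif words[0] in ("speed", "duplex", "nameif") and len(words) == 2:
            current[words[0]] = words[1]
    return interfaces


def audit_negotiation(interfaces):
    """List live interfaces whose speed or duplex is pinned to a fixed value.

    ASA defaults to auto when neither command is present, so only explicit
    non-auto values are reported; shut-down interfaces are skipped.
    """
    findings = []
    for name, attrs in interfaces.items():
        if attrs["shutdown"]:
            continue
        pinned = {k: attrs[k] for k in ("speed", "duplex")
                  if attrs[k] is not None and attrs[k] != "auto"}
        if pinned:
            findings.append({"interface": name, "nameif": attrs["nameif"], **pinned})
    return findings


def remediation(findings):
    """Config lines that return each flagged interface to auto-negotiation."""
    lines = []
    for f in findings:
        lines.append(f"interface {f['interface']}")
        if "speed" in f:
            lines.append(" speed auto")
        if "duplex" in f:
            lines.append(" duplex auto")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_negotiation(parse_interfaces(SAMPLE_CONFIG))
    for f in found:
        print(f"{f['interface']} ({f['nameif']}): speed={f.get('speed')} duplex={f.get('duplex')}")
    print(remediation(found))
```

Feed it the output of `show running-config` (or a saved copy). Whether the auto setting is the right answer is what Darren and Cisco disagree on; the point of the check is only to surface interfaces where a pinned value on one side can be mismatched against the switch port on the other, which is what the CRC-error symptom later in this thread points at.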


From: Darren Green on

"Chad Mahoney" <chad(a)mahoney.com> wrote in message
news:12psqb0ie63mg6c(a)news.supernews.com...
> Hi Group,
>
>
> I have an ASA 5510 7.2(2) code.
>
> Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
> Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
>
>
> I am having some issues with an intermittent traffic flow problem. What I
> am finding, as shown above, is that the translation for a connection is
> being torn down, and the next log entry is then denied because the
> translation was deleted, but it was in fact the same
> connection/translation, as if there was more data to be sent. This is
> causing some mail flow issues where email is leaving the sender's network
> and is seen hitting mine, but the email never shows up at the mail server.
> I have a TAC case open but have not been too successful with them as of
> yet.
>
>
Chad,

Something else that I recall reading a while ago in this group posted
originally by Brian V. See link below:

http://groups.google.co.uk/group/comp.dcom.sys.cisco/browse_thread/thread/ab70d7f4d07ecb25/d1c389cd6a370de2?lnk=st&q=cisco+dnssec+email&rnum=5&hl=en#d1c389cd6a370de2

Title: DNS Fixup/Inspect Pix/ASA 7.0 or greater breaking email

Regards

Darren


From: garrisb on
Wow.... This is Wild!!!!

I had the same issue. My asa5510 would just stop processing data. It
wouldn't crash, just stopped passing data. I worked with Cisco for a
couple of days and we found the following:

The ASA or switch (HP in this case) would not negotiate properly. Even
though both were hard-coded to 100 Full, I was seeing CRC errors. I've
since moved them both to auto and have not had a problem. I too am
running version 7.2.2 ...


Darren Green wrote:
> "Chad Mahoney" <chad(a)mahoney.com> wrote in message
> news:12psqb0ie63mg6c(a)news.supernews.com...
> > Hi Group,
> >
> >
> > I have an ASA 5510 7.2(2) code.
> >
> > Jan 4 10:11:23 aof-fw-01 %ASA-6-302014: Teardown TCP connection 1691135 for outside:198.104.142.140/3900 to inside:192.168.0.246/25 duration 0:00:01 bytes 39928 TCP FINs
> > Jan 4 10:11:23 aof-fw-01 %ASA-6-106015: Deny TCP (no connection) from 192.168.0.246/25 to 198.104.142.140/3900 flags RST on interface inside
> >
> >
> snip
>
> Chad,
>
> This rings a big alarm bell. Could be off radar here, but we had massive
> problems recently with the same type of issue.
>
> Our problem on 7.2(2) turned out to be a duplex issue. We had to change from
> a hard-coded 100 full to auto duplex, auto speed. Since we have done this, no
> more problems.
>
> I know the Cisco preference is to hard code but in the end we had to change
> it to get it fixed.
>
> Hope that helps.
>
> Regards
>
> Darren

From: Chad Mahoney on
Well, I have found this is not an issue with the duplex settings. It
appears, after some sniffing of traffic, that this error shows up when
you have 2 T-1 lines in a Multilink setup: the router is not assembling
packets/frames in the proper order, so the firewall is dropping the
connection, forcing the packets to be retransmitted over and over again.
I am running some loopback tests on my router tonight to find out if the
router is the issue or the carrier is the issue.

Thanks for the reply....

Chad

garrisb wrote:
> Wow.... This is Wild!!!!
>
> I had the same issue. My asa5510 would just stop processing data. It
> wouldn't crash, just stopped passing data. I worked with Cisco for a
> couple of days and we found the following:
>
> The ASA or switch (HP in this case) would not negotiate properly. Even
> though both were hard-coded to 100 Full, I was seeing CRC errors. I've
> since moved them both to auto and have not had a problem. I too am
> running version 7.2.2 ...
>
>