ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
dannyn382
New Member
Posts:
30
Joined:
Wed Aug 24, 2011 4:11 pm
Certs:
CCENT,Network+

Intermittent ASA 5505 Issues

Sun Jul 01, 2012 11:12 pm

Hello,

I have an ASA 5505 that has intermittent issues and I was wondering if someone can point me in the right direction. I do not have the config right in front of me, but will post it when I get it. It is acting as an IPsec VPN server. The device intermittently will not respond to pings externally or internally, and intermittently will not allow users to connect to VPN. Also it seems to be extremely slow when trying to connect via SSH. I am definitely going to do a show proc when I get the opportunity, but I was wondering if there were any other commands that might help troubleshoot this?

Thanks for your help,

Dan

WarrenSullivan
Member
Posts:
128
Joined:
Wed Jun 22, 2011 6:05 pm
Certs:
CCENT, CCNA, CCNP

Re: Intermittent ASA 5505 Issues

Mon Jul 02, 2012 5:34 am

How many vpns terminate on it? What type of encryption? Sh process CPU will be good, is it during peak connections that ssh is slow?


stroemblad
New Member
Posts:
23
Joined:
Tue Nov 23, 2010 9:24 am
Certs:
CCNP

Re: Intermittent ASA 5505 Issues

Mon Jul 02, 2012 9:24 am

Also, if you have the 10-user or 50-user edition, check if you're maxing that out. That could cause problems like this.

dannyn382
New Member
Posts:
30
Joined:
Wed Aug 24, 2011 4:11 pm
Certs:
CCENT,Network+

Re: Intermittent ASA 5505 Issues

Mon Jul 02, 2012 9:51 am

The weird thing is currently 0 users are terminating there. It is the 10 user bundle. It is not just SSH; it seems as if the whole device is under extreme load. Pinging internally and externally will intermittently fail, telnet on the inside will also be extremely slow. Sometimes I can type one letter and wait 30 seconds for it to show up. I keep getting broken pipe on SSH because it times out.

Thanks for the suggestions!!

dannyn382
New Member
Posts:
30
Joined:
Wed Aug 24, 2011 4:11 pm
Certs:
CCENT,Network+

Re: Intermittent ASA 5505 Issues

Mon Jul 02, 2012 5:40 pm

Here is some more information.

asa# show processes

PC SP STATE Runtime SBASE Stack Process
Mwe 00c9bb24 01bb8700 013e3250 0 01733fc8 15616/16384 emweb/cifs
Lwe 001072ac 0176f9c4 013e32d0 0 0176d9f0 8132/8192 block_diag
Mrd 00223a67 01783d5c 013e33b0 1685 0177be18 29144/32768 Dispatch Unit
Msi 00f82847 01b07b84 013e3250 166 01b05bc0 7984/8192 y88acs06 OneSec Thread
Mwe 0011b1a5 01b09cfc 013e3250 0 01b07d88 7864/8192 Reload Control Thread
Mwe 00120606 01b1260c 013e5258 0 01b10988 4720/8192 aaa
Mwe 001486aa 01b19404 013e5ae8 0 01b15450 16020/16384 CMGR Server Process
Mwe 0014c3c5 01b1b4d4 013e3250 0 01b19570 7968/8192 CMGR Timer Process
Lwe 002227a1 01b239b4 013ee360 0 01b219f0 7684/8192 dbgtrace
Mwe 004e1ba5 01b29c34 013e3250 145 01b27d50 6436/8192 eswilp_svi_init
Mwe 01064b1d 01b4a7f4 013e3250 0 01b48890 7848/8192 Chunk Manager
Msi 008b61b6 01b52d54 013e3250 156 01b50da0 7764/8192 PIX Garbage Collector
Lsi 00ecb6ac 01b54e94 013e3250 13 01b52ec0 7552/8192 route_process
Mwe 008a5ddc 01b5dc04 0133b430 0 01b5bc40 7648/8192 IP Address Assign
Mwe 00acb779 01b60604 01346e10 0 01b5e640 8116/8192 QoS Support Module
Mwe 0091eba9 01b6275c 0133c530 0 01b60798 8116/8192 Client Update Task
Lwe 01083c8e 01b656d4 013e3250 127171 01b63770 7840/8192 Checkheaps
Mwe 00acfd7d 01b6b824 013e3250 605 01b69ad0 3556/8192 Quack process
Mwe 00b2a260 01b6dad4 013e3250 16 01b6bbf0 7364/8192 Session Manager
Mwe 00c55efd 01b78564 031d04b0 4 01b74a50 14768/16384 uauth
Mwe 00be3c9e 01b7aaec 0135c010 0 01b78b28 7524/8192 Uauth_Proxy
Mwe 00c52759 01b80e0c 01361770 0 01b7ee88 7712/8192 SMTP
Mwe 00c3f7b9 01b82eec 01361710 0 01b80fa8 7412/8192 Logger
Mwe 00c3fd26 01b8502c 013e3250 0 01b830c8 7492/8192 Thread Logger
Mwe 00f62272 01b9596c 013ac520 0 01b939c8 7188/8192 vpnlb_thread
Msi 00b4097c 01c598c4 013e3250 140 01c578f0 8000/8192 emweb/cifs_timer
Msi 005bd338 01b48704 013e3250 12811 01b46770 7476/8192 arp_timer
Mwe 005c76bc 01b1d604 013fba50 0 01b1b690 7960/8192 arp_forward_thread
Mwe 00c5a919 023fd514 013619e0 43 023fb560 7968/8192 tcp_fast
Mwe 00c5a6e5 023ff53c 013619e0 18 023fd588 6712/8192 tcp_slow
Mwe 00c754d1 02410344 013628a0 0 0240e390 8100/8192 udp_timer
Mwe 0019cb17 01b40434 013e3250 0 01b3e4c0 7984/8192 CTCP Timer process
Mwe 00efe8b3 0308c54c 013e3250 0 0308a5f8 7952/8192 L2TP data daemon
Mwe 00efef23 0308e584 013e3250 0 0308c620 7968/8192 L2TP mgmt daemon
Mwe 00eea02b 030c669c 013a5c10 23 030c2728 16244/16384 ppp_timer_thread
Msi 00f62d57 030c86e4 013e3250 195 030c6750 7840/8192 vpnlb_timer_thread
Mwe 001b96e6 01b7cbbc 01b1e9c8 2 01b7ac48 5776/8192 IPsec message handler
Msi 001c9bac 01b8d4dc 013e3250 2672 01b8b548 7648/8192 CTM message handler
Mwe 00af93b8 031465ec 013e3250 0 03144678 7984/8192 ICMP event handler
Mwe 00831003 0314a75c 013e3250 440 031467e8 14684/16384 IP Background
Mwe 0021b267 031a83fc 013123c0 52 03188488 123488/131072 tmatch compile thread
Mwe 009f2405 0329007c 013e3250 0 0328c0f8 16072/16384 Crypto PKI RECV
Mwe 009f305a 0329417c 013e3250 0 03290218 16040/16384 Crypto CA
Mwe 0064d4fd 01b3e24c 013e3250 3 01b3c2f8 7668/8192 ESW_MRVL switch interrupt service
Msi 00646f5c 032c1384 013e3250 3222328 032bf480 7184/8192 esw_stats
Lsi 008cbb80 032dc73c 013e3250 3 032da768 8000/8192 uauth_urlb clean
Lwe 008afee7 034a094c 013e3250 189 0349e9e8 6636/8192 pm_timer_thread
Mwe 0052f0bf 034a35e4 013e3250 499 034a1680 7880/8192 IKE Timekeeper
Mwe 00520f6b 034a8b14 0132e2b0 246 034a4e70 11956/16384 IKE Daemon
Mwe 00bf5c78 034ac7e4 01360680 0 034aa830 8100/8192 RADIUS Proxy Event Daemon
Mwe 00bc32de 034ae7d4 034dcc18 0 034ac950 7208/8192 RADIUS Proxy Listener
Mwe 00bf5e0f 034b09d4 013e3250 0 034aea70 7968/8192 RADIUS Proxy Time Keeper
Mwe 005aac4c 034b318c 013fb980 0 034b1288 7492/8192 Integrity FW Task
M* 008550a5 0009fefc 013e33b0 138 034e3b58 28388/32768 ci/console
Msi 008eb694 034eda0c 013e3250 1710 034ebc78 6176/8192 update_cpu_usage
Msi 008e6415 034f7de4 013e3250 799 034f5ef0 5468/8192 NIC status poll
Mwe 005b63e6 03517d54 013fbd10 167 03515db0 7688/8192 IP Thread
Mwe 005becbe 03519e84 013fbcb0 3578 03517ed0 5328/8192 ARP Thread
Mwe 004c2b36 0351bf34 013fbae0 18 0351a020 4320/8192 icmp_thread
Mwe 00c7722e 0351e0a4 013e3250 0 0351c140 7848/8192 udp_thread
Mwe 00c5d126 035200c4 013fbd00 11 0351e260 5976/8192 tcp_thread
Mwe 00bc32de 0359fc44 035984c0 0 0359ddd0 7512/8192 EAPoUDP-sock
Mwe 00266c15 035a1adc 013e3250 0 0359fea8 7032/8192 EAPoUDP
Mwe 00bc32de 038ce7e4 03925f08 0 038cc980 7496/8192 IKE Receiver
Mwe 00c5fe0d 03928d5c 035aca88 0 03926ee8 7340/8192 listen/telnet
Mwe 00c5fe0d 0392bbc4 03929148 0 03929d50 7340/8192 listen/ssh
Mwe 00c0f643 0352e9bc 013e3250 0 0352ca58 7920/8192 ssh/timer
Mwe 00f32d0d 03968fac 013aba38 0 03966ff8 8100/8192 vpnfol_thread_msg
Msi 00f38812 0396afc4 013e3250 131 03969020 7952/8192 vpnfol_thread_timer
Mwe 00f37032 0396cfdc 013abba0 0 0396b048 8068/8192 vpnfol_thread_sync
Msi 00f3837c 0396f024 013e3250 670 0396d070 7876/8192 vpnfol_thread_unsent
Mwe 005a6728 034fc094 013e3250 0 034fa130 7968/8192 Integrity Fw Timer Thread
- - - - 49609345 - - scheduler
- - - - 53040439 - - total elapsed
asa#
asa# show processes cpu
asa# sho version


Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"

asa up 14 hours 49 mins

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.bed0.fdec, irq 11
1: Ext: Ethernet0/0 : address is 001e.bed0.fde4, irq 255
2: Ext: Ethernet0/1 : address is 001e.bed0.fde5, irq 255
3: Ext: Ethernet0/2 : address is 001e.bed0.fde6, irq 255
4: Ext: Ethernet0/3 : address is 001e.bed0.fde7, irq 255
5: Ext: Ethernet0/4 : address is 001e.bed0.fde8, irq 255
6: Ext: Ethernet0/5 : address is 001e.bed0.fde9, irq 255
7: Ext: Ethernet0/6 : address is 001e.bed0.fdea, irq 255
8: Ext: Ethernet0/7 : address is 001e.bed0.fdeb, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

Serial Number: xxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxx
Configuration register is 0x1
Configuration has not been modified since last system restart.
asa#
asa# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname asa
domain-name hxxxxxxxx
enable password cxxxxxxxxx encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan27
nameif outside
security-level 0
ip address xxxxxxxxxxxxxxx
!
interface Vlan69
nameif inside
security-level 100
ip address 10.31.10.253 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 27
!
interface Ethernet0/1
switchport access vlan 69
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx
access-list RemoteVPN extended permit ip 10.31.10.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list NoNat extended permit ip 10.31.10.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list Split_Tunnel standard permit 10.31.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool RemoteVPN 192.168.69.25-192.168.69.59 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 27 interface
nat (inside) 0 access-list NoNat
nat (inside) 69 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 50.193.205.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto dynamic-map RemoteVPN 69 set transform-set ESP-AES-MD5
crypto dynamic-map RemoteVPN 69 set reverse-route
crypto map xxxxxx 65535 ipsec-isakmp dynamic RemoteVPN
crypto map xxxxxx interface outside
crypto isakmp enable outside
crypto isakmp policy 27
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
group-policy Remote_VPN internal
group-policy Remote_VPN attributes
vpn-idle-timeout 86400
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
username xxxxxxxx password xxxxxxxxxxxxxx encrypted privilege 15
tunnel-group water type ipsec-ra
tunnel-group water general-attributes
address-pool RemoteVPN
default-group-policy Remote_VPN
tunnel-group water ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxxxxxx
: end

Thanks for the help!
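The config above is enough to do a static review before chasing the load problem, so here is an added example (not code from the thread or from anyone posting in it) that reads an excerpt of the posted "sh run" and reports what a security reviewer would raise: the management lines "ssh 0.0.0.0 0.0.0.0 outside" and "telnet 0.0.0.0 0.0.0.0 inside", MD5 in the ISAKMP policy and transform set, DH group 2, "password-storage enable", and the fact that "pre-shared-key *" is masked output. The Finding class, the severity labels and all function names are this example's own.

```python
"""Static review of the ASA 7.2 configuration posted above.

Added example; not code from the thread. It parses an excerpt of the posted
'sh run' (constructed below, redactions kept) and reports management-plane
exposure and IKE/IPsec algorithm choices. Names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the posted configuration ('xxxx' was already redacted).
SAMPLE_CONFIG = """\
interface Vlan27
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxxxxx
interface Vlan69
 nameif inside
 security-level 100
 ip address 10.31.10.253 255.255.255.0
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto isakmp policy 27
 authentication pre-share
 encryption aes
 hash md5
 group 2
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
group-policy Remote_VPN attributes
 password-storage enable
tunnel-group water ipsec-attributes
 pre-shared-key *
"""

MGMT_RE = re.compile(r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH, MEDIUM, LOW or INFO
    item: str      # config line or object the finding is about
    detail: str


def interface_levels(config):
    """Map nameif -> security-level for every named interface block."""
    levels, name, level = {}, None, None
    for raw in config.splitlines() + ["interface <end>"]:  # sentinel flushes last block
        line = raw.strip()
        if line.startswith("interface "):
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    return levels


def management_access(config):
    """(protocol, source, mask, interface) for each ssh/telnet/http access line."""
    matches = (MGMT_RE.match(l.strip()) for l in config.splitlines())
    return [m.groups() for m in matches if m]


def isakmp_policies(config):
    """One dict per 'crypto isakmp policy' block; any other line ends a block."""
    policies, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            cur = {"priority": int(m.group(1))}
            policies.append(cur)
        elif cur is not None and line and line.split()[0] in POLICY_KEYS:
            key, value = line.split(maxsplit=1)
            cur[key] = value
        else:
            cur = None
    return policies


def review(config):
    """Return the list of Findings for a config text."""
    findings, levels = [], interface_levels(config)
    for proto, src, mask, ifname in management_access(config):
        line = f"{proto} {src} {mask} {ifname}"
        if src == "0.0.0.0" and mask == "0.0.0.0":
            # any-source management on a security-level 0 interface exposes the daemon to the internet
            sev = "HIGH" if levels.get(ifname) == 0 else "MEDIUM"
            findings.append(Finding(sev, line, f"{proto} management reachable from any source on "
                                    f"'{ifname}' (security-level {levels.get(ifname, '?')}); restrict to admin hosts"))
        if proto == "telnet":
            findings.append(Finding("MEDIUM", line, "cleartext management protocol; use ssh only"))
    for pol in isakmp_policies(config):
        item = f"crypto isakmp policy {pol['priority']}"
        if pol.get("hash") == "md5":
            findings.append(Finding("MEDIUM", item, "IKE integrity uses MD5; use sha"))
        if pol.get("group") == "2":
            findings.append(Finding("LOW", item, "DH group 2 is 1024-bit MODP; use a larger group where peers allow"))
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("crypto ipsec transform-set") and "md5" in line:
            findings.append(Finding("MEDIUM", line, "ESP integrity uses MD5-HMAC; use esp-sha-hmac"))
        elif line == "password-storage enable":
            findings.append(Finding("LOW", line, "lets VPN clients cache the user password"))
        elif line == "pre-shared-key *":
            findings.append(Finding("INFO", line, "masked in 'show run'; capture with 'more system:running-config' before a rebuild"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.item:45} {f.detail}")
```

The severity of an any-source management line is decided by the interface's security-level rather than by its name, so the same check works on a box where the untrusted interface is not called "outside".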

dannyn382
New Member
Posts:
30
Joined:
Wed Aug 24, 2011 4:11 pm
Certs:
CCENT,Network+

Re: Intermittent ASA 5505 Issues

Mon Jul 02, 2012 10:08 pm

More info! Thanks!

asa# sh int
Interface Vlan1 "", is down, line protocol is down
Hardware is EtherSVI
Available but not configured via nameif
MAC address 001e.bed0.fdec, MTU not set
IP address unassigned
Interface Vlan27 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001e.bed0.fdec, MTU 1500
IP address xxxxxxxx, subnet mask 255.255.255.252
Traffic Statistics for "outside":
529 packets input, 58081 bytes
274 packets output, 127488 bytes
90 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan69 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001e.bed0.fdec, MTU 1500
IP address 10.31.10.253, subnet mask 255.255.255.0
Traffic Statistics for "inside":
25060 packets input, 2719606 bytes
1869 packets output, 115547 bytes
9765 packets dropped
1 minute input rate 1 pkts/sec, 88 bytes/sec
1 minute output rate 1 pkts/sec, 69 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 100 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001e.bed0.fde4, MTU not set
IP address unassigned
529 packets input, 67693 bytes, 0 no buffer
Received 176 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
274 packets output, 132510 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001e.bed0.fde5, MTU not set
IP address unassigned
25151 packets input, 3180188 bytes, 0 no buffer
Received 18270 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
61 switch ingress policy drops
1873 packets output, 155291 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops

BBW
Member
Posts:
192
Joined:
Sun Mar 14, 2010 11:59 am
Certs:
CCNP (exp -too busy working 2 update it)

Re: Intermittent ASA 5505 Issues

Tue Jul 03, 2012 5:45 pm

How old is the box? Being on 7.2(3) suggests it may have been out for a while. In my experience the 5505s have about a 5-year reliable service life. Not having cooling fans they rely on ambient air for cooling and tend to slowly cook themselves over time. When they start to go bad they often act erratically, though usually it's that they stop working altogether, work for a while when you reboot them, then stop again, etc.

If it's a newer box I would upgrade it to 8.2(5), which is a pretty straightforward upgrade from the 7 codes. See if that helps.

Ben

dannyn382
New Member
Posts:
30
Joined:
Wed Aug 24, 2011 4:11 pm
Certs:
CCENT,Network+

Re: Intermittent ASA 5505 Issues

Tue Jul 03, 2012 11:25 pm

Thank you for the reply! It is a fairly old box, so I think you could quite possibly be correct with that conclusion. I have had it for a while and just put it in a few days ago as a "trial" for someone. It worked well for a while, then had issues, and is now functioning properly again. I do not have access to that image, so I am going to have to keep it running the software it is running now. I just wanted someone to look at it to see if there was something improperly configured that could be causing this issue.

Thanks for the help!

Dan

BBW
Member
Posts:
192
Joined:
Sun Mar 14, 2010 11:59 am
Certs:
CCNP (exp -too busy working 2 update it)

Re: Intermittent ASA 5505 Issues

Wed Jul 04, 2012 6:42 am

The other thing you could do is a complete flattening and rebuild of the box. When you put it in, did you wipe the old config and do a write erase before rebuilding it? The older PIXes used to be worse about this than the ASAs are, but you can corrupt the configs on these if you make too many changes to the configs. When that happens they start behaving erratically. I do this to myself fairly often, as whenever I'm trying out some new feature I test it on my ASA here in my office.

You might try grabbing a current copy of the config by using the "more system:running-config" command, which will give you all the stuff that doesn't show in a "show run" or "show config" (things like your ISAKMP keys, SNMP strings, etc.). Once you have that config saved in a text file, do a write erase and reboot the box. Say no to the automatic config wizard and then just dump the old config back in from the text file at a config prompt. If it is a problem with a corrupted config, that should resolve it.

Ben
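The capture, write erase, paste-back procedure in the post above has one trap that the posted config shows directly: "show run" prints "pre-shared-key *", so a config saved from it cannot be pasted back with the key intact. As an added example (not code from the thread or from the poster), the script below checks a saved capture for masked values before anything is erased, strips the non-command lines (": Saved", the "ASA Version" header, "Cryptochecksum:", ": end", "!") so the rest can be pasted at the config prompt, and digests the command lines so the capture taken after the rebuild can be compared with the original. The sample captures are constructed from the posted config, the key value "example-psk" is invented, and treating the "ASA Version" header as a non-command is an assumption of this example.

```python
"""Pre-flight for the flatten-and-rebuild procedure above.

Added example; not code from the thread. It checks that the saved text came
from 'more system:running-config' (no masked secrets), extracts the lines
to paste at a config prompt, and digests them so the post-rebuild capture
can be compared with the original.
"""
import hashlib
import re

# Constructed excerpt of the posted config as 'show run' prints it.
SHOW_RUN_CAPTURE = """\
: Saved
:
ASA Version 7.2(3)
!
hostname asa
names
!
tunnel-group water type ipsec-ra
tunnel-group water ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:xxxxxxx
: end
"""
# The same config from 'more system:running-config'; the key value is invented.
FULL_CAPTURE = SHOW_RUN_CAPTURE.replace("pre-shared-key *", "pre-shared-key example-psk")

# Lines that are not config-mode commands: ':' comments, the 'ASA Version'
# header (assumed not to be a command), the checksum trailer, '!' and blanks.
NON_COMMAND_RE = re.compile(r"^(:.*|ASA Version .*|Cryptochecksum:.*|!|\s*)$")


def masked_lines(text):
    """Lines whose value was replaced by a lone '*' (pre-shared-key on this box;
    the check is generic on the trailing token so other masked lines surface too)."""
    return [l.rstrip() for l in text.splitlines() if l.split() and l.split()[-1] == "*"]


def capture_is_restorable(text):
    """False when the capture still carries masked secrets."""
    return not masked_lines(text)


def paste_lines(text):
    """Command lines to paste at 'config t', indentation preserved."""
    return [l.rstrip() for l in text.splitlines() if not NON_COMMAND_RE.match(l)]


def digest(text):
    """sha256 over the command lines only, so two captures of the same config
    compare equal even though their Cryptochecksum trailers differ."""
    return hashlib.sha256("\n".join(paste_lines(text)).encode()).hexdigest()


def prepare_restore(text):
    """Return (lines_to_paste, digest) or raise if the capture is unusable."""
    if not capture_is_restorable(text):
        raise ValueError("masked secrets present, recapture with 'more system:running-config': "
                         + "; ".join(masked_lines(text)))
    return paste_lines(text), digest(text)


def restore_matches(before, after):
    """True when the post-rebuild capture carries the same commands as the original."""
    return digest(before) == digest(after)


if __name__ == "__main__":
    lines, d = prepare_restore(FULL_CAPTURE)
    print(f"{len(lines)} command lines to paste, digest {d[:16]}...")
    print("show-run capture restorable:", capture_is_restorable(SHOW_RUN_CAPTURE))
```

Run prepare_restore on the saved file before the write erase; after pasting the config back, capture "more system:running-config" again and confirm restore_matches returns True, which also proves the key and any SNMP strings survived the round trip.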

dannyn382
New Member
Posts:
30
Joined:
Wed Aug 24, 2011 4:11 pm
Certs:
CCENT,Network+

Re: Intermittent ASA 5505 Issues

Fri Jul 06, 2012 2:11 am

Thank you for your help! That is an excellent idea! I did a write erase before I installed it unfortunately so that isn't the issue!

Thanks for your help!

Dan

