zippy83 (Member, join:2012-08-30)
[HELP] Cisco ASA5580-20 SSL VPN intermittent issues

Hello All,
We have a pair of Cisco 5580-20 ASAs in our datacenter. As of late we have noticed that when on SSL VPN or IPsec VPN we lose access to internal resources for a minute or two, and then it comes right up. There have been no recent changes to the ASA or to the SSL/IPsec VPN configuration; this problem just showed up unannounced. So far we have rebooted both devices and failed them over once, without any luck. The problem goes away for a longer period of time (2-5 hours), then comes back, and just repeats. During that time, when I checked the interface that all VPN traffic comes in on, I saw nothing out of the ordinary.
Here is some platform specs:
Platform: ASA5580-20
Version: 8.2.2(16)
SSL VPN Licenses: 750
IPsec VPN Licenses: 10,000

When we experience these problems it affects multiple users, and when I check the obvious things like memory, CPU and SSL/IPsec licenses, it all seems to be in good condition. However, I do see some input errors on the interface that all traffic comes in on. Since the last reboot two days ago it has reported some 427 input errors, and as far as I know input errors are never good. I know that the Cisco 5580-20 has a maximum VPN throughput of 1 Gbps and 2,000,000 concurrent sessions. How can I check what the current VPN throughput and concurrent session count are?
5580# sh int gi3/0
Interface GigabitEthernet3/0 "Outside", is up, line protocol is up
  Hardware is i82571EB 4CU rev06, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: Public Internet Space
        MAC address 0015.17f2.6b10, MTU 1500
        IP address 1.1.1.1, subnet mask 255.255.255.248
        585702066 packets input, 469846763095 bytes, 0 no buffer
        Received 5239 broadcasts, 0 runts, 0 giants
        427 input errors, 0 CRC, 0 frame, 427 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        490700096 packets output, 265438887717 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        3 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (232/106)
        output queue (blocks free curr/low): hardware (255/134)
  Traffic Statistics for "Outside":
        567789039 packets input, 446968795712 bytes
        490700096 packets output, 256498740341 bytes
        5194495 packets dropped
      1 minute input rate 6870 pkts/sec,  7025703 bytes/sec
      1 minute output rate 4904 pkts/sec,  1615554 bytes/sec
      1 minute drop rate, 58 pkts/sec
      5 minute input rate 7309 pkts/sec,  7500223 bytes/sec
      5 minute output rate 5175 pkts/sec,  1697838 bytes/sec
      5 minute drop rate, 72 pkts/sec
 

Has anyone experienced these issues in the past and what the resolution might have been?
Any help is greatly appreciated.
Thanks
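The counters in the "show interface" output above are the first thing to read in a case like this. The following is an added example (not code from the thread or from Cisco) that parses that exact output, separates NIC-level errors (CRC, frame, overrun) from ASA-level "packets dropped", and puts the 1- and 5-minute rates in proportion to the interface bandwidth. The 0.5% drop-rate warning threshold is an assumption made for the example, not a Cisco figure.

```python
import re

# "show interface gi3/0" output as posted in the thread (address/MAC lines omitted; the parser ignores them).
SHOW_INTERFACE = """\
Interface GigabitEthernet3/0 "Outside", is up, line protocol is up
  Hardware is i82571EB 4CU rev06, BW 1000 Mbps, DLY 10 usec
        585702066 packets input, 469846763095 bytes, 0 no buffer
        Received 5239 broadcasts, 0 runts, 0 giants
        427 input errors, 0 CRC, 0 frame, 427 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        490700096 packets output, 265438887717 bytes, 0 underruns
        0 output errors, 0 collisions, 2 interface resets
        3 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (232/106)
  Traffic Statistics for "Outside":
        5194495 packets dropped
      1 minute input rate 6870 pkts/sec,  7025703 bytes/sec
      1 minute drop rate, 58 pkts/sec
      5 minute input rate 7309 pkts/sec,  7500223 bytes/sec
      5 minute drop rate, 72 pkts/sec
"""

# One capture group per field; every value is an integer counter or rate.
FIELDS = {
    "bw_mbps":         r"BW (\d+) Mbps",
    "packets_input":   r"(\d+) packets input, \d+ bytes, \d+ no buffer",
    "no_buffer":       r"(\d+) no buffer",
    "input_errors":    r"(\d+) input errors",
    "crc":             r"(\d+) CRC",
    "frame":           r"(\d+) frame",
    "overrun":         r"(\d+) overrun",
    "packets_dropped": r"(\d+) packets dropped",
    "inq_free_low":    r"input queue \(blocks free curr/low\): hardware \(\d+/(\d+)\)",
    "in_pps_1m":       r"1 minute input rate (\d+) pkts/sec",
    "in_bps_1m":       r"1 minute input rate \d+ pkts/sec,\s+(\d+) bytes/sec",
    "drop_pps_1m":     r"1 minute drop rate, (\d+) pkts/sec",
    "in_pps_5m":       r"5 minute input rate (\d+) pkts/sec",
    "in_bps_5m":       r"5 minute input rate \d+ pkts/sec,\s+(\d+) bytes/sec",
    "drop_pps_5m":     r"5 minute drop rate, (\d+) pkts/sec",
}

def parse_show_interface(text):
    """Return {field: int or None} for the counters listed in FIELDS."""
    stats = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        stats[key] = int(m.group(1)) if m else None
    return stats

def input_utilization_pct(stats, window="1m"):
    """Input load as a percentage of interface bandwidth (bytes/sec * 8 over BW in bit/s)."""
    return stats[f"in_bps_{window}"] * 8 / (stats["bw_mbps"] * 1_000_000) * 100

def drop_pct(stats, window="1m"):
    """ASA-level drops as a percentage of input packets in the same averaging window."""
    return stats[f"drop_pps_{window}"] / stats[f"in_pps_{window}"] * 100

def error_share_pct(stats):
    """Input errors as a percentage of all packets received since the counters were cleared."""
    return stats["input_errors"] / stats["packets_input"] * 100

def assess(stats, drop_warn_pct=0.5):
    """Findings in the order a triage would read them. drop_warn_pct is an assumed heuristic."""
    findings = []
    if stats["overrun"]:
        findings.append(
            f"overrun={stats['overrun']}: the NIC receive ring filled before the ASA drained it; "
            f"CRC={stats['crc']} frame={stats['frame']}, so this is not a cabling/duplex problem"
        )
    if stats["input_errors"] == stats["overrun"]:
        findings.append(f"all {stats['input_errors']} input errors are overruns "
                        f"({error_share_pct(stats):.6f}% of input packets)")
    if stats["inq_free_low"] is not None:
        findings.append(f"input queue free-block low-water mark: {stats['inq_free_low']}")
    util = input_utilization_pct(stats)
    findings.append(f"input load {util:.1f}% of {stats['bw_mbps']} Mbps (1 min average); "
                    "a low average does not rule out bursts the ring cannot absorb")
    for w in ("1m", "5m"):
        d = drop_pct(stats, w)
        if d >= drop_warn_pct:
            findings.append(f"{w} drop rate {stats[f'drop_pps_{w}']} pps = {d:.2f}% of input; "
                            "'packets dropped' are ASA policy/inspection drops, see 'show asp drop'")
    return findings

if __name__ == "__main__":
    for line in assess(parse_show_interface(SHOW_INTERFACE)):
        print("-", line)
```

The split matters for where to look next: overruns with zero CRC/frame errors are a receive-side capacity symptom on the ASA (NIC ring or block pool), while the "packets dropped" counter is accounted for by `show asp drop`, so the two should be chased separately.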
HELLFIRE (MVM, join:2009-11-25)
- any syslog message(s) present?

- is an SSL client AND an IPSEC client affected at the same time?

- do you have smartnet? May have to get TAC on the line.

Offhand, the commands I usually use for this are

sh vpn-sessiondb ?
sh webvpn ?
debug webvpn ?

Here's a list of the "sh webvpn" commands available ... "show webvpn sso-server" may do what you want.

My 00000010bits

Regards

Nubiatech (Member, join:2007-09-02, Chicago, IL), to zippy83:
These overruns and input errors are really odd. You already ruled out any CPU and memory issues. You still need to check the connection count and the translation count, just in case, though the 5580 can handle pretty much whatever you can throw at it.

After verifying the conn/xlate counts, you may want to check the syslogs for any pertinent issues, especially CPU hogs.

Lastly, you need to check for memory block depletion. The inbound traffic rate, at about 7 Kpps / 56 Mbps, is not really that excessive on a Gig interface, and it is also unlikely there are bursts or microbursts at the outside interface (if it is internet facing, that is). So that leaves only memory block depletion as the main candidate. Do you have any modules on this device, or any custom filtering, Websense, or anything similar?
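The three checks in the post above (connection count, translation count, block depletion) each come from a short "show" command whose output is easy to eyeball once but tedious to watch across a 2-5 hour recurrence. This added example (not Nubiatech's code, and not from any Cisco tool) parses `show conn count`, `show xlate count` and `show blocks` and flags the conditions worth acting on. The sample output is constructed for the example; the 10% "near-exhaustion" and 80% "peak near limit" thresholds are assumptions, and the 2,000,000 session figure is the one quoted in the original post.

```python
import re

# Constructed sample output (not from the thread's ASA), in the formats these commands print on ASA 8.x.
SHOW_CONN_COUNT = "1523 in use, 48210 most used"
SHOW_XLATE_COUNT = "311 in use, 2047 most used"
SHOW_BLOCKS = """\
  SIZE    MAX    LOW    CNT
     0    400    394    400
     4    300    295    300
    80    100     97    100
   256    500    497    500
  1550   1444      0   1188
  2048   1000     80   1000
  2560    564    564    564
  4096    100    100    100
  8192    100    100    100
 16384    100    100    100
 65536     16     16     16
"""

def parse_count(text):
    """'N in use, M most used' -> {'in_use': N, 'most_used': M}."""
    m = re.search(r"(\d+) in use, (\d+) most used", text)
    if not m:
        raise ValueError(f"unrecognised count output: {text!r}")
    return {"in_use": int(m.group(1)), "most_used": int(m.group(2))}

def parse_blocks(text):
    """Rows of 'show blocks': SIZE (bytes per block), MAX (pool size), LOW (fewest free blocks
    seen since the counters were cleared), CNT (free right now). Header line is skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            size, mx, low, cnt = (int(x) for x in m.groups())
            rows.append({"size": size, "max": mx, "low": low, "cnt": cnt})
    return rows

def depleted_pools(rows, warn_ratio=0.10):
    """A pool whose LOW reached 0 ran dry at some point (packets needing that block size were
    dropped while it lasted); a pool whose LOW fell under warn_ratio * MAX came close.
    warn_ratio is an assumption for this example."""
    out = []
    for r in rows:
        if r["low"] == 0:
            out.append((r["size"], "exhausted"))
        elif r["low"] < r["max"] * warn_ratio:
            out.append((r["size"], "near-exhaustion"))
    return out

def triage(conn_txt, xlate_txt, blocks_txt, max_conns, peak_ratio=0.80):
    """One pass over the three outputs; returns human-readable findings."""
    findings = []
    conn = parse_count(conn_txt)
    note = ""
    if conn["most_used"] >= max_conns * peak_ratio:
        note = f" (peak is within {int(peak_ratio * 100)}% of the platform limit)"  # assumed threshold
    findings.append(f"conn: {conn['in_use']} in use, peak {conn['most_used']} of {max_conns}{note}")
    xlate = parse_count(xlate_txt)
    findings.append(f"xlate: {xlate['in_use']} in use, peak {xlate['most_used']}")
    for size, state in depleted_pools(parse_blocks(blocks_txt)):
        hint = ""
        if size == 1550:
            hint = "; this is the pool the ASA uses for Ethernet-sized packets, so exhaustion here shows up as input drops"
        findings.append(f"{size}-byte block pool {state}{hint}")
    return findings

if __name__ == "__main__":
    for line in triage(SHOW_CONN_COUNT, SHOW_XLATE_COUNT, SHOW_BLOCKS, max_conns=2_000_000):
        print("-", line)
```

Because LOW is a low-water mark since the last clear, a pool that reads "exhausted" may have recovered long ago; clear the counters (`clear blocks`) at the start of a quiet period and re-read them right after the next outage to tie the depletion to the event.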
zippy83 (Member, join:2012-08-30)
Update...

Found the problem. We had some other unused SSL profiles with the same group policy applied. For some reason the ASA was getting confused. As soon as I separated them, created a new group policy and applied it to the SSL profile, everything started to work normally.

Now the question is why this happened after 4 years. It was always configured like that, and I looked at previous backup configs dating back 2 months, 5 months and 2 years, and it was always the same.

Just happy at the moment that the issue has gone away...
Thanks Everyone
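The condition zippy83 found, several SSL profiles (connection profiles, `tunnel-group` in the CLI) pointing at one `group-policy`, is easy to check for in a saved running-config. The following is an added example, not the poster's or Cisco's code: it parses the tunnel-group and group-policy sections of a constructed ASA 8.2-style configuration, lists every group-policy attached to more than one tunnel-group, and lists remote-access tunnel-groups with no enabled alias or URL as likely-unused candidates. That "no alias/URL means unused" rule is an assumption of the example; certificate mapping or the default group can still land sessions in such a profile.

```python
import re

# Constructed ASA 8.2-style configuration fragment for this example (not the thread's config).
SAMPLE_CONFIG = """\
group-policy GP_CORP internal
group-policy GP_CORP attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
group-policy GP_CONTRACTOR internal
tunnel-group SSLVPN_USERS type remote-access
tunnel-group SSLVPN_USERS general-attributes
 default-group-policy GP_CORP
tunnel-group SSLVPN_USERS webvpn-attributes
 group-alias SSLVPN enable
tunnel-group OLD_PILOT type remote-access
tunnel-group OLD_PILOT general-attributes
 default-group-policy GP_CORP
tunnel-group OLD_PILOT webvpn-attributes
 group-alias PILOT disable
tunnel-group LEGACY_TEST type remote-access
tunnel-group LEGACY_TEST general-attributes
 default-group-policy GP_CORP
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 default-group-policy GP_CONTRACTOR
tunnel-group CONTRACTORS webvpn-attributes
 group-url https://vpn.example.com/contractors enable
"""

# Top-level "tunnel-group NAME <section> [arg]" lines; sub-commands follow indented by one space.
TG_HEADER = re.compile(
    r"tunnel-group (\S+) (type|general-attributes|webvpn-attributes|ipsec-attributes|ppp-attributes)(?: (\S+))?$"
)

def parse_tunnel_groups(config):
    """Map tunnel-group name -> type, default-group-policy, enabled aliases and URLs.
    A tunnel-group with no default-group-policy inherits the built-in DfltGrpPolicy."""
    groups, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command: does it open a tunnel-group section?
            m = TG_HEADER.match(line)
            if m:
                name, section, arg = m.groups()
                tg = groups.setdefault(name, {"type": None, "policy": "DfltGrpPolicy",
                                              "aliases": [], "urls": []})
                if section == "type":
                    tg["type"] = arg
                current = (name, section)
            else:
                current = None                # e.g. "group-policy X attributes": not our section
            continue
        if current is None:
            continue
        name, section = current
        tg, sub = groups[name], line.strip()
        if section == "general-attributes" and sub.startswith("default-group-policy "):
            tg["policy"] = sub.split()[1]
        elif section == "webvpn-attributes":
            m = re.match(r"group-(alias|url) (\S+) (enable|disable)$", sub)
            if m and m.group(3) == "enable":
                tg["aliases" if m.group(1) == "alias" else "urls"].append(m.group(2))
    return groups

def shared_policies(groups):
    """group-policy -> sorted tunnel-group names, only for policies used by more than one."""
    by_policy = {}
    for name, tg in groups.items():
        by_policy.setdefault(tg["policy"], []).append(name)
    return {p: sorted(n) for p, n in by_policy.items() if len(n) > 1}

def unselectable_groups(groups):
    """Remote-access tunnel-groups with no enabled group-alias or group-url (assumed heuristic for
    'unused': nothing lets a user pick them from the portal)."""
    return sorted(n for n, tg in groups.items()
                  if tg["type"] == "remote-access" and not tg["aliases"] and not tg["urls"])

def report(config):
    groups = parse_tunnel_groups(config)
    lines = []
    for policy, names in shared_policies(groups).items():
        lines.append(f"group-policy {policy} is shared by {len(names)} tunnel-groups: {', '.join(names)}")
    for name in unselectable_groups(groups):
        lines.append(f"tunnel-group {name} has no enabled group-alias/group-url (likely unused) "
                     f"and uses {groups[name]['policy']}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against each of the archived backups as well as the live config: since the poster's backups at 2 months, 5 months and 2 years all show the same layout, the script will report the same sharing in every one of them, which is useful evidence when taking the case to TAC.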
aryoba (MVM, join:2002-08-22)
If there have been no changes on the ASA for 2+ years, then the culprit ought to be elsewhere; somewhere on the server side, perhaps?
HELLFIRE (MVM, join:2009-11-25), to zippy83:
...at that point, I'd REALLY put it to TAC... or check the bug database, just for chuckles.

My 00000010bits

Regards