TCP/UDP Filtring on ASA

 

hi all,

since 3 Weeks i have some trouble with ASA 5520. 

ASA block TCP/UDP inbound & outbound connection for some ip address until i issue [clear ip local-host 'ip address' ] command for these spécific ip address.

 

for instance suppose we have 2 externals  host  (Host A and Host B)  communicating through ASA, to same  internal Server  with destination port  TCP/UDP port 10001 and 10002 respectivelly, all worked fine at beginning.at certain moment, Host A  still communicate well with internal Server on destinated port (10001,  but Host B stop communicate to its destinated port (10002) , until i issue [clear ip local-host 'ip address Host B'].

 

Host A ------ASA--------->server port 10001

Host B ------ASA---------->server port 10002

 

what can cause this ?

 

 

thanks so much for your help.

 

Comments

  • May be you have reached the maximum number of hosts limit of your asa's license. Check the no of hosts.

     

    With regards

    Kings

  •  

     

    Yes Kingsley, I thought that too. but when i do sh connexion ,

    i see only 60 000 / 280 000 connexion in use. i think this mean that, there still a sufficient number for other connexion and problem still happen.

  • Ok just try to clear all the connections and try to initiate a connection the one with which you have a problem.

    What is the application that you are using on mapped to port 10002. May be ASA is not able to inspect that application

     

    To reinitalize per-client run-time states such as connection limits and embryonic limits, use the clear local-host command in privileged EXEC mode. As a result, this command removes any connection that uses those limits.

    This command releases the ASA resources such that you can re-initiate the connection

    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c3.html#wp2166659

    Usage Guidelines

    When you make security policy changes to the configuration, all new connections use the new security policy. Existing connections continue to use the policy that was configured at the time of the connection establishment. To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy using the clear local-host command. You can alternatively use the clear conn command for more granular connection clearing, or the clear xlate command for connections that use dynamic NAT.

    The clear local-host command releases the hosts from the host license limit. You can see the number of hosts that are counted toward the license limit by entering the show local-host command.

    With regards

    Kings

Sign In or Register to comment.