Cisco ASA hangs intermittently

fgasimzade · ‎10-13-2021

Hello Everyone,

We are using a very old Cisco ASA 5520 8.2(3) - I know it is extremely outdated, we will be replacing it next year, but the problem we are facing is quite odd and I want to try to find the root cause of it. It has been working for many years with the same config and version and all was good

ASA hangs intermittently and even reboots sometimes. Pings to the inside interface get too high, CLI hungs, sometimes it gets back to normal, sometimes reboots. We have 6-7 IPsec tunnels and Anyconnect VPN IP Phones on it. CPU is never more that 15-20%, sometimes even less, so it is not a CPU issue

The most interesting part is that we replaced it with another Cisco ASA 5510, same version, same config - and it behaves the same way! Havent rebooted yet, but I already noticed high pings and VPN Phones being disconnected and reconnected.

Looks like it is not a hardware issue, since both ASA's are behaving the same, so I would like to ask for a help or a direction in which I should dig.

Thank you in advance.

balaji.bandi · ‎10-13-2021

post below information :

sh memory

show process cpu

show resource usage

show asp table socket

Since you mentioned you have another kit, Try to get new version 9.X ( ASA 8.2 is tooo old for sure, you wont get much support).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

fgasimzade · ‎10-13-2021

Hello,

show memory
Free memory: 107224640 bytes (40%)
Used memory: 161210816 bytes (60%)
------------- ----------------
Total memory: 268435456 bytes (100%)

show cpu
CPU utilization for 5 seconds = 5%; 1 minute: 8%; 5 minutes: 7%

show resource usage
Resource Current Peak Limit Denied Context
SSH            1       4        5        0 System
Conns      1980   2448 130000 0     System
Xlates         2      378     N/A    0      System
Hosts       761   1271    N/A       0       System
Conns [rate] 31   336      N/A    0      System
Inspects [rate] 14 115      N/A    0    System

sh asp table socket

SSL 0000c59f 10.40.50.65:443 0.0.0.0:* LISTEN
SSL 0001738f 85.132.X.X:443 0.0.0.0:* LISTEN
SSL 0001af4f 10.254.17.9:443 0.0.0.0:* LISTEN
SSL 0002137f 192.168.16.32:443 0.0.0.0:* LISTEN
TCP 00030cef 10.254.17.9:22 0.0.0.0:* LISTEN
TCP 00043bdf 10.254.17.17:22 0.0.0.0:* LISTEN
TCP 00055c4f 85.132.X.X:22 0.0.0.0:* LISTEN
TCP 00060a3f 10.40.50.65:22 0.0.0.0:* LISTEN
TCP 000741af 192.168.16.32:22 0.0.0.0:* LISTEN
DTLS 0007b2ef 85.132.X.X:443 0.0.0.0:* LISTEN
SVC 10a980c8 85.132.X.X:443 46.1.160.33:52163 ESTAB
SVC_UDP 10aad5f8 85.132.X.X:443 46.1.160.33:50285 CONNECTED
SVC 10ae95b8 85.132.X.X:443 109.73.46.242:52754 ESTAB
SVC_UDP 10afcc68 85.132.X.X:443 109.73.46.242:50600 CONNECTED
SVC 10b22c78 85.132.X.X:443 46.1.160.33:52304 ESTAB
SVC_UDP 10b3ea28 85.132.X.X:443 46.1.160.33:49462 CONNECTED
SVC 10b5c608 85.132.X.X:443 212.112.111.35:52551 ESTAB
SVC_UDP 10b64338 85.132.X.X:443 212.112.111.35:50169 CONNECTED
SVC 10bc0258 85.132.X.X:443 73.12.77.169:50706 ESTAB
SVC_UDP 10bcddd8 85.132.X.X:443 73.12.77.169:51438 CONNECTED
SVC 10bec4b8 85.132.X.X:443 116.236.253.42:50785 ESTAB
SVC_UDP 10bf5428 85.132.X.X:443 116.236.253.42:49607 CONNECTED
SVC 10c21778 85.132.X.X:443 46.235.74.36:51676 ESTAB
SVC_UDP 10c29c78 85.132.X.X:443 46.235.74.36:52686 CONNECTED
SVC 10fdfd88 85.132.X.X:443 49.206.123.22:19725 ESTAB
SVC_UDP 10fe64b8 85.132.X.X:443 49.206.123.22:19727 CONNECTED
SVC 159fb568 85.132.X.X:443 122.176.113.139:50904 ESTAB
SVC_UDP 15a06f18 85.132.X.X:443 122.176.113.139:52681 CONNECTED
SVC 18c6ac38 85.132.X.X:443 109.73.46.242:50361 ESTAB
SVC_UDP 18c765a8 85.132.X.X:443 109.73.46.242:52254 CONNECTED
SVC 18c786e8 85.132.X.X:443 185.76.110.154:50351 ESTAB
SVC_UDP 18c82298 85.132.X.X:443 185.76.110.154:51859 CONNECTED
SVC 18eed1b8 85.132.X.X:443 46.1.160.33:51978 ESTAB
SVC_UDP 18ef5d28 85.132.X.X:443 46.1.160.33:51493 CONNECTED
SVC 1934c658 85.132.X.X:443 85.132.43.85:52600 ESTAB
SVC 19459508 85.132.X.X:443 84.51.37.66:49490 ESTAB
SVC_UDP 19477da8 85.132.X.X:443 84.51.37.66:52224 CONNECTED
SVC 19c85298 85.132.X.X:443 108.233.240.54:52209 ESTAB
SVC_UDP 19c88918 85.132.X.X:443 108.233.240.54:53027 CONNECTED
TCP 1a06d838 10.40.50.65:22 192.168.1.18:1237 ESTAB
SVC 1a0a9ff8 85.132.X.X:443 104.37.130.112:52424 ESTAB
DTLS 1a0b2e6f 85.132.X.X:443 104.37.130.112:50616 CONNECTED

What we have done today is we moved one of the IPSEC VPNs to another hardware and it seems like ASA is more stable now, but we need to monitor further.

Could it be some kind of a huge traffic flowing though it and affecting its performance? And CPU usage was still low?

fgasimzade · ‎10-13-2021

Just as I said that it became more stable it hunged again for a couple of seconds while I was on call with a test IP Phone connected over SSL VPN

This is what happened to pings at this moment

Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time<1ms TTL=253
Reply from 10.40.50.65: bytes=32 time=930ms TTL=253
Reply from 10.40.50.65: bytes=32 time=3081ms TTL=253
Reply from 10.40.50.65: bytes=32 time=2242ms TTL=253
Reply from 10.40.50.65: bytes=32 time=40ms TTL=253
Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time<1ms TTL=253
Reply from 10.40.50.65: bytes=32 time<1ms TTL=253
Reply from 10.40.50.65: bytes=32 time=1ms TTL=253
Reply from 10.40.50.65: bytes=32 time<1ms TTL=253
Reply from 10.40.50.65: bytes=32 time<1ms TTL=253
Reply from 10.40.50.65: bytes=32 time<1ms TTL=253

I agree, switching to a new version is a good idea, however this one was working for years and the problem exists even after replacing ASA with another one