Downloads failing through ASA 5520


(OP)
Hi.

We have an ASA 5520 running version 7.2(3), and yes I know that's old, but it has been fine, and up until a few months ago everything was good. We have a 100/100 internet connection, and if you do tests WITHOUT the ASA in place we can download a 100 meg file in 45 seconds. If you have the ASA in place it starts off downloading, pauses, downloads a bit more, and so on. After 45 seconds we'd managed 1%....

Show ASP drop has the following stats:

Frame drop:
Invalid encapsulation 142
No valid adjacency 7
Flow is denied by configured rule 267287
Invalid SPI 29
NAT-T keepalive message 68375
First TCP packet not SYN 19178
Bad TCP flags 56
TCP data exceeded MSS 1880
TCP data send after FIN 6
TCP failed 3 way handshake 542523
TCP RST/FIN out of order 7249
TCP SEQ in SYN/SYNACK invalid 435
TCP SYNACK on established conn 1360
TCP packet SEQ past window 5320
TCP Out-of-Order packet buffer full 2551017
TCP Out-of-Order packet buffer timeout 337081
TCP RST/SYN in window 1582
TCP DUP and has been ACKed 18938980
TCP packet failed PAWS test 49945368
IPSEC tunnel is down 194
Slowpath security checks failed 93783
ICMP Inspect seq num not matched 1
ICMP Error Inspect different embedded conn 1
DNS Inspect invalid domain label 18
DNS Inspect packet too long 251
DNS Inspect id not matched 74739
FP L2 rule drop 13999
Interface is down 170
Dropped pending packets in a closed socket 47

Flow drop:
NAT failed 482
NAT reverse path failed 15242
Need to start IKE negotiation 96
Inspection failure 3126
SSL bad record detected 2
SSL handshake failed 6
SSL malloc error 7

Does anyone have any thoughts as to what can be going on? We're looking at replacing the firewall, but that's going to take a while with budget approvals, etc, so if I can fix the issue that would be even better!

Thanks
Chris
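
The counters in the listing above are cumulative totals, so one listing alone does not show which drop reasons are incrementing while a download stalls. As an added example (not part of the original thread), the Python below parses two pasted `show asp drop` snapshots, one taken before and one after a test download, and reports only the counters that grew. The "before" lines are copied from the post; the "after" values are constructed for illustration.

```python
import re

# "<drop reason> <count>": the reason may contain spaces, digits, slashes and
# hyphens; the count is the last integer on the line.
LINE = re.compile(r"^(?P<reason>.+?)\s+(?P<count>\d+)$")

def parse_asp_drop(text):
    """Return {(section, reason): count} from pasted `show asp drop` output."""
    counters, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() in ("frame drop:", "flow drop:"):
            section = line.rstrip(":").lower()
            continue
        m = LINE.match(line)
        if m and section:
            counters[(section, m["reason"])] = int(m["count"])
    return counters

def drop_delta(before, after):
    """Counters that grew between two snapshots, largest increase first."""
    grown = {k: v - before.get(k, 0) for k, v in after.items()
             if v > before.get(k, 0)}
    return sorted(grown.items(), key=lambda kv: kv[1], reverse=True)

# Snapshot before the test download: a few lines copied from the post.
BEFORE = """Frame drop:
TCP failed 3 way handshake 542523
TCP Out-of-Order packet buffer timeout 337081
TCP DUP and has been ACKed 18938980
TCP packet failed PAWS test 49945368

Flow drop:
NAT reverse path failed 15242
"""
# Snapshot after the test download: CONSTRUCTED values, not from the poster's ASA.
AFTER = """Frame drop:
TCP failed 3 way handshake 542530
TCP Out-of-Order packet buffer timeout 339181
TCP DUP and has been ACKed 18938980
TCP packet failed PAWS test 49945368

Flow drop:
NAT reverse path failed 15245
"""

if __name__ == "__main__":
    for (section, reason), inc in drop_delta(parse_asp_drop(BEFORE),
                                             parse_asp_drop(AFTER)):
        print(f"{inc:>10}  [{section}] {reason}")
```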

RE: Downloads failing through ASA 5520

I will assume nothing changed in the configuration of the unit and adjacent devices.
Check / replace the cables. If that does not help, look at the interface stats to see CRC, resets and such. What does the ASA connect to? A router? Modem? Do you have access to it? Inspect the logs on that device - it could be defective.
