[c-nsp] ASA5520 latency & OSPF drops

Adam Greene maillist at webjogger.net
Mon Feb 3 08:51:24 EST 2014


Thank you to all for your replies and advice over the weekend. We are
treating the situation as a DoS originating from within our network and are
locking things down accordingly. You may be hearing from me again soon
depending on how things go! 

Adam

From: John Kougoulos [mailto:john.kougoulos at gmail.com]
Sent: Saturday, February 01, 2014 4:30 PM
To: Adam Greene
Cc: cisco-nsp at puck.nether.net NSP
Subject: Re: [c-nsp] ASA5520 latency & OSPF drops
Hi,

since you don't lose the OSPF session between 5520 and 2921, I would say
that this is not related to ASA CPU, DoS from Internet etc.

This would also suggest that 2950G in general works ok. The vlan that
connects 3750 to 5520 exists only in 2950G and only these 2 devices are
connected? Would it be possible that there is some kind of spanning tree
instability issue in this VLAN that causes this?

Other than this, I would watch the ASA logs carefully, possibly upgrade to
the latest 8.2 in case that there is a bug that could lead to some kind of
blocking of the input queue.

Also I think there is a "show memory xxx" command that allows you to see how
much memory is allocated / freed per process since boot. This might give you
a hint on which process allocates these few megabytes when the issue occurs.



Regards,

John
On Sat, Feb 1, 2014 at 8:39 PM, Adam Greene <maillist at webjogger.net> wrote:

Octavio,


> What about pings from the external world to the ASA?

These appear normal, since the ASA5520---2921 OSPF session is not dropping.

> Also, I'd increase logging verbosity to a Syslog server with an interface
> connected to each side of the ASA.

Good idea.


> And I'd also be prepared to do a packet capture on both sides of the ASA
> for the next time it happens.

Tough since they occur so sporadically, and up to now have been relatively
brief. I wonder if there is some way to trigger a capture upon a specific
event occurring. Or maybe will we just have to keep tons of logs which roll
over, and hope we catch something. We generally have about 40Mbps pumping
through the unit. That's a lot of data, and a fast rollover.


> You mention spares (I assume cold spares) but also OSPF, do you have your
> devices HA?

Yes, cold spares. Devices are not HA. I have seen posts about OSPF failing
in 8.2 when the active host of a failover pair fails, due to a bug, but that
doesn't seem to be our case here as far as I can tell.

Any other ideas welcome.

Sounds like people's thoughts are tending toward DoS ...

Thanks,
Adam



-----Original Message-----
From: Octavio Alvarez [mailto:alvarezp at alvarezp.ods.org]
Sent: Saturday, February 01, 2014 1:24 PM
To: Adam Greene
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA5520 latency & OSPF drops

On 02/01/2014 08:27 AM, Adam Greene wrote:

> Every so often (it started three months ago, about once per month, now
> it's about once per week, but it's not regular), we're getting very
> high latency on pings from our Internal Network to the ASA5520, and
> the OSPF adjacency between the 3750 and the ASA5520 is dropping. The
> issue was lasting about 60 seconds each time up to this morning, when it
> lasted about 3 hours. Ugh!
>
> Pings from the Internal Network to the 3750 and 2950G are fine.

What about pings from the external world to the ASA?

Also, I'd increase logging verbosity to a Syslog server with an interface
connected to each side of the ASA.

And I'd also be prepared to do a packet capture on both sides of the ASA for
the next time it happens.

You mention spares (I assume cold spares) but also OSPF, do you have your
devices HA?


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
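Octavio suggests shipping verbose ASA syslog to a collector, and Adam asks whether a capture could be triggered by a specific event. The following added example (not code from the thread or from Cisco) shows the detection half of that: it parses constructed ASA syslog lines, pairs each OSPF neighbor drop out of FULL with the neighbor's return to FULL to measure how long the adjacency was down, and builds the ASA capture command a syslog-driven watcher could push when a drop is seen. The sample log lines, the watcher itself, and the neighbor addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the format an ASA sends to a syslog server.
# 503001 is the ASA message ID for an OSPF neighbor state change; the
# unrelated 302013 line is there to show the filter ignoring other messages.
SAMPLE_LOG = """\
Feb  1 08:21:03 asa5520 %ASA-5-503001: Process 1, Nbr 10.0.0.2 on inside from LOADING to FULL, Loading Done
Feb  1 08:27:41 asa5520 %ASA-5-503001: Process 1, Nbr 10.0.0.2 on inside from FULL to DOWN, Dead timer expired
Feb  1 08:27:42 asa5520 %ASA-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.0.0.50/51022 (203.0.113.5/51022)
Feb  1 08:28:55 asa5520 %ASA-5-503001: Process 1, Nbr 10.0.0.2 on inside from DOWN to INIT, Received Hello
Feb  1 08:29:40 asa5520 %ASA-5-503001: Process 1, Nbr 10.0.0.2 on inside from LOADING to FULL, Loading Done
"""

OSPF_NBR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %ASA-\d-503001: "
    r"Process \d+, Nbr (?P<nbr>\S+) on (?P<ifc>\S+) "
    r"from (?P<old>\S+) to (?P<new>\S+), (?P<reason>.*)$"
)

def neighbor_events(log_text):
    """Yield (time, neighbor, interface, old_state, new_state, reason)
    for every 503001 line; all other syslog messages are skipped."""
    for line in log_text.splitlines():
        m = OSPF_NBR.match(line)
        if m:
            t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield t, m["nbr"], m["ifc"], m["old"], m["new"], m["reason"]

def adjacency_outages(log_text):
    """Pair each drop out of FULL with the same neighbor's next return to
    FULL. Returns [(neighbor, interface, drop_time, reason, seconds_down)];
    seconds_down is None while the adjacency is still down."""
    open_drops, outages = {}, []
    for t, nbr, ifc, old, new, reason in neighbor_events(log_text):
        key = (nbr, ifc)
        if old == "FULL" and new != "FULL":
            open_drops[key] = len(outages)
            outages.append((nbr, ifc, t, reason, None))
        elif new == "FULL" and key in open_drops:
            i = open_drops.pop(key)
            nbr, ifc, t0, reason, _ = outages[i]
            outages[i] = (nbr, ifc, t0, reason, (t - t0).total_seconds())
    return outages

def capture_command(nbr, ifc, buffer_bytes=4000000):
    """ASA CLI that a syslog-driven watcher (assumed; the thread names no
    such tool) could push on a drop: a bounded circular capture of the
    neighbor's traffic on the affected interface, so it cannot fill memory."""
    return (f"capture ospf_{ifc} interface {ifc} buffer {buffer_bytes} "
            f"circular-buffer match ip host {nbr} any")
```

Feeding the collector's live 503001 lines through `adjacency_outages` gives the per-event duration directly, which is the number the thread is trying to pin down (a minute versus three hours).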