Normally a Cisco ASA firewall either permits or denies traffic. It’s very rare that traffic works sometimes but not all the time. Here are some troubleshooting tips for when the ASA is causing intermittent or sporadic connectivity issues.
Embryonic Connections issues
Check the show conn output to see if there are a lot of half opened or embryonic connections.
Is the number of embryonic connections very high? This could be filling up the max connection table on the ASA or on the destination system.
You can set the max embryonic connections with this:
This sets a maximum amount of connections to 192.168.1.50 on port 80 to be 100 connections total and 25 per source IP. The
per-client-max 25 statement is optional at the end of the
set connection command.
If the bandwidth of an interface is hitting the max capacity it will drop packets.
show traffic command to verify no interface is nearing the limit.
show int and confirm the BW setting, and duplex settings are correct.
If the CPU reaches 100% it will start dropping packets.
Check interface and memory statistics
Check interface statistics and look for any dropped packet counters rising.
Check the show blocks for memory usage issues.
Some notes on packets, performance, and memory:
If ingress FIFO (queue) is full, frames are dropped
- No free slots in RX ring (CPU/memory bound)
- Unable to acquire bus (used by another component)
- “No buffer” on memory move errors, “overruns” on FIFO drops
FIFO is not affected by packet rates, but RX rings are
- Fixed memory block size regardless of actual frame size
- Ingress packet bursts may cause congestion even at low bits/sec
Fixed bus overhead for memory transfers
- 30% or 80% bus efficiency for 64 or 1400 byte packets
- Maximize frame size and minimize rate for best efficiency
Overruns on all interfaces may mean several things
- Interface oversubscription
- CPU oversubscription on a single core system
- Uneven CPU load distribution on a multi-core system
- Memory block exhaustion