Cisco Bug: CSCvs85196 - ASA SIP connections drop after several consecutive failovers: pinhole timeout/closed by inspection

Last Modified

Sep 17, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.6(4.17) 9.8(3.14) 9.8(4.8)

Description (partial)

Symptom:
After several consecutive failover events, the ASA drops some connections (up to 40% in some incidents).

The following is visible in the logs:
- after failover, some pinholes related to the affected connections may be closed;
- the connection still exists when the firewall receives a SIP Register message;
- the connection is closed by inspection upon receiving the SIP Register message;
- further packets belonging to this connection are dropped because the connection no longer exists ('Deny TCP (no connection)' in logs, 'First TCP packet not SYN' in ASP drops).

Conditions:
Several consecutive failover events happening at short intervals (~5 minutes).