CISCO ASA 5510 做透明代理的问题

frsky

现在我使用CISCO ASA 5510 做透明代理，  外网网线 接e0/0  内网接e0/1

现在e 0/1 接 服务器目前是正常的， e 0/1 接 cisco 3560 交换机， 开始能够正常运行，但是10分钟后 出现故障，

e 0/1 接交换机的口会断掉，请大家帮我分析下是什么问题。


CISCO 3560的配置信息
Switch#show run
Building configuration...

Current configuration : 2047 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
password-encryption
!
hostname Switch
!

no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascend
!
interface GigabitEthernet0/1
storm-control action shutdown
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/24
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
ip address xxx.xx.167.55 255.255.255.
!
interface Vlan2
description Intranet
ip address 192.168.168.254 255.255.25
!
ip default-gateway xxx.xxx.167.1
ip classless
ip http server
!
!
control-plane
!
!

!
end


CISCO ASA 5510 的配置信息如下

ciscoasa(config)# show run
: Saved
:
ASA Version 7.0(
!
firewall transparent
hostname ciscoasa
enable password IGiGgJ8tmF0DUEB5 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/0.1
vlan 2
no nameif
no security-level
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Management0/0
nameif mange
security-level 100
management-only
!
ftp mode passive
access-list out_ports extended permit tcp any any eq ssh
access-list out_ports extended permit tcp any any eq 3389
access-list out_ports extended permit tcp any any eq www
access-list out_ports extended permit tcp any any eq https
access-list out_ports extended permit tcp any any eq 8080
access-list out_ports extended permit tcp any any eq ftp
access-list out_ports extended permit tcp any any eq smtp
access-list out_ports extended permit tcp any any eq 9022
access-list out_ports extended permit tcp any any eq pop3
access-list out_ports extended permit tcp any any eq 9021
access-list out_ports extended permit tcp any any eq 3306
access-list out_ports extended permit tcp any any eq 1433
access-list out_ports extended permit tcp any any eq 8001
access-list out_ports extended permit icmp any any
access-list in_ports extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu mange 1500
ip address xxx.xxx.167.56 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group out_ports in interface outside
access-group in_ports in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.167.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password sYp59AEURUB6GLb9 encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:e8455a26980f883e255ee54ded416763
: end

LAMP-兄弟连

没看懂~~

ssffzz1

你说的断掉是什么意思，
断掉的时候是内网所有的机器，包括服务器都不正常是吗？

frsky

原帖由 ssffzz1 于 2008-12-5 14:26 发表
你说的断掉是什么意思，
断掉的时候是内网所有的机器，包括服务器都不正常是吗？

就是 ASA inside 连接交换机的端口，会出现黄颜色， 内网无法ping同防火墙。

tomyung

3560用哪个口接5510的？贴下show interface的输出看看

frsky

用1号口进行连接的。
Switch#show int
Switch#show interfaces
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0023.5d1f.5240 (bia 0023.5d1f.5240)
  Internet address is xxx.xxx.167.55/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 2 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     970498 packets input, 65852453 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     94770 packets output, 7430392 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 0023.5d1f.5241 (bia 0023.5d1f.5241)
  Description: Intranet
  Internet address is 192.168.168.254/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 1d18h, output 2d21h, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     132 packets input, 7920 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     7 packets output, 448 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0023.5d1f.5201 (bia 0023.5d1f.5201)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (32000 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is on, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:07, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 296000 bits/sec, 290 packets/sec
  5 minute output rate 277000 bits/sec, 291 packets/sec
     45890248 packets input, 5456703299 bytes, 0 no buffer
     Received 578937 broadcasts (0 multicasts)
     0 runts, 1 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 159080 multicast, 0 pause input
     0 input packets with dribble condition detected
     40422745 packets output, 3792639674 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

tomyung

interface GigabitEthernet0/1
storm-control action shutdown

关掉storm-control试试

frsky

还有没有其他思路？

ssffzz1

你看等黄色时候，两端的接口状态，发上来。还有生成树的协议状态发上来。

另外你可以强制速率和双工模式，以及流控，还有no keeplive 试试。

frsky

原帖由 ssffzz1 于 2008-12-8 11:08 发表
你看等黄色时候，两端的接口状态，发上来。还有生成树的协议状态发上来。

另外你可以强制速率和双工模式，以及流控，还有no keeplive 试试。

上面的都测试过了，没有作用。


日志信息
3d01h: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking GigabitEthernet0/1 on VLAN0001. Inc
onsistent port type.


Log Buffer (4096 bytes):
7-BLOCK_PORT_TYPE: Blocking GigabitEthernet0/1 on VLAN0001. Inconsistent port ty
pe.
3d01h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, chang
ed state to down
3d01h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
3d01h: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk GigabitE
thernet0/1 VLAN1.
3d01h: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking GigabitEthernet0/1 on VLAN0001. Inc
onsistent port type.