ASA 5505 inside interface issue

Unanswered Question
Mar 29th, 2007
User Badges:

I recently deployed an ASA 5505 and after powering this unit up, things seemed to be fine. After a few hours, all internal connections out to the Internet stopped. I have not been able to find the cause of this, but when this happens, I try pinging any internal computers from the ASA inside interface, and I get timeouts. After reloading the ASA, the connections out to the Internet start working again. This seems like a random issue, as the inside interface stops responding at various different times. We do run 10-plus individual Cisco VPN client connections out through this device, so maybe the problem lies there?

suschoud Thu, 03/29/2007 - 07:36
User Badges:
  • Gold, 750 points or more

When the connections stopped, were you able to log into the unit?

Were you able to ping Internet IPs?

Is there an IP address within your internal network which might be the same as the firewall's inside interface?

Did you collect logs during the time the connections stopped?

Everything has a reason, and we need data to find it, not speculation.

If you haven't got a syslog server, then set one up so that if this happens again, you have the necessary logs.

Ten VPN clients cannot create so many connections that other clients/hosts would be stopped from creating more connections.

suschoud Thu, 03/29/2007 - 07:37
User Badges:
  • Gold, 750 points or more

Here are the steps for setting up the syslog server.

First you would need to install syslog server software on one of the computers. You may download the popular Kiwi Syslog server from http://www.kiwisyslog.com/software_downloads.htm . It is listed as Kiwi Syslog Daemon and the latest version is 7.1.0. You may download the standard edition that runs as a program.

Once the syslog server is installed, you will then need to log into the PIX in configuration terminal mode and enter the following commands.

logging host [in_if_name] ip_address

(example: logging host inside 1.2.3.4. We are assuming the syslog server is installed on a computer with IP address 1.2.3.4 in the inside network.)

logging timestamp

logging trap 4

logging on

These commands will enable the PIX to start sending syslog messages to the syslog server.

For more information on logging commands you may refer to this URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008010578b.html#1028090

----------------------------------------------------------------------------------

Trap levels

0 - emergencies - System unusable messages

1 - alerts - Take immediate action

2 - critical - Critical condition

3 - errors - Error message

4 - warnings - Warning message

5 - notifications - Normal but significant condition

6 - informational - Information message

7 - debugging - Debug messages and log FTP commands and WWW URLs

----------------------------------------------------------------------------------

These steps are applicable to the ASA too.
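To make the trap-level table above concrete on the receiving side, here is a small parser for the messages the ASA sends to the syslog server, written as an added example for this thread (it is not code from the thread or from Cisco). It parses the "%ASA-<severity>-<message id>: <text>" header and reproduces the filtering rule of "logging trap 4": a message is forwarded when its severity number is 4 or lower (more severe). The sample log lines are constructed for the example; the message ids used are standard ASA ids, but the surrounding text is illustrative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity numbers as used by "logging trap <level>" (0 = emergencies ... 7 = debugging).
TRAP_LEVELS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Matches the ASA/PIX message header "%ASA-<severity>-<message id>: <text>".
MSG_RE = re.compile(r"%(ASA|PIX)-(\d)-(\d{6}):\s*(.*)$")


@dataclass
class AsaMessage:
    platform: str   # "ASA" or "PIX"
    severity: int   # 0..7, lower is more severe
    msg_id: str     # six-digit message id
    text: str       # free-form message body


def parse_line(line: str) -> Optional[AsaMessage]:
    """Parse one syslog line; return None for lines without an ASA/PIX header."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return AsaMessage(m.group(1), int(m.group(2)), m.group(3), m.group(4).strip())


def passes_trap(msg: AsaMessage, trap_level: int) -> bool:
    """'logging trap N' forwards messages at severity N and anything more severe."""
    return msg.severity <= trap_level


def filter_lines(lines: List[str], trap_level: int) -> List[AsaMessage]:
    """Keep only the parsed messages that a 'logging trap <trap_level>' box would send."""
    kept = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None and passes_trap(msg, trap_level):
            kept.append(msg)
    return kept


# Constructed sample messages (not from the thread); timestamps as produced by "logging timestamp".
SAMPLE_LOG = [
    "Mar 29 2007 07:36:01: %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/80 to inside:10.0.0.15/1234",
    "Mar 29 2007 07:36:05: %ASA-4-411001: Line protocol on Interface inside, changed state to up",
    "Mar 29 2007 07:36:09: %ASA-3-305005: No translation group found for tcp src inside:10.0.0.15/1234 dst outside:203.0.113.5/80",
    "Mar 29 2007 07:36:12: %ASA-7-609001: Built local-host inside:10.0.0.15",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for msg in filter_lines(SAMPLE_LOG, 4):
        print(f"{msg.severity} ({TRAP_LEVELS[msg.severity]}) {msg.msg_id}: {msg.text}")
```

With trap level 4 only the warning (411001) and the error (305005) survive; the connection-build and debug messages are dropped, which is why a box logging at level 4 will show an interface flap but not the individual connections that died with it. Raising the level to 6 or 7 when chasing an intermittent fault like the one in this thread trades log volume for that detail.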

DJCanuck1_2 Thu, 03/29/2007 - 12:10
User Badges:

Thank you for this information. The inside interface is the only interface affected. This device is in one of our remote locations. I am able to open an ASDM session to the firewall when the inside interface goes down to reload the ASA.

suschoud Thu, 03/29/2007 - 12:17
User Badges:
  • Gold, 750 points or more

Well, in that case you can certainly put a syslog server on the DMZ/outside. That way, when the inside interface goes down, we'll still have the corresponding logs.

HTH

Sushil.

abinjola Thu, 03/29/2007 - 21:46
User Badges:
  • Cisco Employee,

OK, run the command debug icmp trace and try this:

1) Ping the inside interface of the FW from any inside machine and see if you get the request on it.

2) From the FW itself, ping its own inside interface; if you don't get a reply, it's bad hardware.

lmanaughkcc Sun, 11/11/2007 - 14:13
User Badges:

Did you ever find out what was wrong? I have a similar problem on my outside interface. I'm collecting logs but nothing was revealed in them that would explain it.

DJCanuck1_2 Wed, 11/14/2007 - 08:52
User Badges:

No, I did not. I suspected this was an ISP issue, as we did not have any problems for months after. I am not at that particular company anymore, so I don't know if it ever happened again...

lmanaughkcc Wed, 11/14/2007 - 09:35
User Badges:

The issue I'm having on the outside interface of my ASA 5505 is not related to the ASA, it seems. It is located in a remote site, and I have contacted the ISP who manages a Cisco 1841 router that the ASA is connected to via a crossover cable. They asked us to replace the crossover cable because the router was presenting CRC errors and that is the first line of defense. That didn't do it, so I asked them to set the interface to auto from full/100, and so far we haven't had an outage, but the day is young.

agcastle2000 Sat, 12/08/2007 - 06:11
User Badges:

Hi,


We are also experiencing a timeout issue when we ping the inside interface of the ASA 5505 from any of the machines in the LAN. Most of the time, we can't ping the inside at all!


Did you manage to find a solution to the problem? Could it be the code? I can ping the inside interface from the firewall.


Archie

lmanaughkcc Sat, 12/08/2007 - 11:36
User Badges:

In my case the behavior was the same as you describe. Nothing appeared in the logs, and I was stumped and thought for sure the issue was the ASA 5505.

However, I contacted the ISP who managed the router, and they indicated that the inside interface of the router was showing many CRC errors.

I asked them to configure their interface to auto/auto instead of trying to force 100/full, and all was fine after that. The other choice would have been to configure my firewall to 100/full using the info from this link:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html

After the ISP set the 1841 router to auto/auto, there were no more CRC errors and we haven't gone down again.

Good luck, hope this helps.

agcastle2000 Sat, 12/08/2007 - 20:01
User Badges:

Thanks for your reply.


I already tried manually setting the speed and duplex of the interfaces to auto even though by default they are set auto-negotiate.


We only had the 1841 before, where the inside interface had 10.0.0.1/24. So when we added the ASA 5505 and configured the inside interface to 10.0.0.1/24, it is possible that 10.0.0.1 was still somewhere in a cache. We changed the inside interface IP to 10.0.0.253 and the timeouts are gone, but the Internet is only up to the outside interface.


Archie

Hi Archie,


What license are you running on your ASA 5505? The Base license only allows 10 hosts on the inside network through the firewall. I recently had a similar problem that we didn't figure out until running packet-tracer. It showed packets were being dropped at the last step due to the host limit being reached.


Thanks,

John

agcastle2000 Sun, 12/09/2007 - 21:47
User Badges:

Hi,


It's a Security Plus license. Here's the product number and description:

ASA5505-SEC-BUN-K8

ASA 5505 Sec Plus Appliance with SW, UL Users, HA, DES

K8 was upgraded to K9.


Thanks.



Archie

agcastle2000 Sat, 12/15/2007 - 00:58
User Badges:

Hi,


The issue that we are facing with the ASA 5505 is resolved. We found out through the "show arp" command that hosts from the inside (LAN) are appearing on the outside interface (which should not happen). The way it's connected is that the inside interface of the router, the outside interface of the ASA 5505 and a few servers are connected to the same Catalyst 3750 switch. So it's possible that the servers are leaking to the outside interface.

After directly connecting the inside of the router to the outside of the ASA 5505 and clearing the ARP, it started to work.


Thanks for all your help.


Regards, Archie
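The "show arp" check that resolved this thread (inside hosts showing up on the outside interface) and the duplicate-address question raised earlier in the thread can both be automated over saved "show arp" output. The script below is an added example, not code from the thread or from Cisco: it parses rows of the form "interface ip mac age" (the ASA 7.x layout, assumed here), flags entries whose IP belongs to a subnet that should only be seen on a different interface, and reports any IP learned on more than one interface. The sample table is constructed for the example; 10.0.0.0/24 is the inside subnet from the thread, 203.0.113.0/24 is a documentation range standing in for the outside subnet.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One "show arp" row: <interface> <ip> <mac> <age>; layout assumed from ASA 7.x output.
ARP_RE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s*$",
    re.IGNORECASE,
)

# Which subnet is expected behind each interface (constructed for the example).
EXPECTED_SUBNETS = {
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed "show arp" output; 10.0.0.15 and 10.0.0.30 have leaked onto the outside interface.
SAMPLE_SHOW_ARP = """
        inside 10.0.0.15 0011.2233.4455 120
        inside 10.0.0.20 0011.2233.4466 5
        outside 203.0.113.1 0013.1a7e.8e5c 42
        outside 10.0.0.15 0011.2233.4455 37
        outside 10.0.0.30 0011.2233.4477 9
"""


def parse_show_arp(text: str) -> List[dict]:
    """Turn raw 'show arp' text into a list of {iface, ip, mac, age} entries."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append({
                "iface": m.group(1),
                "ip": ipaddress.ip_address(m.group(2)),
                "mac": m.group(3).lower(),
                "age": int(m.group(4)),
            })
    return entries


def find_leaks(entries: List[dict], iface_subnets: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """Entries whose IP belongs to a subnet expected on another interface: (seen_on, ip, expected_on)."""
    leaks = []
    for e in entries:
        for expected_iface, net in iface_subnets.items():
            if e["ip"] in net and e["iface"] != expected_iface:
                leaks.append((e["iface"], str(e["ip"]), expected_iface))
    return leaks


def find_multi_interface_ips(entries: List[dict]) -> Dict[str, List[str]]:
    """IPs learned on more than one interface, which points at a shared or looped L2 segment."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["ip"]].add(e["iface"])
    return {str(ip): sorted(ifaces) for ip, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    arp = parse_show_arp(SAMPLE_SHOW_ARP)
    for seen_on, ip, expected_on in find_leaks(arp, EXPECTED_SUBNETS):
        print(f"LEAK: {ip} learned on {seen_on}, expected only on {expected_on}")
    for ip, ifaces in find_multi_interface_ips(arp).items():
        print(f"MULTI: {ip} seen on {', '.join(ifaces)}")
```

On the constructed table the two 10.0.0.x entries under "outside" are reported as leaks, and 10.0.0.15 is additionally reported as present on both interfaces, which is exactly the signature of the inside and outside segments sharing one switch without separation. Running the same check against a clean table after re-cabling and "clear arp" should produce no output.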


