03-29-2007 07:20 AM - edited 03-11-2019 02:53 AM
I recently deployed an ASA 5505 and after powering this unit up, things seemed to be fine. After a few hours, all internal connections out to the Internet stopped. I have not been able to find the cause of this, but when this happens, if I try pinging any internal computers from the ASA inside interface, I get time outs. After reloading the ASA the connections out to the Internet start working again. This seems like a random issue as the inside interface stops responding at various different times. We do run 10 plus individual Cisco VPN client connections out through this device, so maybe the problem lies there?
03-29-2007 07:36 AM
When the connections stopped, were you able to log into the unit?
Were you able to ping Internet IPs?
Is there an IP address within your internal network that might be the same as the firewall's inside interface?
Did you collect logs during the time the connections stopped?
Everything has a reason and we need data to find it, not speculation.
If you haven't got a syslog server, then set one up so that if this happens again, you have the necessary logs.
Ten VPN clients cannot create so many connections that other clients/hosts would be stopped from creating more connections.
03-29-2007 07:37 AM
Here are the steps for setting up the syslog server.
First you need to install syslog server software on one of the computers. You may download the popular Kiwi Syslog server from http://www.kiwisyslog.com/software_downloads.htm . It is listed as Kiwi Syslog Daemon and the latest version is 7.1.0. You may download the standard edition that runs as a program.
Once the syslog server is installed you will then need to log in to the PIX in configuration terminal mode and enter the following commands:
logging host [in_if_name] ip_address
(example: logging host inside 1.2.3.4 ; we are assuming the syslog server is installed on the computer with IP address 1.2.3.4 in the inside network.)
logging timestamp
logging trap 4
logging on
These commands will enable the PIX to start sending syslog messages to the syslog server.
For more information on logging commands you may refer to this URL:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a008010578b.html#1028090
----------------------------------------------------------------------------------
Trap levels:
0 - emergencies - System unusable messages
1 - alerts - Take immediate action
2 - critical - Critical condition
3 - errors - Error message
4 - warnings - Warning message
5 - notifications - Normal but significant condition
6 - informational - Information message
7 - debugging - Debug messages and log FTP commands and WWW URLs
----------------------------------------------------------------------------------
These steps are applicable to the ASA too.
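As an added illustration of what "logging trap 4" actually sends (this is example code written for this page, not part of the post above and not Cisco's or Kiwi's software): the parser below reads ASA/PIX syslog lines of the form "%ASA-<severity>-<message id>: <text>", optionally prefixed by the date/time that "logging timestamp" adds, and keeps only the messages at or below a given trap level. The sample lines are constructed for the example; the message IDs in them are illustrative, and the exact timestamp layout is an assumption.

```python
import re
from typing import Optional

# Severity names as used by the PIX/ASA "logging trap" levels (0 = emergencies ... 7 = debugging).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Assumed line layout: optional "Mon DD YYYY HH:MM:SS: " prefix (from "logging timestamp"),
# then "%ASA-<sev>-<id>: <text>" (older PIX images tag messages "%PIX-" instead).
_MSG_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})(?::\s*|\s+))?"
    r"%(?P<platform>ASA|PIX)-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$"
)

# Constructed sample syslog lines for the example (not captured from a real device).
SAMPLE_LINES = [
    "Mar 29 2007 07:20:15: %ASA-4-411002: Line protocol on Interface inside, changed state to down",
    "Mar 29 2007 07:20:16: %ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.10/80 "
    "to inside:10.0.0.5/49152 duration 0:00:05 bytes 512 TCP FINs",
    "Mar 29 2007 07:20:17: %ASA-3-305005: No translation group found for tcp src inside:10.0.0.7/51234 "
    "dst outside:198.51.100.4/443",
    "Mar 29 2007 07:20:18: %ASA-7-609001: Built local-host inside:10.0.0.5",
    "this line is not an ASA syslog message and is skipped",
    "Mar 29 2007 07:20:19: %ASA-5-111008: User 'enable_15' executed the 'logging trap 4' command.",
]


def parse_asa_syslog(line: str) -> Optional[dict]:
    """Parse one syslog line; return None for lines that are not ASA/PIX messages."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {
        "timestamp": m.group("ts"),
        "platform": m.group("platform"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "message_id": m.group("id"),
        "text": m.group("text"),
    }


def messages_at_trap_level(lines, trap_level: int):
    """Return the parsed messages a box configured with 'logging trap <trap_level>' would send.

    The trap level is a ceiling: every message whose severity number is <= trap_level is sent,
    so trap 4 sends emergencies through warnings and drops notifications and below.
    """
    kept = []
    for line in lines:
        msg = parse_asa_syslog(line)
        if msg is not None and msg["severity"] <= trap_level:
            kept.append(msg)
    return kept


if __name__ == "__main__":
    for level in (4, 6, 7):
        sent = messages_at_trap_level(SAMPLE_LINES, level)
        print(f"logging trap {level}: {len(sent)} of {len(SAMPLE_LINES)} lines would be sent")
        for msg in sent:
            print(f"  {msg['severity_name']:<13} {msg['message_id']} {msg['text'][:60]}")
```

For a problem like the one in this thread (an interface that silently stops answering), trap 4 keeps the link-state and error messages while dropping per-connection build/teardown noise; raise the level to 6 temporarily if you need to see individual connections.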
03-29-2007 12:10 PM
Thank you for this information. The inside interface is the only interface affected. This device is in one of our remote locations. I am able to open an ASDM session to the firewall when the inside interface goes down to reload the ASA.
03-29-2007 12:17 PM
Well, in that case you can certainly put a syslog server on the DMZ/outside. That way, when the inside interface goes down, we'll still have the corresponding logs.
hth
sushil.
03-29-2007 09:46 PM
OK, run the command "debug icmp trace" and try this:
1) Ping the inside interface of the FW from any inside machine; see if you get the request on it.
2) From the FW itself, ping its own inside interface. If you don't get a reply, it's bad hardware.
11-11-2007 02:13 PM
Did you ever find out what was wrong? I have a similar problem on my outside interface. I'm collecting logs but nothing was revealed in them that would explain it.
11-14-2007 08:52 AM
No I did not. I suspected this was an ISP issue as we did not have any problems for months after. I am not at that particular company anymore, so I don't know if it ever happened again...
11-14-2007 09:35 AM
The issue I'm having on the outside interface of my ASA 5505 is not related to the ASA, it seems. It is located in a remote site and I have contacted the ISP, who manages a Cisco 1841 router that the ASA is connected to via crossover cable. They asked us to replace the crossover cable because the router was presenting CRC errors and that is the first line of defense. That didn't do it, so I asked them to set the interface to auto from full/100 and so far we haven't had an outage, but the day is young.
12-08-2007 06:11 AM
Hi,
We are also experiencing timeouts issue when we ping the inside interface of the ASA5505 from any of the machines in the LAN. Most of the time, we can't ping the inside at all!
Did you manage to find a solution to the problem? Could it be the code? I can ping the inside interface from the firewall.
Archie
12-08-2007 11:36 AM
In my case the behavior was the same as you describe. Nothing appeared in the logs and I was stumped and thought for sure the issue was the ASA 5505.
However, I contacted the ISP who managed the router, and they indicated that the inside interface of the router was showing many CRC errors.
I asked them to configure their interface to auto/auto instead of trying to force 100/full and all was fine after that. The other choice would have been to configure my firewall to 100/full using the info from this link:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html
After the ISP set the 1841 router to auto/auto no more CRC errors and we haven't gone down again.
Good luck hope this helps.
12-08-2007 08:01 PM
Thanks for your reply.
I already tried manually setting the speed and duplex of the interfaces to auto even though by default they are set auto-negotiate.
We only had the 1841 before, where the inside interface had 10.0.0.1/24. So when we added the ASA 5505 and configured its inside interface as 10.0.0.1/24, it is possible that 10.0.0.1 was still somewhere in a cache. I changed the inside interface IP to 10.0.0.253 and the timeouts are gone, but Internet access only works up to the outside interface.
Archie
12-09-2007 03:31 PM
Hi Archie,
What license are you running on your ASA 5505? The Base license only allows 10 hosts on the inside network through the firewall. I recently had a similar problem that we didn't figure out until running packet-tracer. It showed packets were being dropped at the last step due to the host limit being reached.
Thanks,
John
12-09-2007 09:47 PM
Hi,
It's a Security Plus license. Here's the product # and description:
ASA5505-SEC-BUN-K8
ASA 5505 Sec Plus Appliance with SW, UL Users, HA, DES
K8 was upgraded to K9.
Thanks.
Archie
12-15-2007 12:58 AM
Hi,
The issue that we were facing with the ASA 5505 is resolved. We found out through the "show arp" command that hosts from the inside (LAN) were appearing on the outside interface (which should not be). The way it was connected is that the inside interface of the router, the outside interface of the ASA 5505 and a few servers were connected to the same Catalyst 3750 switch. So it's possible that the servers were leaking to the outside interface.
After directly connecting the inside of the router to the outside of the ASA5505 and clearing the arp, it started to work.
Thanks for all your help.
Regards, Archie
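The "show arp" check that resolved Archie's problem can be automated. The script below is an added example written for this page, not something from the thread or from Cisco: it parses "show arp" output (assumed layout: interface, IP, MAC, age per line, as the ASA prints it), flags any entry learned on an interface whose IP does not belong to that interface's subnet, and flags any MAC address seen on more than one interface, which is the signature of two security zones being bridged by a shared switch. The ARP table and the interface subnets below are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed layout of one ASA "show arp" line: "<interface> <ip> <mac> [<age>]",
# e.g. "        inside 10.0.0.5 0011.2233.4455 12". Header or blank lines do not match.
_ARP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?:\s+(?P<age>\d+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample: the firewall's inside is 10.0.0.0/24 and its outside is 203.0.113.0/29,
# but two inside hosts have been learned on the outside interface and one of them shows the
# same MAC on both sides, as happens when both segments share an unsegmented switch.
SAMPLE_SHOW_ARP = """\
        inside 10.0.0.5 0011.2233.4455 12
        inside 10.0.0.7 0011.2233.6677 3
        inside 10.0.0.20 00aa.bbcc.dd01 5
        outside 203.0.113.1 00aa.bbcc.dd02 2
        outside 10.0.0.7 0011.2233.6677 9
        outside 10.0.0.9 0011.2233.8899 44
"""

# Assumed interface addressing for the sample (what "show interface" / the config would give you).
INTERFACE_NETS = {
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/29"),
}


def parse_show_arp(text):
    """Turn "show arp" text into a list of {interface, ip, mac, age} entries."""
    entries = []
    for line in text.splitlines():
        m = _ARP_RE.match(line)
        if not m:
            continue  # skip headers, blank lines and anything that is not an ARP entry
        entries.append({
            "interface": m.group("iface"),
            "ip": ipaddress.ip_address(m.group("ip")),
            "mac": m.group("mac").lower(),
            "age": int(m.group("age")) if m.group("age") else None,
        })
    return entries


def find_arp_anomalies(entries, interface_nets):
    """Return a list of findings; an empty list means the ARP table looks sane.

    off-subnet: an IP learned on an interface whose configured subnet does not contain it.
    mac-on-multiple-interfaces: one MAC answering ARP on two or more interfaces, i.e. the
    segments are not actually isolated from each other.
    """
    findings = []
    macs_by_iface = defaultdict(set)
    for e in entries:
        iface = e["interface"]
        net = interface_nets.get(iface)
        if net is not None and e["ip"] not in net:
            # which interface *should* own this address, if any
            belongs_to = sorted(n for n, nw in interface_nets.items() if n != iface and e["ip"] in nw)
            findings.append({"kind": "off-subnet", "interface": iface, "ip": str(e["ip"]),
                             "mac": e["mac"], "belongs_to": belongs_to})
        macs_by_iface[e["mac"]].add(iface)
    for mac, ifaces in sorted(macs_by_iface.items()):
        if len(ifaces) > 1:
            findings.append({"kind": "mac-on-multiple-interfaces", "mac": mac,
                             "interfaces": sorted(ifaces)})
    return findings


def check_sample():
    """Run the analysis over the constructed sample table."""
    return find_arp_anomalies(parse_show_arp(SAMPLE_SHOW_ARP), INTERFACE_NETS)


if __name__ == "__main__":
    for f in check_sample():
        print(f)
```

Paste the real "show arp" output and the real interface subnets in place of the sample; any off-subnet or multi-interface hit is worth chasing before suspecting the hardware, since a single flat switch behind the outside interface (the situation Archie describes) produces exactly this pattern.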