Strange ASA problem

Unanswered Question
May 2nd, 2008

I have an ASA 5505 which is having a problem. The customer has to reboot the ASA daily to get it working. We have an IPSec tunnel running from this site to their HQ. When the problem occurs, the clients on the LAN cannot access the internet or the tunnel to HQ. The ASA is running a DHCP server. I checked the ASA when the problem occurred. No error logged. DHCPD BIND also showed leases. I checked on some LAN PCs; they did not have any IP address. They could not renew the lease, and they could not ping the inside interface of the ASA either, which they can when everything is fine. I could ping the inside interface of the ASA while logged in to the ASA, but not anything on the LAN, not even the hosts with static IPs. So it looks like the ASA loses connectivity to the LAN. I even got the LAN switch rebooted to see if that was the problem. But nothing. Things came up only after rebooting the ASA. I even got the port for the inside interface of the ASA changed on the switch. We are using only the OUTSIDE and INSIDE interfaces on the ASA. The INSIDE is connected to the LAN switch. The ASA config is attached:

srue Fri, 05/02/2008 - 06:05

Has this always been a problem?

Can you post the output of "show version"?

rkalia1 Fri, 05/02/2008 - 06:22

Yes, this has been an ongoing problem and has been there from the day the ASA was operational. Connectivity to the internet and through the IPSec tunnel are fine when the problem occurs. I can ping to the internet and even log in to the ASA through the IPSec tunnel, but there is no connectivity to the LAN. I am wondering if I have to remove the interface Vlan1 and give the IP to the physical INSIDE interface. The file for "sh version" is attached.

rkalia1 Fri, 05/02/2008 - 10:23


Is this a symptom of running out of licenses on the ASA? This ASA 5505 has a Base License of 50 users, as you can see in the "sh ver" output attached. I am not sure how many hosts there are on the LAN for this ASA. I will check and then I will know. I have read somewhere that the hosts count only when they pass traffic through the box to the internet (usually the outside) interface. Please help me on this.

rkalia1 Fri, 05/02/2008 - 11:38

I confirmed there are only 10 PCs/servers on the LAN behind the ASA 5505. So it can't be the licensing issue. Any ideas, folks? I need urgent help on this. But I have another piece of information: there is a Riverbed server (Appl Accelerator box) on the LAN. I don't know anything about this, though.

charles.harden Fri, 05/09/2008 - 14:43

Do a 'show local-host' on the ASA to check to see if it is hitting the license limit.

I have a 50 user license on one that claims it is hitting the license limit even though only 8 hosts are connected. I am wondering if there is some sort of licensing bug...

Gian Paolo Boarina Mon, 05/26/2008 - 06:52

I'm having the same problem with an ASA5505 with 50 users limited license.

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

I've tried reducing the xlate timeout from

timeout xlate 3:00:00

to

timeout xlate 0:30:00

and it seems to work for this particular installation. There are still some logs about connections denied because of host-limit, but that's acceptable for my client.

Hope it helps.

