
Strange ASA problem

rkalia1
Level 1

I have an ASA 5505 which is having a problem. The customer has to reboot the ASA daily to get it working. We have an IPSec tunnel running from this site to their HQ. When the problem occurs, the clients on the LAN cannot access the internet or the tunnel to HQ. The ASA is running a DHCP server. I checked the ASA when the problem occurred. No error was logged. DHCPD BIND also showed leases. I checked on some LAN PCs; they did not have any IP address. They could not renew the lease either, so they could not ping the inside interface of the ASA, which they can when everything is fine. I could ping the inside interface of the ASA while logged in to the ASA, but not anything on the LAN, not even the hosts with static IPs. So it looks like the ASA loses connectivity to the LAN. I even got the LAN switch rebooted to see if that was the problem, but nothing. Things came up only after rebooting the ASA. I even got the port for the inside interface of the ASA changed on the switch. We are using only the OUTSIDE and INSIDE interfaces on the ASA. The INSIDE is connected to the LAN switch. The ASA config is attached:


srue
Level 7

Has this always been a problem?

Can you post the output of "show version"?

Yes, this has been an ongoing problem and has been there from the day the ASA was operational. Connectivity to the internet and through the IPSec tunnel are fine when the problem occurs. I can ping to the internet and even log in to the ASA through the IPSec tunnel, but there is no connectivity to the LAN. I am wondering if I have to remove the interface Vlan1 and give the IP to the physical INSIDE interface. The file for "sh version" is attached.

Srue,

Is this a symptom of running out of licenses on the ASA? This ASA 5505 has a Base License of 50 users, as you can see in the "sh ver" output attached. I am not sure how many hosts there are on the LAN for this ASA. I will check and then will know. I have read somewhere that the hosts count only when they pass traffic through the box to the internet (usually the outside) interface. Please help me on this.

chickman
Level 1

Just throwing this out there, but is it possible that your tunnel is closing for some odd reason? Try to restart your tunnel before you restart the entire ASA. See if that solves the connectivity issue. If it does, you may want to look into the configuration a bit more.

I confirmed there are only 10 PCs/servers on the LAN behind the ASA 5505, so it can't be the licensing issue. Any ideas, folks? I need urgent help on this. But I have another piece of information: there is a Riverbed server (Appl Accelerator box) on the LAN. I don't know anything about this, though.

Do a 'show local-host' on the ASA to check to see if it is hitting the license limit.

I have a 50 user license on one that claims it is hitting the license limit even though only 8 hosts are connected. I am wondering if there is some sort of licensing bug...

Will try that. Thanks Charles.

I'm having the same problem with an ASA 5505 with a 50-user limited license.

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

I've tried reducing xlate timeout from

timeout xlate 3:00:00

to

timeout xlate 0:30:00

and it seems to work for this particular installation. There are still some log entries about connections denied because of the host limit, but that's acceptable for my client.

Hope it helps.
