Cisco ASA Firewall: Disappears randomly, won't respond to PING

Nov 7th, 2008

I have a Cisco ASA firewall on an Internet connection - coming through an xrio 400 ADSL bonder.


The problem is that the Cisco firewall - which has a static IP address - disappears completely after a variable amount of time and the Internet connection fails. It doesn't reply to PING requests to the public IP or to the 192.168.0.x IP address on the local LAN. The bonding device (an xrio UBM 400 which is connected on the outside of the firewall) gives an error saying that the link to the Cisco is 'incomplete' and it keeps sending ARP requests to the firewall which are not responded to. The device remains powered on all the time and I have checked all cables and replaced them.


I should say at this point that the Cisco is a new unit which was installed today to replace a Juniper Networks Netscreen firewall which demonstrated exactly the same behaviour.


I can't understand why the firewall just stops responding to PING requests - it has to be unplugged from the mains and then plugged in again in order for it to come up again. It will then PING and work correctly for a while. When it fails, I can't PING anything on the inside of the firewall but the UBM bonder continues to respond.


Any ideas about how to diagnose and fix this problem much appreciated. The only way to bring the firewall back up currently is to unplug it from the mains and then plug it back in again.


The company that manage our Internet connection are saying that there could be a loop connection in the network (to the main network switch) which is causing a storm and bringing down the firewall. I don't believe that it would stop responding altogether to PING requests in this case though, would it?


Any help would be very much appreciated.

husycisco Fri, 11/07/2008 - 14:19

Hello Evan,

I suggest connecting via console and enabling logging with the following commands:

logging on

logging console informational

And paste some logs here created during downtime.


Also, when the device has first started and pings are successful from inside, type "arp -a" on a local client's command line and see what MAC address is bound to the firewall's IP. When pings start failing, check "arp -a" again and see whether it is the same MAC address or not.


Last suggestion: on both the PIX and the corresponding device's interface (switch or ADSL router), set the port settings like duplex and speed manually and do not leave them in auto-negotiation.


Regards
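The "arp -a before and after" check above is easy to do by eye once, but when the outage window is 15 minutes to 3 hours it helps to parse the two snapshots mechanically. The following script is an added example, not code from this thread or from Cisco; it parses both Windows and Linux/macOS "arp -a" output, normalises the MAC formats, and classifies what the failing snapshot says about the firewall's LAN IP (assumed here to be 192.168.0.1). The ARP dumps embedded in it are constructed samples, not captures from the poster's network.

```python
"""Compare two 'arp -a' snapshots to see whether the MAC bound to the firewall's
IP changed between a healthy period and an outage.

Added example, not code from the thread. Sample ARP outputs below are constructed.
"""
import re
from typing import Dict, Optional

# One ARP row in either Windows form ("192.168.0.1  00-1a-2b-3c-4d-5e  dynamic")
# or Linux/macOS form ("? (192.168.0.1) at 00:1a:2b:3c:4d:5e [ether] on eth0").
# The MAC alternative also accepts "<incomplete>" so unresolved entries are kept.
_ARP_ROW = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2}|<?incomplete>?)"
)


def normalize_mac(raw: str) -> str:
    """Canonical lower-case, colon-separated, zero-padded MAC (macOS prints '0:1a:...')."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", raw))


def parse_arp_table(output: str) -> Dict[str, Optional[str]]:
    """Map each IP in an 'arp -a' dump to its MAC; None means the entry is incomplete."""
    table: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        match = _ARP_ROW.search(line)
        if not match:
            continue  # column headers, "Interface:" lines, blank lines
        mac = match.group("mac")
        table[match.group("ip")] = None if "incomplete" in mac.lower() else normalize_mac(mac)
    return table


def diagnose(healthy: Dict[str, Optional[str]],
             failing: Dict[str, Optional[str]],
             firewall_ip: str) -> str:
    """Classify what the client's ARP cache says about the firewall during the outage."""
    baseline = healthy.get(firewall_ip)
    if baseline is None:
        return "no-baseline"   # firewall was never resolved while things worked
    current = failing.get(firewall_ip)
    if current is None:
        return "unresolved"    # entry gone or incomplete: firewall not answering ARP at all
    if current == baseline:
        return "same-mac"      # same hardware still claims the IP; look at the firewall itself
    return "mac-changed"       # a different device now answers for the IP: duplicate IP / ARP conflict


# Constructed sample outputs (not captured from the poster's network).
HEALTHY_WINDOWS = """\
Interface: 192.168.0.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.0.25          00-11-22-33-44-55     dynamic
"""
FAILING_WINDOWS = """\
Interface: 192.168.0.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-de-ad-be-ef-01     dynamic
  192.168.0.25          00-11-22-33-44-55     dynamic
"""
FAILING_LINUX = """\
? (192.168.0.1) at <incomplete> on eth0
? (192.168.0.25) at 00:11:22:33:44:55 [ether] on eth0
"""
FIREWALL_IP = "192.168.0.1"  # assumed LAN address of the firewall

if __name__ == "__main__":
    healthy = parse_arp_table(HEALTHY_WINDOWS)
    for label, dump in (("windows", FAILING_WINDOWS), ("linux", FAILING_LINUX)):
        print(label, diagnose(healthy, parse_arp_table(dump), FIREWALL_IP))
```

"mac-changed" points at another device claiming the firewall's address (a duplicate IP or ARP conflict), which would explain the bonder seeing the link as "incomplete" while the firewall's own power LED stays on; "unresolved" means nothing answers ARP for that IP at all, which points at the firewall itself (interface, duplex mismatch, or a crash) and is where the console logs from the commands above become useful.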

evan-brown Fri, 11/07/2008 - 14:56

Thanks very much for your suggestions. I'll be sure to try these steps and post back.

ngotoanthang1986 Sat, 11/08/2008 - 08:46

Can I ask you some questions:

1: Did the Cisco firewall operate normally before and then malfunction, or, when you attached the new firewall to the network, could it not ping any zone?

2: If you haven't configured any command in the new firewall and it cannot ping anywhere, try the following command in global configuration mode (the last argument is the interface name: inside, outside, dmz, ...):

icmp permit any inside

and then test again.


evan-brown Sat, 11/08/2008 - 10:11

Thanks for your reply.


ICMP is already permitted through the firewall.


The Cisco firewall will work as intended for a variable period of time after being reset; this can be between 15 minutes and about three hours. Then it stops responding to PINGs, and anything inside it which I try to get to (either by PING or HTTP port 80 or whatever) is unavailable. Also, Internet access from inside the organisation stops working because the firewall isn't passing traffic through to the gateway. The only way to resolve the situation is to reset the firewall (unplug it and plug it back in).


Any help much appreciated.

husycisco Sat, 11/08/2008 - 10:23

Evan,

Any outputs from my suggestions yet?

evan-brown Sat, 11/08/2008 - 10:38

Hi husycisco,


I'm on site on Monday; the network in question is 200 miles away from me at the moment. I'll post back here with outputs when I get my hands on the system.


Thanks for your help.


Evan
