ASA 5505 losing outside interface

Compeat01
Level 1

At random times in the day our Internet will go down in the office.  So far the workaround has been to just reboot our ASA and then when it comes back up everything is fine for a little while.

When it is down, both the inside and outside interfaces are still showing as up but only internal traffic is still passing.

I have tried to replace it with a new ASA I had sitting in a box and it is still happening.

Around the time that it happened our ISP upgraded our bandwidth, but since rebooting our equipment fixes the issue they say it is our problem.

This configuration running on both of the routers has been good and working for a few years now with no major changes in the past 6 months.

Anybody familiar with this issue or have had to deal with anything similar?

Thanks.

8 Replies

Jon Marshall
Hall of Fame

Compeat01 wrote:

At random times in the day our Internet will go down in the office.  So far the workaround has been to just reboot our ASA and then when it comes back up everything is fine for a little while.

When it is down, both the inside and outside interfaces are still showing as up but only internal traffic is still passing.

I have tried to replace it with a new ASA I had sitting in a box and it is still happening.

Around the time that it happened our ISP upgraded our bandwidth, but since rebooting our equipment fixes the issue they say it is our problem.

This configuration running on both of the routers has been good and working for a few years now with no major changes in the past 6 months.

Anybody familiar with this issue or have had to deal with anything similar?

Thanks.

Harry

What do you mean by "only internal traffic is still passing" ?

When the firewall is running normally can you ping the next-hop ISP address ?

When the firewall is not responding can you ping the next-hop ISP address ?

Jon

Hi Jon,

Thanks for your reply.

When it goes down I still hit resources on the internal network: file server, internal virtual servers etc.  Only trying to get out to the internet or trying to hit our external hosted servers is where the traffic stops.

When the firewall is running I can ping the ISP address.  Haven't had a chance to do this when it is down.  I will try this and let you know.

Thanks again.

Compeat01 wrote:

Hi Jon,

Thanks for your reply.

When it goes down I still hit resources on the internal network: file server, internal virtual servers etc.  Only trying to get out to the internet or trying to hit our external hosted servers is where the traffic stops.

When the firewall is running I can ping the ISP address.  Haven't had a chance to do this when it is down.  I will try this and let you know.

Thanks again.

Harry

If you can't then it suggests there may be an issue with the ISP router. Also you may want to ping a device by IP address on the internet when the link is down if the ISP router responds.

It is a bit suspicious that this only started happening after a bandwidth upgrade.

Also have you checked resources in use on the ASA when it stops working, i.e. NAT entries; you aren't running out of NAT entries, are you?

Jon

Thanks Jon I will try that as well.  Forgive my ignorance but when you say NAT entries are you referring to the Inside Host limit?  If so it is licensed for unlimited users.

Thanks Again.

Compeat01 wrote:

Thanks Jon I will try that as well.  Forgive my ignorance but when you say NAT entries are you referring to the Inside Host limit?  If so it is licensed for unlimited users.

Thanks Again.

Harry

No, I mean each connection through the firewall uses a NAT entry. You can run out of NAT entries, in which case the firewall can no longer pass traffic for new connections. You can view the NAT table with "sh xlate". I suspect though if all connections stop working this is not your issue.

Jon

Hi Jon,

Just went down again and have some more info for you.

I can ping the ISP IP from the firewall when the internet goes down.

I cannot ping an outside address when the firewall goes down.

I did a sh xlate but am not super familiar with what to be looking at as far as output.  A sh xlate count gave: 378 in use, 964 most used.

I have a feeling I am probably going to have to end up getting back with the ISP when the connection goes down before I reboot the firewall so they can look at their equipment yet again.

Thanks for your help.

Compeat01 wrote:

Hi Jon,

Just went down again and have some more info for you.

I can ping the ISP IP from the firewall when the internet goes down.

I cannot ping an outside address when the firewall goes down.

I did a sh xlate but am not super familiar with what to be looking at as far as output.  A sh xlate count gave: 378 in use, 964 most used.

I have a feeling I am probably going to have to end up getting back with the ISP when the connection goes down before I reboot the firewall so they can look at their equipment yet again.

Thanks for your help.

Harry

378 xlate in use kind of rules out NAT translations.

If you can ping the ISP router I'm guessing the ISP will say it's working fine. Could you do a traceroute instead of a ping to an IP address on the internet, which should show how far the packets are going.

I'm assuming you tried to ping the IP on the internet from the firewall as well ?

Jon
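The checks Jon walks through above (read "sh xlate count" for translation-table pressure, ping the next hop, ping and then traceroute an address on the internet, and use the combination to decide whose side the fault is on) can be turned into a small triage script run against the CLI output captured during the next outage. The following is an added example written for this thread, not code from the thread or from Cisco; the sample outputs are constructed to match the shapes quoted above, and ASSUMED_XLATE_LIMIT is a placeholder rather than the real figure for any ASA model.

```python
import re

# Summary line of "show xlate count" as quoted in the thread,
# e.g. "378 in use, 964 most used".
XLATE_COUNT_RE = re.compile(
    r"(?P<in_use>\d+)\s+in use,\s+(?P<most_used>\d+)\s+most used")

# Generic traceroute hop line: hop number, then addresses/timings or "* * *".
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Assumed placeholder for the platform's translation-table limit; replace with
# the documented figure for the unit in use before relying on the threshold.
ASSUMED_XLATE_LIMIT = 10000

# Constructed sample outputs (not captured from the poster's firewall).
SAMPLE_XLATE_COUNT = "378 in use, 964 most used"
SAMPLE_TRACEROUTE = """\
Tracing the route to 198.51.100.10
 1  203.0.113.1 1 msec 1 msec 1 msec
 2  * * *
 3  * * *
"""


def parse_xlate_count(output: str) -> tuple[int, int]:
    """Return (in_use, most_used) from 'show xlate count' output."""
    m = XLATE_COUNT_RE.search(output)
    if m is None:
        raise ValueError(f"unrecognised xlate count output: {output!r}")
    return int(m.group("in_use")), int(m.group("most_used"))


def xlate_status(in_use: int, limit: int, warn_ratio: float = 0.9) -> str:
    """Classify translation-table usage: 'ok', 'high' or 'exhausted'."""
    if limit <= 0:
        raise ValueError("limit must be positive")
    if in_use >= limit:
        return "exhausted"
    if in_use >= warn_ratio * limit:
        return "high"
    return "ok"


def last_responding_hop(traceroute_output: str) -> int:
    """Highest hop number that answered with an address; 0 if nothing
    beyond the firewall answered. This is the 'how far the packets get'
    reading Jon asks for."""
    last = 0
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if m is None:
            continue  # header such as "Tracing the route to ..."
        if IPV4_RE.search(m.group("rest")):
            last = max(last, int(m.group("hop")))
    return last


def triage(next_hop_ok: bool, internet_ok: bool, xlate: str) -> str:
    """Map the thread's three observations onto a likely fault domain."""
    if xlate == "exhausted":
        return "firewall: translation table exhausted, new connections cannot be NATed"
    if not next_hop_ok:
        return "local link or ISP router: next hop does not answer from the firewall"
    if not internet_ok:
        return "beyond next hop: ISP router answers but traffic is not forwarded further"
    return "path up: outside connectivity works from the firewall"


def run_sample() -> str:
    """Apply the checks to the constructed samples, mirroring the poster's
    observations (next hop pingable, internet not, 378 xlates in use)."""
    in_use, most_used = parse_xlate_count(SAMPLE_XLATE_COUNT)
    status = xlate_status(in_use, ASSUMED_XLATE_LIMIT)
    hops = last_responding_hop(SAMPLE_TRACEROUTE)
    verdict = triage(next_hop_ok=True, internet_ok=False, xlate=status)
    print(f"xlate: {in_use} in use / {most_used} most used -> {status}")
    print(f"traceroute: last responding hop = {hops}")
    print(f"verdict: {verdict}")
    return verdict


if __name__ == "__main__":
    run_sample()
```

With the numbers from the thread the script reports translations as "ok" and a verdict of "beyond next hop", which is the evidence to hand the ISP: the firewall reaches their router, the trace dies one hop past it, and the NAT table is nowhere near full.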

Hi Jon,

Yes all of my pinging has been done from the firewall.  I will try a tracert next time it comes down.

Thanks Again
