ASA5505 Losing Internet Connection

sanders-jeff · ‎07-12-2010

I have a Cisco ASA5505 that is dropping it's internet connection at random times. I can clear it by cycling the power on the ASA but with our weekend VPN users this is killing us. I have a copy of the config below and would appreciate any feedback. We have one Site-to-site IPSEC VPN configured that never worked correctly (random drops). I had originally thought this was due to the WRSV4400 we used at the remote site but now wonder if it was our ASA causing the problem.

Any ideas?

: Saved
:
ASA Version 8.0(3)
!
hostname (company)
domain-name (domain).local
enable password XCKcdmYhhzzRWSOJ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 24.123.131.54 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XCKcdmYhhzzRWSOJ encrypted
boot system disk0asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.0.98
domain-name (companyname).local
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq smtp
access-list OI extended permit icmp any any echo-reply
access-list OI extended permit tcp any host 24.123.131.50 eq 3389
access-list OI extended permit tcp any host 24.123.131.51 eq www
access-list OI extended permit tcp any host 24.123.131.51 eq ftp
access-list OI extended permit tcp any host 24.123.131.53 eq www
access-list OI extended permit tcp any host 24.123.131.53 eq ftp
access-list OI remark server526.appriver.com
access-list OI extended permit tcp host 72.32.252.25 host 24.123.131.50 eq smtp
access-list OI remark server527.appriver.com
access-list OI extended permit tcp host 72.32.252.26 host 24.123.131.50 eq smtp
access-list OI remark server510.appriver.com, outbound.appriver.com
access-list OI extended permit tcp host 72.32.253.10 host 24.123.131.50 eq smtp
access-list OI remark server75.appriver.com
access-list OI extended permit tcp host 207.97.224.142 host 24.123.131.50 eq smtp
access-list OI remark server101.appriver.com
access-list OI extended permit tcp host 207.97.229.125 host 24.123.131.50 eq smtp
access-list OI remark server102.appriver.com
access-list OI extended permit tcp host 207.97.230.34 host 24.123.131.50 eq smtp
access-list OI remark server105.appriver.com
access-list OI extended permit tcp host 207.97.230.54 host 24.123.131.50 eq smtp
access-list OI remark server115.appriver.com
access-list OI extended permit tcp host 207.97.242.51 host 24.123.131.50 eq smtp
access-list OI remark server80.appriver.com
access-list OI extended permit tcp host 212.100.247.159 host 24.123.131.50 eq smtp
access-list OI remark server45.appriver.com
access-list OI extended permit tcp host 69.20.58.226 host 24.123.131.50 eq smtp
access-list OI remark server54.appriver.com
access-list OI extended permit tcp host 69.20.58.234 host 24.123.131.50 eq smtp
access-list OI remark gwlb1.appriver.com
access-list OI extended permit tcp host 69.20.60.122 host 24.123.131.50 eq smtp
access-list OI remark server55.appriver.com
access-list OI extended permit tcp host 69.20.68.133 host 24.123.131.50 eq smtp
access-list OI remark server502.appriver.com
access-list OI extended permit tcp host 72.32.252.16 host 24.123.131.50 eq smtp
access-list OI remark server120.appriver.com
access-list OI extended permit tcp host 74.205.4.52 host 24.123.131.50 eq smtp
access-list OI remark server504.appriver.com
access-list OI extended permit tcp host 72.32.252.3 host 24.123.131.50 eq smtp
access-list OI remark server505.appriver.com
access-list OI extended permit tcp host 72.32.252.4 host 24.123.131.50 eq smtp
access-list OI remark Phone system remote access
access-list OI extended permit tcp any host 24.123.131.52 eq www
access-list OI remark Phone system remote access
access-list OI extended permit tcp any host 24.123.131.52 eq 8181
access-list OI remark Phone system remote access
access-list OI extended permit tcp any host 24.123.131.52 eq 8282
access-list OI remark Phone system remtoe access
access-list OI extended permit tcp any host 24.123.131.52 eq 8888
access-list OI extended permit tcp any host 24.123.131.50 object-group DM_INLINE_TCP_1
access-list OI extended permit tcp any host 24.123.131.50 eq www
access-list OI extended permit tcp any host 24.123.131.50 eq https
access-list OI remark server7
access-list OI extended permit tcp any host 70.61.62.13 eq www
access-list OI extended permit tcp any host 70.61.62.13 eq https
access-list OI extended permit tcp any host 70.61.62.13 eq ftp
access-list OI remark server8
access-list OI extended permit tcp any host 70.61.62.14 eq www
access-list OI extended permit tcp any host 70.61.62.14 eq https
access-list OI extended permit tcp any host 70.61.62.14 eq ftp
access-list OI extended permit tcp any host 70.61.62.14 eq smtp
access-list OIded extended permit tcp any host 24.123.131.50 eq https
access-list IOI_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IOIv2_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2LNoNat extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered errors
logging trap errors
logging asdm informational
logging from-address administrator@(CompanyName).com
logging recipient-address administrator@(CompanyName).com level errors
logging host inside 10.0.0.111
logging debug-trace
logging class auth trap emergencies
logging class vpn trap emergencies
mtu inside 1500
mtu outside 1500
ip local pool IOIPOOL 10.0.1.100-10.0.1.200 mask 255.255.255.0
ip local pool IOIv2POOL 10.0.1.210-10.0.1.230 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 24.123.131.53 www 10.0.0.202 www netmask 255.255.255.255
static (inside,outside) tcp 24.123.131.53 ftp 10.0.0.99 ftp netmask 255.255.255.255
static (inside,outside) tcp 24.123.131.51 www 10.0.0.201 www netmask 255.255.255.255
static (inside,outside) tcp 24.123.131.50 www 10.0.0.98 www netmask 255.255.255.255
static (inside,outside) tcp 24.123.131.50 smtp 10.0.0.98 smtp netmask 255.255.255.255
static (inside,outside) tcp 24.123.131.50 https 10.0.0.98 https netmask 255.255.255.255
static (inside,outside) tcp 70.61.62.14 https 10.0.0.111 https netmask 255.255.255.255
static (inside,outside) tcp 70.61.62.14 ftp 10.0.0.111 ftp netmask 255.255.255.255
static (inside,outside) tcp 70.61.62.14 smtp 10.0.0.111 smtp netmask 255.255.255.255
static (inside,outside) tcp 70.61.62.14 www 10.0.0.111 www netmask 255.255.255.255
static (inside,outside) tcp 70.61.62.13 www 10.0.0.36 www netmask 255.255.255.255
static (inside,outside) tcp 70.61.62.13 https 10.0.0.36 https netmask 255.255.255.255
static (inside,outside) tcp 70.61.62.13 ftp 10.0.0.36 ftp netmask 255.255.255.255
static (inside,outside) tcp 24.123.131.50 3389 10.0.0.98 3389 netmask 255.255.255.255
static (inside,outside) 24.123.131.52 10.0.0.231 netmask 255.255.255.255
access-group OI in interface outside
route outside 0.0.0.0 0.0.0.0 24.123.131.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IOI protocol radius
aaa-server IOI host 10.0.0.98
key ioi
radius-common-pw (password)
aaa authentication ssh console IOI
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
snmp-server host inside 10.0.0.159 community private
no snmp-server location
no snmp-server contact
snmp-server community private
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 70.90.180.254
crypto map outside_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd address 10.0.0.2-10.0.0.254 inside
!

threat-detection basic-threat
threat-detection statistics
ntp server 192.5.41.40
webvpn
enable outside
svc image disk0anyconnect-win-2.4.0202-k9.pkg 1
svc image disk0anyconnect-macosx-i386-2.4.0202-k9.pkg 2
svc image disk0anyconnect-linux-2.4.0202-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy IOIv3 internal
group-policy IOIv3 attributes
wins-server value 10.0.0.98
dns-server value 10.0.0.98
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IOI_splitTunnelAcl
default-domain value avery.local
group-policy IOIv2 internal
group-policy IOIv2 attributes
dns-server value 10.0.0.98
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IOIv2_splitTunnelAcl
webvpn
url-list none
svc ask enable
group-policy IOI internal
group-policy IOI attributes
dns-server value 10.0.0.98
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IOI_splitTunnelAcl
default-domain value avery.local
username administrator password RB6I41AFhttjIePD encrypted privilege 15
username gatestone password nS0NIbkHFVeA8XPR encrypted privilege 15
username gatestone attributes
vpn-group-policy IOI
username mswanson password yVcXDK7MjOha6tg8 encrypted privilege 15
username mswanson attributes
vpn-group-policy IOI
tunnel-group IOI type remote-access
tunnel-group IOI general-attributes
address-pool IOIPOOL
authentication-server-group IOI
default-group-policy IOI
tunnel-group IOI ipsec-attributes
pre-shared-key *
tunnel-group IOIv2 type remote-access
tunnel-group IOIv2 general-attributes
address-pool IOIv2POOL
authentication-server-group IOI
default-group-policy IOIv2
tunnel-group IOIv2 ipsec-attributes
pre-shared-key *
tunnel-group IOISSL type remote-access
tunnel-group IOISSL general-attributes
address-pool IOIv2POOL
authentication-server-group IOI
default-group-policy IOIv2
tunnel-group IOISSL webvpn-attributes
group-alias (CompanyName) enable
tunnel-group IOIv3 type remote-access
tunnel-group IOIv3 general-attributes
address-pool IOIPOOL
authentication-server-group IOI
default-group-policy IOIv3
tunnel-group IOIv3 ipsec-attributes
pre-shared-key *
tunnel-group 70.90.180.254 type ipsec-l2l
tunnel-group 70.90.180.254 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e32c51e1970c75f865cb0b0dda58295
: end

Nagaraja Thanthry · ‎07-12-2010

Hello,

The connection drops could be for many reasons. Some of the probable causes are High CPU/memory utilization on the firewall, interface issues, and ISP issues. The best way to troubleshoot this issue is to narrow down the root cause. When it happens next time, please try the following:

Step 1:Console into the firewall and make sure that it is accessible. Check the memory/cpu utilization (show memory/show cpu)

Step 2: Ping the inside interface of the firewall. If this fails, then the issue could be with the firewall inside interface. Change the cable for the inside interface (to the switch or the host), switch the ports and see if the issue resolves itself.

Step 3: If the above two steps check out, then from the firewall, ping your default gateway. If you do not get a reply, bounce the outside interface (physical interface) and see if that helps.

The above excercise should help you narrow down to the root cause of the problem. If one of the first two steps fail, you might have to contact Cisco Tech Support and have them work on the issue. If the third step fails, then contact your ISP and have them look at their router to see if they have proper ARP settings. If needed, have them configure static ARP entry for your firewall.

Hope this helps.

Regards,

NT