Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

ASA 5505 losing outside interface

At random times in the day our Internet will go down in the office.  So far the workaround has been to just reboot our ASA and then when it comes back up everything is fine for a little while.

When it is down, both the inside and outside interfaces are still showing as up but only internal traffic is still passing.

I have tried to replace it with a new ASA I had sitting in a box and it is still happening.

Around the time that it happend our ISP upgraded our bandwidth, but since rebooting our equipment fixes the issue they say it is our problem.

This configuration running on both of the routers has been good and working for a few years now with no major changes in the past 6 months.

Anybody have familiar with this issue or have had to deal with anything similar?

Thanks.

8 REPLIES
Hall of Fame Super Blue

Re: ASA 5505 losing outside interface

Compeat01 wrote:

At random times in the day our Internet will go down in the office.  So far the workaround has been to just reboot our ASA and then when it comes back up everything is fine for a little while.

When it is down, both the inside and outside interfaces are still showing as up but only internal traffic is still passing.

I have tried to replace it with a new ASA I had sitting in a box and it is still happening.

Around the time that it happend our ISP upgraded our bandwidth, but since rebooting our equipment fixes the issue they say it is our problem.

This configuration running on both of the routers has been good and working for a few years now with no major changes in the past 6 months.

Anybody have familiar with this issue or have had to deal with anything similar?

Thanks.

Harry

What do you mean by "only internal traffic is still passing" ?

When the firewall is running normally can you ping the next-hop ISP address ?

When the firewall is not responding can you ping the next-hop ISP address ?

Jon

New Member

Re: ASA 5505 losing outside interface

Hi Jon,

Thanks for your reply.

When it goes down I still hit resources on the internal network: file server, internal virtual servers etc.  Only trying to get out to the internet or trying to hit our external hosted servers is where the traffic stops.

When the firewall is running I can ping the ISP address.  Haven't had a chance to do this when it is down.  I will try this and let you know.

Thanks again.

Hall of Fame Super Blue

Re: ASA 5505 losing outside interface

Compeat01 wrote:

Hi Jon,

Thanks for your reply.

When it goes down I still hit resources on the internal network: file server, internal virtual servers etc.  Only trying to get out to the internet or trying to hit our external hosted servers is where the traffic stops.

When the firewall is running I can ping the ISP address.  Haven't had a chance to do this when it is down.  I will try this and let you know.

Thanks again.

Harry

If you can't then it suggests there may be an issue with the ISP router. Also you may want to ping a device by IP address on the internet when the link is down if the ISP router responds.

It is a bit suspicious that this only started happening after a bandwidth upgrade.

Also have you checked resources in use on the ASA when it stops working ie. NAT entries, you aren't running out of NAT entries are you ?

Jon

New Member

Re: ASA 5505 losing outside interface

Thanks Jon I will try that as well.  Forgive my ignorance but when you say NAT entries are you referring to the Inside Host limit?  If so it is licensed for unlimited users.

Thanks Again.

Hall of Fame Super Blue

Re: ASA 5505 losing outside interface

Compeat01 wrote:

Thanks Jon I will try that as well.  Forgive my ignorance but when you say NAT entries are you referring to the Inside Host limit?  If so it is licensed for unlimited users.

Thanks Again.

Harry

No, i mean each connection through the firewall uses a NAT entry. You can run out of NAT entries in which case the firewall can no longer pass traffic for new connections. You can view the NAT table with "sh xlate". I suspect though if all connections stop working this is not your issue.

Jon

New Member

Re: ASA 5505 losing outside interface

Hi Jon,

Just went down again and have some more info for you.

I can ping the ISP IP from the firewall when the internet goes down.

I cannot ping an outside address when the firewall goes down.

I did a sh xlate but am not super familiar with what to be looking at as far as output.  A sh xlate count gave: 378 in use, 964 most used.

I have a feeling I am probably going to have to end up getting back with the ISP when the connection goes down before I reboot the firewall so they can look at their equipment yet again.

Thanks for your help.

Hall of Fame Super Blue

Re: ASA 5505 losing outside interface

Compeat01 wrote:

Hi Jon,

Just went down again and have some more info for you.

I can ping the ISP IP from the firewall when the internet goes down.

I cannot ping an outside address when the firewall goes down.

I did a sh xlate but am not super familiar with what to be looking at as far as output.  A sh xlate count gave: 378 in use, 964 most used.

I have a feeling I am probably going to have to end up getting back with the ISP when the connection goes down before I reboot the firewall so they can look at their equipment yet again.

Thanks for your help.

Harry

378 xlate in use kind of rules out NAT translations.

If you can ping the ISP router i'm guessing the ISP will say it's working fine. Could you do a traceroute instead of a ping to an IP address on the internet which should show how far the packets are going.

I'm assuming you tried to ping the IP on the internet from the firewall as well ?

Jon

New Member

Re: ASA 5505 losing outside interface

Hi Jon,

Yes all of my pinging has been done from the firewall.  I will try a tracert next time it comes down.

Thanks Again

653
Views
0
Helpful
8
Replies
CreatePlease to create content