I've been having occurrences of my ASA's 'outside' interface become inaccessible from the internet side. AnyConnect users that are logged in get kicked out ... can't ping to the IP address ... can't ssh into the ASA. Internally, I can ping the IP address and I can ssh into the ASA.
The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM. To get the 'outside' interface working again, I would have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.
Any ideas why the lockouts are occurring? Is it possible my ISP is shutting down the IP?
Below are the configs for the ASA:
enable password IqUJj3NwPkd63BO9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name 10.0.1.0 Net-10
name 192.168.1.20 dbserver
switchport access vlan 2
switchport access vlan 3
ip address 192.168.1.98 255.255.255.0
ip address xxx.xxx.xxx.43 255.255.255.0
ip address 192.168.5.1 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0
access-list outside_access_in extended permit ip host Mac any
pager lines 24
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
It seems to me that traffic flows normally through the ASA when the problem with the VPN connections exists since you can get a remote connection to one of the hosts behind the ASA. Your ASA also seems to only have the single IP address that your external interface holds so it seems there is no problem forwarding traffic from your device to ISP and back from the ISP to your device.
I would probably troubleshoot the situation when the problem is on since you can actually get to the ASA.
You could start by monitoring the logs for what happens to the ICMP and VPN connection attempts. If there are no logs of these happening you might have to resort to capturing traffic on the ASA itself to confirm what is actually arriving at the ASA's external interface from the Internet.
Might also be a good idea to start sending logs from the ASA to an internal host. It can just be a normal PC host running some free software. You could then check later if the ASA has sent anything to the server that might hint at what the problem is.
Has this been a problem since you started using the ASA or has it started after a longer period of the setup working normally?
This problem has started since we implemented the ASA (about 5 months ago). There are days where VPN connections work fine -- no lockout and stays up. And there are days where availability is down during one of those times I listed in the original post.
Typically, when the lockout occurs the VPN user contacts me and I log in using TeamViewer to check the ASA logs before rebooting it. Although vlan 2 (outside) is up, nothing is logged from the external side ... only things from internal.
I like your idea of sending logs to an internal PC; that way I can capture whatever happens at the time the external interface becomes unavailable. Can you tell me what software to use on the PC and the ASA command to forward the logs?
I guess if you want to temporarily set up software to receive the logs on some computer you could even use Tftpd (you will find it easily through a Google search). The same software can be used for multiple different purposes.
I sometimes use it personally when testing different stuff on my home ASA.
It naturally isn't a real option if you actually set up a separate Syslog server.
You wouldn't really need to add much to your logging configuration:
logging device-id hostname
logging trap informational
Where is the name of the interface behind which the server is and the is naturally the IP address of the server.
Though the above would generate a lot of logging.
I am not even 100% sure it would log anything when you are facing the problem.
Best would be to also troubleshoot while the problem is there.
Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet which enables you to have a remote connection to the host?
If this is so it makes it a weird problem, as the ASA and your ISP can clearly pass traffic to and from your network since that remote connection is working even if there are other problems.
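An example of the receiving side for the logging suggestion above, added here and not posted by anyone in this thread: a small Python UDP syslog listener that appends every datagram from the ASA to a file and parses the %ASA-severity-id tag, so that messages mentioning the 'outside' interface stand out when the lockout happens. It assumes the ASA has been pointed at the PC with a logging host line (UDP port 514 is the ASA's default); the sample lines, the hostname 'asa-fw', the user and group names and the addresses embedded in it are constructed for the demonstration and are not from this thread.

```python
import re
import socket
import sys
from collections import Counter

# Cisco ASA message tag: %ASA-<severity>-<six-digit id>: <text>
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")
# RFC 3164 priority at the start of the datagram: <facility*8 + severity>
PRI = re.compile(r"^<(?P<pri>\d{1,3})>")

# ASA severity levels as named in 'logging trap <level>'.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample datagrams in the shape an ASA emits with
# 'logging device-id hostname'. Hostname, users and addresses are made up.
SAMPLE_LINES = [
    "<166>asa-fw : %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:192.168.1.20/3389 "
    "(192.0.2.43/3389)",
    "<165>asa-fw : %ASA-5-111008: User 'admin' executed the 'logging trap "
    "informational' command.",
    "<164>asa-fw : %ASA-4-113019: Group = RemoteAccess, Username = jdoe, "
    "IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: "
    "1h:02m:11s, Bytes xmt: 1234, Bytes rcv: 5678, Reason: Lost Service",
    "<166>asa-fw : %ASA-6-302014: Teardown TCP connection 12345 for "
    "outside:203.0.113.10/51234 to inside:192.168.1.20/3389 duration 0:00:05 "
    "bytes 1234 TCP FINs",
]


def parse_asa_syslog(line):
    """Return facility, severity, message id and text for an ASA line, else None."""
    m = ASA_TAG.search(line)
    if not m:
        return None
    pri = PRI.match(line)
    prival = int(pri.group("pri")) if pri else None
    return {
        "facility": prival // 8 if prival is not None else None,
        "severity": int(m.group("sev")),
        "id": m.group("id"),
        "text": m.group("text").strip(),
    }


def summarize(lines, interface="outside"):
    """Count messages per ASA id and collect those whose text names the interface."""
    by_id = Counter()
    mentioning = []
    for line in lines:
        rec = parse_asa_syslog(line)
        if rec is None:
            continue  # not an ASA message (or a truncated datagram)
        by_id[rec["id"]] += 1
        if interface in rec["text"]:
            mentioning.append(rec)
    return by_id, mentioning


def serve(bind_addr="0.0.0.0", port=514, log_file="asa-syslog.log", interface="outside"):
    """Receive UDP syslog, keep every datagram on disk, echo interface-related ones."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(log_file, "a") as out:
        while True:
            data, (src, _) = sock.recvfrom(8192)
            line = data.decode("utf-8", errors="replace").rstrip("\n")
            out.write(line + "\n")
            out.flush()  # so the file is complete even if the PC is rebooted
            rec = parse_asa_syslog(line)
            if rec and interface in rec["text"]:
                sev = SEVERITY_NAMES.get(rec["severity"], "?")
                print(f"{src} {sev} {rec['id']} {rec['text']}")


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--listen":
        serve()
    else:  # offline demonstration over the constructed samples
        counts, hits = summarize(SAMPLE_LINES)
        for msg_id, n in counts.most_common():
            print(f"{msg_id}: {n}")
        for rec in hits:
            print(f"{SEVERITY_NAMES[rec['severity']]} {rec['id']} {rec['text']}")
```

Run it with --listen on the PC that the ASA's logging host line points at (binding port 514 needs administrator rights; otherwise pick a high port here and configure the same port on the ASA); without arguments it only walks the constructed samples. Keeping the raw file separate from the filtered console output means that, the next time the VPN users are dropped, the full sequence of connection builds, teardowns and session disconnects around that minute is still on disk to compare against the times listed in the original post.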