
ASA 5505: Outside Interface Becomes Inaccessible

Greetings --

I've been having occurrences of my ASA's 'outside' interface becoming inaccessible from the internet side.  AnyConnect users that are logged in get kicked out ... can't ping the IP address ... can't ssh into the ASA.  Internally, I can ping the IP address and I can ssh into the ASA.

The 'lockout' typically occurs around 1PM, 7:30PM, and 10:30PM.  To get the 'outside' interface working again, I would have to log into a host machine on the LAN (via TeamViewer) and then ssh into the ASA and reboot.

Any ideas why the lockouts are occurring?  Is it possible my ISP is shutting down the IP?

Below is the config of the ASA:

hostname psa-asa

enable password IqUJj3NwPkd63BO9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.0.1.0 Net-10

name 192.168.1.20 dbserver

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.98 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xxx.xxx.xxx.43 255.255.255.0

!

interface Vlan3

no nameif

security-level 50

ip address 192.168.5.1 255.255.255.0

!

ftp mode passive

object-group service RDP tcp

port-object eq 3389

access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224

access-list inside_nat0_outbound extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list Split_Tunnel_List standard permit Net-10 255.255.255.224

access-list outside_1_cryptomap extended permit ip host chewieOP-host Net-LabCorp 255.255.255.0

access-list outside_access_in extended permit ip host Mac any

pager lines 24

logging enable

logging timestamp

logging monitor errors

logging history errors

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 10 interface

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 10 access-list vpn_nat_inside outside

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.41 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 162.134.70.20

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=pas-asa.null

keypair pasvpnkey

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate fecf8751

    308202da 308201c2 a0030201 020204fe cf875130 0d06092a 864886f7 0d010105

    0500302f 31153013 06035504 03130c70 61732d61 73612e6e 756c6c31 16301406

    092a8648 86f70d01 09021607 7061732d 61736130 1e170d31 33303530 36323134

    3131365a 170d3233 30353034 32313431 31365a30 2f311530 13060355 0403130c

    7061732d 6173612e 6e756c6c 31163014 06092a86 4886f70d 01090216 07706173

    2d617361 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a

    02820101 00dc6f5c 584be603 1219ad4a 43085a97 b8fd7e33 c887933d 1b46dbca

    deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c15 a9447e1e 8ba749cb

    61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2

    86870084 25c035e4 ea9ab8ae 8b664464 40305c4d e40dd774 506f6c0a 6f4ca4d1

    0c81d2dd bcdc8393 3f4fbcba 1b477d45 502063b8 af862bdf 50499615 7b9dac1b

    67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd 71ca9310 e5ad6cba 999ae711

    c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83

    6379a040 90469661 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024

    a32a1003 af020301 0001300d 06092a86 4886f70d 01010505 00038201 010084b1

    62698729 c96aeec0 4e65cace 395b9053 62909905 e6f2e325 df31fbeb 8d767c74

    434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53

    f1d715b9 89da338b f5ac9726 34520055 2de50629 55d1fcc5 f59c1271 ad14cd7e

    14adc454 f9072744 bf66ffb5 20c04069 375b858c 723999f8 5cc2ae38 4bb4013a

    2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff

    6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0

    f08b2946 be8e04d7 9d15ef96 2e511fc5 33987858 804c402b 46a7b473 429a1936

    681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d

  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

vpn-sessiondb max-session-limit 10

telnet timeout 5

ssh 192.168.1.100 255.255.255.255 inside

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

dhcpd auto_config inside

!

dhcpd address 192.168.1.222-192.168.1.223 inside

dhcpd dns 64.238.96.12 66.180.96.12 interface inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect-essentials

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

svc enable

tunnel-group-list enable

group-policy SSLClientPolicy internal

group-policy SSLClientPolicy attributes

wins-server none

dns-server value 64.238.96.12 66.180.96.12

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

ipv6-vpn-filter none

vpn-tunnel-protocol svc

group-lock value PSA-SSL-VPN

default-domain none

vlan none

nac-settings none

webvpn

  svc mtu 1200

  svc keepalive 60

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression none

group-policy DfltGrpPolicy attributes

dns-server value 64.238.96.12 66.180.96.12

vpn-tunnel-protocol IPSec svc webvpn

username user1 password ks88YmM0AaUUmhfU encrypted privilege 0

username user1 attributes

vpn-group-policy SSLClientPolicy

service-type remote-access

username user2 password 1w1.F5oqiDOWdcll encrypted privilege 0

username user2 attributes

vpn-group-policy SSLClientPolicy

service-type remote-access

username user3 password lQ8frBN8p.5fQvth encrypted privilege 15

username user4 password w4USQXpU8Wj/RFt8 encrypted privilege 15

username user4 attributes

vpn-group-policy SSLClientPolicy

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

service-type admin

username user5 password PElMTjYTU7c1sXWr encrypted privilege 0

username user5 attributes

vpn-group-policy SSLClientPolicy

service-type remote-access

username user6 password /zt/9z7XUifQbEsA encrypted privilege 0

username user6 attributes

vpn-group-policy SSLClientPolicy

service-type remote-access

username user7 password aEGh.k89043.2NUa encrypted privilege 0

username user7 attributes

vpn-group-policy SSLClientPolicy

service-type remote-access

tunnel-group DefaultRAGroup general-attributes

address-pool SSLClientPool-10

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group PSA-SSL-VPN type remote-access

tunnel-group PSA-SSL-VPN general-attributes

address-pool SSLClientPool-10

default-group-policy SSLClientPolicy

tunnel-group PSA-SSL-VPN webvpn-attributes

group-alias PSA_VPN enable

group-url https://xxx.xxx.xxx.43/PSA_VPN enable

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpnclient

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:2298b0ae64f8ff7a5e25d97fe3f02841

3 REPLIES
Super Bronze

ASA 5505: Outside Interface Becomes Inaccessible

Hi,

It seems to me that traffic flows normally through the ASA when the problem with the VPN connections exists, since you can get a remote connection to one of the hosts behind the ASA. Your ASA also seems to only have the single IP address that your external interface holds, so it seems there is no problem forwarding traffic from your device to the ISP and back from the ISP to your device.

I would probably troubleshoot the situation while the problem is on, since you can actually get to the ASA.

You could start by monitoring the logs to see what happens to the ICMP and VPN connection attempts. If there are no logs of these happening, you might have to resort to capturing traffic on the ASA itself to confirm what is actually arriving at the ASA's external interface from the Internet.

It might also be a good idea to start sending logs from the ASA to an internal host. It can just be a normal PC host running some free software. You could then check later whether the ASA has sent anything to the server that might hint at what the problem is.

Has this been a problem since you started using the ASA or has it started after a longer period of the setup working normally?

- Jouni

New Member

ASA 5505: Outside Interface Becomes Inaccessible

Hi Jouni-

This problem has been occurring since we implemented the ASA (about 5 months ago).  There are days when VPN connections work fine -- no lockout, and they stay up.  And there are days when availability is down during one of the times I listed in the original post.

Typically, when the lockout occurs, the VPN user contacts me and I log in using TeamViewer to check the ASA logs before rebooting it.  Although vlan 2 (outside) is up, nothing is logged from the external side ... only things from the internal side.

I like your idea of sending logs to an internal PC; that way I can capture whatever happens at the time the external interface becomes unavailable.  Can you tell me what software to use on the PC and the ASA command to forward the logs?

Thanks!

Super Bronze

ASA 5505: Outside Interface Becomes Inaccessible

Hi,

I guess if you want to temporarily set up some software to receive the logs on some computer, you could even use Tftpd (you will find it easily through a Google search). The same software can be used for multiple different purposes.

I sometimes use it personally when testing different stuff on my home ASA.

It naturally isn't a real option if you actually set up a separate Syslog server.

You wouldn't really need to add much to your logging configuration:

logging device-id hostname

logging trap informational

logging host <interface_name> <server_ip>

Where <interface_name> is the name of the interface behind which the server is and <server_ip> is naturally the IP address of the server.

Though the above would generate a lot of logging.

I am not even 100% sure it would log anything when you are facing the problem.

Best would be to also troubleshoot while the problem is there.

Can you confirm that you use the Internet connection through the ASA when you are accessing the internal host behind the ASA? I assume that the host connects from the LAN to the Internet, which enables you to have a remote connection to the host?

If this is so, it makes it a weird problem, as the ASA and your ISP can clearly pass traffic to and from your network since that remote connection is working even if there are other problems.

- Jouni
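A small syslog receiver for the internal PC, added here as an example; it is not part of the thread and is neither Cisco's nor the poster's code. It serves both suggestions in the replies above: receiving what the ASA sends once the three logging lines are in place, and then triaging the messages for the link-state, VPN-session, flow, deny and management-login events that bear on ICMP and AnyConnect reachability from the outside. It assumes the receiving host is 192.168.1.100 on the inside interface (an assumed address, taken from the ssh permit in the posted config) and that the ASA is set to "logging host inside 192.168.1.100". The message IDs in WATCH are standard ASA syslog IDs; the sample lines are constructed for the example and the addresses in them are documentation ranges, not the poster's.

```python
"""Syslog receiver and triage for Cisco ASA messages.

Added example for this thread; not Cisco's code and not the poster's.
It assumes the ASA carries the three logging lines from the reply above,
with the receiving PC at 192.168.1.100 on the inside interface (assumed):
    logging device-id hostname
    logging trap informational
    logging host inside 192.168.1.100
The SAMPLE messages are constructed; their addresses are documentation ranges.
"""
import re
import socket
from collections import Counter

# An ASA message reads "%ASA-<severity>-<six-digit id>: <text>", normally
# preceded by a timestamp and, with "logging device-id hostname", the hostname.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<mid>\d{6}):\s*(?P<text>.*)")
# Optional syslog PRI, then "Mon DD [YYYY] HH:MM:SS".
TS_RE = re.compile(r"(?:<\d+>)?\s*(\w{3}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2})")

# Message IDs that bear on "the outside interface stops answering":
# link state, remote-access VPN sessions, built flows, denies, admin logins.
WATCH = {
    "411001": ("interface line protocol up", "link"),
    "411002": ("interface line protocol down", "link"),
    "113039": ("AnyConnect session started", "vpn"),
    "113019": ("VPN session disconnected", "vpn"),
    "302013": ("TCP connection built", "flow"),
    "302015": ("UDP connection built", "flow"),
    "302020": ("ICMP connection built", "flow"),
    "106015": ("TCP denied, no matching connection", "deny"),
    "106023": ("denied by access-group", "deny"),
    "605004": ("management login denied", "mgmt"),
    "605005": ("management login permitted", "mgmt"),
}


def parse(line):
    """Decode one syslog line; return None if it is not an ASA message."""
    m = ASA_RE.search(line)
    if m is None:
        return None
    label, category = WATCH.get(m.group("mid"), ("unwatched", "other"))
    ts = TS_RE.match(line)
    return {
        "time": ts.group(1) if ts else None,
        "severity": int(m.group("sev")),
        "id": m.group("mid"),
        "label": label,
        "category": category,
        "text": m.group("text"),
    }


def triage(lines):
    """Count messages per category and return, in logged order, the link
    and VPN events that speak directly to a lockout."""
    counts = Counter()
    lockout_events = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not an ASA message (noise, other devices)
        counts[rec["category"]] += 1
        if rec["category"] in ("link", "vpn"):
            lockout_events.append(rec)
    return counts, lockout_events


def serve(bind="0.0.0.0", port=514, max_messages=None):
    """Receive UDP syslog from the ASA and yield decoded lines. Binding 514
    needs administrator/root rights; a high port also works if the ASA is
    told "logging host inside 192.168.1.100 udp/5514" (assumed values)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    received = 0
    while max_messages is None or received < max_messages:
        data, _ = sock.recvfrom(8192)
        received += 1
        yield data.decode("utf-8", errors="replace").rstrip("\r\n")


SAMPLE = [  # constructed lines in ASA syslog format, not from the poster's ASA
    "Jun 03 2013 12:58:41 psa-asa : %ASA-6-113039: Group <SSLClientPolicy> User <user1> IP <198.51.100.7> AnyConnect parent session started.",
    "Jun 03 2013 12:59:10 psa-asa : %ASA-6-302020: Built inbound ICMP connection for faddr 198.51.100.7/0 gaddr 203.0.113.43/0 laddr 203.0.113.43/0",
    "Jun 03 2013 13:01:02 psa-asa : %ASA-4-113019: Group = PSA-SSL-VPN, Username = user1, IP = 198.51.100.7, Session disconnected. Session Type: SSL, Duration: 0h:23m:11s, Reason: Lost Service",
    "Jun 03 2013 13:01:05 psa-asa : %ASA-4-411002: Line protocol on Interface outside, changed state to down",
    "Jun 03 2013 13:01:06 psa-asa : %ASA-6-302016: Teardown UDP connection 4700 for outside:198.51.100.53/53 to inside:192.168.1.20/55123 duration 0:00:01 bytes 140",
    "Jun 03 2013 13:01:07 psa-asa : %ASA-6-302013: Built inbound TCP connection 4711 for inside:192.168.1.100/50123 (192.168.1.100/50123) to identity:192.168.1.98/22 (192.168.1.98/22)",
    'Jun 03 2013 13:01:09 psa-asa : %ASA-6-605005: Login permitted from 192.168.1.100/50123 to inside:192.168.1.98/ssh for user "user4"',
    "this line is not an ASA message and is skipped",
]


if __name__ == "__main__":
    import sys
    # "--listen" receives from the ASA; without it the constructed sample runs.
    source = serve(port=5514, max_messages=500) if "--listen" in sys.argv else SAMPLE
    counts, events = triage(source)
    print(dict(counts))
    for rec in events:
        print(rec["time"], rec["id"], rec["label"], "|", rec["text"][:60])
```

Run it with --listen on the PC while a lockout is in progress and compare the timestamps of the link and VPN events against the 1PM / 7:30PM / 10:30PM pattern. An empty outside picture while inside management logins keep arriving is itself a data point: it means the packets never reached the ASA's inspection path, which narrows the problem to the outside link, the upstream path or the interface itself rather than to ACL or VPN policy.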
