topic Re: ASA External Interface Lease renewal ? in Network Security

ASA External Interface Lease renewal ?

HumptyD-UK — Wed, 07 Jan 2026 12:02:24 GMT

Hi folks,

We have a ASA on 9.12(4)67.

There is an ONT that is connected on the external interface and we use DHCP to retrieve our IP and gateway etc. for out internet connection.

If this interface drops and then recovers (ONT is in a different room which is not UPS maintained.) I can see we still have an IP number and gateway, but routing stops.. and thus, so dose any remote access.

I've found that if we then renew the lease via ADSM, routing is then refreshed? and passes traffic.
(this is a pain because I normally work remotely as the ASA is a 30 min drive away.)

If this is known feature, can it be mitigated in any way to force a complete lease renewal, perhaps with a script responding to loss of ping to the remote gateway?

With Thanks

Re: ASA External Interface Lease renewal ?

Cristian Matei — Wed, 07 Jan 2026 12:19:36 GMT

Hi,

I'd first need to understand the exact conditions. When the event happens, the ASA interface goes DOWN or remains in UP state? When you renew the lease after the event to fix it, do you get a different IP address than you previously had before the event happened, or is it the same? When the event happens, from ASA CLI, what is the output of show interface ip brief and show route, do you still have an IP address on the interface and the default route installed in RIB?

Thanks,

Cristian.

Re: ASA External Interface Lease renewal ?

HumptyD-UK — Wed, 07 Jan 2026 14:48:25 GMT

Hello,

Here's some example syslogs.

2025-11-19 03:40:12 Gig-0/5-External <IP> ifAdminStatus: down -> up System
2025-11-19 03:40:12 Gig-0/5-External <IP> ifOperStatus: down -> up System
2025-11-19 03:35:10 Gig-0/5-External <IP> ifAdminStatus: up -> down System
2025-11-19 03:35:10 Gig-0/5-External <IP> ifOperStatus: up -> down

2025-11-19 03:39:07 warning <IP> Nov 19 03:39:34 GMT/BST: %ASA--4-411001: Line protocol on Interface GigabitEthernet0/5, changed state to up warning
2025-11-19 03:39:03 warning <IP> Nov 19 03:39:30 GMT/BST: %ASA--4-411002: Line protocol on Interface GigabitEthernet0/5, changed state to down warning
2025-11-19 03:38:55 warning <IP> Nov 19 03:39:22 GMT/BST: %ASA--4-411001: Line protocol on Interface GigabitEthernet0/5, changed state to up warning
2025-11-19 03:38:51 warning <IP> Nov 19 2025 03:39:18: %ASA--4-411002: Line protocol on Interface GigabitEthernet0/5, changed state to down warning
2025-11-19 03:38:49 warning <IP> Nov 19 03:39:16 GMT/BST: %ASA--4-411001: Line protocol on Interface GigabitEthernet0/5, changed state to up warning
2025-11-19 03:34:51 warning <IP> Nov 19 03:35:18 GMT/BST: %ASA--4-411002: Line protocol on Interface GigabitEthernet0/5, changed state to down warning.

the sh ip bri, shows our external IP number on the external if but don't have a full output on record atm.

S* 0.0.0.0 0.0.0.0 [1/0] via <extenral gw ip>, Gig-0/5-External
C <internal> .0 255.255.255.0 is directly connected, Gig-0/0-Internal-0
L <internal> .2 255.255.255.255 is directly connected, Gig-0/0-Internal-0
C <internal> .4.0 255.255.255.0 is directly connected, Gig-0/4-Wifi
L <internal> .4.1 255.255.255.255 is directly connected, Gig-0/4-Wifi
C <external subnet>.0 255.255.255.0 is directly connected, Gig-0/5-External
L <external ip> 255.255.255.255
is directly connected, Gig-0/5-External

interface GigabitEthernet0/5
nameif Gig-0/5-External
security-level 0
ip address dhcp setroute

Many Thanks

Mark

Re: ASA External Interface Lease renewal ?

Cristian Matei — Wed, 07 Jan 2026 21:26:37 GMT

Hi,

Unfortunately, you didn't answer my questions. You provided some log, however I don't want to assume what it might mean, I need to tie the logs to the sequence of events.

1. When the event happens, the ASA interface goes DOWN or remains in UP state? The event means, you loose Internet access, not you disabling and enabling the interface.

2. When you renew the lease after the event to fix it, do you get a different IP address than you previously had before the event happened, or is it the same?

3. When the event happens, from ASA CLI, what is the output of show interface ip brief and show route, do you still have an IP address on the interface and the default route installed in RIB?

Thanks,

Cristian.

Re: ASA External Interface Lease renewal ?

HumptyD-UK — Thu, 08 Jan 2026 09:56:39 GMT

Hi Again,

1) We loose internet access. The interface goes down, then returns to up as connection is regained to the ONT.
(The ONT is not on a UPS, so if there is a power interruption, it has to re-initialise. Hence the interface going DOWN-UP. The ASA is on a UPS.)

2) The IP number remains the same.

3) yes, we still have an IP number on the interface, and default route.
sh route as above
sh ip int bri as above.

Many thanks

Mark

Re: ASA External Interface Lease renewal ?

Cristian Matei — Thu, 08 Jan 2026 11:20:09 GMT

Hi,

That's weird, as far as if the interface goes down, upon interface coming back UP, it initiates the DHCP DORA process gain, thus it communicates with remote side, you're saying the IP is preserved, so it should work. I suggest to perform the following actions:

1. Upgrade to 9.14(4)24, to maybe fix a bug on the ASA.

2. If above doesn't fix it or for whatever reason you can't perform an upgrade, use an EEM script to automatically renew the lease on the interface upon interface flap:

event manager applet DHCP_RENEW_LEASE event syslog id 411001 occurs 1 period 1 action 0 cli command "interface GigabitEthernet0/5" action 1 cli command "no ip address dhcp setroute" action 2 cli command "ip address dhcp setroute" output console

If you're going ahead with second proposed option, test it, create a link down event and see if it works.

Thanks,

Cristian.

Re: ASA External Interface Lease renewal ?

HumptyD-UK — Mon, 12 Jan 2026 07:17:07 GMT

Good Morning, Thank you for the follow up, and can confirm the script worked nicely.

yes, we could do 9.14(4)24, but that's for another day when I have more £ in the budget later this year.

Mark