
No Internet Access but connected to domain. New install of Windows 7

KYLE NGUYEN
Level 1

Hi everyone

I have a problem that's driving me nuts trying to troubleshoot. Brand new install of Windows 7 Dell latitude. I'm connected to our domain, but cannot browse the Internet with exclamation icon and msg "No Internet Access."

I can ping all internal servers and gateway. No issues there.

I took the laptop home and connected to my home network fine. Internet connection works perfectly.

But when I got back to the office, I tried connecting with both wired and wireless, and both give msg "No Internet Access."

Firewall is ASA 5505. I did some googling, and found some info on IP Shunning, but when I check my firewall settings, shunning is not enabled. 

Any help is greatly appreciated. Thanks. 


What should I try next?

Btw, thanks so much for helping me with this problem.

When you are logged into the ASA can you ping one of the new PCs?

We have seen the outbound traffic reach the ASA. Packet-tracer shows it goes through OK. Packet capture shows that return traffic is sent on to the PCs.

The one thing we have not checked is can the return traffic reach the new PCs.

From the ASA I cannot ping any new PCs. 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I can ping any of the old PCs. That works. 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Are 192.168.0.x and 192.168.1.x in the same subnet (i.e. is the mask /23 or such)?

If they are, are all devices set with the correct netmask?

If they are not, how is the ASA supposed to know to return traffic to the 192.168.1.x host - routing or something?

Yes, all devices have the same subnet mask 255.255.254.0

Just for kicks, I rebooted the ASA and it didn't change anything. Same problem.

Nothing was changed on the servers or network before this started happening. The only thing I did was join a new Windows 7 laptop to the network. So strange.

You mentioned it's a 5505. That reminds me...

What license level does it have? The base license on a 5505 is limited to 10 concurrent inside hosts.

show local-host connection | inc licensed

...will show you the status of your system.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.html#wp1150495

It shows I have unlimited inside hosts. 

Do the new hosts' addresses show up in the arp cache of the ASA?

"show arp inside"

After some more troubleshooting, I was able to narrow it down to a switch issue. We have seven Cisco 3850 switches spread throughout the campus.

I took the new laptop to each switch and plugged it in. I was able to connect to the network and ping all internal servers on all of them.

On two of the switches, I cannot connect to the Internet with msg "No Internet Access" even though I can still join domain and ping internal servers. 

What's weird is that old computers that are still connected to these two "problem" switches are still working fine with full internet access. It's only when I try to connect a new device that I lose internet access.

Does this make any sense?

Some of the newer security features in the IOS-XE based switches like 3850s can make simple things not work. Features like Dynamic ARP inspection, IP device tracking etc.

Why they would allow internal but not external access is a bit of a mystery to me. I'd have to dig into the switch directly to see what's going on there. I could imagine some scenarios but they are a bit uncommon (Private VLANs, downloadable ACLs in an 802.1x environment etc.)

Thanks for all your help Marvin. Another forum member here directed me to this bug release that was the root of my switch problems.

Bug Id:

CSCug87540

Title:

3850: traffic L3 routed on 1 switch/member fails for newly added devices

Description:

Symptom: The following symptoms can appear on the impacted switch (which can be standalone or a stack member):

- traffic is not routed between devices on different vlans (impacting newly connected devices, or devices that have changed ports)
- new routes do not function
- qos or ACL changes do not take effect

This issue occurs due to a failure to program changes into hardware once the breakage occurs, so existing hardware programming will allow traffic between previously connected devices to continue to flow correctly.



Conditions: Seen on Catalyst 3850 stacks running 3.2.0SE, 3.2.1SE and 3.2.2SE.



Workaround: None. To recover, reload the impacted switch. The issue does not show in 3.3.0(SE) due to code restructure.

Thanks for letting us know the final resolution. 

It's maddening sometimes to find such basic features not working. The earlier IOS-XE code has been very buggy in this regard.
