
ASA 5512-X Suddenly Can't Ping Anything but Itself

plaush

Hello, all. I currently own an ASA 5512-X at home; I mainly use it as a router and VPN gateway. However, yesterday my ASA mysteriously decided to stop routing traffic to ANY destination. When you ping any IP but itself, it returns a '?', and traceroute doesn't help much as it just shows nothing but '*'.

I haven't made any changes to the configuration in weeks, unless I accidentally clicked something while browsing the logs in ASDM. I have no idea what happened; I've already tried restarting the ASA several times. Any help would be appreciated, thank you!

The running config is attached; the only changes I made were to the usernames, as they're my co-workers and/or friends.


Accepted Solutions

I've found the issue: it appears that G0/1 somehow broke, and swapping over to G0/2 fixes the issue. It might finally be time to get a Fortinet and replace my ASA; I got it for dirt cheap anyways.



@plaush Hi, can you elaborate more? Normally, checking logs does not harm any device functionality. When you say it is not working, can you answer the questions below?

1. Can you ping the device locally from your PC? Are your PC and the ASA in the same network range?

2. Can you access the device using ASDM through the local network?

3. Can you ping the DMZ from your PC when the PC is in your internal network, and vice versa, for IPs allowed via ACL?

 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello, I would like to make a correction: I can only ping the internet/outside interface. I can ping and even connect to my ASA's VPN from the outside, but the internal network is totally inaccessible. Edit: My internal PC can't access the internet.

1. No, I can't even ping '.1', which is my ASA and the default gateway of my PC. Yes, they're in the same 192.168.60.0/24 network.

2. Nope, for the reason above.

3. Nope

I have nothing in my 'IoT' Group.

 

@plaush In your config I can see physical interfaces 0/1 and 0/2 using different interface names and using the same BVI 1, which has the name inside. I am not sure if that causes complications. Also, your SSH is open to the outside, which is not recommended, and your NAT rules need to be checked again.

Do you have any logs from the time of the incident? Also, try enabling ICMP inspection on the device.

 


Hello, a lot of the configs you pointed out have been there for a long time, over 6 months; I was messing around with stuff and must have forgotten to roll back some of the changes. I'm almost certain it's not that, because this issue only started to happen a day ago, and I also don't think it's NAT because the outside interface seems to be working fine.

I'll do the ICMP inspection and check the logs again tonight; I'll also inspect for any cable damage.

Edit: It was a physical layer issue; my g0/1 somehow broke. I'll probably just fix the SSH misconfiguration and leave the rest alone, as I will need to get a new firewall soon anyways.

Hello,

On a side note, how old is your 5512-X? As far as I recall, the end of life date was 2017. Have you tried a simple reboot?

I've had my ASA for just over a year now, but the device itself is way older than that; I don't have an exact number. I've rebooted it several times, including turning off the entire rack's power overnight. No dice, still the same issue. I plan to restore one of my older configs from backup and see if that fixes the issue.

Hello,

Good plan, if you have a working backup config.
