OK here goes, I have powered down the ASA and reseated the card but still no success.  Here is the result of 'show interface'.

Result of the command: "show interface"

Interface Ethernet0/0 "external", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f58, MTU 1500
IP address 2XX.1XX.1XX.XXX, subnet mask 255.255.255.240
50599 packets input, 43869014 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
40389 packets output, 11509330 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/244)
output queue (blocks free curr/low): hardware (255/235)
  Traffic Statistics for "external":
50599 packets input, 42920030 bytes
40389 packets output, 10636033 bytes
656 packets dropped
      1 minute input rate 78 pkts/sec,  78310 bytes/sec
      1 minute output rate 59 pkts/sec,  8896 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 68 pkts/sec,  64069 bytes/sec
      5 minute output rate 55 pkts/sec,  14343 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Ethernet0/1 "dmz1", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f59, MTU 1500
IP address 192.168.2.1, subnet mask 255.255.255.0
10626 packets input, 5136754 bytes, 0 no buffer
Received 85 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
14826 packets output, 15929354 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
14 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/246)
output queue (blocks free curr/low): hardware (255/246)
  Traffic Statistics for "dmz1":
10612 packets input, 4910710 bytes
14826 packets output, 15652088 bytes
63 packets dropped
      1 minute input rate 1 pkts/sec,  516 bytes/sec
      1 minute output rate 1 pkts/sec,  494 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 7 pkts/sec,  6167 bytes/sec
      5 minute output rate 6 pkts/sec,  2384 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/2 "internal", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f5a, MTU 1500
IP address , subnet mask
59265 packets input, 23635653 bytes, 0 no buffer
Received 9823 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
55517 packets output, 44176321 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
167 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/230)
  Traffic Statistics for "internal":
59098 packets input, 22407185 bytes
55517 packets output, 43110583 bytes
3447 packets dropped
      1 minute input rate 80 pkts/sec,  10312 bytes/sec
      1 minute output rate 88 pkts/sec,  80758 bytes/sec
      1 minute drop rate, 6 pkts/sec
      5 minute input rate 65 pkts/sec,  11128 bytes/sec
      5 minute output rate 64 pkts/sec,  62661 bytes/sec
      5 minute drop rate, 4 pkts/sec
Interface Ethernet0/3 "cdmdmz", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f5b, MTU 1500
IP address 192.168.3.1, subnet mask 255.255.255.0
106 packets input, 18378 bytes, 0 no buffer
Received 57 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
49 packets output, 17150 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
11 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/249)
output queue (blocks free curr/low): hardware (255/251)
  Traffic Statistics for "cdmdmz":
95 packets input, 15728 bytes
49 packets output, 16178 bytes
42 packets dropped
      1 minute input rate 0 pkts/sec,  23 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  18 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Management0/0 "management", is down, line protocol is down
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
MAC address 0018.199e.7f57, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "management":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets

Interface GigabitEthernet1/0 "dmz2", is up, line protocol is up
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
MAC address 0172.10a1.21db, MTU 1500
IP address 192.168.4.1, subnet mask 255.255.255.0
234 packets input, 21658 bytes, 0 no buffer
Received 59 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
3 packets output, 192 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "dmz2":
231 packets input, 17276 bytes
3 packets output, 84 bytes
229 packets dropped
      1 minute input rate 0 pkts/sec,  5 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  19 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/1 "dmz3", is down, line protocol is down
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
MAC address 0172.10a1.21dc, MTU 1500
IP address 192.168.5.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "dmz3":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/2 "", is administratively down, line protocol is down
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
Available but not configured via nameif
MAC address 0172.10a1.21dd, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Interface GigabitEthernet1/3 "", is administratively down, line protocol is down
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
Available but not configured via nameif
MAC address 0172.10a1.21de, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)

Show module command says its up!  Firmware 1.0 never really fills me with confidence though....

Result of the command: "show module 1 detail"

Cisco 4-Port Gigabit Ethernet Module
Model:              SSM-4GE
Hardware version:   1.0
Serial Number:      JAF1327APHP
Firmware version:   1.0(0)8
Software version:   1.0(0)10
MAC Address Range:  0172.10a1.21db to 0172.10a1.21de
Data plane Status:  Up
Status:             Up

The only ACLs are:

external_access_in for incoming mail/www/usual services.

dmz1_access_in for dmz1 to internal mail traffic.

The NAT for dmz2:

object network obj-192.168.4.0

nat (dmz2,external) dynamic 2XX.1XX.1XX.XX

2XX.1XX.1XX.XX is the external IP used for all browsing from any interface.

I have setup remote access to the firewall ADSM so if you need more information please reply to this thread and I should be able to post any results of commands and config info.  This has me stumped it all looks right

Bill

Hi Bill,

I did not went to work, and my alerts are getting there. Sorry for not replying.... well this is weird indeed. Weird, you say you have version 8.0.3, but the commands you attached are from 8.3 or higher...What version are you currently on?

Mike

Sorry I told you a lie there, the version is 8.4(2)8, I was looking at an old config sheet.

Here is the output from a tracer, I have an implicit drop and odd question marks on the output interface when doing a tracer from dmz2 to external. 

From the ports on the ASA....

an implicit allow, scrolling down...

No question marks on the outside interface...

This is of course using the integrated ports on the ASA rather than the ports on the 4GE-SSM.  It looks as though their are different implicit rules on the ports.  I am not sure what else I can test other than a new card.  Would the full config by PM help at all?

Hi,

Well, then lets get deep on this troubleshooting. Can you go to Monitoring--->logging-->enable logging and then try to pass real data and see what the logs say? Also, please do the following:

capture drop type asp-drop all

Send some data and then do a show cap drop

Mike

Please find attached a capture of failed attempts to get to various websites.

The IP of the computer attempting is 192.168.4.100

The IP of the interface port on the ASA is 192.168.4.1

The IPs of the DNS servers on the computer are 8.8.8.8 and 8.8.4.4

The attempts to hit the DNS servers on port 53 can be seen in the log but no reply can be seen coming back.

As for the logging on the ADSM I cannot see any connections from 192.168.4.100 being 'built','teardown' or even failing.  Its almost as if it never gets as far as being in the log at all.

Hi,

Only if it is possible, can you downgrade to a version that is not 8.4? Also, can you download the captures from the ASA on pcap format?

Mike

I have downgraded to 8.3.2 and still no joy.  I can put wireshark on the laptop and capture packets leaving for the firewall if you think it will help, the light on the firewall is flashing when I attempt to open a website so data is hitting it and as the laptop is the only thing plugged in I would say its leaving to the correct place.

Any ideas before I start looking for a different unit?

Replaced the 4GE card, problem fixed.....typical!