5505 drops outside connection

Lajja1234
Level 2

Hi!

I am having a problem with an ASA 5505. The users on the inside cannot access the internet most of the time. When I looked over the configuration and tried a few changes I got out to the internet for about 5 seconds every 30 minutes or so. Very strange.

When I try to access the internet I just get the Windows message that DNS is not working properly. As you can see in my config I get all addresses dynamically from the ISP.

I am not sure what to do next. I tried to set static routes, make NAT changes, set static DNS addresses, and searched this forum, but nothing works. It seems like there is an ISP problem, but I have talked to their support twice today and they say that all is fine from their side.

Has anyone noticed an ASA behaving like this?

ASA Version 8.2(2)
!
hostname ciscoasa
domain-name
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Trivec_Kassan tcp
 description Kassan
 port-object eq 20010
object-group network obj_any_inside
access-list hotellet_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 172.16.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any host x.x.x.x eq https inactive
access-list outside_access_in extended permit tcp any host x.x.x.x 1 object-group Trivec_Kassan inactive
pager lines 24
logging enable
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.20 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http  255.255.255.0 inside
http  255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet  255.255.255.0 inside
telnet  255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.200.100-192.168.200.130 inside
dhcpd option 43 ip 192.168.200.10 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy hotellet internal
group-policy hotellet attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value hotellet_splitTunnelAcl
username password  encrypted privilege 15
username xxx attributes
 vpn-group-policy
tunnel-group hotellet type remote-access
tunnel-group hotellet general-attributes
 address-pool vpnpool
 default-group-policy
tunnel-group hotellet ipsec-attributes
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

1 Accepted Solution

Let's try something here. Remove the ASA if you can and put a laptop at the end of the circuit instead of the ASA. Let it use DHCP and obtain DNS from the ISP. Now try to browse and ping 8.8.8.8. Do a bandwidth test and check to see what your IP address is using a "what is my ip" service. If you are successful in these tests, the problem is not your ISP.
Check these first and then further troubleshooting will continue. Let's just eliminate the ISP as the problem.

Joel

Joel _______________________________ Please rate helpful posts and answered questions!

7 Replies

Lajja1234
Level 2

I think there is some DNS problem; when I try to access the internet it just loads and loads, and then Chrome says that the DNS failed.

Can you try to browse with the IP address instead of the name?

If this works, then the issue is DNS.

If not, you can try the following:

At the time of the issue:

ping the ASA's inside interface

ping 4.2.2.2 or 8.8.8.8

from the ASA: ping your ISP and ping 4.2.2.2 or 8.8.8.8

Let us know if any of those failed or if you have lost packets.

Also try to do an nslookup.

From the PC's Command Prompt:

nslookup google.com

Regards,

Felipe.
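The ping ladder Felipe describes (inside interface, then the ISP gateway, then a public resolver by IP, then a name lookup) separates a DNS-only failure from a broken LAN or WAN path. The script below is an added example, not code from this thread or from Cisco; it runs the same checks from a PC on the inside network and turns the four results into one diagnosis. The inside interface address 192.168.200.1 and the resolver 8.8.8.8 come from the thread; the ISP gateway address is not given, so it is a placeholder from the documentation range that you override with ISP_GW.

```shell
#!/bin/sh
# Added example: layered connectivity triage following the ping ladder in this thread.
# Run from a PC on the inside network:  INSIDE_IF=... ISP_GW=... sh triage.sh live

INSIDE_IF="${INSIDE_IF:-192.168.200.1}"   # ASA inside interface (from the thread's config)
ISP_GW="${ISP_GW:-203.0.113.1}"           # PLACEHOLDER: ISP default gateway, not given in the thread
PUBLIC_DNS="${PUBLIC_DNS:-8.8.8.8}"       # public resolver reachable by IP, as suggested in the thread
TEST_NAME="${TEST_NAME:-google.com}"      # name used for the nslookup step

# probe <host>: "ok" if two ICMP echo requests get an answer within 2 s each, else "fail"
probe() {
    if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# resolve <name>: "ok" if nslookup gets an answer for the name, else "fail"
resolve() {
    if nslookup "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# classify <inside> <gateway> <public_dns_ip> <name_lookup>
# Each argument is "ok" or "fail". The first failing rung of the ladder names the layer
# to investigate; everything below it is known to work, everything above it is untested.
classify() {
    inside=$1; gw=$2; pub=$3; dns=$4
    if   [ "$inside" = fail ]; then echo "lan-or-asa-down"      # PC cannot even reach the ASA
    elif [ "$gw"     = fail ]; then echo "wan-link-down"        # ASA reached, ISP gateway not
    elif [ "$pub"    = fail ]; then echo "beyond-isp-gateway"   # gateway answers, nothing past it
    elif [ "$dns"    = fail ]; then echo "dns-only"             # IP path works, only resolution fails
    else                            echo "healthy"
    fi
}

# run_triage: execute the four probes in ladder order and print the diagnosis
run_triage() {
    i=$(probe "$INSIDE_IF"); g=$(probe "$ISP_GW")
    p=$(probe "$PUBLIC_DNS"); d=$(resolve "$TEST_NAME")
    echo "inside=$i gateway=$g public=$p dns=$d -> $(classify "$i" "$g" "$p" "$d")"
}

# Live probes only when explicitly asked for, so the functions can be sourced and reused.
if [ "${1:-}" = live ]; then run_triage; fi
```

The result the original poster reported (inside interface and ISP gateway answer, public resolvers do not) lands on "beyond-isp-gateway", which is exactly where this thread went next: the path works up to the ISP gateway, so the ASA's NAT and default route are the next things to check and, after that, bypassing the ASA with a laptop to rule out the circuit.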

I can ping the ASA's inside interface, the wireless controller and the switch. I can ping my ISP default gateway but not any of my ISP's DNS servers, nor Google's 8.8.8.8 DNS server.

Any more suggestions? I have about 1.5 h of travel time to the customer, and when I get there I have no internet until this works, so I would like more suggestions.

Regards

Lajja

I can only ping the ASA inside interface. The ASA does not get an IP address now.


Tried to remove the ASA, but still couldn't reach the internet. So the modem must be broken. Tried the other DSL line with another modem, and then it worked! I will call the ISP and see if they can replace it for free.

So now I can reach the internet. BUT when that worked another problem occurred: the WLC lost connection to all APs. So one problem solved, but another started.

Anyway, I started a new thread in the wireless part of this forum, so this one can be closed.

Glad to help. Please rate.

Joel

_______________________________
Please rate helpful posts and answered questions!
