ASA 5505 (9.1.1) & Comcast Business Cable stops passing traffic

Hi

I am trying to determine why a Comcast Business Class modem configured with a static IP (IPv4) works with a laptop or Linksys cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stops passing web traffic. I am able to ping the default gateway even though I cannot surf the web. After restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I cannot connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then tried another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.

Here are the parameters:

The 5505 was reset to default factory settings via the command: config factory-default. Configured the outside interface with static IP Address followed by the no shutdown command, then removed DHCP features from outside interface.  Added Comcast DNS servers, default route, ntp servers, configured DHCP features on the inside interface. Enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).

I believe the Comcast modem is not configured correctly but I do not know how to determine if that is the issue. Any troubleshooting command and methodology tips are greatly appreciated. The show version and show startup output are below. Any help is greatly appreciated.

ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 25             perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

ASA Version 9.1(1)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.199.xx.xxx 255.255.255.252
!
interface Vlan3
 nameif dmz
 security-level 0
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.199.xxx.xxx 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd option 3 ip 192.168.0.1
!
dhcpd address 192.168.0.20-192.168.0.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.250.177.145
ntp server 64.236.96.53
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous


Thanks!

7 Replies

patrick.preuss
Level 1

Hi, try to limit the NAT to the local subnet, not any.

Hth

Sent from Cisco Technical Support Android App

Jouni Forss
VIP Alumni

Hi,

Your setup is pretty much the same as mine.

I have an ADSL connection with a bridged modem and an ASA5505 attached to it. The ASA is usually running some 8.4(x) software or 9.x software depending on whether I am testing something.

Your configuration seems very basic and I can't see why traffic would suddenly stop.

It would probably make more sense if you couldn't reach even the ISP gateway.

Have you monitored the ASA logs through ASDM when the problem starts? Do you for example see TCP connections just being torn down with reason SYN Timeout?

I guess you can configure a traffic capture on the ASA to determine if anything at all is coming back from some remote HTTP server or something similar.

For example, to capture all traffic from a single host:

access-list CAPTURE-LAN permit ip host 192.168.0.100 any

access-list CAPTURE-LAN permit ip any host 192.168.0.100

capture CAPTURE-LAN type raw-data access-list CAPTURE-LAN interface inside buffer 10000000 circular-buffer

The above configuration would take the capture from a single IP address to any destination address on the "inside" interface side.

access-list CAPTURE-WAN permit ip host 50.199.xx.xxx any

access-list CAPTURE-WAN permit ip any host 50.199.xx.xxx

capture CAPTURE-WAN type raw-data access-list CAPTURE-WAN interface outside buffer 10000000 circular-buffer

The above configuration would take the capture from your ASA "outside" interface IP address (which is used as the PAT address) to any destination IP address. This would furthermore tell (as opposed to the above capture) if traffic is leaving towards the Internet and if anything is coming back to the ASA.

After you have configured the captures you can use the following commands.

You can use this command to show all active captures and whether they have captured any data:

show capture

You can use these commands to show the contents of the individual captures:

show capture CAPTURE-LAN

show capture CAPTURE-WAN

You can also use these commands to copy the capture contents to some TFTP server on the LAN and view them with Wireshark, for example, or attach them here in the post:

copy /pcap capture:CAPTURE-LAN tftp://x.x.x.x/CAPTURE-LAN.pcap

copy /pcap capture:CAPTURE-WAN tftp://x.x.x.x/CAPTURE-WAN.pcap

You can use the following commands to remove the captures:

no capture CAPTURE-LAN

no capture CAPTURE-WAN

You will have to remove the ACLs separately also.

The capture on the "outside" interface should at least tell if anything is coming back from the Internet for the HTTP connection attempts after the connection problems start.

- Jouni
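Once the CAPTURE-WAN file suggested above has been copied off the ASA, the question Jouni raises (is anything coming back from the Internet for the HTTP attempts?) can be answered mechanically by pairing each outbound SYN from the PAT address with a returning SYN-ACK. The following script is an added example, not code from the thread or from Cisco: it parses the classic little-endian pcap format that `copy /pcap` writes (assumed to carry Ethernet frames, as a raw-data capture on a VLAN interface does), and lists the SYNs that never got a reply. Because no real capture is available here, it fabricates a small capture in memory; the ASA address 192.0.2.2 and the remote hosts are constructed placeholders, not the poster's addresses.

```python
"""Find outbound TCP SYNs with no SYN-ACK in an ASA 'copy /pcap' export (added example)."""
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, little-endian, microsecond timestamps
ETH_IPV4, IPPROTO_TCP = 0x0800, 6
SYN, ACK = 0x02, 0x10


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def _tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Ethernet/IPv4/TCP frame carrying only the fields the analysis needs (constructed)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)              # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp


def _record(ts, frame):
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_constructed_pcap(asa_ip):
    """Constructed CAPTURE-WAN: one HTTP handshake that completes, then two SYNs that get no reply."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = [
        _record(1.00, _tcp_frame(asa_ip, "198.51.100.10", 50001, 80, SYN)),
        _record(1.02, _tcp_frame("198.51.100.10", asa_ip, 80, 50001, SYN | ACK)),
        _record(600.0, _tcp_frame(asa_ip, "198.51.100.10", 50002, 80, SYN)),
        _record(601.0, _tcp_frame(asa_ip, "203.0.113.10", 50003, 443, SYN)),
    ]
    return header + b"".join(records)


def parse_pcap(data):
    """Yield (ts, src_ip, dst_ip, sport, dport, tcp_flags) for every IPv4/TCP packet in the file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24                                     # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
        tcp = 14 + ihl
        if frame[14 + 9] != IPPROTO_TCP or len(frame) < tcp + 14:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        yield (sec + usec / 1e6, src, dst, sport, dport, frame[tcp + 13])


def unanswered_syns(data, asa_ip):
    """Return [(remote_ip, remote_port, ts), ...] for SYNs the ASA sent that never saw a SYN-ACK."""
    pending = OrderedDict()
    for ts, src, dst, sport, dport, flags in parse_pcap(data):
        if src == asa_ip and (flags & (SYN | ACK)) == SYN:
            pending[(sport, dst, dport)] = ts            # outbound SYN, keyed by our port + peer
        elif dst == asa_ip and (flags & (SYN | ACK)) == (SYN | ACK):
            pending.pop((dport, src, sport), None)       # matching SYN-ACK came back
    return [(ip, port, ts) for (_, ip, port), ts in pending.items()]


if __name__ == "__main__":
    asa = "192.0.2.2"                                    # placeholder for the ASA outside address
    pcap = build_constructed_pcap(asa)                   # real use: open("CAPTURE-WAN.pcap", "rb").read()
    for ip, port, ts in unanswered_syns(pcap, asa):
        print(f"t={ts:.2f}s SYN to {ip}:{port} got no SYN-ACK")
```

If every SYN after the stall shows up as unanswered while the earlier ones completed, the packets are leaving the ASA and nothing is returning, which points at the modem or upstream path rather than at an ASA policy; if the SYNs themselves are missing from the outside capture, the problem is on the ASA side.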

Hi

Quick update. Had Comcast replace the modem (Netgear CG3000DCR) with a SMC cable modem, which fixed the issue. I believe the Netgear proxy arp was the reason the firewall would stop passing traffic after 10-20 minutes.

I will update this post shortly with steps used to determine the Netgear cable modem, not the 5505, was the problem.

d

Did swapping out the Netgear fix your issue? I was dealing with the exact same problem yesterday and Comcast continued to indicate there was nothing wrong on their end. So very frustrating. This was also the first time I've dealt with a Netgear gateway; it's usually the SMC gateway, which we haven't had any problems with.

Yes, swapping out the Netgear for an SMC cable modem fixed the issue. The Netgear is slowly replacing the SMC cable modem.

d

CSCO12318778
Level 1

Hello, even I have the same issue, and in my case it is 4 hours after which I lose the traffic!

Is changing the modem the only solution for this?

Can anyone help me with this?

Good Morning,

In my case, the only solution we tried was swapping out the cable modem for an SMC model modem. Tell your cable provider to replace the modem with an SMC or other brand as the Netgear is known to have issues with firewalls.

d
