cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1354
Views
4
Helpful
4
Replies

ASA 5505 loses internet

erwee1973
Level 1
Level 1

Hello,

I have a problem with an internet connection with a customer.

They have a Zyxel 660 in bridge mode and the public ip is delivered to the eth0/0 outside interface of a 5505 ASA.

They lose internet connectivity a couple of times per hour. What solves the problem immediately is disconnecting the ethernet cable from the eth0/0 and then directly plugging it back. Then it runs for 20-30 minutes or so.

The isp doesnt't notice any errors on the dsl connection, only that they cannot ping the outside interface from time to time (duhhh)

However, yesterday, when problem appeared for first time , I noticed that this Zyxel was very hot since it was placed on top of the ASA. Now it is set apart.

In the meantime I already replaced all cables, but I think it's the Zyxel so I urged that the ISP send a new Zyxel.

Though it sounds strange. But maybe anyone has seen this before?

Details:

Asa5505 (has been replaced also) with software version 8.4.3

the interface (eth0/0 and vlan2) don't give strange counters

ASA# sh inter det

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Input flow control is unsupported, output flow control is unsupported

        Available but not configured via nameif

        MAC address 2894.0ff8.c548, MTU not set

        IP address unassigned

        235089 packets input, 221884537 bytes, 0 no buffer

        Received 402 broadcasts, 0 runts, 0 giants

        2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 L2 decode drops

        7 switch ingress policy drops

        163925 packets output, 31513917 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 rate limit drops

        0 switch egress policy drops

        0 input reset drops, 0 output reset drops

  Topology Information:

        This interface, a , is connected

        with Internal-Data0/0, a .

  Control Point Interface States:

        Interface number is 3

        Interface config status is active

        Interface state is active

--------------------

Interface Vlan2 "outside", is up, line protocol is up

  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec

        MAC address 2894.0ff8.c550, MTU 1500

        IP address xx.xx.21.237, subnet mask 255.255.255.192

  Traffic Statistics for "outside":

        239894 packets input, 223410645 bytes

        166949 packets output, 28496263 bytes

        545 packets dropped

      1 minute input rate 82 pkts/sec,  94048 bytes/sec

      1 minute output rate 54 pkts/sec,  8022 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 24 pkts/sec,  22481 bytes/sec

      5 minute output rate 18 pkts/sec,  3536 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Control Point Interface States:

        Interface number is 15

        Interface config status is active

        Interface state is active

4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

If there has been no changes to the connection, ISP equipment or the ASA itself it would seem the problem is probably with the Zyxel.

I personally run to strange problems with customer modems (pretty much always in bridged mode and a Cisco device behind them). Sometimes its simply the modem and sometimes it might be a problem with the DSLAM on the provider side.

Best situation would ofcourse be if you could do tests during the problem.

  • Ping the outside gateway
  • If the gateway doesnt reply to the ping check if the ASA shows ARP for the gateway address.
    • "show arp" or "show arp | inc "
  • If there is an ARP for the gateway IP do a "clear arp " which will clear all ARP for the outside interface. Now ping the gateway again and check if there is any ARP for the gateway address. If there is no ARP visible for the gateway address even after the ping it should be clear that theres something wrong with the modem of ISP settings.

Few months ago I had a situation where a customers connection would continuosly stop working. What always corrected the problem was clearing the ARP from the gateway device (Even though the IP/MAC address pair was always the same). The gateway device had to do ARP again to enable connections to the office. This seemed to always correct the problem. Later on we found the problem to be in the ISP DSLAM settings related to ARP. What also was strange about the situation was that the setting that was changed was supposedly already configured the way it was supposed to. And considering I know it had been working for ages it was really strange that the settings had to be changed suddenly. Then again I don't know if the DSLAM had undergone any updates that might explain the strange behaviour.

But anyway, I would start by replacing the local modem. If it has more than a single Ethernet port you could plug the ASA into another port also to see if that has any effect. Ofcourse then you would have to make sure that new port is also bridged.

- Jouni

Hello,

I did a show arp and the gateway mac is showed every time. The line provider isn't familiar with this kind of problems, they verified their end but couldnt find anything special. They suggested to replace the dsl splitter (the only thing I didn't change yet) and secondary if that doesn't work, to put the Zyxel in routed mode (what I personally do not prefer)

My colleague will be onsite there today and do these steps. Will let you know the outcome.

With kind regards,

Ralph

Hi there,

May be of use.  My home ISP is the Post Office and they ship zyxel routers.  I had similar symptoms and had to keep rebooting the router. Eventually they sent me a new router which fixed the issue straight away.

Tim

Hello I'm sorry to forget to mention, but the customer was sent a new Zyxel dsl router, what didn't solve this problem, grrrr

Ralph

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: