06-24-2011 07:14 PM - edited 03-11-2019 01:50 PM
I have an ASA-5510 in a location that loses connectivity to the WAN gateway after anywhere from five to fifteen minutes. At first I thought that the unit might be defective, but I replaced it with an ASA-5505 with similar results. A reload of the ASA-5510 will restore connectivity for the next quarter hour.
Here's the version information on the 5510:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 4 hours 42 mins
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
-----------------------------------------------------------------------------------------------------------------------------------
And here is the problem:
ciscoasa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 205.144.214.1 to network 0.0.0.0
C 192.168.150.0 255.255.255.0 is directly connected, inside
C 205.144.214.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 205.144.214.1, outside
ciscoasa# ping 205.144.214.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 205.144.214.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
-----------------------------------------------------------------------------------------------------------------------------------
After a reload:
Cryptochecksum (unchanged): 6f930004 780efeb0 4c77a6e2 620d502d
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# ping 205.144.214.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 205.144.214.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/20 ms
Has anyone seen a problem like this before? Or have any clue as to where to start debugging? This configuration works in other locations. The line is probably good because we've temporarily replaced the ASA-5510 with an RVS-4000 (and it has been working for a week).
06-24-2011 08:59 PM
Hi Clark,
Yes, I have faced this issue multiple times, and most of the time it turned out to be an ARP issue on the upstream device. Let me tell you what to do to verify it:
Take captures on the firewall, when it loses connection:
access-list cap permit ip host
access-list cap permit ip host 4.2.2.2 host
cap capout access-list cap interface outside
And then initiate a ping from the outside interface:
ping outside 4.2.2.2
Check the captures:
show capture capout
It would show you that the replies are not coming back from the router.
Call your ISP and ask them to have a look at it; maybe they need to put a static ARP entry for the firewall on the router.
Hope this would help you.
Thanks,
Varun
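An added example, not part of either post: a small Python script that tallies ICMP echo requests and replies in saved "show capture capout" output, to confirm the symptom the answer above describes (requests leave the outside interface, replies never return). The line format is an assumption about the ASA's tcpdump-style capture output, and the outside address 192.0.2.10 and the sample lines are constructed.

```python
import re

# Assumed shape of an ICMP line in ASA "show capture" output (tcpdump-like).
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

# Constructed sample: 192.0.2.10 stands in for the firewall's outside address.
SAMPLE = """\
4 packets captured
   1: 19:20:01.100000 192.0.2.10 > 4.2.2.2: icmp: echo request
   2: 19:20:01.112000 4.2.2.2 > 192.0.2.10: icmp: echo reply
   3: 19:20:03.100000 192.0.2.10 > 4.2.2.2: icmp: echo request
   4: 19:20:05.100000 192.0.2.10 > 4.2.2.2: icmp: echo request
4 packets shown
"""

def summarize(capture_text, local_ip, remote_ip):
    """Count echo requests sent and echo replies received between two hosts."""
    sent = received = 0
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # summary lines, ARP, anything that is not an ICMP echo
        src, dst, kind = m["src"], m["dst"], m["kind"]
        if kind == "request" and (src, dst) == (local_ip, remote_ip):
            sent += 1
        elif kind == "reply" and (src, dst) == (remote_ip, local_ip):
            received += 1
    return {"sent": sent, "received": received,
            "unanswered": max(sent - received, 0)}

def verdict(stats):
    """Turn the counts into a one-line reading of the capture."""
    if stats["sent"] == 0:
        return "no echo requests captured: check the capture ACL and interface"
    if stats["received"] == 0:
        return "requests leave, no replies return: look upstream"
    if stats["unanswered"]:
        return "partial loss: replies stopped or are intermittent"
    return "replies return: the outside path is answering"

if __name__ == "__main__":
    stats = summarize(SAMPLE, "192.0.2.10", "4.2.2.2")
    print(stats, "->", verdict(stats))
```

Comparing the counts from a capture taken right after a reload with one taken after connectivity drops shows the point at which replies stop.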