I have been trying to figure it out but am unable to work out what the problem is. My ASA is connected directly to the Comcast modem and everything was working normally when I first installed it, but after 4 hours (approx.) I can't reach the internet, although my interfaces are up. I have interface resets and CRC errors on my external interface, and collisions and late collisions on my internal interface.
One more thing I would like to mention here: I was able to ping 22.214.171.124 from the Comcast modem but couldn't do that from the local LAN or from the ASA.
My network is pretty straightforward: Comcast modem <---------->ASA<--------------->Local LAN
I had to reboot my Comcast modem in order to get the ASA to work properly.
Can someone please help me?
When the issue happens,
Are you able to ping the comcast modem from the ASA itself?
Do you see the MAC address of the next-hop device in the ARP table of both the modem and the ASA?
Sounds like an ARP issue.
I don't have access to the ASA right now; I can give those details tomorrow. But we have replaced a router which used to act as a firewall with the ASA, and I have copied the MAC address of the external interface from the router and assigned it to the external interface of the ASA. If it is an ARP issue, what might it be and what is the best way to resolve it?
Thank you very much for your reply...!!
Let's first work on the tests I have asked before,
Then we will move forward.
So tomorrow when the issue happens:
Do a ping from the ASA to the Comcast router.
Then clear the ARP table on the ASA, do the ping again and check whether there is an ARP entry or not.
Afterwards clear the ARP on the Comcast router and do the ping (and again check the ARP table).
Are they directly connected?
Sorry for the late reply. Yes, they are directly connected. We thought that the issue was with my Comcast SMG modem and replaced it with the Netgear CG3000d, but this time I was not able to go out as well as come in.
From the ASA I was not even able to ping the default gateway (the modem is my default gateway).
I can't test it because it has to be taken down and the router put back to keep the traffic going.
This time I had no CRC errors, but there were interface resets on my external interface and there are collisions and interface resets on my internal interface. I have been facing this problem for two weeks now.
Let's do something.
Next time the issue happens, do a clear arp and then see if you can connect.
Note: I would go ahead and configure the Comcast modem with a static ARP entry pointing to the ASA.
If you ask why to use a clear ARP, it is because with that we will force the ASA to send a gratuitous ARP that will update the ARP table on the Comcast router.
Let me know how it goes.
Follow me on http://laguiadelnetworking.com
Check your license. Once it reaches the limits, ASA drops the connection.
Follow these commands; they are very helpful.
sho ver | inc Inside Hosts
ASA5505# show local ?
Hostname or A.B.C.D Show local host information corresponding to this ip
Hostname or X:X:X:X::X Show local host information corresponding to an IPV6
all To show connections including to-the-box and
brief Enter this keyword for brief information
connection Show local host information based on the number of
detail Enter this keyword for detailed information
| Output modifiers
ASA5505# show local
I don't think it is a licensing issue as Julito mentioned. Maybe you can clear the interface counters by using the clear interface command and then issue the show interface after about 1 minute to see whether errors are incrementing. I see that you don't have CRCs any more, but we could verify how the interfaces are set up.
If you are not able to ping your DG any more, maybe we can look at the ARP issue mentioned.
In the meantime you could share the previous command requested and maybe the following outputs if possible:
sh run nat (show run global for previous 8.3 versions)
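The counter check suggested in the reply above (clear the interface counters, wait about a minute, then run show interface again), as an added example that is not part of the original thread: a Python sketch that compares two captured outputs and reports which error counters are still incrementing on each interface. The two sample captures are constructed and assume the usual ASA show interface counter wording.

```python
import re
# Error counters named in the thread, spelled as in ASA "show interface" output.
COUNTERS = {"input errors", "CRC", "output errors", "collisions",
            "late collisions", "interface resets"}

# Constructed samples (not from the thread): just after "clear interface", then ~1 minute later.
T0 = '''Interface Ethernet0/0 "outside", is up, line protocol is up
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
Interface Ethernet0/1 "inside", is up, line protocol is up
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
'''
T1 = '''Interface Ethernet0/0 "outside", is up, line protocol is up
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 output errors, 0 collisions, 2 interface resets
    0 late collisions, 0 deferred
Interface Ethernet0/1 "inside", is up, line protocol is up
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    4 output errors, 31 collisions, 1 interface resets
    6 late collisions, 0 deferred
'''

def parse_counters(text):
    """Return {interface: {counter: value}} from 'show interface' text."""
    result, current = {}, None
    for line in text.splitlines():
        header = re.match(r'Interface (\S+) "([^"]*)"', line)
        if header:  # key by nameif, or by hardware name when nameif is empty
            current = result.setdefault(header.group(2) or header.group(1), {})
        elif current is not None:
            for value, name in re.findall(r"(\d+) ([A-Za-z ]+?)(?:,|$)", line.strip()):
                if name in COUNTERS:
                    current[name] = int(value)
    return result

def incrementing(before, after):
    """Counters that grew between two samples: {interface: {counter: delta}}."""
    grew = {}
    for ifname, counters in after.items():
        for name, value in counters.items():
            delta = value - before.get(ifname, {}).get(name, 0)
            if delta > 0:
                grew.setdefault(ifname, {})[name] = delta
    return grew

if __name__ == "__main__":
    print(incrementing(parse_counters(T0), parse_counters(T1)))
```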
I have one more question related to this post.
Is it necessary to have the modem which is connected to the ASA in bridge mode? What is the difference between routed mode and bridge mode of a modem when connected to an ASA?
It's not a requirement.
I mean leave it the way it is and then add the static arp entry as I recommended.
Rate all of the helpful posts!!!
Follow me on http://laguiadelnetworking.com
We need the configuration and show tech; this could be so many things: ARP, NAT, PAT, a bug, DHCP, bla, bla, bla.
If it is working with the router and not the ASA, ARP would not be my first troubleshooting step, but it also needs to be checked.
Enable logging on the ASA and check to see if you see anything on them:
logging asdm debugging
logging buffered debugging
logging buffer-size 1048576
clear log buffer
You can check the logs via ASDM, or log into the CLI via PuTTY and record the log output, and then tell us the time of the failure.
Also confirm that the router has been removed completely when the issue happens.
Please update the ticket as resolved or answered so we can close out followup.