05-24-2012 11:03 AM - edited 03-11-2019 04:11 PM
I have a simple network with an ASA5505 mainly used for AnyConnect so there is little traffic. There is 1 laptop connected to the E0/1 of the ASA and then E0/0 is going to the internet port. I've noticed about every 15-20 minutes, I lose all connection. The laptop can no longer browse the web and handsets can no longer VPN into the network. I've noticed a few seconds after performing a clear arp, all the connections are restored. The laptop can browse the web and handsets can VPN in again. Any idea what could be causing this?
Thanks
05-24-2012 11:28 AM
Hi Joffroi,
One very simple test to check:
when the issue occurs, take captures on ASA interface:
access-list cap permit icmp any any
capture capo access-list cap interface outside
capture capin access-list cap interface inside
Now do a ping to 4.2.2.2 from your laptop, and then check "show cap capin" & "show cap capo", see if the request is going through the ASA or not and if you are getting any replies or not.
If no replies, then check the upstream device, that device might be losing the arp entries for the ASA and hence sending no replies, when you clear arp on ASA, an arp request is sent again and it builds the arp table. Check if there is any arp timeout.
Hope this helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
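Added example, not part of the thread: a small script that reads the text of "show cap capin" / "show cap capo" and flags ICMP flows that carry echo requests with no echo reply in the reverse direction, which is the "requests leave, nothing comes back" pattern Varun describes. The line format and the sample capture are modelled on the output posted later in this thread; the capture text is constructed here.

```python
import re
from collections import defaultdict

# One line of ASA "show cap" output, e.g.
# "1: 13:42:28.785695 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>[\d:.]+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)"
)

def summarize_icmp(capture_text):
    """Count echo requests and replies per (src, dst) pair."""
    counts = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips "N packets captured/shown" headers
        counts[(m.group("src"), m.group("dst"))][m.group("kind")] += 1
    return dict(counts)

def one_way_flows(capture_text):
    """Return (src, dst, request_count) for flows whose requests never
    drew an echo reply from dst back to src. Replies travel in the
    reverse direction, so each request flow is paired with (dst, src)."""
    counts = summarize_icmp(capture_text)
    bad = []
    for (src, dst), c in counts.items():
        if c["request"] == 0:
            continue
        replies = counts.get((dst, src), {"reply": 0})["reply"]
        if replies == 0:
            bad.append((src, dst, c["request"]))
    return bad

# Constructed sample in the shape of "show cap capo": pre-NAT and
# post-NAT copies of the same pings, and no reply from 4.2.2.2.
SAMPLE_CAPO = """26 packets captured
1: 13:41:07.228046 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
2: 13:41:07.228335 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
3: 13:41:08.228931 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
4: 13:41:08.228976 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
"""

if __name__ == "__main__":
    for src, dst, n in one_way_flows(SAMPLE_CAPO):
        print(f"{n} request(s) {src} -> {dst}, no reply seen")
```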
05-24-2012 11:54 AM
Thanks for the reply Varun.
I waited until I lost connection and did what you suggested.
)# show cap capin
6 packets captured
1: 13:42:28.785695 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
2: 13:42:29.786092 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
3: 13:42:30.787282 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
4: 13:42:31.788396 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
5: 13:42:32.789494 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
6: 13:42:33.790623 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
6 packets shown
# show cap capo
26 packets captured
1: 13:41:07.228046 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
2: 13:41:07.228335 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
3: 13:41:08.228931 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
4: 13:41:08.228976 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
5: 13:41:09.229587 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
6: 13:41:09.229632 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
7: 13:41:10.230700 802.1Q vlan#1 P0 192.168.1.4 > 4.2.2.2: icmp: echo request
....
192.168.1.4 is the IP assigned to my laptop connected to E0/1
After I performed the clear arp, I got echo reply request.
With that being said, are you suggesting I need to talk to my IT about what's behind the port for my internet? Maybe they are losing my arp entry for my ASA?
Thanks
05-24-2012 11:58 AM
Absolutely, now you at least know which device stops responding, and my gut feeling is your ISP device is losing arps pretty frequently.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-24-2012 12:05 PM
Thanks, I'll reach out to them. I do notice I occasionally get another entry on my arp table on the outside interface with an IP very similar to what I have assigned to me. I suspect that is probably what is causing my problem.
05-24-2012 12:10 PM
Hi Joffroi,
Sure I will wait for your update.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-24-2012 01:30 PM
Hi
That sounds a lot like an arp poisoning attack.
When the Internet works, what is the mac address of your def gateway?
What is the mac address of the def gateway when it stops working?
If they are different I would talk to the ISP and set the mac address entry manually until the issue is resolved.
Good luck
HTH
05-24-2012 01:34 PM
My mac-address stays the same in both cases. Thanks for the suggestion though.
05-24-2012 09:43 PM
Hello Joffroi,
One hundred percent sure you see the real mac address of your DG when the issue happens from the ASA perspective.
I mean from the ASA perspective we can see he is sending the traffic out the right interface, he is doing the NAT properly but he is not receiving any traffic coming back.
I would say call the ISP people and explain to them the behavior you are having, they will understand and help.
Regards,
Do rate all the helpful posts
Julio
05-25-2012 08:24 AM
I'm still waiting on a response from my IT department. I have noticed that on my arp tables, I do get an IP address that shows up and I'm not sure what it is. As I mentioned before, the network I'm working with is
LAPTOP <-----> ASA <-------> INTERNET PORT That's it.
ASA5505# show arp
inside 192.168.1.4 001f.f353.da5f 24 <---- Laptop connected to E0/1
outside XX.XX.167.66 3ce5.a614.e06b 1703 <---- Unknown device
outside XX.XX.167.70 0024.c9cf.2c50 2946 <---- Default Gateway
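Added example, not from the thread: a script that parses two "show arp" dumps, one taken while the link works and one taken during the outage, and reports whether the default gateway's MAC changed (the check suggested earlier in the thread) and which outside-interface entries appeared or vanished, such as the "Unknown device" above. The snapshots below are constructed; the 198.51.100.x addresses stand in for the masked XX.XX.167.x ones, and a real dump needs unmasked IPs for the regex to match.

```python
import re

# One "show arp" line: <interface> <ip> <mac> <age>; trailing notes are ignored.
ARP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(?P<age>\d+)"
)

def parse_show_arp(text):
    """Return {(iface, ip): mac} for every entry in a 'show arp' dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[(m.group("iface"), m.group("ip"))] = m.group("mac").lower()
    return table

def compare_arp(working_text, broken_text, gateway_ip, iface="outside"):
    """Diff a working snapshot against an outage snapshot. A changed gateway
    MAC points at a poisoned or flapping ARP entry; new outside entries show
    which other hosts the ISP segment is exposing to the ASA."""
    ok, bad = parse_show_arp(working_text), parse_show_arp(broken_text)
    gw = (iface, gateway_ip)
    out_ok = {k for k in ok if k[0] == iface}
    out_bad = {k for k in bad if k[0] == iface}
    return {
        "gateway_mac_working": ok.get(gw),
        "gateway_mac_broken": bad.get(gw),
        "gateway_mac_changed": ok.get(gw) != bad.get(gw),
        "new_outside_entries": sorted(ip for _, ip in out_bad - out_ok),
        "missing_outside_entries": sorted(ip for _, ip in out_ok - out_bad),
    }

# Constructed snapshots (placeholder IPs; MACs copied from the thread).
WORKING = """inside 192.168.1.4 001f.f353.da5f 24
outside 198.51.100.70 0024.c9cf.2c50 2946
"""
BROKEN = """inside 192.168.1.4 001f.f353.da5f 24
outside 198.51.100.66 3ce5.a614.e06b 1703 <---- Unknown device
outside 198.51.100.70 0024.c9cf.2c50 2946 <---- Default Gateway
"""

if __name__ == "__main__":
    for k, v in compare_arp(WORKING, BROKEN, "198.51.100.70").items():
        print(f"{k}: {v}")
```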
05-25-2012 02:11 PM
Hello Joffroi,
Please keep us updated.
Regards,
Julio
11-24-2012 09:25 PM
Was there ever a final resolution to this and if so, what was it?
A client of mine has an identical problem. Their ISP is Verizon FIOS, who is notorious for their poor technical support in matters like this. If it turns out to be a downstream Verizon router, I may recommend the client change ISPs. Knowing Joffroi's outcome may influence what we do.