I found Internet Issue with ASA5515

pichai-chai
Level 1

I use an ASA5515 and I found a problem with the Internet connection being lost.

For example.

 

I'm able to access the internet, and sometimes I find the internet has been lost.

Please find the details below.

 

I can ping ASA5515

I can remote to ASA5515

I can ping LAN (inside) interface of ASA5515

I can ping LAN network from ASA5515

I can ping 8.8.8.8 from ASA5515

but
I can't ping 8.8.8.8 from Client

And in the next 5 minutes I can access the internet.
I can ping 8.8.8.8 from my laptop.
I don't know what happened.

 

12 Replies

balaji.bandi
Hall of Fame

This could be your NAT issue, where it was translating.

 

What kind of bandwidth, and how many clients? Have you looked at the NAT translations and logs in the ASA at the time of the loss?

 

Provide from the ASA:

show version

and other information related to translation.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

bandwidth = 200 Mbps

Client = 50 users

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

balaji.bandi
Hall of Fame

The 5515 should be capable of handling the load you provided. Do you have any other add-ons enabled, like IPS?

 

Can you post show version as requested, along with your config and translations, to understand the issue?

BB


Yes, I think it has enough performance for our internet usage.
I have no IPS on this firewall.

Please find the config below.

 

============

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.61.x.x 255.255.254.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
object network Internal
subnet 10.61.0.0 255.255.0.0
access-list inside_to_outside extended permit tcp any any
access-list inside_to_outside extended permit icmp any any
access-list inside_to_outside extended permit udp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network Internal
nat (inside,outside) dynamic interface
access-group inside_to_outside in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.61.0.0 255.255.0.0 10.xx.xx.247 1

============

Are you using separate physical interfaces for inside and outside interfaces or is it a port-channel?

Have you checked the logs on the ASA and the switch it connects to?

Next time the issue occurs, also check the connection table (show conn). The output can be big, so make sure your terminal emulator buffer is large enough to handle it. Check that, for example, when pinging 8.8.8.8 from a client, the connection is between the inside and outside interfaces and is not being sent to another interface or being black-holed.

--
Please remember to select a correct answer and rate helpful posts

Hi Bud

 

I have one LAN cable connected from the L3 switch to the ASA, no EtherChannel.

========================================

I took these steps when I found the issue.

 

ping asa from client = okay

ping 8.8.8.8 from client = not okay

telnet asa from client = okay

ping 8.8.8.8 from asa = okay

 

I think this is an ASA issue, but I don't know what happened.

Sometimes the internet works fine all day, but sometimes the internet is lost within 15 minutes or every hour.

 

 

As requested before, please post: can you post show version, along with your config and translations, to understand the issue?

 

Also, for testing, if you can arrange a device to bypass the FW and check whether you still have an issue on that PC, to eliminate what is causing the issue.

 

There are a couple of issues I can think of now: maybe your TCP multiplexing conn overflow, so no NAT is taking place. This may be due to a compromised device on the network sending huge traffic out, or randomly.

 

 

BB


Dear Bud

When I found the issue I telnetted to the ASA and pinged 8.8.8.8 from the ASA; yes, I can ping, but the client cannot ping 8.8.8.8.

I agree with you about NAT translation and TCP multiplexing conn overflow, but how can I prove this issue?

Please advise me.

 

Here are the step-by-step instructions:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html

 

Since you have an issue to resolve, I also suggest setting up a syslog server for some time, or long term, to send the logs to.

 

Make a script so that as soon as you hit the connection limit, or any other issue, you get an email from an out-of-the-box monitoring system.

 

You can use an EEM script, for example:

 

https://thwack.solarwinds.com/t5/NPM-Discussions/Monitoring-Cisco-router-NAT-translations/m-p/246895

 

BB

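Added example, not from the thread or from Cisco: a small Python check for the two things suggested above, whether the xlate table is approaching PAT exhaustion on the single interface address, and which inside hosts are generating translation failures in the syslog feed (the hosts that would show up when "show conn" is checked during an outage). The count-line format, the shape of message 305006, the per-address port budget and all sample hosts and ports are assumptions or constructed for this example.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): the count line the ASA prints
# for "show xlate count"; "show conn count" has the same shape.
SHOW_XLATE_COUNT = "63900 in use, 65535 most used"

# Constructed syslog lines shaped like ASA messages 302013 (connection built)
# and 305006 (translation creation failed); hosts and ports are invented.
SYSLOG_SAMPLE = """\
%ASA-6-302013: Built outbound TCP connection 9001 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.61.1.10/51000 (203.0.113.5/51000)
%ASA-3-305006: portmap translation creation failed for icmp src inside:10.61.1.10/1 dst outside:8.8.8.8/0
%ASA-3-305006: portmap translation creation failed for tcp src inside:10.61.1.10/51001 dst outside:198.51.100.20/443
%ASA-3-305006: portmap translation creation failed for udp src inside:10.61.1.44/53001 dst outside:8.8.8.8/53
%ASA-3-305006: portmap translation creation failed for tcp src inside:10.61.1.44/53002 dst outside:198.51.100.20/443
"""

COUNT_RE = re.compile(r"(\d+) in use, (\d+) most used")
FAIL_RE = re.compile(r"%ASA-3-305006: .*translation creation failed for (\w+) src \w+:([\d.]+)/\d+")

# Assumption for this example: one interface PAT address with ports 1024-65535
# usable, i.e. 64512 ports. Size this from the real pool on the device.
PAT_PORT_BUDGET = 64512


def parse_count(text):
    """Return (in_use, most_used) from a show xlate/conn count line."""
    m = COUNT_RE.search(text)
    if not m:
        raise ValueError("unexpected count output: %r" % text)
    return int(m.group(1)), int(m.group(2))


def pat_near_exhaustion(xlate_count_text, warn_ratio=0.9):
    """True when active translations reach warn_ratio of the PAT port budget."""
    in_use, _ = parse_count(xlate_count_text)
    return in_use >= PAT_PORT_BUDGET * warn_ratio


def translation_failures(syslog_text):
    """Count 305006 failures per inside source host. The top entries are the
    clients (or a compromised machine) burning through the PAT pool."""
    per_host = Counter()
    for line in syslog_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            per_host[m.group(2)] += 1
    return per_host
```

Feed it the real count line and the syslog export collected during an outage; a non-empty failure counter with a near-budget xlate count is the evidence asked for above.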

I found this issue when I changed the firewall to a Fortigate. It's the same.

Do you only have that NAT rule applied on the ASA? If not, can you please post the output of the sh run nat command for review?

No, I have not.
