09-07-2016 12:02 PM - edited 03-12-2019 01:14 AM
Hi everyone
I have a problem that's driving me nuts trying to troubleshoot. Brand new install of Windows 7 on a Dell Latitude. I'm connected to our domain, but cannot browse the Internet, with an exclamation icon and msg "No Internet Access."
I can ping all internal servers and gateway. No issues there.
I took the laptop home and connected to my home network fine. Internet connection works perfectly.
But when I got back to the office, I tried connecting with both wired and wireless, and both give the msg "No Internet Access."
Firewall is ASA 5505. I did some googling, and found some info on IP Shunning, but when I check my firewall settings, shunning is not enabled.
Any help is greatly appreciated. Thanks.
09-08-2016 01:53 PM
What should I try next?
By the way, thanks so much for helping me with this problem.
09-08-2016 03:08 PM
When you are logged into the ASA can you ping one of the new PCs?
We have seen the outbound traffic reach the ASA. Packet-tracer shows it goes through OK. Packet capture shows that return traffic is sent on to the PCs.
The one thing we have not checked is can the return traffic reach the new PCs.
09-08-2016 03:16 PM
From the ASA I cannot ping any new PCs.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
I can ping any of the old PCs. That works.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
09-08-2016 04:25 PM
Are 192.168.0.x and 192.168.1.x in the same subnet (i.e. is the mask /23 or such)?
If they are, are all devices set with the correct netmask?
If they are not, how is the ASA supposed to know to return traffic to the 192.168.1.x host - routing or something?
09-08-2016 04:50 PM
Yes, all devices have the same subnet mask 255.255.254.0
Just for kicks, I rebooted the ASA and it didn't change anything. Same problem.
Nothing was changed on the servers or network before this started happening. The only thing I did was join a new Windows 7 laptop to the network. So strange.
09-08-2016 05:04 PM
You mentioned it's a 5505. That reminds me...
What license level does it have? The base license on a 5505 is limited to 10 concurrent inside hosts.
show local-host connection | inc licensed
...will show you the status of your system.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.html#wp1150495
09-09-2016 06:29 AM
It shows I have unlimited inside hosts.
09-09-2016 07:58 AM
Do the new hosts' addresses show up in the arp cache of the ASA?
"show arp inside"
09-09-2016 08:30 AM
After some more troubleshooting, I was able to narrow it down to a switch issue. We have seven Cisco 3850 switches spread throughout the campus.
I took the new laptop to each switch and plugged it in. I was able to connect to the network and ping all internal servers on all of them.
On two of the switches, I cannot connect to the Internet with msg "No Internet Access" even though I can still join domain and ping internal servers.
What's weird is that old computers that are still connected to these two "problem" switches are still working fine with full internet access. It's only when I try to connect a new device that I lose internet access.
Does this make any sense?
09-09-2016 08:34 AM
Some of the newer security features in the IOS-XE based switches like 3850s can make simple things not work. Features like Dynamic ARP inspection, IP device tracking etc.
Why they would allow internal but not external access is a bit of a mystery to me. I'd have to dig into the switch directly to see what's going on there. I could imagine some scenarios but they are a bit uncommon (Private VLANs, downloadable ACLs in an 802.1x environment etc.)
09-12-2016 12:38 PM
Thanks for all your help Marvin. Another forum member here directed me to this bug release that was the root of my switch problems.
Bug Id:
Title: 3850: traffic L3 routed on 1 switch/member fails for newly added devices
Description:
Symptom: The following symptoms can appear on the impacted switch (which can be standalone or a stack member):
09-12-2016 02:15 PM
Thanks for letting us know the final resolution.
It's maddening sometimes to find such basic features not working. The earlier IOS-XE code has been very buggy in this regard.