04-06-2015 06:52 AM - edited 03-11-2019 10:44 PM
I'm upgrading our PIX 506E (bulletproof!) firewall to something more robust, the ASA 5505. I have the configuration moved over, and everything appears to be correct, but... after some time, we randomly lose outbound internet traffic on random machines.
Here is an example: I have 2 machines plugged into the same internal network switch, and one of them can continually get internet access, while the other one cannot access the internet.
tracert example:
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.3.248
2 <1 ms <1 ms <1 ms 192.168.2.252
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
In hop 3 there should be the IP address 192.168.1.1, which is our ASA 5505 firewall.
I did clear the ARP cache of all of our switches internally.
I attached a cleansed version of my ASA configuration.
04-06-2015 08:06 AM
How many host licenses do you have? Traceroute is not a good test through the ASA unless you have done the required configuration related to it; the ASA doesn't decrement the TTL value to show its IP address by default.
You can take captures on the outside and inside interfaces and test. Also, can you enable logging at debug level and see if you get any hint from there?
04-06-2015 08:54 AM
I'm not sure about host licenses, as these are simply client machines behind the firewall attempting to access the internet.
04-06-2015 09:07 AM
The ASA 5505 has a license limitation on the number of hosts that can make outbound connections.
Please verify it in "show version":
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.html#wp1150495
You can take the output of "show conn count" and see how many connections are already going through the firewall at the time of the problem.
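As an added example (not from the thread and not Cisco's own code), here is a small Python helper that parses the "Licensed features" block of "show version" output, extracts the "Inside Hosts" limit, and compares it with the number of distinct inside addresses currently active. The sample "show version" text is the block posted in this thread; the list of active inside addresses is constructed here (on a real ASA it would come from the firewall's host-tracking output, e.g. "show local-host", rather than from this thread), and the function names are my own.

```python
import re
from typing import Dict, Iterable, Optional

# Sample input: the "Licensed features" block as posted in the thread.
# A real "show version" prints more sections before and after it.
SHOW_VERSION_SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
"""

# Each feature line is "<name> : <value>"; the name may contain spaces.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_licensed_features(text: str) -> Dict[str, str]:
    """Return the 'Licensed features' block as a name -> value mapping.

    Parsing starts at the block header and stops at the first blank line,
    so other sections of 'show version' are not mixed in.
    """
    features: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():
            break
        m = LINE_RE.match(line)
        if m:
            features[m.group("key")] = m.group("value")
    return features


def inside_host_limit(features: Dict[str, str]) -> Optional[int]:
    """Numeric 'Inside Hosts' limit, or None when the license is unlimited."""
    value = features.get("Inside Hosts", "")
    if value.lower().startswith("unlimited"):
        return None
    return int(value.split()[0])


def check_inside_hosts(features: Dict[str, str], active_hosts: Iterable[str]) -> dict:
    """Compare the distinct active inside IPs with the licensed limit.

    Returns the limit, the distinct active count, and whether the count
    exceeds the limit (the situation that makes 'extra' hosts lose
    outbound access on a host-limited 5505).
    """
    limit = inside_host_limit(features)
    active = len(set(active_hosts))
    return {
        "limit": limit,
        "active": active,
        "over": limit is not None and active > limit,
    }


if __name__ == "__main__":
    feats = parse_licensed_features(SHOW_VERSION_SAMPLE)
    # Constructed list of 52 inside addresses, two more than the 50-host license.
    hosts = [f"192.168.1.{i}" for i in range(10, 62)]
    print(check_inside_hosts(feats, hosts))
```

Run on the thread's own output, the parser reports a limit of 50; feeding it 52 distinct inside addresses flags the license as exceeded, which is the condition the replies above point to.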
04-06-2015 11:23 AM
Here is what it shows:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
So this means I only have 50 hosts allowed from the internal network??
04-06-2015 12:20 PM
Yes, at a time only 50 hosts. A license for unlimited is available though.
04-06-2015 01:17 PM
I don't suppose you know the SKU for that?? I wasn't able to find it anywhere.
04-06-2015 02:15 PM
ASA5505-SW-10-UL
04-07-2015 06:33 AM
I found this SKU, and was hoping that it would work.
04-07-2015 09:16 AM
Great
Note: Please mark the post as answered if this helped you to resolve the problem.