VIP Mentor

Re: ASA LAN no internet access (sometimes) but Site to Site VPN works

Hello,

I am not sure if I am missing something, but if you cannot ping 8.8.8.8 with wan_3 being the outgoing interface, then either wan_3 or something on the other side of wan_3 is not configured correctly. How far does a traceroute go?

Beginner

Re: ASA LAN no internet access (sometimes) but Site to Site VPN works

Tracert, if this is what you mean, doesn't work.

A conclusion is that on both LAN3 & LAN4, which are configured with wan_3, they are both redirected to wan_2.

LAN4 works ok.

LAN3 doesn't have internet, but its site to site vpn works.

I am currently checking with our ISP for wan_3, in case there is a problem from their side.

Thank you,

Beginner

Re: ASA LAN no internet access (sometimes) but Site to Site VPN works

I double checked LAN4 and found that it uses wan_2 instead of wan_3!

I just hit "what is my ip address" on Chrome and saw the public IP.

So the problem should be this. Somehow traffic is redirected to wan_2 for both interfaces, but LAN4 works.

Beginner

Re: ASA LAN no internet access (sometimes) but Site to Site VPN works

Hello,

How can I check traffic flow on this interface? Because from what I have found, the problem is that all LANs' traffic goes to one wan interface.

Thank you,

Beginner

Re: ASA LAN no internet access (sometimes) but Site to Site VPN works

This is the output from packet tracer:

Asa5516X# packet-tracer input lan3 icmp 192.168.15.61 1 15 8.8.8.8

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map LAN3_PBR permit 5
match ip address PBR_LAN3_ACL
set ip next-hop verify-availability 62.38.55.162 1 track 10
Additional Information:
Matched route-map LAN3_PBR, sequence 5, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 195.97.12.114 using egress ifc wan_2

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group lan3_access_in in interface lan3
access-list lan3_access_in extended permit ip any any log disable
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map SFR
class sfr
sfr fail-open
service-policy SFR interface wan_2
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912677, packet dispatched to next module

Result:
input-interface: lan3
input-status: up
input-line-status: up
output-interface: wan_2
output-status: up
output-line-status: up
Action: allow

This shouldn't be using 195.97.12.114 as a next hop but only 62.x.55.161

VIP Mentor

Re: ASA LAN no internet access (sometimes) but Site to Site VPN works

Hello


@it wrote:

The problem I am facing is that sporadically this interface loses its internet access but the StoS VPN works with no problem.


I don’t see how the overlay vpn is still active after you lose its transit path - do you mean the vpn shows active but you lose connectivity over it?

How does this interface lose connection? Is the interface flapping? Do you receive any errors?

Check the cabling, speed/duplex settings, errors on the interface.


kind regards
Paul

Beginner

Re: ASA LAN no internet access (sometimes) but Site to Site VPN works

Our site to site vpn works but we lost internet access (example www.google.com). This interface has been up for about 2.5 years and this has happened 5-6 times for about 1-2 days and then fixes on its own; now it is the 3rd day.