Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1536
Views
0
Helpful
21
Replies

ASA LAN no internet access (sometimes) but Site to Site VPN works

it
Level 1
Level 1

‎05-20-2020 12:10 AM

Hello,

 

I have an ASA 5516 with many LANs working and having internet access.

I have created a new LAN successfully which also has a site to site VPN with on of our customers (this is the second interface with StS vpn that we have on the same FW).

 

The problem I am facing is that sporadically this interface loses its internet access but the StoS VPN works with no problem.

 

On most cases this fixes, with me doing nothing, after some days.

 

How can I troubleshoot this so I can find what may cause the problem?

 

Thank you,

Labels:
0 Helpful
21 Replies 21

Georg Pauwen
VIP
VIP

‎05-20-2020 12:32 AM

Hello,

 

post the full running configuration of your ASA and indicate which interface is having trouble...

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-20-2020 01:56 AM

This is some of the FWs config, concerning the interface that have the issue.

----------------------------------------------------------------------------
ip local pool RA_NEW_LAN_POOL 192.168.x.1-192.168.x.15 mask 255.255.255.240

interface GigabitEthernet1/1
description === ALL WAN Routers ===
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.200
vlan 200
nameif wan_3
security-level 0
ip address 6.x.55.1 255.255.255.240
!
interface GigabitEthernet1/1.201
vlan 201
nameif wan_1
security-level 0
ip address 6.x.53.x 255.255.255.240
!
interface GigabitEthernet1/1.202
vlan 202
nameif wan_2
security-level 0
ip address 195.x.x.x 255.255.255.240


interface GigabitEthernet1/6
description === NEW_LAN ===
nameif new_lan
security-level 80
ip address 192.168.150.1 255.255.255.0
policy-route route-map NEW_LAN_PBR

 


object network new_lan_lan
subnet 192.168.150.0 255.255.255.0
description new_lan_lan
object network obj-192.168.150.0
subnet 192.168.150.0 255.255.255.0
object network New_lan_x.x.0.0
subnet x.x.0.0 255.255.0.0
object network New_lan_x.x.128.0
subnet x.x.128.0 255.255.255.0
object network new_lanwan_80.x.x.90
host 80.x.x.90
object network New_lan_x.x.8.0
subnet x.x.8.0 255.255.254.0
object network RA_VPN_POOL_NEW_LAN
subnet 192.168.x.0 255.255.255.240
object network New_lan_x.x.10.0
subnet x.x.10.0 255.255.254.0

object-group network DM_INLINE_NETWORK_22
network-object object New_lan_x.x.0.0
network-object object New_lan_x.x.128.0
network-object object New_lan_x.x.8.0
network-object x.x.10.0 255.255.254.0
object-group network DM_INLINE_NETWORK_23
network-object object New_lan_x.x.0.0
network-object object New_lan_x.x.128.0
network-object object New_lan_x.x.8.0
network-object x.x.10.0 255.255.254.0
object-group network DM_INLINE_NETWORK_24
network-object x.x.0.0 255.255.0.0
network-object x.x.128.0 255.255.255.0
network-object x.x.8.0 255.255.254.0
network-object host 192.168.100.101
network-object x.x.10.0 255.255.254.0
object-group network DM_INLINE_NETWORK_25
network-object 192.168.150.0 255.255.255.0
network-object object RA_VPN_POOL_NEW_LAN
object-group network DM_INLINE_NETWORK_26
network-object 192.168.150.0 255.255.255.0
network-object 192.168.x.0 255.255.255.240
object-group network DM_INLINE_NETWORK_27
network-object object New_lan_x.x.0.0
network-object object New_lan_x.x.128.0
network-object object New_lan_x.x.8.0
network-object object New_lan_x.x.10.0


access-list ACL_Split_Tunnel standard permit 192.168.150.0 255.255.255.0


access-list PBR_NEW_LAN_ACL extended deny ip 192.168.150.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list PBR_NEW_LAN_ACL extended permit ip 192.168.150.0 255.255.255.0 any

access-list new_lan_access_in extended permit ip any any log disable

access-list wan_3_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_25 object-group DM_INLINE_NETWORK_22
access-list wan_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_26 object-group DM_INLINE_NETWORK_21
access-list ACL_RA_NEW_LAN_SPLIT_TUNNEL standard permit x.x.0.0 255.255.0.0
access-list ACL_RA_NEW_LAN_SPLIT_TUNNEL standard permit x.x.128.0 255.255.255.0
access-list ACL_RA_NEW_LAN_SPLIT_TUNNEL standard permit x.x.8.0 255.255.254.0
access-list ACL_RA_NEW_LAN_SPLIT_TUNNEL standard permit x.x.10.0 255.255.254.0


nat (new_lan,wan_3) source static new_lan_lan new_lan_lan destination static DM_INLINE_NETWORK_23 DM_INLINE_NETWORK_23 no-proxy-arp route-lookup

nat (new_lan,wan_2) source static obj-192.168.150.0 obj-192.168.150.0 destination static anyconnect_pool1 anyconnect_pool1 no-proxy-arp route-lookup

nat (inside,wan_1) source static DM_INLINE_NETWORK_25 DM_INLINE_NETWORK_25 destination static DM_INLINE_NETWORK_22 DM_INLINE_NETWORK_22 no-proxy-arp route-lookup
nat (wan_3,wan_1) source static DM_INLINE_NETWORK_25 DM_INLINE_NETWORK_25 destination static DM_INLINE_NETWORK_22 DM_INLINE_NETWORK_22 no-proxy-arp route-lookup
!

object network obj-192.168.150.0
nat (new_lan,wan_3) dynamic interface

access-group new_lan_access_in in interface new_lan


route-map NEW_LAN_PBR permit 5
match ip address PBR_NEW_LAN_ACL
set ip next-hop verify-availability 6.x.55.2 1 track 10

route wan_3 x.x.0.0 255.255.0.0 6.x.55.2 1
route wan_3 x.x.8.0 255.255.254.0 6.x.55.2 1
route wan_3 x.x.10.0 255.255.254.0 6.x.55.2 1
route wan_3 x.x.128.0 255.255.255.0 6.x.55.2 1


track 1 rtr 1 reachability
!
track 10 rtr 10 reachability
!
track 11 rtr 11 reachability
!
track 12 rtr 12 reachability

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to it

‎05-20-2020 03:38 AM

Hello,

 

you posted a partial configuration with invisible IP addresses, so I cannot tell what, if anything, is missing.

 

Check the NAT statement below:

 

nat (new_lan,wan_2) source static obj-192.168.150.0 obj-192.168.150.0 destination static anyconnect_pool1 anyconnect_pool1 no-proxy-arp route-lookup

 

Where is the object 'anyconnect_pool1' ? Is that in your configuration ? To speed up the process of resolving this, post the full running config including all IP addresses...

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-20-2020 04:52 AM - edited ‎05-25-2020 12:38 AM

hello, I have omitted some IPs and changed some names.

LAN3 is the one that have the problem. We can reach the servers though the site to site vpn (not anyconnect) but we do not have internet access. This happens sometimes only. After a day or two it fixes on its own!!

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to it

‎05-20-2020 09:54 AM

Hello,

 

sla monitor 10
type echo protocol ipIcmpEcho 195.x.x.2 interface wan_3
frequency 15

 

what is IP address 195.x.x.2 ?

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-20-2020 11:16 PM

Its a public wan IP of the fw (wan_2). but interface GigabitEthernet1/6 with LAN3, the one with the internet issue, is using wan_3 for internet access.

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-20-2020 11:39 PM

Hello, write "wrong" on the preview answer.

the thing is, I do not know what this IP is.

the IP is 195.170.0.2

0 Helpful

Georg Pauwen
VIP
VIP
In response to it

‎05-20-2020 11:48 PM

Hello,

 

you could try and change:

 

sla monitor 10
type echo protocol ipIcmpEcho 195.x.x.2 interface wan_3
frequency 15

 

to

 

sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8 interface wan_3
frequency 15

 

Since you don't know what (and where) that IP address is, using an IP address that is always up (the Google DNS IP address in this case) might remedy the problem...

0 Helpful

Georg Pauwen
VIP
VIP
In response to it

‎05-20-2020 11:53 PM

Hello,

 

the IP address resolves to ns1.otenet.gr, which is OTE's name server in Greece. I do not get a PING response, so that might be the problem. Use the Google DNS IP address (8.8.8.8) as suggested...

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-21-2020 12:21 AM

Hello,

 

I deleted and recreated the config with no success (config below). As an indication, through this wan interface there is also another LAN which is using it with no problem.

LAN3 & LAN4 are both using WAN wan_3

 

sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8 interface wan_3
frequency 15
sla monitor schedule 10 life forever start-time now

0 Helpful

Georg Pauwen
VIP
VIP
In response to it

‎05-21-2020 12:38 AM

Hello,

 

no success means that Internet access is still intermittent ?

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-21-2020 12:50 AM

Yes, I do not have internet access.

This is logs when I ping 8.8.8.8 from computer 192.168.15.61 (from down to up)

 

6May 21 202010:45:37302020192.168.15.6118.8.8.80Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
6May 21 202010:45:37302020192.168.15.6118.8.8.80Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
6May 21 202010:45:343020218.8.8.80192.168.15.611Teardown ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
6May 21 202010:45:32302020192.168.15.6118.8.8.80Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
6May 21 202010:45:293020218.8.8.80192.168.15.611Teardown ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
6May 21 202010:45:27302020192.168.15.6118.8.8.80Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
6May 21 202010:45:243020218.8.8.80192.168.15.611Teardown ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
6May 21 202010:45:22302020192.168.15.6118.8.8.80Built outbound ICMP connection for faddr 8.8.8.8/0 gaddr 192.168.15.61/1 laddr 192.168.15.61/1
0 Helpful

it
Level 1
Level 1
In response to it

‎05-21-2020 12:55 AM

ping to 8.8.8.8 isn't completed (request timed out), but I can ping the DNS (and servers) of the site to site vpn (on the other side LAN)

0 Helpful

it
Level 1
Level 1
In response to it

‎05-21-2020 01:20 AM

hello, when I use packet tracer from 192.168.15.61 (my pc )to 8.8.8.8 it shows that it is completed with output interface wan_2 which is wrong as this should be wan_3

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card