
ASA LAN no internet access (sometimes) but Site to Site VPN works

it
Level 1

Hello,

 

I have an ASA 5516 with many LANs working and having internet access.

I have created a new LAN successfully which also has a site to site VPN with one of our customers (this is the second interface with StS VPN that we have on the same FW).

 

The problem I am facing is that sporadically this interface loses its internet access but the StoS VPN works with no problem.

 

In most cases this fixes itself, with me doing nothing, after some days.

 

How can I troubleshoot this so I can find what may cause the problem?

 

Thank you,

21 Replies

Hello,

 

I am not sure if I am missing something, but if you cannot ping 8.8.8.8 with wan_3 being the outgoing interface, then either wan_3 or something on the other side of wan_3 is not configured correctly. How far does a traceroute go?

tracert, if this is what you mean, doesn't work.

 

A conclusion is that both LAN3 & LAN4, which are configured with wan_3, are redirected to wan_2.

LAN4 works ok

LAN3 doesn't have internet, but its site to site vpn works

 

I am currently checking with our ISP for wan_3, in case there is a problem from their side.

 

Thank you,

I double checked LAN4 and found that it uses wan_2 instead of wan_3!

I just hit what is my ip address on chrome and saw the public IP.

 

So the problem should be this. Somehow traffic is redirected to wan_2 for both interfaces, but LAN4 works.

Hello,

 

How can I check traffic flow on this interface? From what I have found, the problem is that all LANs' traffic goes to one wan interface.

 

Thank you,

this is the output from packet tracer

Asa5516X# packet-tracer input lan3 icmp 192.168.15.61 1 15 8.8.8.8

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map LAN3_PBR permit 5
match ip address PBR_LAN3_ACL
set ip next-hop verify-availability 62.38.55.162 1 track 10
Additional Information:
Matched route-map LAN3_PBR, sequence 5, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 195.97.12.114 using egress ifc wan_2

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group lan3_access_in in interface lan3
access-list lan3_access_in extended permit ip any any log disable
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map SFR
class sfr
sfr fail-open
service-policy SFR interface wan_2
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912677, packet dispatched to next module

Result:
input-interface: lan3
input-status: up
input-line-status: up
output-interface: wan_2
output-status: up
output-line-status: up
Action: allow

 

this shouldn't be using 195.97.12.114 as a next hop but only 62.x.55.161
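
The mismatch in the trace above (PBR matches and sets next hop 62.38.55.162 with track 10, while ROUTE-LOOKUP resolves 195.97.12.114 on wan_2) can be checked mechanically. This is an added example, not part of the original posts; the function name `check_pbr` is hypothetical, the sample is trimmed from the posted output, and the parser assumes the packet-tracer text layout shown there.

```python
import re

# Constructed sample: phases 1-2 trimmed from the packet-tracer output posted above.
SAMPLE = """\
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map LAN3_PBR permit 5
match ip address PBR_LAN3_ACL
set ip next-hop verify-availability 62.38.55.162 1 track 10
Additional Information:
Matched route-map LAN3_PBR, sequence 5, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 195.97.12.114 using egress ifc wan_2
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Next hop configured by the matched route-map, plus its track id if present.
PBR_RE = re.compile(r"set ip next-hop(?: verify-availability)? " + IP + r"(?: \d+ track (\d+))?")
# Next hop and egress interface the firewall actually resolved.
EGRESS_RE = re.compile(r"found next-hop " + IP + r" using egress ifc\s+(\S+)")

def check_pbr(trace: str) -> dict:
    """Compare the PBR next hop with the one ROUTE-LOOKUP resolved."""
    pbr = PBR_RE.search(trace)
    egress = EGRESS_RE.search(trace)
    return {
        "pbr_next_hop": pbr.group(1) if pbr else None,
        "track_id": pbr.group(2) if pbr else None,
        "actual_next_hop": egress.group(1) if egress else None,
        "egress_ifc": egress.group(2) if egress else None,
        # True when policy routing matched but a different next hop was used.
        "bypassed": bool(pbr and egress and pbr.group(1) != egress.group(1)),
    }

if __name__ == "__main__":
    r = check_pbr(SAMPLE)
    if r["bypassed"]:
        print(f"PBR next hop {r['pbr_next_hop']} not used; traffic left via "
              f"{r['egress_ifc']} ({r['actual_next_hop']}); check track {r['track_id']}")
```

With `verify-availability`, the ASA skips the policy next hop when its tracked object is down and falls back to the normal route lookup, so the state of track 10 (`show track 10`) is worth checking whenever `bypassed` is true.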

Hello


@it wrote:

The problem I am facing is that sporadically this interface loses its internet access but the StoS VPN works with no problem.


I don’t see how the overlay vpn is still active after you lose its transit path- do you mean the vpn shows active but you lose connectivity over it?

How does this interface lose connection, is the interface flapping, Do you receive any errors?

 

Check the cabling, speed/duplex settings, and errors on the interface.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Our site to site VPN works but we lost internet access (example www.google.com). This interface has been up for about 2.5 years and this happened 5-6 times for about 1-2 days and then fixes on its own; now it is the 3rd day.
