Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1988
Views
0
Helpful
21
Replies

ASA LAN no internet access (sometimes) but Site to Site VPN works

it
Level 1
Level 1

‎05-20-2020 12:10 AM

Hello,

 

I have an ASA 5516 with many LANs working and having internet access.

I have created a new LAN successfully which also has a site to site VPN with on of our customers (this is the second interface with StS vpn that we have on the same FW).

 

The problem I am facing is that sporadically this interface loses its internet access but the StoS VPN works with no problem.

 

On most cases this fixes, with me doing nothing, after some days.

 

How can I troubleshoot this so I can find what may cause the problem?

 

Thank you,

Labels:
0 Helpful
21 Replies 21

Georg Pauwen
VIP
VIP
In response to it

‎05-21-2020 03:15 AM

Hello,

 

I am not sure I am missing something, but if you cannot ping 8.8.8.8 with wan_3 being the outgoing interface, then either wan_3 or something on the other side of wan_3 is not configured correctly. How far does a traceroute go ?

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-21-2020 03:27 AM

tracert, if this what you mean, doesn't work.

 

a conclusion is that on both LAN3 & LAN4 which are configured with wan_3, they are both redirected to wan_2

LAN4 works ok

LAN3 doesn't have internet, but its site to site vpn works

 

I am currently checking with our ISP for wan_3, in case there is a problem from their side.

 

Thank you,

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-21-2020 01:45 AM

I double checked LAN4 and found that it uses wan_2 instead of wan_3!

I just hit what is my ip address on chrome and saw the public IP.

 

so the the problem should be this. somehow traffic is redirected to wan_2 for both interfaces, but LAN4 works.

0 Helpful

it
Level 1
Level 1
In response to Georg Pauwen

‎05-21-2020 03:05 AM

Hello,

 

How can I check traffic flow on this interface. Because by what I have found the problem is that all LANs traffic goes to one wan interface.

 

Thank you,

0 Helpful

it
Level 1
Level 1
In response to it

‎05-21-2020 04:08 AM

this is the output from packet tracer

Asa5516X# packet-tracer input lan3 icmp 192.168.15.61 1 15 8.8.8.8

Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map LAN3_PBR permit 5
match ip address PBR_LAN3_ACL
set ip next-hop verify-availability 62.38.55.162 1 track 10
Additional Information:
Matched route-map LAN3_PBR, sequence 5, permit

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 195.97.12.114 using egress ifc wan_2

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group lan3_access_in in interface lan3
access-list lan3_access_in extended permit ip any any log disable
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map SFR
class sfr
sfr fail-open
service-policy SFR interface wan_2
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912677, packet dispatched to next module

Result:
input-interface: lan3
input-status: up
input-line-status: up
output-interface: wan_2
output-status: up
output-line-status: up
Action: allow

 

this shouldn't be using 195.97.12.114 as a next hop but only 62.x.55.161

0 Helpful

paul driver
VIP
VIP

‎05-20-2020 03:47 AM - edited ‎05-20-2020 04:37 AM

Hello

@it wrote:

The problem I am facing is that sporadically this interface loses its internet access but the StoS VPN works with no problem.

I don’t see how the overlay vpn is still active after you lose its transit path- do you mean the vpn shows active but you lose connectivity over it?

How does this interface lose connection, is the interface flapping, Do you receive any errors?

 

Check the cabling, speed/duplex settings,Errors on the interface.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

it
Level 1
Level 1
In response to paul driver

‎05-20-2020 11:21 PM

our site to site vpn works but we lost internet access (example www.google.com) this interface is up for about 2.5 years and this happened 5-6 times for about 1-2 days and then fixes on its own, know it is the 3rd day.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card