
Public IP loses ping 20 - 30 minutes after doing ISP migration

Sihanu N
Level 1

Hi Experts,

We had an ASA in our environment and tried to migrate to a new ISP. But after the migration of the ISP, the internet as well as VPN disconnects in 20 - 30 minutes.

Following are the noticeable things after the internet disconnects:

1) Ping to the ASA's outside interface is lost

2) Ping to the ISP gateway is still there

3) A shut/no shut of the outside interface doesn't restore the internet connection

4) Only removing the outside IP using the "no" command and assigning the same IP again restores the internet connection

5) But the internet is lost again in 20 - 30 mins (only doing the above steps restores the connection again)

My Queries

1) Is this an ISP issue or some misconfiguration in the ASA?

Kindly provide your valuable suggestions and advice on this problem.

Thanks and Regards,

Sihanu N

6 Replies

Josh Sprang
Level 1

Seems like there might be an issue with the default route or the netmask of the outside interface. If the netmask is correct I would look at a show route when the issue is happening and see if you have a default route in the routing table. Can the ASA ping past its default gateway when the issue is happening?

Sent from Cisco Technical Support iPad App

Hi Josh,

Thanks for the reply,

As the ISP migration was not a success and we were forced to switch back to the old ISP, we can't perform the basic troubleshooting steps. But before the internet was lost everything seemed fine, and even the site-to-site VPN was established. After an exact time frame of 30 minutes, every internet service went down. Anyway, we will be performing an ISP test again in the coming days and will check the ping from the ASA to the default gateway (but we are getting ping replies from remote locations to the gateway even when ping to the ASA outside interface IP is lost).

But it seems very strange that after the internet is lost, an IP address re-assignment on the outside interface restores the internet for the next 30 minutes (even a shut/no shut of the interface didn't restore the internet).

1) Is there any blocking property of the ASA, as the DNS forwarder on one of the servers inside the network was still using the older ISP during the ISP migration? (Noticed from the syslog output, which showed many failed requests from the server IP to resolve DNS.)

Kindly advise some basic troubleshooting steps (before and after the loss of internet) for the next ISP migration test.

Thanks and Regards,

Sihanu N

I would involve the ISP in your next maintenance window. Also I would update the forwarder to the new ISP, you may have DNS issues going on. Can you post your config?

I would cut over the circuit, then review a show log and see if there are mechanisms causing the ASA to stop traffic. Feel free to post the syslog messages during the outage. I would also do a "show route" and ping the next hop. Since the ASA is all Ethernet you can look to see if maybe you have a port speed and duplex problem. Maybe the ISP triggers something in their monitoring that err-disables their port. Are there any modules in use on the ASA such as a CSC or something?

Have the ISP look at their router logs to see if they see any error causing the circuit to go down.

Hi Josh,

Many thanks for your support.

We have performed the ISP test again in the presence of ISP officials and the same thing happened. Anyway, they will check their circuit and will inform us what happened.

Will update the result here once the report from the ISP is received.

Thanks and Regards

Sihanu

I would say first post your old config (which is currently working in your environment) and the config of the ASA (which has not worked for you). Also, if you have show log messages from when you performed the ASA troubleshooting, that would be helpful to understand the problem further.

Apart from that, my first doubt would be about any lifetime you have set on your ASA device, if you are using an isakmp policy?

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Hi Josh,

The issue has been resolved by the ISP itself, as it was due to some circuit issue at their end.

Many, many thanks for your valuable support.

Thanks and Regards

Sihanu N
