01-12-2010 01:18 PM - edited 03-06-2019 09:15 AM
At random times in the day our Internet will go down in the office. So far the workaround has been to just reboot our ASA and then when it comes back up everything is fine for a little while.
When it is down, both the inside and outside interfaces are still showing as up but only internal traffic is still passing.
I have tried to replace it with a new ASA I had sitting in a box and it is still happening.
Around the time that it happened our ISP upgraded our bandwidth, but since rebooting our equipment fixes the issue they say it is our problem.
This configuration running on both of the routers has been good and working for a few years now with no major changes in the past 6 months.
Anybody familiar with this issue or have had to deal with anything similar?
Thanks.
01-12-2010 01:21 PM
What do you mean by "only internal traffic is still passing" ?
When the firewall is running normally can you ping the next-hop ISP address ?
When the firewall is not responding can you ping the next-hop ISP address ?
Jon
01-12-2010 01:26 PM
Hi Jon,
Thanks for your reply.
When it goes down I still hit resources on the internal network: file server, internal virtual servers etc. Only trying to get out to the internet or trying to hit our external hosted servers is where the traffic stops.
When the firewall is running I can ping the ISP address. Haven't had a chance to do this when it is down. I will try this and let you know.
Thanks again.
01-12-2010 01:31 PM
If you can't then it suggests there may be an issue with the ISP router. Also you may want to ping a device by IP address on the internet when the link is down if the ISP router responds.
It is a bit suspicious that this only started happening after a bandwidth upgrade.
Also have you checked resources in use on the ASA when it stops working ie. NAT entries, you aren't running out of NAT entries are you ?
Jon
01-12-2010 01:47 PM
Thanks Jon I will try that as well. Forgive my ignorance but when you say NAT entries are you referring to the Inside Host limit? If so it is licensed for unlimited users.
Thanks Again.
01-12-2010 01:50 PM
No, I mean each connection through the firewall uses a NAT entry. You can run out of NAT entries, in which case the firewall can no longer pass traffic for new connections. You can view the NAT table with "sh xlate". I suspect though if all connections stop working this is not your issue.
Jon
01-12-2010 03:06 PM
Hi Jon,
Just went down again and have some more info for you.
I can ping the ISP IP from the firewall when the internet goes down.
I cannot ping an outside address when the firewall goes down.
I did a sh xlate but am not super familiar with what to be looking at as far as output. A sh xlate count gave: 378 in use, 964 most used.
I have a feeling I am probably going to have to end up getting back with the ISP when the connection goes down before I reboot the firewall so they can look at their equipment yet again.
Thanks for your help.
01-12-2010 03:11 PM
378 xlate in use kind of rules out NAT translations.
If you can ping the ISP router I'm guessing the ISP will say it's working fine. Could you do a traceroute instead of a ping to an IP address on the internet, which should show how far the packets are going.
I'm assuming you tried to ping the IP on the internet from the firewall as well ?
Jon
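The triage Jon is walking through in this thread (ping the next hop, ping a host beyond it, run a traceroute, and check "sh xlate count") as an added, offline Python example; this is not code from the thread or from Cisco. The "show xlate count" line follows the exact shape quoted above ("378 in use, 964 most used"); the ping summary and traceroute hop formats are assumed IOS/ASA-style, the xlate capacity threshold is a parameter rather than a platform limit, and every sample output below is constructed for illustration.

```python
"""Offline triage for the symptom in this thread: inside traffic works, the ISP
next hop answers ping, but nothing beyond it does. Added example, not from the
thread. Parses pasted CLI output and reports which side of the link the
evidence points to, so the data can be collected before anyone reboots."""
import re
from typing import Dict, Optional, Tuple

# Exact shape quoted in the thread: "378 in use, 964 most used".
XLATE_RE = re.compile(r"(\d+)\s+in use,\s+(\d+)\s+most used")
# Assumed IOS/ASA-style ping summary: "Success rate is 0 percent (0/5)".
PING_RE = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)")
# Assumed traceroute hop line: "<hop>  <ip or *> ..."; "*" means no reply.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_xlate_count(output: str) -> Tuple[int, int]:
    """Return (in_use, most_used) from 'show xlate count' output."""
    m = XLATE_RE.search(output)
    if m is None:
        raise ValueError("no xlate count found in output")
    return int(m.group(1)), int(m.group(2))


def ping_succeeded(output: str, min_success_pct: int = 60) -> bool:
    """True if the ping summary shows at least min_success_pct replies."""
    m = PING_RE.search(output)
    return m is not None and int(m.group(1)) >= min_success_pct


def last_responding_hop(output: str) -> int:
    """Highest hop number that answered; a hop shown as '*' timed out."""
    last = 0
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m and m.group(2) != "*":
            last = max(last, int(m.group(1)))
    return last


def triage(xlate_out: str, next_hop_ping: str, internet_ping: str,
           traceroute_out: str = "", xlate_capacity: Optional[int] = None) -> Dict:
    """Combine the four checks into one verdict with supporting detail."""
    in_use, most_used = parse_xlate_count(xlate_out)
    next_hop_ok = ping_succeeded(next_hop_ping)
    internet_ok = ping_succeeded(internet_ping)
    last_hop = last_responding_hop(traceroute_out)

    # NAT exhaustion is checked first: it breaks new connections regardless
    # of what the ISP side looks like (capacity is a caller-supplied assumption).
    if xlate_capacity is not None and in_use >= 0.9 * xlate_capacity:
        verdict = "nat_table_near_capacity"
        detail = f"{in_use}/{xlate_capacity} xlates in use (peak {most_used})"
    elif not next_hop_ok:
        verdict = "local_link_or_isp_router"
        detail = "next hop unreachable: check outside interface, ARP, ISP CPE"
    elif not internet_ok:
        verdict = "upstream_of_next_hop"
        detail = (f"next hop answers but internet does not; traceroute stops "
                  f"after hop {last_hop}: hand this to the ISP before rebooting")
    else:
        verdict = "healthy"
        detail = "next hop and internet both reachable"
    return {"verdict": verdict, "detail": detail, "xlate_in_use": in_use,
            "xlate_peak": most_used, "last_hop": last_hop}


# Constructed sample outputs modelled on the numbers reported in the thread.
XLATE_DURING_OUTAGE = "378 in use, 964 most used"
PING_NEXT_HOP_UP = "Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms"
PING_INTERNET_DOWN = "Success rate is 0 percent (0/5)"
TRACE_STOPS_AT_ISP = "1  203.0.113.1  1 msec 1 msec 1 msec\n2  *  *  *\n3  *  *  *"

if __name__ == "__main__":
    print(triage(XLATE_DURING_OUTAGE, PING_NEXT_HOP_UP, PING_INTERNET_DOWN,
                 TRACE_STOPS_AT_ISP))
```

Run during an outage, paste the four outputs from the firewall, and keep the result; a verdict of upstream_of_next_hop with the traceroute dying right after the ISP router is the evidence the ISP will want to see, and it is lost the moment the box is rebooted.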
01-12-2010 03:14 PM
Hi Jon,
Yes all of my pinging has been done from the firewall. I will try a tracert next time it comes down.
Thanks Again