Inside hosts lose connection to the Internet - ASA5505

Hi,

I have a network with 110 Windows hosts. Not all computers are powered on all the time. From time to time one or two computers lose their connection to the Internet, and I do not know why. Normally all the hosts are able to ping the firewall (gateway).

When a host loses its connection to the Internet it cannot ping the firewall. If the user waits an hour, the Internet is back.

I do not know why this happens. I have an unlimited client access license, and a reload (the console command) does not help.

This is my ASA5505 license:

---------------------------------------------------------------------------
xxx-ASA# sh activ
Serial Number: JMXxxxxxER
Running Activation Key: 0xfxxxx69 0x1xxxx93 0x1xxxx5b0 0xbxxxx4c0 0x4cxxxx85

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.

-----------------------------------------------------------------------------

Have I done something wrong?

Best regards Martin

Reply to
Martin

Martin,

You say that when these hosts lose Internet capabilities, you are not able to ping their default gateway? If that's so, it sounds more like a problem before you hit the ASA. Have you checked all the cabling and switches that are in place before you hit the ASA? Next time it happens, start by checking the switches these machines are connected to; see if you have connectivity, errors, etc.

neteng


Reply to
pcmccollum

Hi neteng,

On the computers that have lost the Internet, everything else works: intranet, file shares, printers, and so on. ONLY the Internet is lost. An arp -a shows the gateway's MAC, but the GW's IP cannot be pinged.

It does not help to reboot or to place the computer anywhere else in the network. If I wait an hour and reboot the computer, the Internet is back.

I am a little lost :-(

Best regards Martin

Reply to
Martin

You only have a 10 device license on the ASA. A show local-host will tell you how many are in use. If you hit 11, they can't go through the ASA; licensing...

Reply to
Brian V

If I run that command, the output starts with this:

Licensed host limit: Unlimited
Interface inside: 7 active, 39 maximum active, 0 denied

Why only 39 maximum active and not "unlimited"? What does it mean?

Do I have a problem with my timeouts?

-----
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
------

Best regards Martin

Reply to
Martin

"39 maximum active" is the number of hosts that the firewall has seen active at one time; you should never have more than 10 maximum active, since that is what you are licensed for. In layman's terms, you cannot have more than 10 devices on your LAN that go to the Internet. It is telling you that right now you have 7 active hosts. You need to upgrade your license on the ASA, since you obviously have more than 10. No, you don't have a problem with your timeouts.

Reply to
Brian V

How do you see I only have a license for 10 devices?

If I run a show activation-key, I see this output:

-----
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.

------

Inside hosts = unlimited; does that not mean I can use an unlimited number of devices?

Best regards Martin

Reply to
Martin

I must have read your original post wrong! My apologies. You most certainly do have an unlimited user license. Post your config and we'll see if anything is wrong in there.

Reply to
Brian V

Hi

That's wrong; the hosts can be unlimited. There is only a limit on the maximum number of VPN tunnels, not on the number of hosts in the LAN. Martin wrote that the clients also cannot access the Internet after a reload, so that's not a license problem.

I think the problem is proxy ARP. Depending on the installed OS, try a "sysopt noproxyarp inside" and/or "arp timeout 60". But with these commands I sometimes have problems with statics. Still, it can be a light toward the solution.

cu ivo

Reply to
googlegroups

This is my complete config:

Reply to
Martin

snipped-for-privacy@ruetsche.com wrote:

Could it be a bug in the firmware? My ASA5505 runs ASA Version 7.2(2). Maybe there is a newer version.

I will try "sysopt noproxyarp inside" later today...

Best regards Martin

Reply to
Martin

Again, I apologize about the license! I've got to stop replying to posts when I'm exhausted!

Your config looks just fine; I'm not seeing anything shy of the default setting for the DNS MTU. Using 512 can cause DNS queries to fail; I always set it to 4092. A "show service-policy" will let you know how many drops you have had. To change that setting:

conf t
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4092

Back to your original issue. Host XX cannot go to the Internet. When this host drops, can you ping the firewall? Do you have an internal router inside as well? If so, can the user ping that? Next time it happens, open up ASDM, go into logging, use debug packets and filter to that specific host, and see what the logs say.

About your other post, 7.2(2): while there is "newer" software, 7.2(2) is actually a very stable release, running at hundreds of our customers. 7.2(3) is the latest in the 7.x train; that's still too new for us to roll out to our customers. We have a 90-day policy unless they are experiencing issues that the release will fix.

Reply to
Brian V

This is not an MTU, and the minimum value should be 4096.

Reply to
Lutz Donnerhacke

4096 is the packet size. 4092 is the largest a DNS data segment should be.

What is it if not an MTU? It specifies the largest size a DNS inspect data segment should be.

Maximum Transmission Unit (MTU) refers to the size (in bytes) of the largest packet that a given layer of a communications protocol can pass onwards.

Am I wrong?

Reply to
Brian V

Hi Brian, thank you for your reply.

When the host loses the Internet it cannot ping the firewall. All the others can. Next time I will look at the log on the firewall; great idea.

I do not have any internal routers.

My network is built with 6 Cisco C2960 switches, but the host's Internet is down no matter which switch I connect it to.

But after an hour has gone by (and a host restart), the host's Internet is back.

Is there anything I should check on the switches?

Best regards Martin

Reply to
Martin

The 2960 is a basic L2 switch, so there is probably not much there. Is it always one specific host? If so, you may want to look at its switch port. Is it always 1 hr? When it happens again, in addition to looking at the logs on the firewall, get a "show xlate" (just the counts, the first line), a "show conn" (again, the first line) and a "show local-host" (the first 3 lines).

Reply to
Brian V
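Added example (not from the thread or from Cisco): a small Python helper that reads the three snapshots Brian asks for and turns them into the few facts that matter for this problem. The command outputs embedded below are constructed samples shaped like ASA 7.x "show xlate", "show conn" and "show local-host" output; exact wording varies by release, so the regular expressions are deliberately loose. The host addresses and the interface name "inside" are assumptions for the example.

```python
"""Triage helper for ASA "show xlate" / "show conn" / "show local-host" snapshots."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output (not captured from a real ASA).
SHOW_XLATE = """3 in use, 15 most used
PAT Global 203.0.113.2(1024) Local 10.0.0.5(51234)
PAT Global 203.0.113.2(1025) Local 10.0.0.7(49152)
"""

SHOW_CONN = """12 in use, 48 most used
TCP out 198.51.100.10:80 in 10.0.0.5:51234 idle 0:00:03 bytes 1234 flags UIO
"""

SHOW_LOCAL_HOST = """Licensed host limit: Unlimited
Interface inside: 7 active, 39 maximum active, 0 denied
Interface outside: 0 active, 0 maximum active, 0 denied
local host: <10.0.0.5>,
    TCP flow count/limit = 3/unlimited
    UDP flow count/limit = 1/unlimited
local host: <10.0.0.7>,
    TCP flow count/limit = 1/unlimited
"""

COUNTS_RE = re.compile(r"^\s*(\d+) in use,\s*(\d+) most used")
LIMIT_RE = re.compile(r"Licensed host limit:\s*(\S+)")
IFACE_RE = re.compile(
    r"Interface (\S+):\s*(\d+) active,\s*(\d+) maximum active,\s*(\d+) denied")
HOST_RE = re.compile(r"local host:\s*<([\d.]+)>")


def parse_counts(text: str) -> Tuple[int, int]:
    """Return (in_use, most_used) from the first line of show xlate / show conn."""
    m = COUNTS_RE.match(text.splitlines()[0])
    if not m:
        raise ValueError("unrecognised summary line: %r" % text.splitlines()[0])
    return int(m.group(1)), int(m.group(2))


def parse_local_host(text: str) -> Dict:
    """Return the licence limit, per-interface counters and the hosts the ASA lists."""
    limit_m = LIMIT_RE.search(text)
    limit_text = limit_m.group(1) if limit_m else "Unknown"
    # "Unlimited" (or anything non-numeric) becomes None; a numeric limit is kept.
    limit: Optional[int] = int(limit_text) if limit_text.isdigit() else None
    interfaces = {
        m.group(1): {"active": int(m.group(2)), "max": int(m.group(3)),
                     "denied": int(m.group(4))}
        for m in IFACE_RE.finditer(text)
    }
    return {"limit": limit, "limit_text": limit_text,
            "interfaces": interfaces, "hosts": HOST_RE.findall(text)}


def triage(xlate: str, conn: str, local_host: str, host_ip: str) -> List[str]:
    """Summarise the snapshots with respect to one affected host."""
    findings: List[str] = []
    lh = parse_local_host(local_host)
    inside = lh["interfaces"].get("inside")
    if inside is not None:
        if inside["denied"] > 0:
            findings.append("inside: %d host(s) denied, check licensing or limits"
                            % inside["denied"])
        if lh["limit"] is not None and inside["active"] >= lh["limit"]:
            findings.append("inside: %d active hosts at the licensed limit of %d"
                            % (inside["active"], lh["limit"]))
    if host_ip not in lh["hosts"]:
        # The ASA holds no state for this host; nothing from it is reaching
        # the firewall, so look upstream (ARP, switch port, cabling).
        findings.append("%s has no local-host entry on the ASA" % host_ip)
    x_use, x_max = parse_counts(xlate)
    c_use, c_max = parse_counts(conn)
    findings.append("xlate %d in use (%d most used), conn %d in use (%d most used)"
                    % (x_use, x_max, c_use, c_max))
    return findings


if __name__ == "__main__":
    for line in triage(SHOW_XLATE, SHOW_CONN, SHOW_LOCAL_HOST, "10.0.0.5"):
        print(line)
```

Paste the real command output into the three strings (or read it from files) and pass the address of the host that has dropped; a host that is missing from "show local-host" while the rest of the LAN is listed points the same way neteng and ivo did, at ARP and the switch side rather than at the ASA's licence.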

Thank you very much for your help, Brian.

The problem has not occurred for some time now (one week).

I will return when it happens again... and now I have some ideas to solve it :-)

Best regards Martin

Reply to
Martin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.