  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1776
  • Last Modified:

Cisco, ASA, 5505 WAN Interface - can't connect

I'm attempting to set up a Cisco ASA 5505 as a VPN Concentrator for one of my clients. I'm running into a weird issue though... The ASA seems to work fine. Then when I leave it alone for an extended period of time (i.e. a few hours), I can't connect to it with the Cisco VPN Client anymore. I reboot the ASA and all seems normal again. Is there a timeout or sleep mode setting somewhere I'm missing?
0
Asked by: victornegri
 
batry_boyCommented:
What version of OS are you running?  I've seen some similar behavior on 7.2(2).
0
 
victornegriAuthor Commented:
Running 8.0(2)
0
 
victornegriAuthor Commented:
New piece of information: it just dropped me while I was connected via the Cisco VPN Client. Could it be that a log has filled up or something like that?
0
 
batry_boyCommented:
I've never seen that happen before as a result of that.  Do you have logging enabled in your VPN client when this happens?  If not, turn it on and set all categories to level 3 (high) and see if you get any useful info.
0
 
victornegriAuthor Commented:
Not much info. Seems like the outside interface is completely down. No log entries on the ASA device either:

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      19:25:47.865  08/08/07  Sev=Info/4      CM/0x63100002
Begin connection process

2      19:25:47.865  08/08/07  Sev=Info/4      CM/0x63100004
Establish secure connection

3      19:25:47.865  08/08/07  Sev=Info/4      CM/0x63100024
Attempt connection with server "x.x.x.x"

4      19:25:47.880  08/08/07  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

5      19:25:47.880  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x

6      19:25:48.208  08/08/07  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

7      19:25:48.208  08/08/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

8      19:25:53.208  08/08/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

9      19:25:53.208  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x

10     19:25:58.208  08/08/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

11     19:25:58.208  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x

12     19:26:03.208  08/08/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

13     19:26:03.208  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x

14     19:26:08.208  08/08/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=66E3F7B076627292 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

15     19:26:08.708  08/08/07  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=66E3F7B076627292 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     19:26:08.708  08/08/07  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"

17     19:26:08.708  08/08/07  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

18     19:26:08.708  08/08/07  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

19     19:26:08.708  08/08/07  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

20     19:26:08.708  08/08/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

21     19:26:08.708  08/08/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

22     19:26:08.708  08/08/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

23     19:26:08.708  08/08/07  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

0
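An added example, not part of the original thread: a small parser for the Cisco VPN Client log format posted above that counts IKE sends and retransmissions and checks whether the responder cookie stayed all-zero, meaning the client never processed any reply from the peer. The function names `parse` and `triage` are hypothetical, and the sample is a constructed subset of the posted entries.

```python
import re

# Entry header: sequence number, time, date, severity, component/message id.
HEADER = re.compile(r"^(\d+)\s+([\d:.]+)\s+(\S+)\s+Sev=(\w+/\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
# Cookie pair and deletion reason as they appear in the IKE SA messages.
COOKIES = re.compile(r"I_Cookie=([0-9A-F]{16}) R_Cookie=([0-9A-F]{16})\) reason = (\w+)")

# Constructed sample: a subset of the posted log entries, blank lines removed.
SAMPLE = """\
5      19:25:47.880  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
9      19:25:53.208  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
11     19:25:58.208  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
13     19:26:03.208  08/08/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
14     19:26:08.208  08/08/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=66E3F7B076627292 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

def parse(text):
    """Return one dict per log entry: seq, time, component, msg_id, message."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "time": m.group(2),
                            "component": m.group(5), "msg_id": m.group(6), "message": ""})
        elif line.strip() and entries:
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries

def triage(text):
    """Summarise a failed Phase 1 attempt from the client's point of view."""
    ike = [e for e in parse(text) if e["component"] == "IKE"]
    result = {"sent": sum(e["message"].startswith("SENDING >>>") for e in ike),
              "retransmits": sum("(Retransmission)" in e["message"] for e in ike),
              "reason": None, "responder_cookie": None}
    for e in ike:
        m = COOKIES.search(e["message"])
        if m:
            result["responder_cookie"], result["reason"] = m.group(2), m.group(3)
    # An all-zero responder cookie means no IKE reply was ever processed.
    result["peer_silent"] = result["responder_cookie"] == "0" * 16
    return result
```

A `peer_silent` result with several retransmissions points at the path or the far end's reachability rather than at credentials or the group policy, since the exchange never got past the first packet.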
 
batry_boyCommented:
So you cannot get back into a VPN session currently?  Do you have SSH access set up on the ASA from the outside so you can get into it and take a look?
0
 
victornegriAuthor Commented:
I'm using remote desktop to connect to the server on the LAN side of the ASA device then using the ASDM to monitor it.
0
 
batry_boyCommented:
So then the outside ASA interface isn't completely down.  You didn't say whether or not you could reestablish a remote access VPN session....can you, or do you have to bounce the ASA first before it will let you back in?
0
 
victornegriAuthor Commented:
I need to bounce the ASA in order to reestablish a remote access VPN session. Keeping it this way so I can troubleshoot it.

I'm actually going into the network through another router. The ASA is only going to be used for VPN access. So the Outside interface can be completely down. FYI, I can't ping an outside address (i.e. www.google.com) from SSH.
0
 
batry_boyCommented:
From the SSH CLI on the ASA, post the output of the "show int e0/0" command.
0
 
victornegriAuthor Commented:
Result of the command: "show int e0/0"

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001b.531b.55f3, MTU not set
      IP address unassigned
      711 packets input, 101395 bytes, 0 no buffer
      Received 151 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      12 switch ingress policy drops
      156 packets output, 21568 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
0
 
victornegriAuthor Commented:
Hmmm... curious... that interface should have a static IP address assigned to it but it says it's unassigned.
0
 
batry_boyCommented:
That's because the IP address gets assigned to the VLAN interface on a 5505.
0
 
victornegriAuthor Commented:
Never mind my last comment. Not thinking straight. IP is assigned to the VLAN.
0
 
victornegriAuthor Commented:
Yeah. Sorry.
0
 
batry_boyCommented:
Well, you can always try downgrading to 7.2 just to see if it's any more stable...I mean, 8.x is relatively new and I'm sure there are bugs in it...you may be running into one...

http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp219106
0
 
victornegriAuthor Commented:
When we purchased the ASA it had 7.2 on it and I couldn't get it to bring the outside interface up (even though it was configured correctly -- or so I think). I upgraded the ASA to 8.0 and it started working correctly. Maybe I got a lemon.
0
 
batry_boyCommented:
Yeah, that's pretty strange...not seen that one.  You must have Smartnet on it if you upgraded it to 8.0 after you got it.  I would open up a TAC case on it and see what they tell you as far as the interface potentially being defective.  Have you tried moving to another switch port for the outside interface?
0
 
victornegriAuthor Commented:
I'll try that when I get into the office tomorrow.

Thanks for your help. I'll keep you posted if I find a solution.
0
 
batry_boyCommented:
Good luck...
0
 
TechieDogCommented:
Did you find an answer to this one? I have the same issue.
0
 
victornegriAuthor Commented:
Found out that the problem was caused by another router attached to the same DSL modem with a 1 to 1 NAT rule that included the WAN interface IP address of the Cisco ASA. So the DSL modem didn't know where to send the packets that were destined to the Cisco because its ARP table was being updated from 2 different sources.
0
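An added example, not part of the original thread: one way to spot the condition described in the answer above, an IP address claimed by two MAC addresses on the same segment, from observed ARP sender fields. The addresses and timings are constructed placeholders, the function names are hypothetical, and the upstream ARP cache is modelled as simple last-writer-wins (an assumption; real caches also age entries out).

```python
from collections import defaultdict

# Constructed observations of ARP sender fields on the WAN segment:
# (seconds since start, sender IP, sender MAC). All values are placeholders.
OBSERVED = [
    (0,   "203.0.113.10", "02:00:00:00:00:0a"),  # VPN appliance outside address
    (40,  "203.0.113.10", "02:00:00:00:00:0b"),  # second router, via its 1:1 NAT rule
    (75,  "203.0.113.10", "02:00:00:00:00:0a"),
    (90,  "203.0.113.1",  "02:00:00:00:00:01"),  # gateway, single owner
    (130, "203.0.113.10", "02:00:00:00:00:0b"),
]

def find_conflicts(observations):
    """Return {ip: {"macs", "flaps", "last_owner"}} for IPs claimed by >1 MAC."""
    owners = defaultdict(list)
    for _ts, ip, mac in sorted(observations):
        owners[ip].append(mac.lower())
    conflicts = {}
    for ip, seq in owners.items():
        macs = sorted(set(seq))
        if len(macs) > 1:
            # A flap is any change of owner between consecutive observations.
            flaps = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
            conflicts[ip] = {"macs": macs, "flaps": flaps, "last_owner": seq[-1]}
    return conflicts

def misdirected_windows(observations, ip, expected_mac, end):
    """Return (start, stop) intervals in which a last-writer-wins ARP cache
    resolved `ip` to a MAC other than `expected_mac`; `end` closes the last one."""
    windows, bad_since = [], None
    for ts, seen_ip, mac in sorted(observations):
        if seen_ip != ip:
            continue
        if mac.lower() != expected_mac.lower():
            if bad_since is None:
                bad_since = ts
        elif bad_since is not None:
            windows.append((bad_since, ts))
            bad_since = None
    if bad_since is not None:
        windows.append((bad_since, end))
    return windows
```

The intervals returned by `misdirected_windows` correspond to the periods in which inbound VPN traffic would be delivered to the other device, which matches the intermittent "works, then stops" symptom reported in the thread.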
 
modus_operandiCommented:
Closed, 500 points refunded.
modus_operandi
Community Support Moderator
0
