Varying Connectivity Issues

I have a Cisco ASA 5510 with a CSC-SSM. The configuration I am using has inside, outside, security, and dmz. I am having a problem where computers behind the dmz lose connection. For instance one is a web server and attaches to another server for sql. With no distinguishable pattern, the connection is lost and then reconnects. Not disconnected enough where the network card shows as disconnected, but if I ping to another server in the dmz from a server in the dmz, sometimes the pings respond and sometimes they don't. In fact if you let the ping run you can see the connection go up and down with no distinct pattern. Below is my config. Also these servers are all Windows 2003 and connected through a Catalyst switch. I have the same issue pinging to the ASA as well. I have checked and replaced the cables and other obvious things, but this one is still stumping me.

Also, when you are connected to the ASA via ASDM, if you don't make your changes quickly you will have to reconnect and make the changes again because it seems to lose connection or time out. (This is through any interface.) Thanks in advance for your help.
asdm image disk0:/asdm512-k8.bin
asdm location SECWEB2_DMZ 255.255.255.255 DMZ
asdm location ADMINISTRATIVE_DMZ 255.255.255.255 DMZ
asdm location ADMINISTRATIVE_OUTSIDE 255.255.255.255 outside
asdm location SECWEB2_OUTSIDE 255.255.255.255 outside
asdm location EXCHANGE00_DMZ 255.255.255.255 DMZ
asdm location EXCHANGE00_OUTSIDE 255.255.255.255 outside
asdm location WEB2_DMZ 255.255.255.255 DMZ
asdm location WEB2_OUTSIDE 255.255.255.255 outside
asdm location NANO_OUTSIDE 255.255.255.255 outside
asdm location NANO_DMZ 255.255.255.255 DMZ
asdm location DEDICATED_FTP_OUTSIDE 255.255.255.255 outside
asdm location DEDICATED_FTP_DMZ 255.255.255.255 DMZ
asdm location DNS00_DMZ 255.255.255.255 DMZ
asdm location DNS00_OUTSIDE 255.255.255.255 outside
asdm location SECURITY_OUTSIDE 255.255.255.255 outside
asdm history enable
: Saved
:
ASA Version 7.1(2) 
!
hostname SEC-ASA-TOWN
domain-name domain.com
enable password xxxxxxxxxxxxxxxxx encrypted
names
name 192.168.6.196 SECWEB2_DMZ
name 192.168.6.254 ADMINISTRATIVE_DMZ
name xxx.xxx.16.254 ADMINISTRATIVE_OUTSIDE
name xxx.xxx.16.196 SECWEB2_OUTSIDE
name xxx.xxx.16.250 EXCHANGE00_OUTSIDE
name 192.168.6.250 EXCHANGE00_DMZ
name 192.168.6.190 WEB2_DMZ
name xxx.xxx.16.190 WEB2_OUTSIDE
name xxx.xxx.16.191 NANO_OUTSIDE
name 192.168.6.191 NANO_DMZ
name xxx.xxx.16.197 DEDICATED_FTP_OUTSIDE
name 192.168.6.197 DEDICATED_FTP_DMZ
name 192.168.6.252 DNS00_DMZ
name xxx.xxx.16.252 DNS00_OUTSIDE
name xxx.xxx.16.253 SECURITY_OUTSIDE
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.16.3 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/2
 description DMZ network segment
 nameif DMZ
 security-level 50
 ip address 192.168.6.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.0.1 255.255.255.0 
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service EXCHANGE_SERVER tcp-udp
 port-object eq 110
 port-object eq 25
 port-object eq 443
 port-object eq www
 port-object eq 3389
 port-object eq 3101
 port-object eq 8080
 port-object eq 8443
object-group service WEB_SERVER tcp-udp
 port-object eq 3389
 port-object eq 21
 port-object eq www
 port-object eq 443
 port-object eq 1433
object-group service DNS_SERVER tcp-udp
 port-object eq 22
 port-object eq domain
 port-object eq 3389
object-group service COBALT_SERVER tcp-udp
 port-object eq 25
 port-object eq 143
 port-object eq domain
 port-object eq 81
 port-object eq www
 port-object eq 22
 port-object eq 21
 port-object eq 110
 port-object eq 3306
 port-object eq 444
 port-object eq 443
object-group service JUSTRDC tcp-udp
 port-object eq 3389
access-list csc-acl extended permit tcp any any eq www inactive 
access-list csc-acl extended permit tcp any any eq ftp 
access-list csc-acl extended permit tcp any any eq pop3 
access-list csc-acl extended permit tcp any any eq smtp 
access-list Inside_access_in remark IP>IN
access-list Inside_access_in extended permit ip any any 
access-list Inside_access_in remark IP>IN
access-list Inside_access_in remark IP>IN
access-list Outside_access_out remark TCP>Out
access-list Outside_access_out extended permit tcp any any 
access-list Outside_access_out extended permit udp any any 
access-list Outside_access_out extended permit ip any any 
access-list Outside_access_out extended permit icmp any any 
access-list Outside_access_out remark TCP>Out
access-list Outside_access_out remark TCP>Out
access-list Inside_access_out extended permit icmp any any 
access-list Inside_access_out extended permit ip any any 
access-list Inside_access_out extended permit udp any any 
access-list Inside_access_out extended permit tcp any any 
access-list outside_access_in extended permit tcp any host SECWEB2_OUTSIDE object-group WEB_SERVER 
access-list outside_access_in extended permit tcp any host WEB2_OUTSIDE object-group WEB_SERVER 
access-list outside_access_in extended permit tcp any host NANO_OUTSIDE eq www 
access-list outside_access_in extended permit tcp any host DEDICATED_FTP_OUTSIDE eq ftp 
access-list outside_access_in extended permit tcp any host DEDICATED_FTP_OUTSIDE eq www 
access-list outside_access_in extended permit tcp any host EXCHANGE00_OUTSIDE object-group EXCHANGE_SERVER 
access-list outside_access_in extended permit tcp any host DNS00_OUTSIDE object-group JUSTRDC 
access-list outside_access_in remark Security to CSC SSM
access-list outside_access_in extended permit tcp any host SECURITY_OUTSIDE eq 8443 
access-list outside_access_in extended permit tcp any host ADMINISTRATIVE_OUTSIDE object-group WEB_SERVER 
access-list outside_access_in remark Security to CSC SSM
access-list outside_access_in remark Security to CSC SSM
access-list inside_pnat_outbound extended permit tcp 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list outside_access_in_V1 extended permit tcp any host EXCHANGE00_OUTSIDE object-group EXCHANGE_SERVER 
access-list outside_access_in_V1 extended permit tcp any host WEB2_OUTSIDE object-group WEB_SERVER 
access-list outside_access_in_V1 extended permit tcp any host NANO_OUTSIDE object-group WEB_SERVER 
access-list outside_access_in_V1 extended permit tcp any host SECWEB2_OUTSIDE object-group WEB_SERVER 
access-list outside_access_in_V1 extended permit tcp any host DEDICATED_FTP_OUTSIDE object-group WEB_SERVER 
access-list outside_access_in_V1 extended permit tcp any host ADMINISTRATIVE_OUTSIDE object-group WEB_SERVER 
!
ftp-map Default
!
pager lines 24
logging enable
logging list Default level warnings
logging asdm-buffer-size 512
logging buffered notifications
logging asdm notifications
logging mail Default
logging debug-trace
logging class auth buffered errors asdm emergencies 
logging class ip asdm emergencies 
logging class session asdm emergencies 
logging class email buffered errors 
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
no failover
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
monitor-interface management
asdm image disk0:/asdm512-k8.bin
asdm history enable
arp timeout 14400
global (outside) 33 interface
global (management) 100 172.16.0.10-172.16.0.20 netmask 255.255.255.0
nat (inside) 200 access-list inside_pnat_outbound
nat (inside) 33 192.168.3.0 255.255.255.0
nat (management) 33 172.16.0.0 255.255.255.0
static (DMZ,outside) ADMINISTRATIVE_OUTSIDE ADMINISTRATIVE_DMZ netmask 255.255.255.255 
static (outside,DMZ) ADMINISTRATIVE_DMZ ADMINISTRATIVE_OUTSIDE netmask 255.255.255.255 
static (DMZ,outside) SECWEB2_OUTSIDE SECWEB2_DMZ netmask 255.255.255.255 
static (outside,DMZ) SECWEB2_DMZ SECWEB2_OUTSIDE netmask 255.255.255.255 
static (DMZ,outside) NANO_OUTSIDE NANO_DMZ netmask 255.255.255.255 
static (DMZ,outside) WEB2_OUTSIDE WEB2_DMZ netmask 255.255.255.255 
static (outside,DMZ) WEB2_DMZ WEB2_OUTSIDE netmask 255.255.255.255 
static (outside,DMZ) NANO_DMZ NANO_OUTSIDE netmask 255.255.255.255 
static (DMZ,outside) DEDICATED_FTP_OUTSIDE DEDICATED_FTP_DMZ netmask 255.255.255.255 
static (outside,DMZ) DEDICATED_FTP_DMZ DEDICATED_FTP_OUTSIDE netmask 255.255.255.255 
static (DMZ,outside) EXCHANGE00_OUTSIDE EXCHANGE00_DMZ netmask 255.255.255.255 
static (outside,DMZ) EXCHANGE00_DMZ EXCHANGE00_OUTSIDE netmask 255.255.255.255 
static (DMZ,outside) DNS00_OUTSIDE DNS00_DMZ netmask 255.255.255.255 
static (outside,DMZ) DNS00_DMZ DNS00_OUTSIDE netmask 255.255.255.255 
static (management,outside) SECURITY_OUTSIDE 172.16.0.2 netmask 255.255.255.255 
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 dns 
access-group outside_access_in_V1 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.16.1 1
route DMZ EXCHANGE00_DMZ 255.255.255.255 192.168.6.1 1
route DMZ SECWEB2_DMZ 255.255.255.255 192.168.6.1 1
route DMZ WEB2_DMZ 255.255.255.255 192.168.6.1 1
route DMZ NANO_DMZ 255.255.255.255 192.168.6.1 1
route DMZ DEDICATED_FTP_DMZ 255.255.255.255 192.168.6.1 1
route DMZ ADMINISTRATIVE_DMZ 255.255.255.255 192.168.6.1 1
route DMZ DNS00_DMZ 255.255.255.255 192.168.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server domain protocol nt
aaa-server domain (DMZ) host EXCHANGE00_DMZ
 timeout 5
 nt-auth-domain-controller exchange00
group-policy Administrative internal
group-policy Administrative attributes
 dns-server value 192.168.6.252 192.168.6.199
 default-domain value domain.com
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.3.0 255.255.255.0 inside
http 192.168.6.0 255.255.255.0 DMZ
http 172.16.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
isakmp enable outside
telnet timeout 10
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd address 192.168.3.100-192.168.3.200 inside
dhcpd address 172.16.0.2-172.16.0.254 management
dhcpd dns DNS00_DMZ 
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain domain.com
dhcpd enable inside
dhcpd enable management
!
class-map global-class
 match default-inspection-traffic
class-map csc-traffic
 match access-list csc-acl
class-map class-www
!
!
policy-map global_policy
 class global-class
  inspect ftp 
 class class-default
  csc fail-open
policy-map tap-inside-policy
 class csc-traffic
  csc fail-close
!
service-policy global_policy global
smtp-server 192.168.6.250
: end

GTIF asked:

batry_boy commented:
>>Also, when you are connected to to the ASA via ASDM, if you don;t make your changes quickly you will have to reconnect and make the changes again cause it seems to loose connection or timeout. (This is through any interface)

I've seen this issue with other ASAs and I believe it may be an issue with the ASDM code.  I notice you're running 7.1(2) which is very buggy.  I would upgrade your code to 7.2(3) at your earliest opportunity.  You'll also have to upgrade the ASDM to version 5.2(3), which may help with the disconnects.

>>but if I ping to another server in the dmz from a server in the dmz, sometimes the pings respond and sometimes they don't.

If I understand this statement correctly, this traffic is not going through the ASA at all.  If this is true, then I would investigate your Catalyst switch as a possible culprit.  What version of code is on the Catalyst?  You may want to post the sanitized running configuration of your switch so we can see if there is anything suspect in it.

Now, if you are seeing this behavior on traffic that is going through the ASA, then I would try removing the CSC inspection commands from your global_policy and see if this helps...
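One thing worth ruling out before blaming the switch, added here as an aside on the posted ASA config (this is not part of batry_boy's answer and the thread never confirmed it): DMZ-to-DMZ pings are not forwarded by the ASA, but the ASA's DMZ interface still sits on that segment and answers ARP. On ASA 7.x, `static (real_if,mapped_if) mapped_ip real_ip` makes the firewall proxy-ARP on mapped_if for mapped_ip. The config above carries a reverse `static (outside,DMZ) <host>_DMZ <host>_OUTSIDE` line for every DMZ host, so the ASA will answer ARP on the DMZ for 192.168.6.254, .196, .190, .191, .197, .250 and .252, the same addresses the real servers own, and the `static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0` identity line covers the whole DMZ subnet as well. A host that ARPs for a neighbour then gets two replies and its cache flaps between the server's MAC and the ASA's, which fits "one reply and then fails". The script below is an added example in Python, not code from the thread or from Cisco; it flags any `static` whose mapped address the same config declares real on the mapped interface. It embeds a subset of the posted `name` and `static` lines; because the outside prefix is masked on the page as xxx.xxx.16.0/24, 203.0.113.0/24 is used as a placeholder (an assumption).

```python
"""Audit ASA 7.x-style 'static' NAT lines for proxy-ARP address conflicts.

Added example for this thread; not from the original post or from Cisco.
ASA behaviour encoded here (proxy ARP is on by default): for
    static (real_if,mapped_if) mapped_ip real_ip netmask M
the ASA answers ARP requests on mapped_if for mapped_ip. If a real host on
the mapped_if segment already owns that address, every ARP for it gets two
replies and the requester's cache flaps between the host's MAC and the ASA's.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^name\s+(?P<ip>\S+)\s+(?P<name>\S+)")
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)

# Lines copied from the thread's ASA config (subset). The outside prefix is
# masked on the page as xxx.xxx.16.0/24; 203.0.113.0/24 stands in for it.
SAMPLE_CONFIG = """\
name 192.168.6.254 ADMINISTRATIVE_DMZ
name 203.0.113.254 ADMINISTRATIVE_OUTSIDE
name 192.168.6.190 WEB2_DMZ
name 203.0.113.190 WEB2_OUTSIDE
name 203.0.113.253 SECURITY_OUTSIDE
static (DMZ,outside) ADMINISTRATIVE_OUTSIDE ADMINISTRATIVE_DMZ netmask 255.255.255.255
static (outside,DMZ) ADMINISTRATIVE_DMZ ADMINISTRATIVE_OUTSIDE netmask 255.255.255.255
static (DMZ,outside) WEB2_OUTSIDE WEB2_DMZ netmask 255.255.255.255
static (outside,DMZ) WEB2_DMZ WEB2_OUTSIDE netmask 255.255.255.255
static (management,outside) SECURITY_OUTSIDE 172.16.0.2 netmask 255.255.255.255
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 dns
"""

# The ASA's own interface addresses, from the 'interface' blocks on the page
# (outside uses the placeholder prefix).
INTERFACE_ADDRS = {
    "outside": "203.0.113.3",
    "inside": "192.168.3.1",
    "DMZ": "192.168.6.1",
    "management": "172.16.0.1",
}


def parse_names(config_text):
    """Map 'name <ip> <label>' lines to {label: ip}."""
    names = {}
    for line in config_text.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m["name"]] = m["ip"]
    return names


def parse_statics(config_text, names):
    """Yield one dict per 'static' line, with both sides as ip_network objects."""
    for line in config_text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue
        mapped = names.get(m["mapped"], m["mapped"])
        real = names.get(m["real"], m["real"])
        yield {
            "line": line,
            "real_if": m["real_if"],
            "mapped_if": m["mapped_if"],
            "mapped": ipaddress.ip_network(f"{mapped}/{m['mask']}", strict=False),
            "real": ipaddress.ip_network(f"{real}/{m['mask']}", strict=False),
        }


def proxy_arp_conflicts(config_text, interface_addrs):
    """Return (mapped_if, mapped_net, static_line, conflicting_origin) tuples.

    'Real' addresses per interface are the ASA's own interface address plus
    the real side of every static whose real_if is that interface. A static
    is flagged when its mapped address overlaps one of those on mapped_if."""
    names = parse_names(config_text)
    statics = list(parse_statics(config_text, names))
    real_on = {}
    for ifname, addr in interface_addrs.items():
        real_on.setdefault(ifname, []).append(
            (ipaddress.ip_network(f"{addr}/32"), f"{ifname} interface address"))
    for s in statics:
        real_on.setdefault(s["real_if"], []).append((s["real"], s["line"]))
    findings = []
    for s in statics:
        for net, origin in real_on.get(s["mapped_if"], []):
            if s["mapped"].overlaps(net):
                findings.append((s["mapped_if"], str(s["mapped"]), s["line"], origin))
    return findings


def flagged_statics(config_text=SAMPLE_CONFIG, interface_addrs=INTERFACE_ADDRS):
    """Set of static lines that make the ASA proxy-ARP for a live address."""
    return {f[2] for f in proxy_arp_conflicts(config_text, interface_addrs)}


if __name__ == "__main__":
    for mapped_if, net, line, origin in proxy_arp_conflicts(SAMPLE_CONFIG, INTERFACE_ADDRS):
        print(f"[{mapped_if}] ASA proxy-ARPs for {net} because of '{line}', "
              f"but that address is real on {mapped_if} ({origin})")
```

Each `(DMZ,outside)`/`(outside,DMZ)` pair is flagged in both directions because the two lines contradict each other; the `(management,outside)` static, which has no reverse twin, is not. To confirm on the box, run `arp -a` on a DMZ server while the pings are failing: if the entry for the other server shows the MAC of the ASA's DMZ interface (`show interface DMZ` on the ASA), this is the cause. The fix is to delete the `static (outside,DMZ)` lines (the matching `static (DMZ,outside)` already handles both directions of each connection) and to carry the inside-to-DMZ exemption with `nat (inside) 0 access-list ...`, which does not proxy-ARP; `sysopt noproxyarp DMZ` is a blunter stopgap. Unrelated to the ping problem but visible in the same config, `http 0.0.0.0 0.0.0.0 outside` exposes ASDM to every address on the Internet and should be narrowed.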
GTIF (author) commented:
The upgrade to 7.2(3) seems to be working very well, thanks. The ASDM connection problem has now been fixed.  Still having that ping problem though. Please refer to the running config from my Catalyst below as requested:
Current configuration : 8338 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname sec-catalyst
!
enable secret 5 $1$hBzx$9.Lnenksp4NuYB8kynix31
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
ip subnet-zero
ip routing
!
ip igmp snooping vlan 3 mrouter interface Gi0/23
no ip igmp snooping
!
!
!
port-channel load-balance src-dst-mac
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode access
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
 switchport access vlan 5
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
 switchport access vlan 2
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/8
 switchport access vlan 5
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/10
 switchport access vlan 5
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/11
 switchport access vlan 2
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/12
 switchport access vlan 5
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/13
 switchport access vlan 6
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
 switchport access vlan 4
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/15
 switchport access vlan 6
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 switchport access vlan 4
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
 switchport access vlan 3
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
 switchport access vlan 4
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/19
 switchport access vlan 3
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
 power inline never
 switchport access vlan 3
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
 switchport access vlan 3
 switchport mode access
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
 switchport access vlan 6
 switchport mode access
 switchport port-security violation protect
!
interface GigabitEthernet0/24
 description LAN Switch
 power inline never
 switchport access vlan 6
 switchport trunk allowed vlan 3
 switchport mode access
 switchport port-security maximum 25
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 172.16.0.3 255.255.255.0
!
interface Vlan2
 no ip address
!
interface Vlan3
 no ip address
!
interface Vlan4
 no ip address
!
router rip
 passive-interface Vlan1
 network 172.16.0.0
!
ip classless
ip http server
!
snmp-server community public RO
snmp-server community SEC RW
!
control-plane
!
!
line con 0
line vty 0 4
 password XXXXXXXXXX
 login
 length 0
line vty 5 15
 password XXXXXXXXX
 login
 length 0
!
end


batry_boy commented:
You have port security configured on most of the switch ports.  Have you confirmed that the MAC addresses of the machines you are trying to ping from/to don't violate your port security settings?
GTIF (author) commented:
I will look into it and get back to you, thanks.
GTIF (author) commented:
I attempted to manually disable all of the security settings even though Cisco Network Assistant said that security was disabled. Here is my updated config, still having the same problems. It is weird; most times it will allow one reply and then fails after that one reply. I also added the port descriptions so you can get a better idea of the connections. Thanks again.
Current configuration : 8663 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname sec-catalyst
!
enable secret xxxxxxxxxxx
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
ip subnet-zero
!
ip igmp snooping vlan 3 mrouter interface Gi0/23
no ip igmp snooping
!
!
!
port-channel load-balance src-dst-mac
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description ASA-MANAGEMENT
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport port-security violation protect
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 description EXCHANGE00
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 description CSC
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport port-security violation protect
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/4
 description ADMINISTRATIVE
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport port-security violation protect
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
 description WEB2
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/7
 description ASA-OUTSIDE
 switchport access vlan 2
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/8
 description DNS00
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 switchport port-security violation protect
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/10
 description SECWEB2
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/11
 description NS-OUTSIDE
 switchport access vlan 2
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/12
 description ASA-DMZ
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/13
 description ASA-INSIDE
 switchport access vlan 6
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
 description NS-DMZ
 switchport access vlan 4
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/15
 switchport access vlan 6
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 description NS1
 switchport access vlan 4
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
 switchport access vlan 3
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
 description COBALT
 switchport access vlan 4
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 speed 100
 duplex full
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/19
 switchport access vlan 3
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
 power inline never
 switchport access vlan 3
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
 switchport access vlan 3
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3
 switchport mode trunk
 switchport port-security violation protect
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/23
 description WAP
 switchport access vlan 6
 switchport mode access
 switchport port-security violation protect
 speed 100
 duplex full
!
interface GigabitEthernet0/24
 description LAN Switch
 power inline never
 switchport access vlan 6
 switchport trunk allowed vlan 3
 switchport mode access
 switchport port-security maximum 25
 switchport port-security aging time 2
 switchport port-security violation protect
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/25
 spanning-tree portfast
!
interface GigabitEthernet0/26
 spanning-tree portfast
!
interface GigabitEthernet0/27
 spanning-tree portfast
!
interface GigabitEthernet0/28
 spanning-tree portfast
!
interface Vlan1
 ip address 172.16.0.3 255.255.255.0
 no ip route-cache
!
interface Vlan2
 no ip address
 no ip route-cache
!
interface Vlan3
 no ip address
 no ip route-cache
!
interface Vlan4
 no ip address
 no ip route-cache
!
ip classless
ip http server
!
snmp-server community public RO
snmp-server community GTI_Federal RW
!
control-plane
!
!
line con 0
line vty 0 4
 password xxxxxxxxxx
 login
 length 0
line vty 5 15
 password xxxxxxxxx
 login
 length 0
!
mac-address-table aging-time 0 vlan 3
mac-address-table aging-time 0 vlan 1
mac-address-table aging-time 0 vlan 5
mac-address-table aging-time 0 vlan 2
mac-address-table aging-time 0 vlan 4
mac-address-table aging-time 0 vlan 6
end

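Two points about the switch config just posted, added here as an aside and not part of the thread's answers. First, on Catalyst IOS the `switchport port-security aging ...` and `switchport port-security violation ...` lines only set parameters; the feature is switched on by the bare interface command `switchport port-security`, which appears on none of the ports in either posted config. Port security was therefore never active on the DMZ ports (which matches what Cisco Network Assistant reported) and cannot be what drops the pings. Second, the `mac-address-table aging-time 0 vlan N` lines at the end of this config disable aging of dynamic MAC entries for every VLAN, so a stale entry persists until that MAC is learned on another port; that is not a cause of the flapping, but it is worth reverting. The script below is an added example in Python, not from the poster or from Cisco; it parses IOS interface blocks and reports both conditions. Its embedded sample is built from excerpts of the posted configs, except that Gi0/24 is given a bare `switchport port-security` line the real config lacks, to show what an enabled port looks like.

```python
"""Audit a Catalyst IOS running-config for port-security state and MAC aging.

Added example for this thread (not from the original posts or from Cisco).
IOS facts encoded here:
  * 'switchport port-security aging ...' / '... violation ...' only set
    parameters; the feature is enabled only by the bare interface command
    'switchport port-security'. Without it, 'show port-security interface'
    reports 'Port Security : Disabled'.
  * 'mac-address-table aging-time 0 [vlan N]' disables aging of dynamic
    MAC entries (for that VLAN, or globally when no VLAN is given).
"""
import re

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
AGING_RE = re.compile(r"^mac-address-table aging-time\s+(\d+)(?:\s+vlan\s+(\d+))?")
ACCESS_VLAN_RE = re.compile(r"^switchport access vlan (\d+)")

# Constructed sample: excerpts from the two Catalyst configs in the thread.
# Gi0/24 has a bare 'switchport port-security' line added here (not in the
# posted config) so that one enabled port appears in the report.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 description EXCHANGE00
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/12
 description ASA-DMZ
 switchport access vlan 5
 switchport mode access
 switchport port-security violation protect
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description LAN Switch
 switchport access vlan 6
 switchport mode access
 switchport port-security
 switchport port-security maximum 25
 switchport port-security violation restrict
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface Vlan1
 ip address 172.16.0.3 255.255.255.0
!
mac-address-table aging-time 0 vlan 5
mac-address-table aging-time 0 vlan 6
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: [sub-command lines]} from an IOS config.

    Sub-commands are the indented lines that follow an 'interface' line; any
    unindented line ('!', 'end', a global command) closes the block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = None
        m = INTERFACE_RE.match(raw)
        if m:
            current = m.group(1)
            blocks[current] = []
    return blocks


def port_security_state(subcommands):
    """'enabled', 'configured-but-disabled' (sub-options only) or 'none'."""
    if "switchport port-security" in subcommands:
        return "enabled"
    if any(c.startswith("switchport port-security ") for c in subcommands):
        return "configured-but-disabled"
    return "none"


def access_vlan(subcommands):
    """Access VLAN of a port; IOS defaults to VLAN 1 when none is set."""
    for c in subcommands:
        m = ACCESS_VLAN_RE.match(c)
        if m:
            return int(m.group(1))
    return 1


def audit(config_text, vlan=None):
    """Per-port port-security state, optionally limited to one access VLAN."""
    report = {}
    for name, subs in parse_interfaces(config_text).items():
        if name.startswith("Vlan"):
            continue  # SVIs are not switchports
        if vlan is not None and access_vlan(subs) != vlan:
            continue
        report[name] = port_security_state(subs)
    return report


def disabled_aging_vlans(config_text):
    """VLAN ids (or '*' for the global setting) whose dynamic MAC aging is off."""
    off = set()
    for raw in config_text.splitlines():
        m = AGING_RE.match(raw.strip())
        if m and int(m.group(1)) == 0:
            off.add(m.group(2) or "*")
    return off


if __name__ == "__main__":
    for port, state in audit(SAMPLE_CONFIG, vlan=5).items():  # VLAN 5 is the DMZ
        print(f"{port}: port-security {state}")
    print("MAC aging disabled on VLANs:", sorted(disabled_aging_vlans(SAMPLE_CONFIG)))
```

`show port-security interface GigabitEthernet0/2` on the switch confirms the classification ("Port Security : Disabled"). Two further items in the posted config are worth a look even though they are outside VLAN 5: Gi0/24 faces another switch yet carries `spanning-tree portfast trunk` with `bpduguard enable`, so a BPDU from that switch err-disables the port (`show interfaces status err-disabled` shows it); and `snmp-server community ... RW` together with `ip http server` and plaintext vty passwords gives anyone on the management VLAN write access to the switch, which is a larger security problem than the ping drops.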
batry_boy commented:
Focusing on your issue of seeing intermittent ping drops from one DMZ host to another DMZ host, your switch configuration shows that VLAN 5 is your DMZ.  Is this correct?  I gathered this from looking at the description of interface gigabit0/12.  If this is correct, I see 5 other ports assigned to VLAN 5:

interface GigabitEthernet0/2
 description EXCHANGE00
 switchport access vlan 5

interface GigabitEthernet0/4
 description ADMINISTRATIVE
 switchport access vlan 5

interface GigabitEthernet0/6
 description WEB2
 switchport access vlan 5

interface GigabitEthernet0/8
 description DNS00
 switchport access vlan 5

interface GigabitEthernet0/10
 description SECWEB2
 switchport access vlan 5

Which two of these hosts are the ones having ping problems between them?
GTIF (author) commented:
Correct, all of them, but it is intermittent. Sometimes X can reach all but all can't reach X, sometimes X can't reach any but all can reach X, sometimes X can reach some but not all and some can reach X but not all. It varies constantly.
batry_boy commented:
I think you're at the point of trial and error troubleshooting with this one.  Try taking off all port security settings on just 2 of those ports and see if the problem goes away.  Is this a doable test?
GTIF (author) commented:
Sure thing, I will work on that after hours today, thanks again.
GTIF (author) commented:
OK, I took off all of the security, no such luck, any other suggestions?
batry_boy commented:
I'm starting to think you have a bad switch.  Do you have another switch to try in place of the Catalyst?
GTIF (author) commented:
no...     :o(
GTIF (author) commented:
Could it have anything to do with IGMP, spanning tree, or RIP?  Do you have a working config I can have a copy of that I can adapt to use?
batry_boy commented:
What model of Catalyst switch is it?
GTIF (author) commented:
Catalyst 3560G
batry_boy commented:
Post your current config and let's have another look since you took off the security settings.