ASA 5505 Losing internet connection weekly

Posted on 2009-02-11
Medium Priority
Last Modified: 2012-05-06
I installed an ASA 5505 at a client of mine's location about a year ago.  Ever since the install they have complained of random internet dropping.  They have been unplugging the switches, the ASA, and the cable modem up until a few weeks ago.  I had told them to only restart the ASA and let me know if the internet comes back up.  After they reset the ASA the internet comes back up but they are still experiencing this weekly.  I have enabled logging on the ASA but since the unit is being unplugged and restarted the logs have not been very beneficial.  Is there some other way that I can try and troubleshoot this situation using the ASA or a 3rd party software?

I am unable to troubleshoot the situation when an outage occurs because their business is all done via Citrix sessions over the internet.  If the internet is down...so is their business.
They are on a dynamic IP address and a peer to peer network.  I will be implementing a server and domain shortly, but need to resolve this issue first.  Any help would be much appreciated.  I will post the config file for the ASA.
Result of the command: "show config"

: Saved
: Written by enable_15 at 12:05:09.502 CST Fri Feb 6 2009
ASA Version 7.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.XXX.X
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit udp any interface outside eq 65100
access-list vpnsplit_splitTunnelAcl standard permit
pager lines 24
logging enable
logging asdm informational
logging from-address XXXXXXXX@XXXXXXXXXXXX.com
logging recipient-address XXXXXXX@XXXXXXXXXX.com level errors
logging flash-bufferwrap
logging ftp-bufferwrap
mtu inside 1500
mtu outside 1500
ip local pool vpngroup mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface 65100 192.168.XX.XX XXXXXX netmask
static (inside,outside) udp interface 65100 192.168.X.XX XXXXXX netmask
static (inside,outside) tcp interface 3389 192.168.X.X XXXX netmask
static (outside,outside) tcp interface https 192.168.X.X https netmask
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnsplit internal
group-policy vpnsplit attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit_splitTunnelAcl
group-policy VPNremote internal
group-policy VPNremote attributes
 dns-server value XX.XX.0.XXX XX.XX.X.XXX
 vpn-tunnel-protocol IPSec
username XXXXXXpassword XXXXXXXXXXX encrypted privilege 15
username XXXXXX attributes
 vpn-group-policy XXXXXX
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
tunnel-group VPNremote type ipsec-ra
tunnel-group VPNremote general-attributes
 address-pool vpngroup
 default-group-policy VPNremote
tunnel-group VPNremote ipsec-attributes
 pre-shared-key *
tunnel-group vpnsplit type ipsec-ra
tunnel-group vpnsplit general-attributes
 address-pool vpngroup
 default-group-policy vpnsplit
tunnel-group vpnsplit ipsec-attributes
 pre-shared-key *
telnet inside
telnet outside
telnet timeout 5
ssh inside
ssh inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

class-map global-class
 match default-inspection-traffic
class-map inspection_default
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect http
service-policy global-policy global
 enable outside
prompt hostname context
Question by: lahma35

Expert Comment

ID: 23614364
I don't see anything in your config that looks out of place. I would contact Cisco and see what their tech support has to say - perhaps the unit is overheating or has a bad stick of RAM?


Accepted Solution

cat6509 earned 2000 total points
ID: 23618995
I would recommend using a syslog server for recording the logging messages. The Kiwi Syslog Server (http://www.kiwisyslog.com/) is great if you are wanting to use it on a Windows box.

I would suspect the internet connection itself also; the ASA looks to be configured fine.
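
An added example, not part of the original thread: once the ASA's messages are kept on a syslog server as suggested above, each power cycle shows up as a silence in the collected log, and the messages just before that silence are the ones that used to be lost when the unit was unplugged. The collector line layout, the addresses and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the "<receive time> <sender>" prefix is an assumed
# collector layout, "%ASA-<severity>-<id>: text" is the ASA's own message format.
SAMPLE_LOG = """\
2009-02-11 14:01:40 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 4101 for outside:203.0.113.10/1494 to inside:192.168.1.20/1051
2009-02-11 14:02:05 192.168.1.1 %ASA-6-302014: Teardown TCP connection 4101 for outside:203.0.113.10/1494 to inside:192.168.1.20/1051 duration 0:00:25 bytes 5120
2009-02-11 14:02:11 192.168.1.1 %ASA-4-411002: Line protocol on Interface outside, changed state to down
2009-02-11 14:09:30 192.168.1.1 %ASA-4-411001: Line protocol on Interface outside, changed state to up
2009-02-11 14:09:41 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.10/1494 to inside:192.168.1.20/1060
this line is not an ASA message and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

def parse(log_text):
    """Return (time, severity, message id, text) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore anything that is not an ASA syslog line
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m["sev"]), m["id"], m["text"]))
    return sorted(events, key=lambda e: e[0])

def silences(events, min_gap=timedelta(minutes=5), context=3):
    """Find gaps where the firewall stopped logging (e.g. it was unplugged).
    Each result holds the gap bounds, the last `context` messages before the
    gap, and those among them with severity 0-4 (warning or worse)."""
    found = []
    for i in range(1, len(events)):
        before, after = events[i - 1][0], events[i][0]
        if after - before >= min_gap:
            tail = events[max(0, i - context):i]
            found.append({"last_seen": before, "first_back": after,
                          "tail": tail,
                          "warnings": [e for e in tail if e[1] <= 4]})
    return found

if __name__ == "__main__":
    for gap in silences(parse(SAMPLE_LOG)):
        print(f"silent {gap['last_seen']} -> {gap['first_back']}")
        for ts, sev, msg_id, text in gap["tail"]:
            print(f"  {ts} sev={sev} id={msg_id} {text}")
```

Set `min_gap` well above the normal interval between messages at the chosen logging level, otherwise quiet periods overnight are reported as outages.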

Author Comment

ID: 23619024
I will give the kiwisyslog program a try.  Thanks for the heads up.  Also, I was going to check with the ISP to see if they could do some monitoring on their end.  It seems to be pretty consistent so they may be able to shed some light on the situation too.

Question has a verified solution.