
ASA 5505 Losing internet connection weekly

Last Modified: 2012-05-06
I installed an ASA 5505 at a client of mine's location about a year ago.  Ever since the install they have complained of random internet dropping.  They have been unplugging the switches, the ASA, and the cable modem up until a few weeks ago.  I had told them to only restart the ASA and let me know if the internet comes back up.  After they reset the ASA the internet comes back up, but they are still experiencing this weekly.  I have enabled logging on the ASA, but since the unit is being unplugged and restarted the logs have not been very beneficial.  Is there some other way that I can try and troubleshoot this situation using the ASA or 3rd-party software?

I am unable to troubleshoot the situation when an outage occurs because their business is all done via Citrix sessions over the internet.  If the internet is down...so is their business.
They are on a dynamic IP address and a peer-to-peer network.  I will be implementing a server and domain shortly, but need to resolve this issue first.  Any help would be much appreciated.  I will post the config file for the ASA.
Result of the command: "show config"

: Saved
: Written by enable_15 at 12:05:09.502 CST Fri Feb 6 2009
ASA Version 7.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.XXX.X
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list outside_access_in extended permit udp any interface outside eq 65100
access-list vpnsplit_splitTunnelAcl standard permit
pager lines 24
logging enable
logging asdm informational
logging from-address XXXXXXXX@XXXXXXXXXXXX.com
logging recipient-address XXXXXXX@XXXXXXXXXX.com level errors
logging flash-bufferwrap
logging ftp-bufferwrap
mtu inside 1500
mtu outside 1500
ip local pool vpngroup mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface 65100 192.168.XX.XX XXXXXX netmask
static (inside,outside) udp interface 65100 192.168.X.XX XXXXXX netmask
static (inside,outside) tcp interface 3389 192.168.X.X XXXX netmask
static (outside,outside) tcp interface https 192.168.X.X https netmask
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnsplit internal
group-policy vpnsplit attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit_splitTunnelAcl
group-policy VPNremote internal
group-policy VPNremote attributes
 dns-server value XX.XX.0.XXX XX.XX.X.XXX
 vpn-tunnel-protocol IPSec
username XXXXXX password XXXXXXXXXXX encrypted privilege 15
username XXXXXX attributes
 vpn-group-policy XXXXXX
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
tunnel-group VPNremote type ipsec-ra
tunnel-group VPNremote general-attributes
 address-pool vpngroup
 default-group-policy VPNremote
tunnel-group VPNremote ipsec-attributes
 pre-shared-key *
tunnel-group vpnsplit type ipsec-ra
tunnel-group vpnsplit general-attributes
 address-pool vpngroup
 default-group-policy vpnsplit
tunnel-group vpnsplit ipsec-attributes
 pre-shared-key *
telnet inside
telnet outside
telnet timeout 5
ssh inside
ssh inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

class-map global-class
 match default-inspection-traffic
class-map inspection_default
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect http
service-policy global-policy global
 enable outside
prompt hostname context

I don't see anything in your config that looks out of place. I would contact Cisco and see what their tech support has to say - perhaps the unit is overheating or has a bad stick of RAM?

I would recommend using a syslog server for recording the logging messages. The Kiwi Syslog Server (http://www.kiwisyslog.com/) is great if you want to use it on a Windows box.
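Added example (not part of the original thread or any poster's code): once the ASA forwards its messages to a remote collector, the log survives each power cycle, and every outage shows up as a silence in the file. This sketch finds those silences and reports the most severe message logged just before each one. The collector line format (receive time, then the ASA message), the sample lines, and the 5-minute threshold are assumptions; the threshold presumes business hours, when traffic keeps the log flowing.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a collector's log file: the collector's receive time,
# then the ASA message. Only the "%ASA-<severity>-<id>:" prefix is relied on;
# the message text is simplified for illustration.
SAMPLE = """\
2012-05-01T09:00:05 %ASA-6-302013: Built outbound TCP connection (constructed)
2012-05-01T09:00:40 %ASA-6-302013: Built outbound TCP connection (constructed)
2012-05-01T09:00:50 collector: heartbeat (not an ASA line, skipped)
2012-05-01T09:01:10 %ASA-4-411002: Line protocol on Interface outside, changed state to down
2012-05-01T09:14:02 %ASA-4-411001: Line protocol on Interface outside, changed state to up
2012-05-01T09:14:20 %ASA-6-302013: Built outbound TCP connection (constructed)
2012-05-01T09:16:00 %ASA-6-302013: Built outbound TCP connection (constructed)
2012-05-01T09:18:30 %ASA-6-302013: Built outbound TCP connection (constructed)
2012-05-01T09:31:45 %ASA-6-302013: Built outbound TCP connection (constructed)
"""

LINE = re.compile(r"^(\S+)\s+%ASA-(\d)-(\d{6}):\s*(.*)$")

def parse(text):
    """Return sorted (time, severity, message_id, text) tuples; skip other lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), int(m.group(2)),
                           m.group(3), m.group(4)))
    return sorted(events)

def find_outages(events, max_silence=timedelta(minutes=5), context=3):
    """Treat any silence longer than max_silence as an outage and keep the
    last `context` messages received before the ASA went quiet."""
    outages = []
    for i in range(1, len(events)):
        prev, cur = events[i - 1], events[i]
        gap = cur[0] - prev[0]
        if gap > max_silence:
            lead_up = events[max(0, i - context):i]
            # ASA severities run 0 (emergencies) to 7 (debugging): lower is worse.
            worst = min(lead_up, key=lambda e: e[1])
            outages.append({"last_seen": prev[0], "back_at": cur[0],
                            "gap": gap, "worst": worst, "lead_up": lead_up})
    return outages

if __name__ == "__main__":
    for o in find_outages(parse(SAMPLE)):
        _, sev, msg_id, text = o["worst"]
        print(f"silent {o['gap']} after {o['last_seen']}: %ASA-{sev}-{msg_id} {text}")
```

In the constructed sample, the first silence is preceded by a warning-level interface message, while the second follows only informational traffic, which is the pattern to expect when the unit loses power or hangs without logging anything.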

I would suspect the internet connection itself also; the ASA looks to be configured fine.


I will give the kiwisyslog program a try.  Thanks for the heads up.  Also, I was going to check with the ISP to see if they could do some monitoring on their end.  It seems to be pretty consistent so they may be able to shed some light on the situation too.