Cisco ASA 5505

Two ASAs, both with DHCP on the outside interface, keep resetting their DHCP address and not reconnecting the VPN tunnel. Both units are running 8.2(2) software until I can do a memory upgrade to take them to 8.3(1).
One ASA is on a DSL line, and the VPN had been working fine until a reload of the firewall; now it cannot reconnect to the VPN tunnel.
The other ASA is on a cable line and is exhibiting the same problem; however, when I attempt to enable the VPN client I get a repeating "INFO Global x.x.x.x will be port address translated" but no VPN connection.
Both units had been working fine in the past, but there seems to be a bug associated with dynamic IPs on the outside interfaces.
I have 3 other ASAs on static IPs and they have no problem.
farmsm7 asked:

mediavisionds commented:
Can you post the scrubbed configurations?
farmsm7 (Author) commented:
Here is the config for one of the units. This one is on a DSL line and is renewing its DHCP on the outside just fine and the unit is attempting to complete the tunnel but can't:


: Saved
: Written by enable_15 at 11:39:51.329 EDT Tue Apr 6 2010
!
ASA Version 8.2(2)
!
hostname xxxxxx
domain-name xxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address x.x.x.x x.x.x.x
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group network obj_any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any information-reply
access-list outside_access_in extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging timestamp
logging buffer-size 32000
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
icmp permit host x.x.x.x outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=xxxxxxx
 crl configure
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh x.x.x.x x.x.x.x inside
ssh x.x.x.x x.x.x.x inside
ssh x.x.x.x x.x.x.x outside
ssh x.x.x.x x.x.x.x outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxx.xxx
vpdn group pppoex ppp authentication pap
vpdn username xxx@xxx.xxx password xxx
dhcp-client client-id interface outside
dhcpd dns x.x.x.x x.x.x.x
dhcpd wins x.x.x.x x.x.x.x
dhcpd domain xxx.xxx
dhcpd auto_config outside
dhcpd option 46 hex 08
!
dhcpd address 192.168.3.2-192.168.3.33 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd wins x.x.x.x x.x.x.x interface inside
dhcpd domain xxx.xxx interface inside
dhcpd option 46 hex 08 interface inside
dhcpd enable inside
!
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup xxxx password ********
vpnclient username xxxx password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x source inside
webvpn
username xxx password xxxxxxx encrypted privilege 15
username xxx password xxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ab67dd403a6b42a9cf3a3725efe66d51
ptchuba commented:
Where is the ASA (the one on the DSL line) connecting to?

Peter C.
farmsm7 (Author) commented:
We found that updating the software to 8.3 had scrambled the passwords on the head end. We downgraded back to 8.2(2) and reset the passwords to fix the problem.
Ernie Beek (Expert) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.