• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 615

Cisco ASA 5505

Two ASAs, both with DHCP on the outside interface, keep resetting their DHCP address and not reconnecting the VPN tunnel. Both units are running 8.2(2) software until I can do a memory upgrade to take them to 8.3(1).
One ASA is on a DSL line, and the VPN had been working fine until a reload of the firewall; now it cannot reconnect to the VPN tunnel.
The other ASA is on a cable line and it is exhibiting the same problem; however, when I attempt to enable the VPN client I get a repeating "INFO Global x.x.x.x will be port address translated" but no VPN connection.
Both units had been working fine in the past, but there seems to be a bug associated with dynamic IPs on the outside interfaces.
I have three other ASAs on static IPs and they have no problem.
1 Solution
Can you post the scrubbed configurations?
farmsm7Author Commented:
Here is the config for one of the units. This one is on a DSL line and is renewing its DHCP on the outside just fine and the unit is attempting to complete the tunnel but can't:

: Saved
: Written by enable_15 at 11:39:51.329 EDT Tue Apr 6 2010
ASA Version 8.2(2)
hostname xxxxxx
domain-name xxxxxx
enable password xxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address x.x.x.x x.x.x.x
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxx.xxx
object-group network obj_any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any information-reply
access-list outside_access_in extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging timestamp
logging buffer-size 32000
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
icmp permit host x.x.x.x outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=xxxxxxx
 crl configure
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh x.x.x.x x.x.x.x inside
ssh x.x.x.x x.x.x.x inside
ssh x.x.x.x x.x.x.x outside
ssh x.x.x.x x.x.x.x outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxx.xxx
vpdn group pppoex ppp authentication pap
vpdn username xxx@xxx.xxx password xxx
dhcp-client client-id interface outside
dhcpd dns x.x.x.x x.x.x.x
dhcpd wins x.x.x.x x.x.x.x
dhcpd domain xxx.xxx
dhcpd auto_config outside
dhcpd option 46 hex 08
dhcpd address inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd wins x.x.x.x x.x.x.x interface inside
dhcpd domain xxx.xxx interface inside
dhcpd option 46 hex 08 interface inside
dhcpd enable inside
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup xxxx password ********
vpnclient username xxxx password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x source inside
username xxx password xxxxxxx encrypted privilege 15
username xxx password xxxxxxx encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
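The configuration above is the kind of thing a reviewer reads line by line for the Easy VPN remote settings (the `vpnclient` block, the single ISAKMP policy, the DHCP outside interface) and for what is reachable from the outside. As an added example, not part of the original thread or of any Cisco tool, the script below parses an ASA 8.2-style configuration by indentation and reports those points. The embedded sample is a constructed, abridged copy of the posted configuration with the scrubbed addresses replaced by RFC 5737 / private placeholders; the group name "remote-sites" and the management subnets are assumptions.

```python
"""Audit a Cisco ASA 8.2-style configuration for the settings that matter to an
Easy VPN hardware client sitting behind a dynamic (DHCP or PPPoE) outside address.
Added example; sub-commands are grouped by indentation, which is how ASA prints them."""
import re

# Constructed, abridged sample modelled on the configuration in the thread.
# 192.0.2.10 and 198.51.100.0/24 are RFC 5737 documentation ranges; 10.0.0.0/24 is
# an assumed inside subnet. None of these values come from the original post.
SAMPLE_CONFIG = """\
: Saved
ASA Version 8.2(2)
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh 10.0.0.0 255.255.255.0 inside
ssh 198.51.100.0 255.255.255.0 outside
http 10.0.0.0 255.255.255.0 inside
vpdn group pppoex ppp authentication pap
vpnclient server 192.0.2.10
vpnclient mode network-extension-mode
vpnclient vpngroup remote-sites password ********
vpnclient enable
"""

# IKE phase 1 choices that a reviewer would flag on a current device.
LEGACY_IKE = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2"}}


def parse_blocks(text):
    """Return (command, [sub-commands]) pairs; ':' lines are saved-config comments."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(":"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def isakmp_policies(blocks):
    """Map policy number -> {setting: value} for every 'crypto isakmp policy' block."""
    policies = {}
    for head, body in blocks:
        m = re.fullmatch(r"crypto isakmp policy (\d+)", head)
        if m:
            policies[int(m.group(1))] = dict(line.split(" ", 1) for line in body if " " in line)
    return policies


def audit(text):
    """Return a list of human-readable findings for the given configuration text."""
    blocks = parse_blocks(text)
    heads = [head for head, _ in blocks]
    findings = []

    # 1. IKE phase 1: the Easy VPN client negotiates with whatever policies exist here.
    policies = isakmp_policies(blocks)
    if not policies:
        findings.append("no 'crypto isakmp policy' configured; IKE phase 1 cannot negotiate")
    for number, settings in sorted(policies.items()):
        for key, weak in LEGACY_IKE.items():
            if settings.get(key) in weak:
                findings.append(f"isakmp policy {number}: {key} {settings[key]} is a legacy choice")

    # 2. Easy VPN remote: server, group and 'enable' must all be present.
    vpnclient = {head.split()[1] for head in heads if head.startswith("vpnclient ")}
    for required in ("server", "vpngroup", "enable"):
        if required not in vpnclient:
            findings.append(f"'vpnclient {required}' missing; the tunnel cannot be brought up")

    # 3. Dynamic outside address: the head end must accept this peer from any address.
    for head, body in blocks:
        if head.startswith("interface ") and "ip address dhcp setroute" in body:
            name = next((b.split()[1] for b in body if b.startswith("nameif ")), head)
            findings.append(f"{name}: dynamic address; head end needs a dynamic peer definition")

    # 4. Management plane reachable from the untrusted side.
    for head in heads:
        if re.fullmatch(r"(ssh|http|telnet) \S+ \S+ outside", head):
            findings.append(f"management access permitted from outside: '{head}'")

    # 5. PAP sends the PPPoE password in clear text on the PPP link (the ISP often dictates this).
    if any(re.fullmatch(r"vpdn group \S+ ppp authentication pap", h) for h in heads):
        findings.append("PPPoE uses PAP; prefer chap/mschap if the ISP supports it")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a `show running-config` capture (after scrubbing secrets) and read the findings alongside the head-end configuration: the dynamic-address note is the reason the server side has to use a dynamic peer definition rather than a static peer address, and a missing `vpnclient enable` is the first thing to check when the remote never even attempts phase 1.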
Where is the ASA (the one on the DSL line) connecting to?

Peter C.
farmsm7Author Commented:
We found that updating the software to 8.3 had scrambled the passwords on the head end. We downgraded back to 8.2(2) and reset the passwords to fix the problem.
Ernie BeekExpertCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.