Solved

Cisco ASA - Windows 7 computers drop the network

Posted on 2010-08-30
Last Modified: 2012-05-10
One of my clients recently got a new Cisco ASA 5510. All was working ok until two days later when I implemented a few Windows 7 machines on their AD domain. Randomly (more times than not) the Win7 PCs lose internet and access to the domain controller…I am unable to ping yahoo.com or even the internal SBS2003 server. I can however ping the firewall consistently.

The PCs are plugged into the same switch as the SBS server…statically assigning an IP doesn’t make a difference. Any suggestions? I’m not sure if the ASA is my suspect or not…but all the issues started as soon as I implemented it. All Windows XP machines work perfectly with no issues.
Question by:PTSMN
LVL 1

Author Comment

by:PTSMN
ID: 33563152
More info: DHCP is coming from the SBS server so it works momentarily...DNS IPs from DHCP are pointing to the SBS server.

0
 
LVL 3

Expert Comment

by:robdcoy
ID: 33569084
How many users is the ASA licensed for and how many clients do you have?
0
 
LVL 1

Author Comment

by:PTSMN
ID: 33569802
I initially thought that was the issue as well so I power cycled the ASA with no change.

Even if that were the case, it shouldn't be filtering my internal LAN traffic, should it?

0
 
LVL 3

Expert Comment

by:robdcoy
ID: 33570283
No, after thinking about it, it shouldn't.  I will keep looking for a solution for you.

For the time being, do you have any GPO that is controlling your firewall settings for the Windows clients?  There might be something going on there?

Also, what is the IP address of the PC when you encounter the problem?   0.0.0.0?  169 address?  I understand it does this with a static, but when it is on DHCP, does an "ipconfig /release" and "ipconfig /renew" fix the issue?

Could be a driver issue?  Are these new PCs with the OEM install?

0
 
LVL 1

Author Comment

by:PTSMN
ID: 33570488
DHCP gives me the next address available in the DHCP pool...192.168.1.152

No firewall settings from GPO that would interfere...besides sometimes it decides to work...but then 5 mins later I'm back to not being able to do anything.

If I release my ip and renew I get the same address and same issues

Also I have already tried updating drivers and even swapping NICs on these brand new IBM desktops. (Volume licensed Win 7 reloads...non-OEM)

Someone mentioned something about a no fixup policy?? Not sure what that is or exactly what it does.

0
 
LVL 1

Author Comment

by:PTSMN
ID: 33570708
I have even pulled out a 3rd win 7 pc new out of box with no domain membership and tried getting online with it...same issues.
0
 
LVL 3

Expert Comment

by:robdcoy
ID: 33570756
This is a good thing......The problem has to be with your ASA.  Do you mind posting a sanitized version of your ASA config?  I can't promise anything, but hopefully something will jump out at me.

If you would rather, you can send the config to rob_at_thecompugeek.com.
0
 
LVL 1

Author Comment

by:PTSMN
ID: 33570860
email sent
0
 
LVL 3

Accepted Solution

by:
robdcoy earned 500 total points
ID: 33571462
Okie Dokie.  I don't see anything strange with the config.  Here is all I can offer to you for help.

Consider updating the firmware to 8.3(1).  There were some issues with 8.2(1), but I tried to skip this version and never really experienced problems.  I don't recall if there were any problems with Windows 7 clients and 8.2(1).  I don't think it would hurt at all.  You can always fall back to a previous version.  Just remember to backup, backup, backup.  I've been bitten far too many times to just jump at the update.  ;-)

I have seen some stuff on the web about people going back to the PIX 501 because the 5505 was causing issues with their Vista and 7 users.  I haven't seen anything about the 5510 yet.

Disable IPv6 on the 7 clients.  This could cause some issues?  I don't have much experience with IPv6, nor do I want to.  For me, I have never needed more clients than IPv4 could provide.

Again, I will do my best to help out, but everything looks good.  I highly suspect that 5510 and the firmware.
0
 
LVL 1

Author Comment

by:PTSMN
ID: 33578935
I will try the firmware update then. I did disable IPv6 already with no change so I'll keep you posted.
0
 
LVL 1

Author Comment

by:PTSMN
ID: 33619134
Well, this client is running a temperamental VPN to one of their vendors, so at this point updating the firmware won't be an option until the end of the month when the VPN is no longer required...is there a way to set up logging to try and dig deeper as to why my Win7 PCs lose their connection? The syslogs aren't showing me anything being blocked for this particular LAN IP that's having the issues. Just "severity 6" events.

0
 
LVL 1

Author Comment

by:PTSMN
ID: 33620854
Disabling the Proxy ARP on the ASA’s LAN interface finally solved the issue.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_25081430.html

0
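Added example, not part of the original thread: a client-side check for the proxy ARP condition named in the fix above. It parses Windows `arp -a` output and lists LAN addresses whose cached MAC is the same as the firewall's, which is what a client sees when the firewall answers ARP on behalf of other hosts. The gateway address 192.168.1.1, the server address 192.168.1.10 and the MAC addresses are constructed sample values; only 192.168.1.152 comes from the thread.

```python
import re
from collections import defaultdict

# One data row of Windows `arp -a`: IP, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return (ip, mac, type) tuples from `arp -a` output, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return rows

def is_unicast(mac):
    # The low bit of the first octet marks multicast/broadcast MACs.
    return int(mac[:2], 16) & 1 == 0

def proxy_arp_suspects(text, gateway_ip):
    """IPs other than the gateway that resolve to the gateway's MAC."""
    by_mac = defaultdict(list)
    for ip, mac, _ in parse_arp(text):
        if is_unicast(mac):
            by_mac[mac].append(ip)
    gw_mac = next((m for m, ips in by_mac.items() if gateway_ip in ips), None)
    if gw_mac is None:
        return []  # gateway not in cache: nothing to compare against
    return sorted(ip for ip in by_mac[gw_mac] if ip != gateway_ip)

# Constructed sample: the server (.10) has been cached with the firewall's MAC.
SAMPLE_BAD = """
Interface: 192.168.1.152 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5e-00-53-01     dynamic
  192.168.1.10          00-00-5e-00-53-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Constructed sample: the server has its own MAC, as expected on a flat LAN.
SAMPLE_OK = SAMPLE_BAD.replace("192.168.1.10          00-00-5e-00-53-01",
                               "192.168.1.10          00-00-5e-00-53-0a")

if __name__ == "__main__":
    print("suspect entries:", proxy_arp_suspects(SAMPLE_BAD, "192.168.1.1"))
```

On the ASA itself, proxy ARP is turned off per interface with `sysopt noproxyarp <interface-name>`; the interface name depends on the configuration.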
 
LVL 1

Author Closing Comment

by:PTSMN
ID: 33620939
Thanks for the help Rob!
0

Question has a verified solution.