• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 719
  • Last Modified:

Cisco ASA - Windows 7 computers drop the network

One of my clients recently got a new Cisco ASA 5510. All was working ok until two days later when I implemented a few Windows 7 machines on their AD domain. Randomly (more times than not) the Win7 PCs lose internet and access to the domain controller…I am unable to ping yahoo.com or even the internal SBS2003 server. I can however ping the firewall consistently.

The PCs are plugged into the same switch as the SBS server…statically assigning an IP doesn’t make a difference. Any suggestions? I’m not sure if the ASA is my suspect or not…but all the issues started as soon as I implemented it. All windows XP machines work perfect with no issues.
0
PTSMN
Asked:
PTSMN
  • 9
  • 4
1 Solution
 
PTSMNAuthor Commented:
More info: DHCP is coming from the SBS server so it works momentarily...DNS ips from DHCP are pointing to the SBS server.

0
 
robdcoyCommented:
How many users is the ASA licensed for and how many clients do you have?
0
 
PTSMNAuthor Commented:
I initially thought that was the issue as well so I power cycled the ASA with no change.

Even if that were the case it shouldnt be filtering my internal LAN traffic should it?

0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
robdcoyCommented:
No, after thinking about it, it shouldn't.  I will keep looking for a solution for you.

In the time being, do you have any GPO that is controlling your firewall settings for the Windows Clients?  There might be something going on there?

Also, what is the IP address of the PC when you encounter the problem.   0.0.0.0?  169 address?  I understand it does this with a static, but when it is on DHCP, does a "ipconfig /release" and "ipconfig /renew" fix the issue?

Could be a driver issue?  Are these new PC's with the OEM install?

0
 
PTSMNAuthor Commented:
DHCP gives me the next address available in the DHCP pool...192.168.1.152

No firewall settings from GPO that would interfere...besides sometimes it decides to work...but then 5 mins later I'm back to not being able to do anything.

If I release my ip and renew I get the same address and same issues

Also I have already tried updating drivers and even swapping nic cards on these Brand new IBM desktops. (Volume licensed win 7 reloads...non oem)

Somone mentioned something about a no fixup policy?? not sure what that is or exactly what it does.

0
 
PTSMNAuthor Commented:
I have even pulled out a 3rd win 7 pc new out of box with no domain membership and tried getting online with it...same issues.
0
 
robdcoyCommented:
This is a good thing......The problem has to be with your ASA.  Do you mind posting a sanitized version of your ASA config?  I can't promise anything, but hopefully something will jump out at me.

If you would rather, you can send the config to rob_at_thecompugeek.com.
0
 
PTSMNAuthor Commented:
email sent
0
 
robdcoyCommented:
Okie Dokie.  I don't see anything strange with the config.  Here is all I can offer to you for help.

Consider updating the firmware to 8.3(1).  There were some issues with 8.2(1), but I tried to skip this version and never really experianced problems.  I don't recall if there were any problems with Windows 7 clients and 8.2(1).  I don't think it would hurt at all.  You can allways fallback to a previous version.  Just remember to backup, backup, backup.  I've been bitten far too many times to just jump at the update.  ;-)

I have seen some stuff on the web about people going back to the PIX 501 because the 5505 was causing issues with their Vista and 7 users.  I haven't seen anything about the 5510 yet.

Disable ipv6 on the 7 clients.  This could cause some issues?  I don't have much experiance with ipv6, nor do I want to.  For me, I have never needed more clients than ipv4 could provide.

Again, I will do my best to help out, but everything looks good.  I highly suspect that 5510 and the firmware.
0
 
PTSMNAuthor Commented:
I will try the firmware update then. I did disable ipV6 already with no change so I'll keep you posted.
0
 
PTSMNAuthor Commented:
Well this client is running a tempermental VPN to one of their vendors so at this point updating the firmware wont be an option until the end of the month and the VPN is no longer required...is there a way to setup logging to try and dig deeper as to why my Win7 pcs lose their connection? The syslogs arent showing me anything being blocked for this particular LAN IP thats having the issues. Just "severity 6" events.

0
 
PTSMNAuthor Commented:
Disabling the Proxy ARP on the ASA’s LAN interface finally solved the issue.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_25081430.html

0
 
PTSMNAuthor Commented:
Thanks for the help Rob!
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 9
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now