

Some clients cannot reach Internet after introduction of ASA 5505

Posted on 2011-04-19
Medium Priority
Last Modified: 2012-06-27
I have a small office network of 10 laptops.  They get their IP info from a Windows server that provides DHCP services including the gateway and DNS options.  I introduced an ASA 5505 yesterday and everything ran fine for hours.  At some point a few of the clients lost Internet connectivity.  They could still see all resources on the LAN side of the firewall.  The IP settings are correct in ipconfig.  I cleared the arp caches which did not help.  I changed the stations to static IP addresses and that seemed to work for a while but then they failed again.  I switched them all back to DHCP clients.

Today all the laptops were able to maintain Internet connectivity until about an hour ago when 2 of them lost Internet access.  They retain access to all devices on the LAN.  The rest of the stations are still working fine.  The IP settings on these 2 stations are all correct.

I cannot ping yahoo.com from these 2 stations although the name does get resolved.  I cannot tracert anywhere off the network "Request timed out".  I can tracert anywhere on the LAN.  I can ping the gateway.  There is only one DHCP server on the network.  

The ASA configuration is very basic.  I removed most of it with a clear config and only built the two VLAN interfaces, a static for the webserver which includes an access-group and service-group, and the outside NAT 1, etc.  It seems like it is running out of addresses or licenses.   When it reaches a certain limit of time, clients, heat, I don't know, it stops allowing connections.  Sometimes it drops the currently connected ones and other times it doesn't.

Any help would be appreciated.

Question by:terry_cole
LVL 17

Accepted Solution

Jimmy Larsson, CISSP, CEH earned 1000 total points
ID: 35427477
Can it be a license limitation? Please post output from "show version" and "show local-host" here.

LVL 25

Assisted Solution

by:Ken Boone
Ken Boone earned 1000 total points
ID: 35427482
So the ASA has different licensing options - One of which is a 10 user license.  Basically the ASA counts the number of internal IPs as it goes through the firewall.  Once you hit 10 you are done.  So if you have 10 laptops, 1 server and a printer or 2, that could cause what you see.  Issue a show version command to show the license info.

Also, when you are hitting the limit you will get a log message.  Enter a show log command to see the log when this occurs.  The log gets overwritten very quickly so you may or may not see this.

It sounds like this is your problem to me.  You can upgrade your license though.

Author Closing Comment

ID: 35427831
Thanks, I believe it is a licensing issue.  I wasn't aware of the IP limit.  Testing by having one user log off permits another to log on.  I believe an upgraded license is called for....
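
Ken Boone's answer notes that the ASA logs a message when the host limit is hit and that the on-box buffer is overwritten quickly. The following is an added example, not part of the original thread: it scans log text saved from a syslog server for those denials and tallies the inside hosts affected. The message ID (450001) and its layout are assumptions to verify against the syslog reference for your ASA version, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed layout of the ASA "licensed host limit" denial (syslog ID 450001).
# Verify against the syslog message reference for your software version.
HOST_LIMIT_RE = re.compile(
    r"%ASA-4-450001: Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)

# Constructed sample lines (addresses are documentation/private ranges).
SAMPLE_LOG = """\
Apr 19 2011 14:02:09: %ASA-5-111008: User 'enable_15' executed the 'show local-host' command.
Apr 19 2011 14:02:15: %ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.1.31/49900 dst outside:203.0.113.10/80, licensed host limit of 10 exceeded.
Apr 19 2011 14:02:16: %ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.1.32/53124 dst outside:203.0.113.53/53, licensed host limit of 10 exceeded.
Apr 19 2011 14:02:18: %ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.1.31/49901 dst outside:203.0.113.10/443, licensed host limit of 10 exceeded.
"""


def summarize_host_limit_denials(log_text):
    """Return (sorted license limits seen, Counter of denied source IPs)."""
    denied = Counter()
    limits = set()
    for line in log_text.splitlines():
        match = HOST_LIMIT_RE.search(line)
        if match is None:
            continue  # unrelated syslog message
        denied[match["src_ip"]] += 1
        limits.add(int(match["limit"]))
    return sorted(limits), denied


if __name__ == "__main__":
    limits, denied = summarize_host_limit_denials(SAMPLE_LOG)
    print("License host limit(s) reported:", limits)
    for ip, count in denied.most_common():
        print(f"{ip}: {count} denied connection attempt(s)")
```

Hosts listed here are the ones that arrived after the limit was reached; comparing them with the addresses in "show local-host" shows which devices, such as servers and printers, are occupying the licensed slots.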
