• Status: Solved

Port 4 dropping on Cisco ASA 5505


We're losing connection on Port 4 (MegaPath). The connection to the Megapath link will stay up for 4 or 5 hours, and then it drops.

When we reboot the firewall, it will connect again, but then it drops again within a few hours.

We've been to the mat with the ISP. They insist that their router is configured correctly. We've parked a computer on their router with the public IP assigned and it has stayed up for 24 hours.

So at this point we're looking at a firewall misconfiguration. The "outside" connection is working fine and has been good for a year. The failover is working properly.



: Saved
:
ASA Version 8.0(3)
!
hostname
enable password
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address y.y.y.y 255.255.255.248
!
interface Vlan3
 nameif MegaPath
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Vlan12
 nameif telco
 security-level 75
 ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 description Megapath
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.254.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list telco_access_in extended permit ip any any
access-list telco-no-nat extended permit ip 192.168.254.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list telco extended permit ip any any
access-list MegaPath_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu MegaPath 1500
mtu telco 1500
ip local pool VPNpool 192.168.50.100-192.168.50.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MegaPath
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (MegaPath) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telco) 0 access-list telco-no-nat
nat (telco) 1 0.0.0.0 0.0.0.0
static (inside,telco) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (telco,inside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
access-group inside_access_in in interface inside control-plane
access-group MegaPath_access_in in interface MegaPath
access-group telco_access_in in interface telco
route MegaPath 0.0.0.0 0.0.0.0 207.239.109.65 1 track 1
route outside 0.0.0.0 0.0.0.0 64.206.96.169 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho [gateway IP] interface MegaPath
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map MegaPath_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MegaPath_map interface MegaPath
crypto isakmp enable outside
crypto isakmp enable MegaPath
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
!
track 1 rtr 123 reachability
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 MegaPath
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns
dhcpd auto_config outside
!
dhcpd address 192.168.20.60-192.168.20.110 inside
dhcpd dns 192.168.20.25 66.155.216.122 interface inside
dhcpd enable inside
!
dhcpd dns 64.7.11.2 66.80.131.5 interface MegaPath
!
dhcpd address 192.168.254.100-192.168.254.120 telco
dhcpd dns  interface telco
dhcpd enable telco
!

threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) VPNpool
 address-pool (MegaPath) VPNpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key
!
!
prompt hostname context
Cryptochecksum:7acb669b21bce7b28899b5bcbdd702dd
: end
Asked: d4nnyo

1 Solution

frajico Commented:
Could you try to force speed and duplex mode on ASA and ask ISP to do the same?

Have you checked the cables between the ASA interface and the router interface? Did the ISP tech check the router interface stats for any errors?

d4nnyo (Author) Commented:

We have swapped patch cables.

ISP insists there is no error.

I'll try to force speed and duplex -- that's a good idea. We've played around with the settings on our end but matching them with the ISP is a great thought.
ArneLovius Commented:
What does

show interface Ethernet0/4

show when the connection is "down"?
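Both replies above point at the same diagnostic: the error counters and the negotiated speed/duplex on Ethernet0/4 while the link is misbehaving. As an added example that is not part of this thread, the Python below parses constructed `show interface` output (the layout approximates the ASA 5505 switch-port format; the counter values are invented) and flags the symptoms a duplex mismatch or a bad cable leaves behind: late collisions, CRC/input errors, runts, interface resets, and half duplex in use. The function name `analyze_show_interface` and both sample texts are assumptions, not anything posted in the thread.

```python
import re

# Constructed sample (not from the thread) of `show interface Ethernet0/4` on an
# ASA 5505 switch port. The layout approximates the real command output; the
# counter values are invented to show a link that negotiated half duplex and
# is accumulating CRC errors and late collisions.
SAMPLE_BAD = """\
Interface Ethernet0/4 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0000.0000.0004, MTU not set
        IP address unassigned
        123456 packets input, 45678901 bytes, 0 no buffer
        Received 120 broadcasts, 3 runts, 0 giants
        57 input errors, 57 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 switch ingress policy drops
        98765 packets output, 8765432 bytes, 0 underruns
        0 output errors, 412 collisions, 2 interface resets
        41 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
"""

# Constructed sample of the same port after both ends were fixed at 100/full:
# no autonegotiation wording on the duplex line and clean counters.
SAMPLE_GOOD = """\
Interface Ethernet0/4 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex, 100 Mbps
        Available but not configured via nameif
        123456 packets input, 45678901 bytes, 0 no buffer
        Received 120 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        98765 packets output, 8765432 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
"""

# First line: interface name, link state and line-protocol state.
STATUS_RE = re.compile(
    r"^Interface (\S+) .*?is (up|down|administratively down), line protocol is (up|down)",
    re.M,
)
DUPLEX_RE = re.compile(r"(Full|Half)-[Dd]uplex")
SPEED_RE = re.compile(r"(\d+) Mbps")
# "late collisions" is listed before "collisions" so the longer name wins.
COUNTER_RE = re.compile(
    r"(\d+)\s+(runts|giants|input errors|CRC|late collisions|collisions|"
    r"interface resets|output errors)\b"
)


def analyze_show_interface(text):
    """Parse show-interface text and return state, counters and findings."""
    result = {"name": None, "link_up": False, "duplex": None, "speed_mbps": None,
              "autoneg": None, "counters": {}, "findings": []}
    m = STATUS_RE.search(text)
    if m:
        result["name"] = m.group(1)
        result["link_up"] = m.group(2) == "up" and m.group(3) == "up"
    for line in text.splitlines():
        # Speed is taken only from the duplex line, not from the "BW" line.
        if "duplex" in line.lower():
            dm, sm = DUPLEX_RE.search(line), SPEED_RE.search(line)
            if dm:
                result["duplex"] = dm.group(1).lower()
            if sm:
                result["speed_mbps"] = int(sm.group(1))
            result["autoneg"] = "Auto-" in line
        for value, name in COUNTER_RE.findall(line):
            result["counters"][name] = int(value)
    c, f = result["counters"], result["findings"]
    if not result["link_up"]:
        f.append("link or line protocol down")
    if c.get("late collisions", 0):
        f.append("late collisions: classic sign of a duplex mismatch with the far end")
    if result["duplex"] == "half":
        f.append("half duplex in use: confirm both ends are set the same")
    if c.get("CRC", 0) or c.get("input errors", 0):
        f.append("CRC/input errors: suspect cabling, a mismatch or a far-end fault")
    if c.get("runts", 0):
        f.append("runts: undersized frames, usually collisions or a bad cable")
    if c.get("interface resets", 0):
        f.append("interface resets: the link has flapped")
    return result


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        r = analyze_show_interface(sample)
        print(label, r["name"], r["duplex"], r["speed_mbps"],
              "autoneg" if r["autoneg"] else "forced", r["findings"] or "no findings")
```

Capture the output once while the link is healthy and again right after it drops; counters that climb between the two snapshots are the ones worth raising with the ISP, which is what the thread eventually did by fixing 100/full on both ends.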
d4nnyo (Author) Commented:
Speed and duplex fixed at full/100. Had to request this from the ISP.