Port 4 dropping on Cisco ASA 5505

We're losing connection on Port 4 (MegaPath). The connection to the Megapath link will stay up for 4 or 5 hours, and then it drops.

When we reboot the firewall, it will connect again, but then it drops again within a few hours.

We've been to the mat with the ISP. They insist that their router is configured correctly. We've parked a computer on their router with the public IP assigned and it has stayed up for 24 hours.

So at this point we're looking at a firewall misconfiguration. The "outside" connection is working fine and has been good for a year. The failover is working properly.

: Saved
ASA Version 8.0(3)
enable password
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address y.y.y.y
interface Vlan3
 nameif MegaPath
 security-level 0
 ip address x.x.x.x
interface Vlan12
 nameif telco
 security-level 75
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
 switchport access vlan 12
interface Ethernet0/4
 description Megapath
 switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
access-list no-nat extended permit ip
access-list split-tunnel extended permit ip
access-list split-tunnel extended permit ip
access-list inside_access_in extended permit ip any
access-list telco_access_in extended permit ip any any
access-list telco-no-nat extended permit ip
access-list telco extended permit ip any any
access-list MegaPath_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu MegaPath 1500
mtu telco 1500
ip local pool VPNpool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MegaPath
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (MegaPath) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1
nat (telco) 0 access-list telco-no-nat
nat (telco) 1
static (inside,telco) netmask
static (telco,inside) netmask
access-group inside_access_in in interface inside control-plane
access-group MegaPath_access_in in interface MegaPath
access-group telco_access_in in interface telco
route MegaPath 1 track 1
route outside 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho [gateway IP] interface MegaPath
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map MegaPath_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MegaPath_map interface MegaPath
crypto isakmp enable outside
crypto isakmp enable MegaPath
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
track 1 rtr 123 reachability
no vpn-addr-assign aaa
telnet inside
telnet timeout 5
ssh MegaPath
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside
dhcpd dns interface MegaPath
dhcpd address telco
dhcpd dns  interface telco
dhcpd enable telco

threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) VPNpool
 address-pool (MegaPath) VPNpool
tunnel-group DefaultRAGroup ipsec-attributes
prompt hostname context
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Could you try to force speed and duplex mode on ASA and ask ISP to do the same?

Have you check the cables between ASA interface and router interface? Did the ISP tech check on the router interface stats for any error?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
d4nnyoAuthor Commented:

We have swapped patch cables.

ISP insists there is no error.

I'll try to force speed and duplex -- that's a good idea. We've played around with the settings on our end but matching them with the ISP is a great thought.
what does

show interface Ethernet0/4

Open in new window

show when the connection is "down" ?
d4nnyoAuthor Commented:
Speed and duplex fixed at full/100. Had to request this from the ISP.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.