Port 4 dropping on Cisco ASA 5505

Posted on 2011-10-05
Last Modified: 2012-05-12

We're losing connection on Port 4 (MegaPath). The connection to the MegaPath link will stay up for 4 or 5 hours, and then it drops.

When we reboot the firewall, it will connect again, but then it drops again within a few hours.

We've been to the mat with the ISP. They insist that their router is configured correctly. We've parked a computer on their router with the public IP assigned and it has stayed up for 24 hours.

So at this point we're looking at a firewall misconfiguration. The "outside" connection is working fine and has been good for a year. The failover is working properly.

: Saved
ASA Version 8.0(3)
enable password
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address y.y.y.y
interface Vlan3
 nameif MegaPath
 security-level 0
 ip address x.x.x.x
interface Vlan12
 nameif telco
 security-level 75
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
 switchport access vlan 12
interface Ethernet0/4
 description Megapath
 switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
access-list no-nat extended permit ip
access-list split-tunnel extended permit ip
access-list split-tunnel extended permit ip
access-list inside_access_in extended permit ip any
access-list telco_access_in extended permit ip any any
access-list telco-no-nat extended permit ip
access-list telco extended permit ip any any
access-list MegaPath_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu MegaPath 1500
mtu telco 1500
ip local pool VPNpool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MegaPath
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (MegaPath) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1
nat (telco) 0 access-list telco-no-nat
nat (telco) 1
static (inside,telco) netmask
static (telco,inside) netmask
access-group inside_access_in in interface inside control-plane
access-group MegaPath_access_in in interface MegaPath
access-group telco_access_in in interface telco
route MegaPath 1 track 1
route outside 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho [gateway IP] interface MegaPath
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map MegaPath_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MegaPath_map interface MegaPath
crypto isakmp enable outside
crypto isakmp enable MegaPath
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
track 1 rtr 123 reachability
no vpn-addr-assign aaa
telnet inside
telnet timeout 5
ssh MegaPath
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside
dhcpd dns interface MegaPath
dhcpd address telco
dhcpd dns  interface telco
dhcpd enable telco

threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) VPNpool
 address-pool (MegaPath) VPNpool
tunnel-group DefaultRAGroup ipsec-attributes
prompt hostname context
: end
Question by: d4nnyo
    LVL 7

    Accepted Solution

    Could you try to force speed and duplex mode on the ASA and ask the ISP to do the same?

    Have you checked the cables between the ASA interface and the router interface? Did the ISP tech check the router interface stats for any errors?
    LVL 1

    Author Comment


    We have swapped patch cables.

    ISP insists there is no error.

    I'll try to force speed and duplex -- that's a good idea. We've played around with the settings on our end but matching them with the ISP is a great thought.
    LVL 36

    Expert Comment

    What does

    show interface Ethernet0/4

    show when the connection is "down"?
    LVL 1

    Author Closing Comment

    Speed and duplex fixed at full/100. Had to request this from the ISP.
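
An added example, not part of the original thread: a Python check for the symptoms that the `show interface Ethernet0/4` question above is probing for, the signs of the speed/duplex mismatch that the closing comment fixed. The sample output is constructed (modelled on ASA `show interface` output), and the function names are this example's own.

```python
import re

# Constructed sample modelled on ASA 5505 "show interface" output (not from the thread).
SAMPLE = """\
Interface Ethernet0/4 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        48211 packets input, 31904412 bytes, 0 no buffer
        Received 112 broadcasts, 37 runts, 0 giants
        912 input errors, 875 CRC, 37 frame, 0 overrun, 0 ignored, 0 abort
        51790 packets output, 9120551 bytes, 0 underruns
        0 output errors, 1604 collisions, 0 interface resets
        288 late collisions, 411 deferred
"""

COUNTERS = ("input errors", "CRC", "runts", "collisions", "late collisions")


def parse_show_interface(text):
    """Extract link state, duplex (configured and actual) and error counters."""
    info = {"counters": {}}
    m = re.search(r"is (up|down|administratively down), line protocol is (up|down)", text)
    if m:
        info["link"], info["protocol"] = m.groups()
    # "Auto-Duplex(Half-duplex)" = configured(actual); no parentheses when the link is down.
    m = re.search(r"(Auto|Full|Half)-Duplex(?:\((Full|Half)-duplex\))?", text, re.I)
    if m:
        info["duplex_configured"] = m.group(1).lower()
        info["duplex_actual"] = (m.group(2) or m.group(1)).lower()
    for name in COUNTERS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        if m:
            info["counters"][name] = int(m.group(1))
    return info


def duplex_mismatch_findings(info):
    """List the symptoms that point at a speed/duplex mismatch on this port."""
    c, findings = info["counters"], []
    if info.get("duplex_configured") == "auto" and info.get("duplex_actual") == "half":
        findings.append("auto-negotiation settled on half duplex; peer may be hard-set")
    if c.get("late collisions", 0):
        findings.append("late collisions: this side is half duplex, peer likely full")
    if c.get("CRC", 0) or c.get("runts", 0):
        findings.append("CRC errors or runts: frames are being damaged on the wire")
    return findings


if __name__ == "__main__":
    for finding in duplex_mismatch_findings(parse_show_interface(SAMPLE)):
        print(finding)
```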
