Port 4 dropping on Cisco ASA 5505


We're losing connection on Port 4 (MegaPath). The connection to the Megapath link will stay up for 4 or 5 hours, and then it drops.

When we reboot the firewall, it will connect again, but then it drops again within a few hours.

We've been to the mat with the ISP. They insist that their router is configured correctly. We've parked a computer on their router with the public IP assigned and it has stayed up for 24 hours.

So at this point we're looking at a firewall misconfiguration. The "outside" connection is working fine and has been good for a year. The failover is working properly.



: Saved
:
ASA Version 8.0(3)
!
hostname
enable password
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address y.y.y.y 255.255.255.248
!
interface Vlan3
 nameif MegaPath
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Vlan12
 nameif telco
 security-level 75
 ip address 192.168.254.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 description Megapath
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.254.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list telco_access_in extended permit ip any any
access-list telco-no-nat extended permit ip 192.168.254.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list telco extended permit ip any any
access-list MegaPath_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu MegaPath 1500
mtu telco 1500
ip local pool VPNpool 192.168.50.100-192.168.50.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MegaPath
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (MegaPath) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telco) 0 access-list telco-no-nat
nat (telco) 1 0.0.0.0 0.0.0.0
static (inside,telco) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (telco,inside) 192.168.254.0 192.168.254.0 netmask 255.255.255.0
access-group inside_access_in in interface inside control-plane
access-group MegaPath_access_in in interface MegaPath
access-group telco_access_in in interface telco
route MegaPath 0.0.0.0 0.0.0.0 207.239.109.65 1 track 1
route outside 0.0.0.0 0.0.0.0 64.206.96.169 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho [gateway IP] interface MegaPath
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map MegaPath_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MegaPath_map interface MegaPath
crypto isakmp enable outside
crypto isakmp enable MegaPath
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
!
track 1 rtr 123 reachability
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 MegaPath
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns
dhcpd auto_config outside
!
dhcpd address 192.168.20.60-192.168.20.110 inside
dhcpd dns 192.168.20.25 66.155.216.122 interface inside
dhcpd enable inside
!
dhcpd dns 64.7.11.2 66.80.131.5 interface MegaPath
!
dhcpd address 192.168.254.100-192.168.254.120 telco
dhcpd dns  interface telco
dhcpd enable telco
!

threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) VPNpool
 address-pool (MegaPath) VPNpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key
!
!
prompt hostname context
Cryptochecksum:7acb669b21bce7b28899b5bcbdd702dd
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
Asked by d4nnyo

frajico commented:
Could you try to force speed and duplex mode on ASA and ask ISP to do the same?

Have you checked the cables between the ASA interface and the router interface? Did the ISP tech check the router interface stats for any errors?

d4nnyo (author) commented:

We have swapped patch cables.

ISP insists there is no error.

I'll try to force speed and duplex -- that's a good idea. We've played around with the settings on our end but matching them with the ISP is a great thought.
ArneLovius commented:
What does

show interface Ethernet0/4

show when the connection is "down"?
d4nnyo (author) commented:
Speed and duplex fixed at full/100. Had to request this from the ISP.
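
Added example, not part of the original thread: a small parser that pulls the negotiated speed/duplex and the error counters out of `show interface Ethernet0/4` output and lists the signs usually associated with a speed/duplex mismatch. The sample output is constructed, and its field layout is an assumption modeled on typical ASA 5505 output; the function names are hypothetical.

```python
import re

# Constructed sample (not captured from the poster's firewall).
SAMPLE = """\
Interface Ethernet0/4 "Megapath", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        48213 packets input, 30911542 bytes, 0 no buffer
        Received 112 broadcasts, 0 runts, 0 giants
        913 input errors, 902 CRC, 11 frame, 0 overrun, 0 ignored, 0 abort
        51020 packets output, 8120033 bytes, 0 underruns
        0 output errors, 1544 collisions, 3 interface resets
        377 late collisions, 0 deferred
"""

COUNTERS = ("input errors", "CRC", "frame", "output errors",
            "collisions", "late collisions", "interface resets")

def parse_show_interface(text):
    """Extract configured/actual duplex, speed, and error counters."""
    d = re.search(r"(\w+)-Duplex\((\w+)-duplex\)", text)
    s = re.search(r"(Auto-Speed|\d+ Mbps)\((\d+) Mbps\)", text)
    info = {
        "duplex_cfg": d.group(1).lower() if d else None,   # auto / full / half
        "duplex": d.group(2).lower() if d else None,       # what the link is running
        "speed_auto": (s.group(1) == "Auto-Speed") if s else None,
        "speed_mbps": int(s.group(2)) if s else None,
        "counters": {},
    }
    for name in COUNTERS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        if m:
            info["counters"][name] = int(m.group(1))
    return info

def mismatch_indicators(info):
    """Return the mismatch signs present in a parsed interface record."""
    c, found = info["counters"], []
    if info["duplex_cfg"] == "auto" and info["duplex"] == "half":
        found.append("auto-negotiation fell back to half duplex")
    if c.get("late collisions", 0) > 0:
        found.append("late collisions present")
    if c.get("CRC", 0) + c.get("frame", 0) > 0:
        found.append("CRC/frame errors on input")
    return found

if __name__ == "__main__":
    for finding in mismatch_indicators(parse_show_interface(SAMPLE)):
        print("WARN:", finding)
```

Comparing the counters from two captures taken some hours apart shows whether the errors are still climbing after both ends are fixed at 100/full.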