• Status: Solved

Clients Intermittent Connectivity to Internet

So I've got 3 clients out of 8 that randomly are losing their connectivity outside of our network.  A little architecture:
All PCs run back to a Linksys 24-port managed switch
DHCP handled through Cisco ASA
DNS is configured with the SBS 2011 as the primary and as the secondary right now
Problem is occurring with static or DHCP addresses
Clients will connect for a time, and then suddenly only show local connectivity.
The switch ports are good, connections are intact, PCs in the same office are running just fine on static or DHCP with same configurations, all outbound internet traffic at F/W is permitted.

Anyone?  I'm at a loss.
Firemedic41 (Author) Commented:
Sometimes resetting the adapter helps, but really the only commonality that I can see at all is that the SBS is new.  We haven't had this issue previously.
John (Business Consultant, Owner) Commented:
Also, consider letting your SBS server handle DHCP since it apparently is handling DNS. I use this method and DHCP on all computers. Whenever a person moves a laptop out of the office, there is no difficulty with outside connectivity.

.... Thinkpads_User
What model ASA, and what is your licensing? If it's a 5505, the licensing could be for 10, 50, or unlimited users. If you have the 10 or 50 user license, you might be hitting that limit. It will seem intermittent because as one gets on the internet, another user is essentially blocked.

On the ASA, run the command "show ver" and "show local-host"

example of a 50 user ASA with the host limit and host count pointed out

ASA# show ver

Cisco Adaptive Security Appliance Software Version 8.4(4)1 
Device Manager Version 6.4(9)

Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"

ASA up 66 days 2 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00 
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is hhhh.hhhh.hhhh, irq 11
 1: Ext: Ethernet0/0         : address is hhhh.hhhh.hhhh, irq 255
 2: Ext: Ethernet0/1         : address is hhhh.hhhh.hhhh, irq 255
 3: Ext: Ethernet0/2         : address is hhhh.hhhh.hhhh, irq 255
 4: Ext: Ethernet0/3         : address is hhhh.hhhh.hhhh, irq 255
 5: Ext: Ethernet0/4         : address is hhhh.hhhh.hhhh, irq 255
 6: Ext: Ethernet0/5         : address is hhhh.hhhh.hhhh, irq 255
 7: Ext: Ethernet0/6         : address is hhhh.hhhh.hhhh, irq 255
 8: Ext: Ethernet0/7         : address is hhhh.hhhh.hhhh, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Serial Number: xxxxxxxxxxxx
Configuration register is 0x1

ASA# show local-host 
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 12, towards licensed host limit of: 50

Interface outside: 419 active, 1163 maximum active, 0 denied
local host: <>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

    TCP outside inside x.x.x.5:443, idle 0:14:15, bytes 1150, flags UIOB
local host: <x.x.1.2>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 2/unlimited

    UDP outside x.x.1.2:161 inside x.x.x.110:50770, idle 0:00:07, bytes 4654583, flags -
    UDP outside x.x.1.2:161 inside x.x.x.105:62004, idle 0:00:01, bytes 4914799, flags -
local host: <>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

    TCP outside inside x.x.x.112:51442, idle 0:01:43, bytes 0, flags U
local host: <x.x.x.x>,
    TCP flow count/limit = 5/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
---output cut---
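
The check described in the answer above can be scripted against pasted "show ver" / "show local-host" output. This is an added example, not part of the original answer and not Cisco code; the function name, the 80% warning threshold and the treatment of a non-numeric licence value as unlimited are assumptions.

```python
import re

# Constructed sample: a few lines in the format of the ASA output quoted above.
SAMPLE = """\
Licensed features for this platform:
Inside Hosts                      : 50             perpetual
ASA# show local-host
Current host count: 12, towards licensed host limit of: 50
"""

LICENSE_RE = re.compile(r"^Inside Hosts\s*:\s*(\S+)", re.MULTILINE)
COUNT_RE = re.compile(
    r"^Current host count:\s*(\d+), towards licensed host limit of:\s*(\d+)",
    re.MULTILINE,
)


def host_license_status(text, warn_ratio=0.8):
    """Report inside-host licence limit, current count, headroom and a verdict."""
    lic = LICENSE_RE.search(text)
    cnt = COUNT_RE.search(text)
    if lic is None and cnt is None:
        raise ValueError("no 'Inside Hosts' or 'Current host count' line found")
    # Assumption: a non-numeric licence value (e.g. "Unlimited") means no host cap.
    if lic is not None and not lic.group(1).isdigit():
        return {"limit": None, "current": None, "headroom": None,
                "verdict": "unlimited"}
    # Prefer the licence table; fall back to the limit echoed by show local-host.
    limit = int(lic.group(1)) if lic is not None else int(cnt.group(2))
    if cnt is None:
        return {"limit": limit, "current": None, "headroom": None,
                "verdict": "unknown"}
    current = int(cnt.group(1))
    if current >= limit:
        verdict = "at-limit"      # further inside hosts cannot reach the Internet
    elif current >= warn_ratio * limit:
        verdict = "near-limit"    # a few more phones or tablets will hit the cap
    else:
        verdict = "ok"
    return {"limit": limit, "current": current,
            "headroom": max(limit - current, 0), "verdict": verdict}


if __name__ == "__main__":
    print(host_license_status(SAMPLE))
```
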


Firemedic41 (Author) Commented:
Unfortunately, we're running two different networks and the F/W needs to handle the DHCP.  Microsoft assisted with the initial setup so this hasn't been an issue until recently with no changes.  If I static the IPs of the machines outside of the SBS and FW (to a separate 10/Net for our phone system), then the machine gets out fine.  It's only when connecting through the domain.

It can ping itself, it can ping by IP and name the SBS and the F/W, gateway.
Olaf De Ceuster Commented:
Since you have a managed switch: Use two VLANs and let SBS do DHCP and DNS!
If SBS detects a DHCP online it shuts down its own DHCP and you get some strange behaviour (Also none of the wizards will work the way they should)
Hope that helps,
gsmartin (Manager of IT) Commented:
Check the logs, show ARP commands on your managed switch, and/or use Wireshark to check for duplicate addresses.

Also, it depends on whether your two networks are able to interVLAN route between each other.  If so, then your SBS can be configured as the DHCP server and your L3 interVLAN routing device (either L3 switch, ASA Firewall, or other router) can be configured with DHCP relay settings, i.e. IP helper-address on the LAN interfaces, to point to the SBS to relay DHCP and other domain traffic.

You indicated 'switch ports are good' so just to confirm here are some other considerations. The switch network interfaces may be experiencing a high rate of errors due to bad cables, bad switch ports/NICs, speed and/or duplex mismatch, interface resets, etc...  You should be able to look at your switch port statistics and/or other switch management options.  Note most switches these days have a built-in error disable feature that automatically disables ports when they have reached a certain threshold of errors.   Note speed and duplex mismatches are a common problem and can be identified by FCS, CRC, Giants, Runts, and other common errors as well as collisions.

FYI... Although your network topology sounds kind of simple. Spanning-tree, if enabled, could put an interface in a blocking state; as a result it eutt
gsmartin (Manager of IT) Commented:
As a result of a switching loop.
Firemedic41 (Author) Commented:
Thanks for all of the inputs.  This seems like it could be the most reasonable problem.  Our ASA appears to be licensed for 10 users.  With all of the smartphones and tablets now being configured and accessing our wireless access point, they're getting internal addresses which would count against that license number.  What might also support this is that I can set the PCs to an IP outside of the domain (the IP Phone network) and they access the internet just fine (albeit without domain resources).

I'll follow up with Cisco on this.  Seems like a promising place to start.
Question has a verified solution.
