Solved

Clients Intermittent Connectivity to Internet

Posted on 2013-01-04
Last Modified: 2013-01-07
So I've got 3 clients out of 8 that randomly are losing their connectivity outside of our network.  A little architecture:
All PC's run back to a Linksys 24-port managed switch
DHCP handled through Cisco ASA
DNS is configured with the SBS 2011 as the primary and 4.2.2.2 as the secondary right now
Problem is occurring with static or DHCP addresses
Clients will connect for a time, and then suddenly only show local connectivity.
The switch ports are good, connections are intact, PC's in the same office are running just fine on static or DHCP with same configurations, all outbound internet traffic at F/W is permitted.

Anyone?  I'm at a loss.
Question by:Firemedic41
8 Comments

Author Comment

by:Firemedic41
Sometimes resetting the adapter helps, but really the only commonality that I can see at all is that the SBS is new.  We haven't had this issue previously.
LVL 90

Expert Comment

by:John Hurst
Also, consider letting your SBS server handle DHCP since it apparently is handing DNS. I use this method and DHCP on all computers. Whenever a person moves a laptop out of the office, there is no difficulty with outside connectivity.

.... Thinkpads_User
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
What model ASA, and what is your licensing? If it's a 5505, the licensing could be for 10, 50, or unlimited users. If you have the 10 or 50 user license, you might be hitting that limit. It will seem intermittent because as one gets on the internet, another user is essentially blocked.

On the ASA, run the command "show ver" and "show local-host"

Example of a 50-user ASA with the host limit and host count pointed out:

ASA# show ver

Cisco Adaptive Security Appliance Software Version 8.4(4)1 
Device Manager Version 6.4(9)

Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"

ASA up 66 days 2 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00 
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is hhhh.hhhh.hhhh, irq 11
 1: Ext: Ethernet0/0         : address is hhhh.hhhh.hhhh, irq 255
 2: Ext: Ethernet0/1         : address is hhhh.hhhh.hhhh, irq 255
 3: Ext: Ethernet0/2         : address is hhhh.hhhh.hhhh, irq 255
 4: Ext: Ethernet0/3         : address is hhhh.hhhh.hhhh, irq 255
 5: Ext: Ethernet0/4         : address is hhhh.hhhh.hhhh, irq 255
 6: Ext: Ethernet0/5         : address is hhhh.hhhh.hhhh, irq 255
 7: Ext: Ethernet0/6         : address is hhhh.hhhh.hhhh, irq 255
 8: Ext: Ethernet0/7         : address is hhhh.hhhh.hhhh, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
!
!
Inside Hosts                      : 50             perpetual
!
!
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Serial Number: xxxxxxxxxxxx
Configuration register is 0x1
ASA# 


ASA# show local-host 
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

!
!
Current host count: 12, towards licensed host limit of: 50
!
!

Interface outside: 419 active, 1163 maximum active, 0 denied
local host: <166.182.80.75>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 166.182.80.75:38608 inside x.x.x.5:443, idle 0:14:15, bytes 1150, flags UIOB
local host: <x.x.1.2>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 2/unlimited

  Conn:
    UDP outside x.x.1.2:161 inside x.x.x.110:50770, idle 0:00:07, bytes 4654583, flags -
    UDP outside x.x.1.2:161 inside x.x.x.105:62004, idle 0:00:01, bytes 4914799, flags -
local host: <208.85.44.22>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 208.85.44.22:80 inside x.x.x.112:51442, idle 0:01:43, bytes 0, flags U
local host: <x.x.x.x>,
    TCP flow count/limit = 5/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
---output cut---

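The two checks rauenpc describes (read the "Inside Hosts" line from "show ver", then compare the "Current host count" line from "show local-host" against it) are easy to automate so the license ceiling is noticed before users start losing Internet access. The following is an added example, not code from this thread or from Cisco: it parses the two outputs in the format shown above and reports how close the device is to its limit. The sample outputs embedded in it are constructed (a 10-user license with 9 hosts counted, which is the situation the asker reports later), not captured from the asker's ASA, and the 80% warning threshold is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample output, modelled on the format shown above. It is NOT captured
# from the asker's device: it assumes a 10-user license with 9 inside hosts counted.
SAMPLE_SHOW_VER = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
"""

SAMPLE_SHOW_LOCAL_HOST = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 9, towards licensed host limit of: 10

Interface outside: 40 active, 120 maximum active, 0 denied
local host: <203.0.113.7>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

  Conn:
    TCP outside 203.0.113.7:443 inside 192.0.2.15:51442, idle 0:01:43, bytes 0, flags U
local host: <192.0.2.15>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 2/unlimited
"""

INSIDE_HOSTS_RE = re.compile(r"^Inside Hosts\s*:\s*(\d+|Unlimited)", re.MULTILINE)
HOST_COUNT_RE = re.compile(
    r"Current host count:\s*(\d+),\s*towards licensed host limit of:\s*(\d+|Unlimited)"
)
LOCAL_HOST_RE = re.compile(r"^local host:\s*<([^>]+)>,", re.MULTILINE)
FLOW_RE = re.compile(r"^\s*(TCP|UDP) flow count/limit = (\d+)/(\S+)", re.MULTILINE)


def _limit(value: str) -> Optional[int]:
    """'Unlimited' becomes None; anything else is a host count."""
    return None if value == "Unlimited" else int(value)


def licensed_inside_hosts(show_ver: str) -> Optional[int]:
    """Inside-host limit taken from 'show ver' output (None means unlimited)."""
    m = INSIDE_HOSTS_RE.search(show_ver)
    if m is None:
        raise ValueError("no 'Inside Hosts' line found in show ver output")
    return _limit(m.group(1))


def host_usage(show_local_host: str) -> Tuple[int, Optional[int]]:
    """(current host count, licensed limit) taken from 'show local-host' output."""
    m = HOST_COUNT_RE.search(show_local_host)
    if m is None:
        raise ValueError("no 'Current host count' line found in show local-host output")
    return int(m.group(1)), _limit(m.group(2))


def local_hosts(show_local_host: str) -> Dict[str, Dict[str, int]]:
    """Per-host TCP/UDP flow counts, e.g. {'192.0.2.15': {'TCP': 1, 'UDP': 2}}."""
    # Splitting on the capture group yields [preamble, ip1, body1, ip2, body2, ...]
    parts = LOCAL_HOST_RE.split(show_local_host)
    hosts: Dict[str, Dict[str, int]] = {}
    for ip, body in zip(parts[1::2], parts[2::2]):
        hosts[ip] = {proto: int(count) for proto, count, _lim in FLOW_RE.findall(body)}
    return hosts


def license_assessment(count: int, limit: Optional[int], warn_ratio: float = 0.8) -> str:
    """Plain-language verdict; 'at limit' is the state that produces the symptom above."""
    if limit is None:
        return f"ok: {count} inside hosts, license is unlimited"
    if count >= limit:
        return f"at limit: {count}/{limit} inside hosts, additional hosts are denied Internet access"
    if count >= warn_ratio * limit:
        return f"warning: {count}/{limit} inside hosts, {limit - count} left before the limit"
    return f"ok: {count}/{limit} inside hosts"


if __name__ == "__main__":
    print("licensed inside hosts:", licensed_inside_hosts(SAMPLE_SHOW_VER))
    used, lim = host_usage(SAMPLE_SHOW_LOCAL_HOST)
    print(license_assessment(used, lim))
    for ip, flows in local_hosts(SAMPLE_SHOW_LOCAL_HOST).items():
        print(ip, flows)
```

Run against real output by pasting the two command results into the sample strings (or reading them from files); every host counted toward the limit, phones and tablets on the wireless included, shows up in the local host list, so the per-host flow counts also tell you which devices are occupying license slots.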

Author Comment

by:Firemedic41
Unfortunately, we're running two different networks and the F/W needs to handle the DHCP.  Microsoft assisted with the initial setup so this hasn't been an issue until recently with no changes.  If I static the IP's of the machines outside of the SBS and FW (to a separate 10/Net for our phone system), then the machine gets out fine.  It's only when connecting through the domain.

It can ping itself, it can ping by IP and name the SBS and the F/W, gateway.
LVL 22

Expert Comment

by:Olaf De Ceuster
Since you have a managed switch: use two VLANs and let SBS do DHCP and DNS!
If SBS detects a DHCP server online it shuts down its own DHCP and you get some strange behaviour (also none of the wizards will work the way they should).
Hope that helps,
Olaf
LVL 8

Expert Comment

by:gsmartin
Check the logs, show ARP commands on your managed switch, and/or use WireShark to check for duplicate addresses.

Also, it depends on whether your two networks are able to inter-VLAN route between each other.  If so, then your SBS can be configured as the DHCP server and your L3 inter-VLAN routing device (either L3 switch, ASA Firewall, or other router) can be configured with DHCP relay settings, i.e. IP helper-address on the LAN interfaces, to point to the SBS to relay DHCP and other domain traffic.

You indicated 'switch ports are good', so just to confirm, here are some other considerations. The switch network interfaces may be experiencing a high rate of errors due to bad cables, bad switch ports/NICs, speed and/or duplex mismatch, interface resets, etc...  You should be able to look at your switch port statistics and/or other switch management options.  Note that most switches these days have a built-in error disable feature that automatically disables ports when they have reached a certain threshold of errors.   Note that speed and duplex mismatches are a common problem and can be identified by FCS, CRC, Giants, Runts, and other common errors as well as collisions.

FYI... Although your network topology sounds kind of simple. Spanning-tree, if enabled, could put an interface in a blocking state; as a result it eutt
LVL 8

Expert Comment

by:gsmartin
As a result of a switching loop.
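gsmartin's checklist of port statistics (error rate, FCS/CRC errors, giants, runts, collisions, and the speed/duplex mismatch they usually point to) can be turned into a small triage script that runs over exported counters and names the ports worth looking at. The following is an added example, not code from this thread or from any switch vendor: the counter table is constructed, the port names g1..g24 and the CSV layout are assumptions (export the real counters from your switch's management interface into the same columns), and the 0.5% error-ratio and 1000-packet minimums are assumed thresholds rather than any switch's error-disable setting.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed per-port counters for a 24-port managed switch. Port names g1..g24
# and the column layout are assumptions; not collected from the asker's switch.
SAMPLE_COUNTERS = """\
port,duplex,in_packets,in_errors,crc,runts,giants,collisions,late_collisions
g1,full,1204453,0,0,0,0,0,0
g5,full,98213,1843,1790,53,0,0,0
g7,half,45002,2,0,0,0,3120,411
g9,full,12,0,0,0,0,0,0
"""

COUNTER_COLUMNS = ("in_packets", "in_errors", "crc", "runts", "giants",
                   "collisions", "late_collisions")


@dataclass
class PortStats:
    port: str
    duplex: str
    in_packets: int
    in_errors: int
    crc: int
    runts: int
    giants: int
    collisions: int
    late_collisions: int


def parse_counters(text: str) -> List[PortStats]:
    """Parse the CSV layout above into PortStats records."""
    stats = []
    for row in csv.DictReader(io.StringIO(text)):
        counters = {k: int(row[k]) for k in COUNTER_COLUMNS}
        stats.append(PortStats(port=row["port"], duplex=row["duplex"].lower(), **counters))
    return stats


def diagnose(p: PortStats, max_error_ratio: float = 0.005, min_packets: int = 1000) -> List[str]:
    """Reasons a port looks unhealthy; an empty list means nothing stands out."""
    reasons: List[str] = []
    if p.in_packets < min_packets:
        return reasons  # too little traffic to judge an error ratio
    ratio = p.in_errors / p.in_packets
    if ratio > max_error_ratio:
        reasons.append(f"input error ratio {ratio:.2%} above {max_error_ratio:.2%}: check cable/NIC")
    # Duplex-mismatch signature: the full-duplex side sees CRC/FCS errors and runts
    # (frames truncated by the half-duplex peer backing off), while the half-duplex
    # side logs late collisions.
    if p.duplex == "full" and (p.crc + p.runts) / p.in_packets > max_error_ratio:
        reasons.append("CRC/runts on a full-duplex port: likely duplex mismatch with the peer")
    if p.duplex == "half" and p.late_collisions > 0:
        reasons.append("late collisions on a half-duplex port: likely duplex mismatch with the peer")
    if p.giants > 0:
        reasons.append("giants seen: check MTU settings on the peer")
    return reasons


def flag_ports(text: str) -> Dict[str, List[str]]:
    """Map of port name to findings, covering only ports with at least one finding."""
    flagged: Dict[str, List[str]] = {}
    for p in parse_counters(text):
        reasons = diagnose(p)
        if reasons:
            flagged[p.port] = reasons
    return flagged


if __name__ == "__main__":
    for port, reasons in flag_ports(SAMPLE_COUNTERS).items():
        print(port)
        for r in reasons:
            print("  -", r)
```

On the constructed data g5 (full duplex, CRC errors and runts) and g7 (half duplex, late collisions) are flagged as the two ends of a typical mismatch, g1 is clean, and g9 is skipped because it has seen too few packets to judge. Counters are cumulative, so clear them or sample twice and diff before trusting a ratio on a port that has been up for months.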

Author Closing Comment

by:Firemedic41
Thanks for all of the inputs.  This seems like it could be the most reasonable problem.  Our ASA appears to be licensed for 10 users.  With all of the smartphones and tablets now being configured and accessing our wireless access point, they're getting internal addresses which would count against that license number.  What might also support this is that I can set the PC's to an IP outside of the domain (the IP Phone network) and they access the internet just fine (albeit without domain resources).

I'll follow up with Cisco on this.  Seems like a promising place to start.