Solved

Windows 7 machines have internet but not Windows XP machines

Posted on 2013-11-11
Last Modified: 2013-11-26
I have a Cisco ASA 5505 that connects an office of 10 phones and 10 PCs to the main office via VPN. The phones work fine but only one PC has internet and that is the Windows 7 machine. None of the Windows XP machines can ping outside of the local default gateway.
I remoted into the W7 machine and took off IPv6 and it lost internet. When I added IPv6 back, it could get on the net. I added IPv6 to a Windows XP machine but still no internet.

LAN:
Network- 192.168.31.0/24
DG- 192.168.31.1
DNS-  resolves to ISP

Please let me know if you need anything else.
0
Question by:Paul Wagner
16 Comments
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639191
Are your Windows XP machines set up for DHCP or for static IP addresses? Second, is your ASA running your DHCP, and is it enabled/configured? Depending on your setup, you may have to set your access point to bridge mode if you're using a NAT setup.
0
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39639201
@MHMAdmins

Windows XP machines are set up for DHCP, and so is the Windows 7 machine.

ASA is running DHCP and it is working/enabled/configured.
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639210
Are your machines getting a valid IP address if you run ipconfig? Test the loopback address by pinging 127.0.0.1 to make sure it's not the NIC. On the Windows machines you may have to specify the gateway/DNS in the TCP/IP v4 settings.
0
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39639220
Yes. All machines are getting a DHCP address from the ASA.
Can I specify those settings in the ASA?
Some of these machines get taken home at the end of the day by the user.


Note: Windows 7 machine gets IPv6 addresses for DNS server.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639221
How many user licenses do you have?  If for example you have 10 licenses, the 11th PC to connect would be allowed LAN and VPN access, but not Internet.  Sometimes licenses get used up by guest devices such as laptops and phones.  Rebooting the router will reset the counter.

As I recall, the default configuration of the 5505 blocks outgoing pings.  Try a web site by IP to verify it's not a DNS issue, such as Google  http://74.125.226.144

>>"Some of these machines get taken home at the end of the day by the user."
Try rebooting the machine.  XP doesn't always release the DHCP IP configuration from another network when disconnected.
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639239
You may have to run ipconfig /flushdns on those endpoints if they are taken home; they may still be using DNS cache from the other access points.
0
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39639265
@ RobWill

..... -___-

You're telling me that the 10 license limitation is for individual devices to get internet access? I was told it was a VPN access limitation.

The machines have been rebooted and have had ipconfig /renew done on them.
0
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39639267
ipconfig /flushdns already done.
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639273
Can you turn IPv6 off on the ASA and only have it send out IPv4 addresses? On the XP machines, if you can ping and get an address but no internet, go into IE properties, then the Connections tab, LAN settings, and make sure automatically detect settings is selected and not using a proxy. Then try to browse the internet.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639293
>>"You're telling me that the 10 license limitation is for individual devices to get internet access? I was told it was a VPN access limitation"
Yes.

User (Internet access) licenses are available in 10, 50, and unlimited, and priced accordingly.
There are also VPN licenses which are completely independent.
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639303
Internet licenses shouldn't have anything to do with it if you are using a NAT setup. This is why NAT was invented, as the world is running out of IPv4 addresses to dole out.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 39639363
Sorry, many NAT routers have license limitations for Internet access. Cisco ASA 5505 is one, as are Watchguard, Juniper, and more.  As mentioned, the Cisco is available with:

Model ASA5505-BUN-K9 10 users
Model ASA5505-50-BUN-K9  50 users
Model  asa5505-ul-bun-k9  unlimited users

VPN licenses are independent and have different limits.  One site to site VPN license allows unlimited users to connect to the remote site but I believe all are limited to 10 tunnels.
Detailed specs:  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8048dba8.html

As each device connects it records the MAC address, registers it, and when the limit is reached no other device can connect to the Internet.  Licensing is not concurrent users so shutting down one device does not allow another.  To reset the counter you need to reboot the router.

This is a common issue, however odd that it would be broken into XP and win 7 unless a coincidence.
0
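
A check for the host-limit condition described in the accepted answer above, as an added example that is not part of the original thread: it parses the host-limit summary printed by the ASA's `show local-host` command and reports whether the licensed limit is used up. The sample output is constructed and its exact layout is an assumption, as are the function and status names.

```python
import re

# Constructed sample; the layout is assumed to match the host-limit summary
# that `show local-host` prints on a 5505 with a 10-user license.
SAMPLE = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 10, towards licensed host limit of: 10

Interface inside: 10 active, 10 maximum active, 7 denied
Interface outside: 0 active, 0 maximum active, 0 denied
"""

SUMMARY_RE = re.compile(
    r"Current host count:\s*(\d+),\s*towards licensed host limit of:\s*(\d+)")
IFACE_RE = re.compile(
    r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied", re.M)


def check_host_limit(text):
    """Return counts and a status, or None if no host-limit summary is present."""
    summary = SUMMARY_RE.search(text)
    if summary is None:
        return None  # summary line not found in this output
    current, limit = int(summary.group(1)), int(summary.group(2))
    # Per-interface count of hosts that were refused because of the limit.
    denied = {name: int(n) for name, _act, _max, n in IFACE_RE.findall(text)}
    if current >= limit:
        status = "exhausted"        # new inside hosts get no Internet access
    elif sum(denied.values()) > 0:
        status = "was-exhausted"    # limit was hit earlier; hosts were refused
    else:
        status = "ok"
    return {"current": current, "limit": limit,
            "denied": denied, "status": status}


if __name__ == "__main__":
    print(check_host_limit(SAMPLE))
```
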
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39639390
@RobWill

I think you might be right. I've requested a larger license and hope to get that soon. I'll let you know.

What about the VPN license? I have a single site to site vpn set up. Will I be ok there?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639461
Yes VPN access should be fine.  Even the basic unit comes with 10 VPN licenses that can be used for any combination of site-to-site tunnels and mobile software VPN users.  As mentioned any number of people can use one site-to-site tunnel.  So long as you don't have more than 9 simultaneous mobile VPN users, you should have no problem.   I suspect if you do have any mobile VPN clients they would be connecting to the main site not the site we are discussing, and have no impact.

>>"I've requested a larger license and hope to get that soon. "
You could test by disconnecting many or all users, reboot the router, and try one XP machine.
0
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39639483
I noticed that the DHCP scope on the ASA only lets me go from a .2 address to a .32.

ex: 192.168.1.2-192.168.1.32

Is that due to the license restrictions as well?
I've purchased the 10-50 user license and am waiting for it. I imagine I should be able to increase the scope at that time.  ...?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639492
Correct.
0
