Solved

Internet Disconnection

Posted on 2014-01-16
Last Modified: 2014-01-28
I have a LAN where I have the ASA 5510 v8.2(1) connected with a switch. This switch, a Cisco SF300, has multiple devices connected to it, such as IP phones, IPPBX gateway, Access Point. Then I have 3 wired PCs; one of them is connected and has internet, the other connects to the internet, gets a local IP but keeps disconnecting and connecting. I thought I had something wrong with the DHCP but they do it even when I give them static IPs. When I connect these two computers with the access point, they have internet and normal browsing. Any ideas what could be the problem?
Question by:bixkli
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39790385
Did you update the software of the SF300 switch?

Can you post the sanitized config of the ASA/SF300 switch?
0
 

Author Comment

by:bixkli
ID: 39802769
No, the Cisco SF300 switch was not updated; the simple configuration I did on the switch is that I have assigned it a static IP. The following is the configuration on the router Cisco ASA 5510. Internet keeps disconnecting and connecting on 3 computers, but these computers do work wired with an access point which is plugged in the switch.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address 213.165.177.76 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.205 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
 name-server 212.56.128.132
 name-server 212.56.128.196
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.165.177.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.56.128.132 212.56.128.196
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.10-192.168.0.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
Cryptochecksum:23c4cb290febe100c85c7579edd11461
: end
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39804357
So when you connect your computer to the switch, you say that Internet disconnects. When you go to network connections (I assume they are Windows OS) do you see that the network card disconnects (red cross) or how do you experience the disconnect?
0
 

Author Comment

by:bixkli
ID: 39804407
Yes, they are Windows OS. I have one which is connected with the switch and has no problem; the other computers which are also connected with the switch show connected, it just switches between internet access and no internet access.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39804451
When you open a command window and enter this command:

ping 8.8.8.8 -t

does the ping continue to run or will it lose connection in a while?
0
 

Author Comment

by:bixkli
ID: 39804465
It will lose connection for a while, but if I ping the switch, which is 192.168.0.205, all pings are successful.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39804492
And when you ping the ASA with -t?
0
 

Author Comment

by:bixkli
ID: 39804516
Sorry, but I am currently not at the office. I will give you a sure answer tomorrow, but if I remember well, no, I can't ping the ASA.
0
 

Author Comment

by:bixkli
ID: 39804530
Does it make a difference that the only computer that works fine is Windows 8? And the others which are disconnecting are Windows 7?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39804546
When you switch cables between the Windows 7 and Windows 8 computer, does it make any difference?
0
 

Author Comment

by:bixkli
ID: 39804560
Yes, with the same cable from one which is Windows 8 to another which is Windows 7, they still disconnect.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39804586
When you log in at the ASDM and open logging, can you identify any problems which may cause the loss of internet?
0
 

Author Comment

by:bixkli
ID: 39804597
I am out of office; I will give you the answer for this question later.
0
 

Author Comment

by:bixkli
ID: 39805844
I can't ping the ASA from those computers which are disconnecting, but from the one that I am connected on I can ping the ASA. In the log of the ASA it says:

 6      Jan 24 2014      06:14:03            173.194.70.xxx      443      192.168.0.23      49593      Teardown TCP connection 179177 for outside:173.194.70.xxx/443 to inside:192.168.0.23/49593 duration 0:10:12 bytes 0 FIN Timeout

192.168.0.23 is one of the PCs which is disconnecting. (.xxx were done to keep privacy)
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39805991
Can you set a fixed IP on one of the computers and then try to ping the ASA? Does that work?
0
 

Author Comment

by:bixkli
ID: 39806087
I have set a fixed IP on the computers but they can't ping the ASA.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39806094
Can you ping something else in the network, like the switch or a printer?
0
 

Author Comment

by:bixkli
ID: 39806104
Yes, I can ping the switch and other users on the network, even that computer which is connected with the internet, but I can't ping the ASA.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39806112
That is strange.

When you run arp -a on a computer which works and a computer which does not work, is the same MAC address displayed for the ASA?
0
 

Author Comment

by:bixkli
ID: 39806132
In both there is no ASA displayed in the arp -a.
0
 

Author Comment

by:bixkli
ID: 39806133
I have just checked again and it is showing me that even on the computer which is connected I can't ping the ASA.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39806137
Can you ping the ASA and then post the output of arp -a of both computers?

And of the route print command, please.
0
 

Author Comment

by:bixkli
ID: 39806143
I can only ping the ASA when it is directly connected with the computer through the management port.
0
 

Author Comment

by:bixkli
ID: 39811309
This might help: I have the Ethernet port on the PCs which are disconnecting and connecting showing one orange and the other one green.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39811314
Can you try another switch for the moment?
0
 

Author Comment

by:bixkli
ID: 39811342
Sorry, before I try another switch I wish to clarify whether I did this wrong or not. I have set the interface IP 192.168.0.205 on the ASA and the switch connected to this interface with a static IP 192.168.0.205. Is that right?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39813472
No, that is not right. You should give each device another IP address. Also, please use the subnet mask /24 (255.255.255.0) inside your network.
0
 

Author Comment

by:bixkli
ID: 39814272
If I change the IP address either of the interface or of the switch, the network won't work. I need the subnet mask to be 255.255.0.0 as I will make a number of VPNs with the different sites; each site will be given an octet, like site A 192.168.20.xx, site B 192.168.30.xx, etc.
0
 

Author Comment

by:bixkli
ID: 39814297
Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address 213.165.xx.xx 255.255.255.224
!
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 192.168.0.205 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
 name-server 212.xx.128.xx
 name-server 212.xx.128.xx
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list allow_inside_in extended permit udp 192.168.0.0 255.255.0.0 any eq domain
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq 3389
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group allow_inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.165.xx.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.xx.128.xx 212.xx.128.xx
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.10-192.168.0.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
Cryptochecksum:edd93d2a41a483abe51da0d38fc11d48
: end
0
 

Author Comment

by:bixkli
ID: 39814634
I've requested that this question be closed as follows:

Accepted answer: 0 points for bixkli's comment #a39814272

for the following reason:

The IP of the interface had to be different from that of the device.
0
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39814635
This is the answer, right?

No, that is not right. You should give each device another IP address. Also, please use the subnet mask /24 (255.255.255.0) inside your network.
0
 

Author Closing Comment

by:bixkli
ID: 39814694
Yes that solved a good part of it.
0
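
The fault found in this thread was the switch and the ASA inside interface both holding 192.168.0.205. As an added example (not part of the original thread), this Python script parses ASA-style config text and checks a device inventory for that duplicate, for static addresses that fall inside a dhcpd range, and for interface subnets that overlap, as the /16 inside network and the /24 management network do in the second posted output. The config excerpt is cut down from that output; the inventory, the 192.168.0.50 address and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt, cut down from the second "sh run" output in the thread.
SAMPLE_ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.205 255.255.0.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
!
dhcpd address 192.168.0.10-192.168.0.200 inside
"""

# Hypothetical inventory of statically addressed devices (constructed values).
STATIC_DEVICES = {"sf300-switch": "192.168.0.205", "ippbx-gateway": "192.168.0.50"}

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for each '!'-separated interface block."""
    found = {}
    for block in re.split(r"(?m)^!$", config):
        name = re.search(r"(?m)^\s*nameif (\S+)", block)
        addr = re.search(r"(?m)^\s*ip address (\S+) (\S+)", block)
        if name and addr:  # "no nameif" / "no ip address" lines do not match
            found[name.group(1)] = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    return found

def audit(config, static_devices):
    """Report duplicate addresses, statics inside DHCP ranges, overlapping subnets."""
    findings = []
    ifaces = parse_interfaces(config)
    pools = re.findall(r"(?m)^dhcpd address (\S+)-(\S+) (\S+)", config)
    for dev, text in static_devices.items():
        ip = ipaddress.ip_address(text)
        for nameif, iface in ifaces.items():
            if ip == iface.ip:
                findings.append(f"duplicate: {dev} and ASA {nameif} both use {ip}")
        for first, last, nameif in pools:
            if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
                findings.append(f"pool: {dev} {ip} falls in the {nameif} DHCP range")
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"overlap: {a} {ifaces[a].network} and {b} {ifaces[b].network}")
    return findings
```

Calling `audit(SAMPLE_ASA_CONFIG, STATIC_DEVICES)` returns one finding of each kind; with the /24 mask and a distinct switch address it returns an empty list.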
