  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 399
  • Last Modified:

Internet Disconnection

I have a LAN where I have the ASA 5510 v8.2(1) connected with a switch. This switch, a Cisco SF300, has multiple devices connected to it, such as IP phones, IPPBX gateway, access point. Then I have 3 wired PCs; one of them is connected and has internet, the other connects to the internet, gets a local IP but keeps disconnecting and connecting. I thought I had something wrong with the DHCP, but they do it even when I give them static IPs. When I connect these two computers with the access point, they have internet and normal browsing. Any ideas what could be the problem?
0
Asked: bixkli
1 Solution
 
Henk van Achterberg Commented:
Did you update the software of the SF300 switch?

Can you post the sanitized config of the ASA/SF300 switch?
0
 
bixkli Author Commented:
No, the Cisco SF300 switch was not updated; the simple configuration I did on the switch is that I have assigned it a static IP. The following is the configuration on the router, Cisco ASA 5510. Internet keeps disconnecting and connecting on 3 computers, but these computers do work wired with an access point which is plugged into the switch.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address 213.165.177.76 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.205 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
 name-server 212.56.128.132
 name-server 212.56.128.196
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.165.177.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.56.128.132 212.56.128.196
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.10-192.168.0.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
Cryptochecksum:23c4cb290febe100c85c7579edd11461
: end
0
 
Henk van Achterberg Commented:
So when you connect your computer to the switch, you say that Internet disconnects. When you go to network connections (I assume they are Windows OS) do you see that the network card disconnects (red cross) or how do you experience the disconnect?
0
 
bixkli Author Commented:
Yes, they are Windows OS. I have one which is connected with the switch and has no problem; the other computers, which are also connected with the switch, show connected, it just switches between internet access and no internet access.
0
 
Henk van Achterberg Commented:
When you open a command window and enter this command:

ping 8.8.8.8 -t

does the ping continue to run or will it lose connection in a while?
0
 
bixkli Author Commented:
It will lose connection for a while, but if I ping the switch, which is 192.168.0.205, all pings are successful.
0
 
Henk van Achterberg Commented:
And when you ping the ASA with -t?
0
 
bixkli Author Commented:
Sorry, but I am currently not at the office. I will give you a sure answer tomorrow, but if I remember well, no, I can't ping the ASA.
0
 
bixkli Author Commented:
Does it make a difference that the only computer that works fine is Windows 8? And the others which are disconnecting are Windows 7?
0
 
Henk van Achterberg Commented:
When you switch cables between the Windows 7 and Windows 8 computer, does it make any difference?
0
 
bixkli Author Commented:
Yes, with the same cable from one which is Windows 8 to another which is Windows 7, they still disconnect.
0
 
Henk van Achterberg Commented:
When you log in at the ASDM and open logging, can you identify any problems which may cause the loss of internet?
0
 
bixkli Author Commented:
I am out of office I will give you the answer for this question later.
0
 
bixkli Author Commented:
I can't ping the ASA from those computers which are disconnecting, but from the one that I am connected on I can ping the ASA. In the log of the ASA it says:

 6      Jan 24 2014      06:14:03            173.194.70.xxx      443      192.168.0.23      49593      Teardown TCP connection 179177 for outside:173.194.70.xxx/443 to inside:192.168.0.23/49593 duration 0:10:12 bytes 0 FIN Timeout

192.168.0.23 is one of the PCs which is disconnecting. (.xxx was used to keep privacy.)
0
 
Henk van Achterberg Commented:
Can you set a fixed IP on one of the computers and then try to ping the ASA? Does that work?
0
 
bixkli Author Commented:
I have set a fixed IP on the computers but they can't ping the ASA.
0
 
Henk van Achterberg Commented:
Can you ping something else in the network? Like the switch or a printer.
0
 
bixkli Author Commented:
Yes, I can ping the switch and other users on the network, even that computer which is connected with the internet, but I can't ping the ASA.
0
 
Henk van Achterberg Commented:
That is strange.

When you run arp -a on a computer which works and a computer which does not work, is the same MAC address displayed for the ASA?
0
 
bixkli Author Commented:
In both there is no ASA displayed in the arp -a output.
0
 
bixkli Author Commented:
I have just checked again and it is showing me that even on the computer which is connected I can't ping the ASA.
0
 
Henk van Achterberg Commented:
Can you ping the ASA and then post the output of arp -a of both computers?

And of the route print command, please.
0
 
bixkli Author Commented:
I can only ping the ASA when it is directly connected with the computer through the management port.
0
 
bixkli Author Commented:
This might help: I have the Ethernet port on the PCs which are disconnecting and connecting showing one orange and the other one green.
0
 
Henk van Achterberg Commented:
Can you try another switch for the moment?
0
 
bixkli Author Commented:
Sorry, before I try another switch I wish to clarify whether I did this wrong or not. I have set the interface IP 192.168.0.205 on the ASA, and the switch connected to this interface has a static IP 192.168.0.205. Is that right?
0
 
Henk van Achterberg Commented:
No, that is not right. You should give each device another IP address. Also, please use the subnet mask /24 (255.255.255.0) inside your network.
0
 
bixkli Author Commented:
If I change the IP address either of the interface or of the switch, the network won't work. I need the subnet mask to be 255.255.0.0 as I will make a number of VPNs with the different sites; each site will be given an octet, like site A 192.168.20.xx, site B 192.168.30.xx, etc.
0
 
bixkli Author Commented:
Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address 213.165.xx.xx 255.255.255.224
!
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 192.168.0.205 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
 name-server 212.xx.128.xx
 name-server 212.xx.128.xx
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list allow_inside_in extended permit udp 192.168.0.0 255.255.0.0 any eq domain
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq 3389
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group allow_inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.165.xx.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.xx.128.xx 212.xx.128.xx
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.10-192.168.0.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
Cryptochecksum:edd93d2a41a483abe51da0d38fc11d48
: end
0
 
bixkli Author Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for bixkli's comment #a39814272

for the following reason:

The IP of the interface had to be different from that of the device.
0
 
Henk van Achterberg Commented:
This is the answer, right?

No, that is not right. You should give each device another IP address. Also, please use the subnet mask /24 (255.255.255.0) inside your network.
0
 
bixkli Author Commented:
Yes that solved a good part of it.
0
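
The cause accepted in this thread (the switch and the ASA inside interface both set to 192.168.0.205) can be caught from the configuration before it is deployed. An added example, not part of the original thread: it checks ASA interface stanzas against a hypothetical static-address inventory (`STATIC_HOSTS`) and also flags overlapping interface subnets, which is what the 255.255.0.0 mask on `inside` produces against `management` in the second config posted.

```python
import ipaddress
import re

# Constructed sample: interface stanzas from the second "sh run" posted
# in the thread, trimmed to the lines that matter here.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.205 255.255.0.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
!
"""

# Hypothetical inventory; the switch address is the one stated in the thread.
STATIC_HOSTS = {"sf300-switch": "192.168.0.205"}


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every addressed ASA interface."""
    found = {}
    for stanza in config.split("!"):
        # "no nameif" / "no ip address" lines do not match these patterns.
        name = re.search(r"^\s*nameif (\S+)", stanza, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", stanza, re.M)
        if name and addr:
            found[name[1]] = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}")
    return found


def audit(config, static_hosts):
    """List duplicate addresses and overlapping interface subnets."""
    ifaces = parse_interfaces(config)
    findings = []
    for host, ip in sorted(static_hosts.items()):
        for name, iface in ifaces.items():
            if ipaddress.ip_address(ip) == iface.ip:
                findings.append(f"duplicate-ip {ip}: {host} vs ASA {name}")
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"overlap: {a} {ifaces[a].network} "
                                f"and {b} {ifaces[b].network}")
    return findings


print("\n".join(audit(ASA_CONFIG, STATIC_HOSTS)))
```

With the 255.255.255.0 mask from the first config posted, the overlap finding disappears and only the duplicate address remains.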
