Asked by bixkli

Internet Disconnection

I have a LAN where I have the ASA 5510 v8.2(1) connected with a switch. This switch, a Cisco SF300, has multiple devices connected to it, such as IP phones, IPPBX gateway, Access Point. Then I have 3 wired PCs: one of them is connected and has internet, the other connects to the internet, gets a local IP, but keeps disconnecting and connecting. I thought I had something wrong with the DHCP, but they do it even when I give them static IPs. When I connect these two computers with the access point, they have internet and normal browsing. Any ideas what could be the problem?
Henk van Achterberg

Did you update the software of the SF300 switch?

Can you post the sanitized config of the ASA/SF300 switch?
bixkli (ASKER)

No, the Cisco SF300 switch was not updated. The simple configuration I did on the switch is that I have assigned it a static IP. The following is the configuration on the router, a Cisco ASA 5510. Internet keeps disconnecting and connecting on 3 computers, but these computers do work wired with an access point which is plugged into the switch.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address 213.165.177.76 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.205 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
 name-server 212.56.128.132
 name-server 212.56.128.196
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.165.177.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.56.128.132 212.56.128.196
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.10-192.168.0.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
Cryptochecksum:23c4cb290febe100c85c7579edd11461
: end
So when you connect your computer to the switch, you say that Internet disconnects. When you go to network connections (I assume they are Windows OS) do you see that the network card disconnects (red cross) or how do you experience the disconnect?
bixkli (ASKER)

Yes, they are Windows OS. I have one which is connected with the switch and has no problem; the other computers, which are also connected with the switch, show connected, it just switches between internet access and no internet access.
When you open a command window and enter this command:

ping 8.8.8.8 -t

Does the ping continue to run, or will it lose connection in a while?
bixkli (ASKER)

It will lose connection for a while, but if I ping the switch, which is 192.168.0.205, all pings are successful.
And when you ping the ASA with -t?
bixkli (ASKER)

Sorry, but I am currently not at the office. I will give you a sure answer tomorrow, but if I remember well, no, I can't ping the ASA.
bixkli (ASKER)

Does it make a difference that the only computer that works fine is Windows 8? And the others which are disconnecting are Windows 7?
When you switch cables between the Windows 7 and Windows 8 computer, does it make any difference?
bixkli (ASKER)

Yes, with the same cable from one which is Windows 8 to another which is Windows 7, they still disconnect.
When you log in at the ASDM and open logging, can you identify any problems which may cause the loss of internet?
bixkli (ASKER)

I am out of office; I will give you the answer to this question later.
bixkli (ASKER)

I can't ping the ASA from those computers which are disconnecting, but from the one I am connected on I can ping the ASA. In the log of the ASA it says:

 6      Jan 24 2014      06:14:03            173.194.70.xxx      443      192.168.0.23      49593      Teardown TCP connection 179177 for outside:173.194.70.xxx/443 to inside:192.168.0.23/49593 duration 0:10:12 bytes 0 FIN Timeout

192.168.0.23 is one of the PCs which is disconnecting. (.xxx were done to keep privacy)
Can you set a fixed IP on one of the computers and then try to ping the ASA? Does that work?
bixkli (ASKER)

I have set a fixed IP on the computers but they can't ping the ASA.
Can you ping something else in the network, like the switch or a printer?
bixkli (ASKER)

Yes, I can ping the switch and other users on the network, even that computer which is connected with the internet, but I can't ping the ASA.
That is strange.

When you run arp -a on a computer which works and a computer which does not work, is the same MAC address displayed for the ASA?
bixkli (ASKER)

In both, there is no ASA displayed in the arp -a output.
bixkli (ASKER)

I have just checked again and it is showing me that even on the computer which is connected I can't ping the ASA.
Can you ping the ASA and then post the output of arp -a of both computers?

And of the route print command, please.
bixkli (ASKER)

I can only ping the ASA when it is directly connected with the computer through the management port.
bixkli (ASKER)

This might help: I have the Ethernet port on the PCs which are disconnecting and connecting showing one orange and the other one green.
Can you try another switch for the moment?
bixkli (ASKER)

Sorry, before I try another switch I wish to clarify whether I did this wrong or not. I have set the interface IP 192.168.0.205 on the ASA, and the switch connected to this interface with a static IP 192.168.0.205. Is that right?
No, that is not right. You should give each device another IP address. Also, please use the subnet mask /24 (255.255.255.0) inside your network.
bixkli (ASKER)

If I change the IP address either of the interface or of the switch, the network won't work. I need the subnet mask to be 255.255.0.0, as I will make a number of VPNs with the different sites; each site will be given an octet, like site A 192.168.20.xx, site B 192.168.30.xx, etc.
bixkli (ASKER)

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address 213.165.xx.xx 255.255.255.224
!
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 192.168.0.205 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
 name-server 212.xx.128.xx
 name-server 212.xx.128.xx
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list allow_inside_in extended permit udp 192.168.0.0 255.255.0.0 any eq domain
access-list allow_inside_in extended permit tcp 192.168.0.0 255.255.0.0 any eq 3389
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group allow_inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.165.xx.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.xx.128.xx 212.xx.128.xx
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.0.10-192.168.0.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy icmp_policy interface outside
prompt hostname context
Cryptochecksum:edd93d2a41a483abe51da0d38fc11d48
: end
bixkli (ASKER)

I've requested that this question be closed as follows:

Accepted answer: 0 points for bixkli's comment #a39814272

for the following reason:

The IP of the interface had to be different from that of the device.
ASKER CERTIFIED SOLUTION
Henk van Achterberg

This solution is only available to members of Experts Exchange.
bixkli (ASKER)

Yes, that solved a good part of it.
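
The address conflict found in this thread (the SF300 switch and the ASA inside interface both set to 192.168.0.205) can be checked for before deployment. The following is an added example, not part of the original thread: it parses interface stanzas from a constructed excerpt modelled on the second "sh run" above, compares them with a hypothetical inventory of static hosts (`STATIC_HOSTS`, the IPPBX address is invented), and also reports which ASA interface networks overlap once the inside mask is 255.255.0.0.

```python
import ipaddress
import re

# Constructed excerpt modelled on the second "sh run" posted in the thread.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.205 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no ip address
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
"""

# Hypothetical inventory of statically addressed devices on the inside LAN.
STATIC_HOSTS = {"sf300-switch": "192.168.0.205", "ippbx-gateway": "192.168.0.210"}

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every named, addressed interface."""
    found, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None  # new stanza, nameif not seen yet
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and name:
            found[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def duplicate_addresses(interfaces, hosts):
    """Devices whose static IP equals an ASA interface IP."""
    return sorted((dev, nameif) for dev, ip in hosts.items()
                  for nameif, iface in interfaces.items()
                  if ipaddress.ip_address(ip) == iface.ip)

def overlapping_subnets(interfaces):
    """Pairs of ASA interfaces whose connected networks overlap."""
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a].network.overlaps(interfaces[b].network)]

if __name__ == "__main__":
    ifaces = parse_interfaces(ASA_CONFIG)
    print("duplicate IPs:", duplicate_addresses(ifaces, STATIC_HOSTS))
    print("overlapping interface networks:", overlapping_subnets(ifaces))
```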