CISCO ASA 5505 - strange behavior (Inside Interface down)

Posted on 2016-09-09
Last Modified: 2016-09-27
Hi there.
I got a used Cisco ASA 5505 and am trying to set it up.
I did the following:

1. Update images to:
   - ASA Version: 9.2(2)  
   - ASDM Version: 7.2(2)
2. Factory reset
3. Configure Firewall using the wizard with external Static external IP and internal
4. Set up AnyConnect VPN with SSL using the wizard
5. Allow ping from inside to the Internet (It didn't work by default)
6. setup RDP to one Windows machine inside
7. Fix AnyConnect by some configuration change (it didn't allow either Internet access or access to any object inside)
8. Allow ASDM remote connection.

My test environments:
Just one Windows PC directly connected to ASA Eth-1 with static IP address:    

Everything works for a while. From inside I can access the Internet, from outside I can RDP and AnyConnect. But after a while (1 hour or so) the ASA strangely changes the IP address of the PC to and I cannot access the Internet from inside anymore. If I restart the ASA the PC IP gets back to and everything starts working again.

From Internet I can still access the ASA remotely using ASDM and I can see following Logs:
%ASA-4-411002: Line protocol on Interface Ethernet0/1, changed state to down
%ASA-4-411001: Line protocol on Interface Ethernet0/1, changed state to up

I already changed the connection of the PC to the ASA to Eth-5, still the same problem (just the error log changes to Ethernet0/5).

What do you think could be the problem? How can the ASA even affect the static IP address of the PC?
I included the ASA configuration file and also the PC ipconfig output when it works and when it doesn't (Bad).

Thank you in advance
Question by:exsasan

Expert Comment

by:Feroz Ahmed
ID: 41792270

I think you have 2 LAN cards installed on your PC: one is connected to the ASA and assigned a static IP, and another LAN card is assigned IP address. Could you please disable the LAN card which is not being used to overcome this issue and check? If not, please send me the log file of (debug icmp trace) on the ASA firewall: from the inside PC try to ping an outside network or the Internet, check for the trace file and send me the log file.

Author Comment

ID: 41793171
Thanks Feroz for comment.
For the test I disconnected the PC and added two laptops to the inside network. Both have just one LAN adapter and any other network adapter, including the Wi-Fi, is disabled. After about an hour the first one's IP address changed and it stopped working, and the other one stopped after about 2 hours.

Based on my findings so far, something on the ASA tells the PC that it has a duplicate IP address and the Windows Autoconfiguration gives it a 169. range IP address to avoid the duplicate (please have a look at ipconfig-bad.txt). Lots of people have this issue and fixed it by disabling the Windows Autoconfiguration, but in my case I have to know why/what on the ASA triggers this behavior, otherwise I cannot use this ASA in production.
I don't have access to the network right now; I will try to generate the logs that you asked for on Monday.

Accepted Solution

Muhannad Abushamma earned 500 total points
ID: 41803108
Dear exsasan,

Try to disable proxy ARP on the inside interface of the ASA and test again.


Author Closing Comment

ID: 41818945
It seems it is a common issue on Windows that if Autoconfiguration is on (it is on by default) and the computer has a static IP address (like mine) and Windows feels that the IP is duplicated (although it's not), it automatically generates an IP address.
Lots of people fix this by turning off Windows Autoconfiguration.
In my case the reason for Windows to feel like that was proxy-arp on the ASA, and turning that off solved the problem.
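
Added example (not part of the thread, and not based on the poster's attached configuration): a small Python audit of an ASA running-config that reports whether proxy ARP is still enabled on the inside interface and prints the `sysopt noproxyarp` line that disables it. The sample config, its addresses and object names are constructed, and the check for static NAT rules lacking the `no-proxy-arp` keyword is a general ASA check that goes beyond what the thread states.

```python
import re

# Constructed sample running-config; addresses and object names are invented.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
nat (inside,outside) source static any any destination static VPN_POOL VPN_POOL
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
"""


def audit_proxy_arp(config, ifname="inside"):
    """Report whether the ASA can still answer ARP on behalf of hosts on ifname."""
    nameifs = re.findall(r"^[ \t]+nameif[ \t]+(\S+)", config, re.M)
    if ifname not in nameifs:
        raise ValueError(f"no interface with nameif {ifname!r}")
    # Interfaces where proxy ARP was turned off globally with sysopt.
    disabled = set(re.findall(r"^sysopt noproxyarp[ \t]+(\S+)", config, re.M))
    # Static NAT rules whose real interface is ifname and that omit no-proxy-arp.
    nat_re = re.compile(r"^nat \(%s,\S+?\) source static " % re.escape(ifname))
    risky_nat = [
        line for line in config.splitlines()
        if nat_re.match(line) and "no-proxy-arp" not in line.split()
    ]
    enabled = ifname not in disabled
    return {
        "proxy_arp_enabled": enabled,
        "nat_without_no_proxy_arp": risky_nat,
        "fix": [f"sysopt noproxyarp {ifname}"] if enabled else [],
    }


if __name__ == "__main__":
    print(audit_proxy_arp(SAMPLE_CONFIG))
```

On the ASA itself, `show running-config sysopt` shows whether the `sysopt noproxyarp inside` line is present after the change.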
