Solved

CISCO ASA 5505 - strange behavior (Inside Interface down)

Posted on 2016-09-09
Last Modified: 2016-09-27
Hi there.
I got a used CISCO ASA 5505 and am trying to set it up.
I did the following:

1. Update images to:
   - ASA Version: 9.2(2)  
   - ASDM Version: 7.2(2)
2. Factory reset
3. Configure the firewall using the wizard with a static external IP and internal 172.22.0.0
4. Set up AnyConnect VPN with SSL using the wizard
5. Allow ping from inside to the Internet (it didn't work by default)
6. Set up RDP to one Windows machine inside
7. Fix AnyConnect by some configuration change (it didn't allow either Internet access or access to any object inside)
8. Allow ASDM remote connection.

My test environment:
Just one Windows PC directly connected to ASA Eth-1 with static IP address: 172.22.0.2

Test:
Everything works for a while. From inside I can access the Internet, and from outside I can use RDP and AnyConnect. But after a while (1 hour or so) the ASA strangely changes the IP address of the PC to 169.254.38.100 and I cannot access the Internet from inside anymore. If I restart the ASA, the PC's IP goes back to 172.22.0.2 and everything starts working again.

From the Internet I can still access the ASA remotely using ASDM and I can see the following logs:
%ASA-4-411002: Line protocol on Interface Ethernet0/1, changed state to down
%ASA-4-411001: Line protocol on Interface Ethernet0/1, changed state to up

I already changed the connection of the PC to the ASA to Eth-5; still the same problem (just the error log changes to Ethernet0/5).

What do you think could be the problem? How can the ASA even affect the static IP address of the PC?
I included the ASA configuration file and also the PC's ipconfig output when it works and when it doesn't (bad).

Thank you in advance
Current-Config---Clean.txt
ipconfig-works.txt
ipconfig-bad.txt
Question by:exsasan

Expert Comment

by:Feroz Ahmed
ID: 41792270
Hi,

I think you have 2 LAN cards installed on your PC. One is connected to the ASA and assigned the static IP, and the other LAN card is assigned the IP address 169.254.38.100. Could you please disable the LAN card which is not being used to overcome this issue and check? If not, please send me the log file of (Debug ICMP Trace) on the ASA firewall: from the inside PC, try to ping an outside network or the Internet, check the trace file, and send me the log file.

Author Comment

by:exsasan
ID: 41793171
Thanks, Feroz, for the comment.
For a test I disconnected the PC and added two laptops to the inside network. Both have just one LAN adapter, and any other network adapter, including the Wi-Fi, is disabled. After about an hour the first one's IP address changed and it stopped working, and the other one stopped after about 2 hours.

Based on my findings so far, something on the ASA tells the PC that it has a duplicate IP address, and Windows Autoconfiguration gives it a 169. range IP address to avoid the duplicate (please have a look at ipconfig-bad.txt). Lots of people have this issue and fixed it by disabling Windows Autoconfiguration, but in my case I have to know why/what on the ASA triggers this behavior, otherwise I cannot use this ASA in production.
I don't have access to the network right now; I will try to generate the logs that you asked for on Monday.
Thanks

Accepted Solution

by:
Muhannad Abushamma earned 2000 total points
ID: 41803108
Dear exsasan,

Try to disable proxy ARP on the inside interface of the ASA and test again.

Regards,
Muhannad

Author Closing Comment

by:exsasan
ID: 41818945
It seems it is a common issue on Windows that if Autoconfiguration is on (it is on by default) and the computer has a static IP address (like mine) and Windows feels that the IP is duplicated (although it's not), it automatically generates an IP address.
Lots of people fix this by turning off Windows Autoconfiguration.
In my case the reason for Windows to feel like that was proxy-arp on the ASA, and turning that off solved the problem.
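
A way to check a saved running-config for the condition described in the accepted answer and the closing comment, as an added example that is not part of the original thread or the poster's attached file: it reports which named interfaces still answer proxy ARP and prints the command that turns it off on the inside interface. It goes slightly beyond the thread by also listing manual static NAT rules that lack the `no-proxy-arp` keyword, since the ASA proxy-ARPs for mapped addresses of such rules by default. The sample config, the object names `VPN_POOL` and `LAN`, the addresses and the function names are constructed for illustration; `sysopt noproxyarp <interface>` is assumed to be the command the answer refers to.

```python
import re

# Constructed sample in ASA running-config style (not the poster's attachment).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.22.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
nat (inside,outside) source static any any destination static VPN_POOL VPN_POOL
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
sysopt noproxyarp outside
"""

def audit_proxy_arp(config):
    """Report proxy ARP state per nameif and static NAT rules without no-proxy-arp."""
    names = re.findall(r"^[ \t]+nameif[ \t]+(\S+)", config, re.M)
    # Proxy ARP is on by default; 'sysopt noproxyarp <nameif>' turns it off.
    disabled = set(re.findall(r"^sysopt noproxyarp (\S+)", config, re.M))
    interfaces = {name: name not in disabled for name in names}
    # Manual (twice) NAT lines with 'source static' and no 'no-proxy-arp' token.
    nat_lines = re.findall(r"^nat \([^)]*\) .*source static .*$", config, re.M)
    risky_nat = [l for l in nat_lines if "no-proxy-arp" not in l.split()]
    return {"interfaces": interfaces, "static_nat_without_no_proxy_arp": risky_nat}

def remediation(report, interface="inside"):
    """Config-mode commands that disable proxy ARP on one interface, if needed."""
    if report["interfaces"].get(interface):
        return [f"sysopt noproxyarp {interface}"]
    return []

if __name__ == "__main__":
    rep = audit_proxy_arp(SAMPLE_CONFIG)
    for name, enabled in rep["interfaces"].items():
        print(f"{name}: proxy ARP {'ENABLED' if enabled else 'disabled'}")
    for line in rep["static_nat_without_no_proxy_arp"]:
        print("review NAT rule:", line)
    for cmd in remediation(rep):
        print("apply:", cmd)
```

After applying the change, `show running-config sysopt` on the ASA should list the `sysopt noproxyarp inside` line.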