

CISCO ASA 5505 - strange behavior (Inside Interface down)

Posted on 2016-09-09
Medium Priority
Last Modified: 2016-09-27
Hi there.
I got a used CISCO ASA 5505 and am trying to set it up.
I did the following:

1. Update images to:
   - ASA Version: 9.2(2)  
   - ASDM Version: 7.2(2)
2. Factory reset
3. Configure Firewall using the wizard with external Static external IP and internal
4. Set up AnyConnect VPN with SSL using the wizard
5. Allow ping from inside to the Internet (It didn't work by default)
6. Set up RDP to one Windows machine inside
7. Fix AnyConnect by some configuration change (it didn't allow either Internet access or access to any object inside)
8. Allow ASDM remote connection.

My test environments:
Just one Windows PC directly connected to ASA Eth-1 with static IP address:    

Everything works for a while. From inside I can access the Internet, from outside I can RDP and AnyConnect. But after a while (1 hour or so) the ASA strangely changes the IP address of the PC to and I cannot access the Internet from inside anymore. If I restart the ASA the PC IP gets back to and everything starts working again.

From the Internet I can still access the ASA remotely using ASDM and I can see the following logs:
%ASA-4-411002: Line protocol on Interface Ethernet0/1, changed state to down
%ASA-4-411001: Line protocol on Interface Ethernet0/1, changed state to up

I already changed the connection of the PC to the ASA to Eth-5, still the same problem (just the error log changed to Ethernet0/5).

What do you think could be the problem? How can the ASA even affect the static IP address of the PC?
I included the ASA configuration file and also the PC IPConfig when it works and when it doesn't (Bad).

Thank you in advance
Question by: exsasan

Expert Comment

by: Feroz Ahmed
ID: 41792270

I think you have 2 LAN cards installed on your PC: one is connected to the ASA and assigned a static IP, and another LAN card is assigned IP address IP address. Could you please disable the LAN card which is not being used to overcome this issue and check. If not, please send me the log file of (Debug ICMP Trace) on the ASA firewall: from the inside PC try to ping the outside network or the Internet, check for the trace file and send me the log file.

Author Comment

ID: 41793171
Thanks Feroz for comment.
For a test I disconnected the PC and added two laptops to the inside network; both have just one LAN adapter and any other network adapter, including the Wi-Fi, is disabled. After about an hour the first one's IP address changed and it stopped working, and the other one stopped after about 2 hours.

Based on my findings so far, something on the ASA tells the PC that it has a duplicate IP address and Windows Autoconfiguration gives it a 169. range IP address to avoid the duplicate (please have a look at ipconfig-bad.txt). Lots of people have this issue and fixed it by disabling Windows Autoconfiguration, but in my case I have to know why/what on the ASA triggers this behavior, otherwise I cannot use this ASA in production.
I don't have access to the network right now; I will try to generate the logs that you asked for on Monday.

Accepted Solution

Muhannad Abushamma earned 2000 total points
ID: 41803108
Dear exsasan,

Try to disable the proxy arp in the inside interface of the ASA and test again.


Author Closing Comment

ID: 41818945
It seems it is a common issue on Windows that if Autoconfiguration is on (it is on by default) and the computer has a static IP address (like mine) and Windows feels that the IP is duplicated (although it's not), it automatically generates an IP address.
Lots of people fix this by turning off Windows Autoconfiguration.
In my case the reason for Windows to feel like that was proxy-arp on the ASA, and by turning that off the problem was solved.
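
The conflict described in this thread can be confirmed from a packet capture on the inside segment. The following is an added example, not part of the original thread: it assumes Windows tests a static address by sending ARP probes (sender IP 0.0.0.0) for it, so a device doing proxy ARP answers the probe and the address is treated as a duplicate. The capture records, MAC addresses and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed ARP capture from the inside segment (not data from the thread).
# Each record: (operation, sender MAC, sender IP, target IP)
CAPTURE = [
    ("request", "00:11:22:aa:aa:01", "0.0.0.0", "192.0.2.10"),    # PC probes its own static IP
    ("reply",   "00:de:ad:be:ef:01", "192.0.2.10", "0.0.0.0"),    # another device claims it
    ("request", "00:11:22:aa:aa:02", "0.0.0.0", "192.0.2.11"),    # laptop probes its static IP
    ("reply",   "00:de:ad:be:ef:01", "192.0.2.11", "0.0.0.0"),    # same device claims this one too
    ("request", "00:11:22:aa:aa:03", "0.0.0.0", "192.0.2.12"),    # probe that nobody answers
    ("request", "00:11:22:aa:aa:01", "192.0.2.10", "192.0.2.1"),  # ordinary gateway lookup
    ("reply",   "00:de:ad:be:ef:01", "192.0.2.1", "192.0.2.10"),  # legitimate gateway reply
]

def answered_probes(packets):
    """Return (probed IP, probing MAC, answering MAC) for every probe a different host answered."""
    pending = {}    # probed IP -> MAC of the host that sent the probe
    conflicts = []
    for op, mac, sender_ip, target_ip in packets:
        if op == "request" and sender_ip == "0.0.0.0":
            pending[target_ip] = mac
        elif op == "reply" and sender_ip in pending and mac != pending[sender_ip]:
            # The reply's sender IP is the address being claimed by 'mac'.
            conflicts.append((sender_ip, pending.pop(sender_ip), mac))
    return conflicts

def proxy_arp_suspects(packets, min_ips=2):
    """MACs that answered probes for at least min_ips different addresses.

    A real duplicate host claims one address; a proxy-ARP device claims many.
    """
    claimed = defaultdict(set)
    for ip, _prober, answering in answered_probes(packets):
        claimed[answering].add(ip)
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    for mac, ips in proxy_arp_suspects(CAPTURE).items():
        print(f"{mac} answered address probes for {', '.join(ips)}")
```

If the reported MAC belongs to the firewall's inside interface, proxy ARP on that interface is the likely source; on the ASA it is disabled per interface with `sysopt noproxyarp inside`.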


Question has a verified solution.
