Solved

Cisco ASA -- weird connection issue

Posted on 2016-10-24
6
48 Views
Last Modified: 2016-11-07
Hi There,

i've never seen this issue before so i'm running it through the experts while i'm waiting on cisco support to get back to me.

I recently configured a cisco asa 5516 with fire power. All security settings are disabled so the unit is simple working as a router\dhcp for the time being. We have cable modem as our ISP with a block of 5 ip.

We've been experiencing packets drops out to the web on and off throughout the day. To prove my point that it was ISP isues i setup a computer connecting directly to the modem, i ran continous pings to an internt host the connection showed to be spotty. The ISP came over, ran their tests, etc. When they disconnect the firewall from the modem everything worked, meaning the computer with the public IP did not drop any packets or had issues, as soon as the firewall was connected back to the modem the compuer with the public IP started having issues. Since it didn't make any sense to me i changed cables, used the same ports of the  modem we used for successful tests, i had them change the modem just in case, i hard coded the interface speed on the FW end to no avail.

Honestly i don't even know what to make of it but if any one has seen anything like this before and wants to share some thoughts i'm open to suggestions.

thanks.
0
Comment
Question by:jorge diaz
  • 2
  • 2
  • 2
6 Comments
 
LVL 4

Expert Comment

by:El Fierro
ID: 41857740
what ios version are you at?
0
 
LVL 15

Expert Comment

by:max_the_king
ID: 41858190
Hi
You need To be sure that there is no Nat on ISP router.
Also you need to be sure that the public and private firewall ip are not used into your environment.
It sounds trivial but i bet that the problem may be there.
Hope this helps
Max
0
 
LVL 6

Author Comment

by:jorge diaz
ID: 41859331
this is very odd. it seems as if something chokes the connection at times, I"m running ASA ver. 9.5(1).  No nat on ISP device, it just a modem. the issue is on and off. Had cisco run a few test and they point to ISP, had ISP run a few test and they point to Cisco. The truth is that if cisco is out of the loop the circuit seems to work just fine. I"m setting up a spare sonicwall tonight and route through it, that'll be the ultimate test. i'll you keep you posted.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 15

Assisted Solution

by:max_the_king
max_the_king earned 250 total points
ID: 41859385
i'd try and change Asa public IP.
And then i'd give a check on Nat.
problem is around there anyway
max
0
 
LVL 4

Accepted Solution

by:
El Fierro earned 250 total points
ID: 41859409
been there with the finger pointing by the isp and hardware vendor.
have you checked the inspection policy?
as far as the asa i would upgrade to 9.6,  i recently deployed a 5512x running 9.5 although we didnt have drops for some odd reason it would perform sluggish at times when natting a couple of ips.after the updgrade to 9.6 the performance issue was fixed...it's worth a shot since i was stumped for a moment. good luck
0
 
LVL 6

Author Closing Comment

by:jorge diaz
ID: 41877722
thanks for your help. i upgraded to 9.6 and it all seems to be working now. that was weird, never seen anything like that on the asa.

thanks.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now