Cisco ASA5505 drops Internet connection once a month.
16 years 11 months ago #24122
by viper75
Hey guys,
I need some help here. I have an ASA5505 box that works great, but once every month it seems to drop the connection to the Internet. The internal network works fine, but just can't get out to the Internet. Once I reboot the ASA all comes back to normal. I have tried upgrading the IOS and wiping the configuration clean and starting from scratch, with the same issue every month. :x The IOS Ver. is 7.2(3) and ASDM 5.2(3).
I have looked all over the place for a resolution to this issue, but can't find one. The logs do not give any errors with regards to the ASA. I do get this error in the ASDM Syslog when a host tries to get out to the Internet once the connection drops: "Failed to locate egress Intereface for UDP from inside (hostname)". This error comes up when a user tries to hit a site on the Internet. Here's my configuration. Any help would be great!!!
CiscoASA# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname CiscoASA
domain-name ATHENA.com
enable password X encrypted
names
name 192.168.X.X OCL
name 192.168.X.X ATHENA
name 192.168.X.X HERMES-FS01
name 10.0.0.1 VPN
!
interface Vlan1
description Connection to *****Internal_LAN*****
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
!
interface Vlan2
description Connection to *****INTERNET*****
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
description Connection to *****INTERNET*****
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
description Connection to OCL
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
description ***** PoE Port *****
!
interface Ethernet0/7
description ***** PoE Port *****
!
boot system disk0:/asdm-523.bin
boot system disk0:/asa723-k8.bin
boot config disk0:/startup-config
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ATHENA.com
object-group network Zeus
network-object 192.168.X.X 255.255.255.0
network-object 192.168.X.X 255.255.255.0
network-object 192.168.X.X 255.255.255.0
network-object 192.168.X.X 255.255.255.0
network-object 192.168.X.X 255.255.255.0
network-object 192.168.X.X 255.255.255.0
access-list Zeus_splitTunnelAcl extended permit ip 192.168.X.X 255.255.255.0 any
access-list Zeus_splitTunnelAcl extended permit ip 192.168.X.X 255.255.255.0 any
access-list Zeus_splitTunnelAcl extended permit ip 192.168.X.X 255.255.255.0 any
access-list Zeus_splitTunnelAcl extended permit ip 192.168.X.X 255.255.255.0 any
access-list acl_out remark Network
access-list acl_out extended permit ip 172.X.X.0 255.255.255.0 any inactive
access-list acl_out remark VLAN10 SUBNET
access-list acl_out extended permit ip 192.168.X.X 255.255.255.0 any inactive
access-list acl_out remark VLAN20 SUBNET
access-list acl_out extended permit ip 192.168.X.X 255.255.255.0 any inactive
access-list acl_out remark VLAN30 SUBNET
access-list acl_out extended permit ip 192.168.X.X 255.255.255.0 any inactive
access-list acl_out remark VLAN40 SUBNET
access-list acl_out extended permit ip 192.168.X.X 255.255.255.0 any inactive
access-list acl_out remark VLAN130 SUBNET
access-list acl_out extended permit ip 192.168.X.X 255.255.255.0 any inactive
access-list acl_out remark Deny ICMP from the VPN Network
access-list acl_out extended deny icmp object-group VPN 255.255.255.252 log emergencies
access-list acl_out remark VLAN200 SUBNET
access-list acl_out extended permit ip 192.168.X.X 255.255.255.0 any log
access-list acl_out remark VLAN200 SUBNET
access-list acl_out extended permit tcp 192.168.X.X 255.255.255.0 any log inactive
access-list inbound_dc remark ATHENA
access-list inbound_dc extended permit tcp any any eq 9999 log critical inactive
access-list inbound_dc remark ATHENA
access-list inbound_dc extended permit udp any any eq 9999 log critical inactive
access-list inbound_dc remark Deny ICMP from Inside to Outside.
access-list inbound_dc extended deny icmp any any log
access-list inside_outbound_nat0_acl extended permit ip 192.168.200.0 255.255.255.0 VPN 255.255.255.252
access-list inside_outbound_nat0_acl extended permit ip 192.168.X.X 255.255.255.0 VPN 255.255.255.252
access-list inside_outbound_nat0_acl extended permit ip 192.168.X.X 255.255.255.0 VPN 255.255.255.252
access-list inside_outbound_nat0_acl extended permit ip 192.168.X.X 255.255.255.0 VPN 255.255.255.252
access-list inside_outbound_nat0_acl extended permit ip any VPN 255.255.255.252
access-list outside_cryptomap_dyn_20 remark New Subnet
access-list outside_cryptomap_dyn_20 extended permit ip any VPN 255.255.255.252
access-list http-list extended permit tcp any any inactive
pager lines 24
logging enable
logging timestamp
logging list SyslogsASA5505 level critical
logging console critical
logging monitor notifications
logging trap informational
logging history alerts
logging asdm informational
logging mail alerts
logging facility 23
logging device-id hostname
logging host inside ATHENA
logging permit-hostdown
logging class auth trap informational
logging class config trap informational
logging class vpn trap informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.0.0.1-10.0.0.2 mask 255.255.255.252
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit host OCL inside
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9999 ATHENA 9999 netmask 255.255.255.255
static (inside,outside) udp interface 9999 ATHENA 9999 netmask 255.255.255.255
access-group acl_out in interface inside
access-group inbound_dc in interface outside
route inside 192.168.X.0 255.255.255.0 192.168.200.2 1
route inside 192.168.X.0 255.255.255.0 192.168.200.2 1
route inside 192.168.X.0 255.255.255.0 192.168.200.2 1
route inside 192.168.X.0 255.255.255.0 192.168.X.1 1
route inside 192.168.X.0 255.255.255.0 192.168.200.2 1
route inside 172.16.20.0 255.255.255.0 172.16.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http ATHENA 255.255.255.255 inside
http VPN 255.255.255.252 inside
http OCL 255.255.255.255 inside
http HERMES-FS01 255.255.255.255 inside
http VPN 255.255.255.0 inside
snmp-server host inside ATHENA community teamnet
snmp-server location X
snmp-server contact X
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server listen-port 162
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh VPN 255.255.255.252 inside
ssh OCL 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.X.X-192.168.X.X inside
dhcpd dns X.X.X.X X.X.X.X interface inside
dhcpd domain ATHEN.com interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside OCL /
group-policy Zeus internal
group-policy Zeus attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Zeus_splitTunnelAcl
default-domain value Zeus
split-dns value Zeus.com
username X password X encrypted privilege 15
tunnel-group Zeus type ipsec-ra
tunnel-group Zeus general-attributes
address-pool VPN
default-group-policy ASA
tunnel-group Zeus ipsec-attributes
pre-shared-key XXXXXX
smtp-server X
prompt hostname context
compression svc
Cryptochecksum:X
: end
16 years 11 months ago #24129
by jtartist
This may be out of my league, but just a quick hunch - if the problem persists at regular intervals, perhaps your IP address lease from your ISP is expiring each time, seeing that you are using a DHCP assigned IP address for interface eth 0.
JT
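An added example, not code from either poster: a small detector for the "Failed to locate egress interface" syslog that viper75 quotes, tied to jtartist's hunch that the DHCP-learned outside address (and with `setroute`, the default route) is going away. A single inside host failing egress is usually that host's problem; several distinct hosts failing within a few minutes means the firewall itself has no usable route out, which is the signal to alert on instead of waiting for a user to call. The sample log lines are constructed; the timestamp and device-id prefix assumes `logging timestamp` and `logging device-id hostname` as in the posted config, and the message id 110002 is an assumption (the match keys on the message text, not the id).

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog, not from the original post. Prefix format assumes
# "logging timestamp" and "logging device-id hostname"; id 110002 is assumed.
SAMPLE_LOG = """\
Mar 03 2008 08:59:40 CiscoASA : %ASA-6-302015: Built outbound UDP connection 1 for outside:203.0.113.5/53 (203.0.113.5/53) to inside:192.168.200.10/51234 (198.51.100.2/51234)
Mar 03 2008 09:00:01 CiscoASA : %ASA-6-110002: Failed to locate egress interface for UDP from inside:192.168.200.10/51234 to 203.0.113.5/53
Mar 03 2008 09:00:03 CiscoASA : %ASA-6-110002: Failed to locate egress interface for UDP from inside:192.168.200.10/51235 to 203.0.113.5/53
Mar 03 2008 09:01:17 CiscoASA : %ASA-6-110002: Failed to locate egress interface for TCP from inside:192.168.200.22/40112 to 198.51.100.80/80
Mar 03 2008 09:02:45 CiscoASA : %ASA-6-110002: Failed to locate egress interface for UDP from inside:192.168.200.31/5060 to 203.0.113.9/5060
"""

# "<Mon DD YYYY HH:MM:SS> <hostname> : %ASA-<sev>-<id>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : %ASA-\d-(?P<id>\d+): (?P<msg>.*)$"
)
# Pull protocol, ingress interface and source host out of the egress failure.
EGRESS_RE = re.compile(
    r"Failed to locate egress interface for (?P<proto>\w+) from "
    r"(?P<ifc>\w+):(?P<src>[\d.]+)/\d+"
)


def parse(log_text):
    """Yield (timestamp, message id, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["id"], m["msg"]


def egress_failures(log_text):
    """Return (timestamp, ingress interface, source host) per egress failure."""
    out = []
    for ts, _id, msg in parse(log_text):
        m = EGRESS_RE.search(msg)
        if m:
            out.append((ts, m["ifc"], m["src"]))
    return out


def route_loss_suspected(log_text, window=timedelta(minutes=5), min_hosts=3):
    """True when >= min_hosts distinct hosts fail egress inside one window.

    Many hosts failing together means the box has no default route (on this
    ASA, the one learned from the ISP's DHCP lease via "setroute")."""
    events = egress_failures(log_text)
    for i, (start, _ifc, _src) in enumerate(events):
        hosts = {src for ts, _i, src in events[i:] if ts - start <= window}
        if len(hosts) >= min_hosts:
            return True
    return False
```

Feed it the trap log from `logging host inside ATHENA` and page when `route_loss_suspected` flips; a reboot restoring service is consistent with the lease renewal simply being redone at boot.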