Velocity Reviews - Computer Hardware Reviews

Inside hosts loses connection to the Internet - ASA5505

 
 
Martin
12-13-2007
Hi,

I have a network with 110 Windows hosts. Not all computers are powered on
all the time. From time to time one or two computers lose connection to
the Internet, and I do not know why. Normally all the hosts are able to
ping the firewall (gateway).

When a host loses connection to the Internet it cannot ping the
firewall. If the computer user waits an hour the Internet is back.

I do not know why this happens.
I have unlimited client access, and a reload (the console command)
does not help.

This is my ASA5505 license:
---------------------------------------------------------------------------
xxx-ASA# sh activ
Serial Number: JMXxxxxxER
Running Activation Key: 0xfxxxx69 0x1xxxx93 0x1xxxx5b0 0xbxxxx4c0 0x4cxxxx85

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.
-----------------------------------------------------------------------------

Have I done something wrong?

Best regards
Martin

pcmccollum@N0SPAMgmail.com
12-13-2007
Martin,

You say that when these hosts lose Internet capabilities, you are not
able to ping their default gateway? If that's so, it sounds more like
a problem before you hit the ASA. Have you checked all cabling and
switches that are in place before you hit the ASA? Next time it
happens, start by checking the switches these machines are connected
to, and see if you have connectivity, errors, etc.

neteng
http://blog.humanmodem.com
 
Martin
12-13-2007

Hi neteng,

On the computers that have lost the Internet, everything else works.
Intranet, file shares, printers, and so on. ONLY the Internet is lost.
An arp -a shows the gateway's MAC, but the GW's IP cannot be pinged.

It does not help to reboot or place the computer anywhere else in the
network. If I wait an hour and reboot the computer, the Internet is back.

I am a little lost.

Best regards
Martin
 
Brian V
12-13-2007

You only have a 10 device license on the ASA. A show local-host will tell
you how many are in use. If you hit 11, they can't go through the ASA,
licensing...

 
Martin
12-13-2007

If I run that command, the output starts with this:
Licensed host limit: Unlimited.
Interface inside: 7 active, 39 maximum active, 0 denied

Why only 39 maximum active and not "unlimited"?
What does it mean?

Do I have a problem with my timeouts?
-----
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
------

Best regards
Martin
 
Brian V
12-13-2007

"39 maximum active" is the number of hosts that the firewall has seen active
at one time; you should never have more than 10 maximum active, since that is
what you are licensed for. In layman's terms, you cannot have more than 10
devices on your LAN that go to the Internet. It is telling you right now you
have 7 active hosts. You need to upgrade your license on the ASA since you
obviously have more than 10. No, you don't have a problem with your timeouts.

 
Martin
12-13-2007
How do you see I only have a license for 10 devices?

If I run a show activation-key, I see this output:
-----
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.
------

Inside Hosts = Unlimited, does that not mean I can use unlimited devices?

Best regards
Martin

Brian V
12-13-2007

I must have read your original post wrong! My apologies. You most
certainly do have an unlimited user license. Post your config and we'll see
if anything is wrong in there.

 
googlegroups@ruetsche.com
12-13-2007

Hi

That's wrong: the hosts can be unlimited; there is only a limit for
the maximum VPN tunnels, not the number of hosts in the LAN. Martin
writes that the clients also cannot access the Internet after a
reload, so that's not a license problem.

I think the problem is the ARP proxy. Depending on the installed OS, try
a "sysopt noproxyarp inside" and/or "arp timeout 60". But with these
commands, sometimes I have problems with statics. But it may shed some
light on the solution.

cu ivo





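The license question in this exchange (Martin's show local-host output, Brian V's 10-device reading and Ivo's correction) can be checked mechanically. The following Python helper is an added example, not code from the thread: it parses the two command outputs as posted and reports whether the inside-host license could explain hosts being dropped. The sample text is constructed from the excerpts above, and the function names are my own.

```python
import re

# Constructed sample output, modelled on the "show activation-key" and
# "show local-host" excerpts posted in this thread (same values).
ACTIVATION_KEY_OUTPUT = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
VPN Peers : 10
WebVPN Peers : 2
"""
LOCAL_HOST_OUTPUT = """\
Licensed host limit: Unlimited.
Interface inside: 7 active, 39 maximum active, 0 denied
"""

def parse_activation_key(text):
    """Return {feature: value} from the 'Licensed features' table."""
    feats = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            feats[m.group(1)] = m.group(2)
    return feats

def parse_local_host(text):
    """Return (host limit as int, or None when unlimited, {ifname: counters})."""
    m = re.search(r"Licensed host limit:\s*(\w+)", text)
    limit = int(m.group(1)) if m and m.group(1).isdigit() else None
    pat = re.compile(r"Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
    counters = {name: {"active": int(a), "max_active": int(mx), "denied": int(d)}
                for name, a, mx, d in pat.findall(text)}
    return limit, counters

def assess_host_license(activation_text, local_host_text):
    """Decide whether the inside-host license can explain hosts losing Internet.

    The relevant limit is 'Inside Hosts' (mirrored at runtime as 'Licensed host
    limit'); 'VPN Peers' counts tunnels and is not a LAN host limit, which was
    the misreading in this thread.
    """
    feats = parse_activation_key(activation_text)
    limit, counters = parse_local_host(local_host_text)
    report = {"inside_hosts": feats.get("Inside Hosts"),
              "vpn_peers": feats.get("VPN Peers"),
              "host_limit": limit, "interfaces": {}}
    for name, c in counters.items():
        # A cap shows up as a non-zero 'denied' counter or as 'active' sitting
        # at the limit; 'maximum active' is only a high-water mark.
        at_cap = limit is not None and c["active"] >= limit
        report["interfaces"][name] = dict(c, license_suspect=c["denied"] > 0 or at_cap)
    return report
```

With the values from this thread the report marks the inside interface as not license-suspect (0 denied, unlimited limit), which matches Ivo's conclusion.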
Martin
12-14-2007

This is my complete config:
----
ASA Version 7.2(2)
!
hostname xxxx-ASA
domain-name xxxx.xxx.local
enable password w20F3xxxxR7bAzEw encrypted
names
!
interface Vlan2
nameif outside
security-level 0
ip address 213.xx.xx.2 255.255.255.192
!
interface Vlan4
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 4
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 4
!
interface Ethernet0/6
switchport access vlan 4
!
interface Ethernet0/7
switchport access vlan 4
!
passwd w20F3xxxxR7bAzEw encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name xxxx.xxxx.local
access-list outside remark *** GENERAL ICMP FILTER ***
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit icmp any any unreachable
access-list outside remark ***
access-list outside remark *** VIRUS112 ACCESS TO INSIDE MAILSERVER ***
access-list outside extended permit tcp 195.xxx.xxx.0 255.255.255.0 host 213.xxx.xxx.3 eq smtp
access-list outside extended permit tcp 194.xxx.xxx.0 255.255.255.0 host 213.xxx.xxx.3 eq smtp
access-list outside extended permit tcp 195.xxx.xxx.0 255.255.255.0 host 213.xxx.xxx.3 eq smtp
access-list outside remark *** Webmail/OMA ACCESS TO INSIDE MAILSERVER ***
access-list outside extended permit tcp any host 213.xxx.xxx.3 eq www
access-list outside extended permit tcp any host 213.xxx.xxx.3 eq https
access-list outside remark ***
access-list outside remark *** OUTSIDE ACCESS TO INSIDE CITRIX ***
access-list outside extended permit tcp any host 213.xxx.xxx.4 eq www
access-list outside extended permit tcp any host 213.xxx.xxx.4 eq https
access-list outside extended permit tcp any host 213.xxx.xxx.4 eq citrix-ica
access-list outside remark ***
access-list outside remark *** MACONOMY ACCESS TO INSIDE MACONOMY ***
access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq www
access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq 8080
access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq 3389
access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq 4444
access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq www
access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq 8080
access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq 3389
access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq 4444
access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq www
access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq 8080
access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq 3389
access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq 4444
access-list outside remark ***
access-list outside extended permit tcp host 83.xxx.xxx.42 host 213.xxx.xxx.5 eq 3389
pager lines 24
logging enable
logging trap notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) 213.xxx.xxx.3 192.168.0.8 netmask 255.255.255.255
static (inside,outside) 213.xxx.xxx.4 192.168.0.240 netmask 255.255.255.255
static (inside,outside) 213.xxx.xxx.5 192.168.0.243 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 87.xxx.xxx.42 255.255.255.255 outside
http 87.xxx.xxx.154 255.255.255.255 outside
http 213.xxx.xxx.2 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 213.xxx.xxx.2 255.255.255.255 outside
ssh 87.xxx.xxx.154 255.255.255.255 outside
ssh 87.xxx.xxx.42 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 60

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea68dxxxx3ac3dc6139e8484aa644ef1
: end
 