
VPN client disconnects

 
 
TimParker
      04-03-2009
I have an odd problem with a couple of my users. I have been working
with one that works from an office in our County Courthouse and
chalked up the problems to getting off their network. But last night
my boss started having the same problems and I haven't made any
changes to the ASA for a long while.

The issue is that they will get connected and randomly lose connection
for no apparent reason. I needed to try and help the remote user
yesterday and connected through VNC to her laptop and was surprised
that after roughly 10-15 minutes I was still connected. So I got the
bright idea to just start a constant ping from my workstation to her
VPN IP.

She stayed connected for 30 minutes. I stopped it and within minutes
she was DC'd. My boss tried this last night as he started having
issues. This after being connected for over 6+ hours throughout the
day while I was sitting here.

I did realize that the client we are using (which is what came with
the ASA 5505 when we bought it) is/was version 5.0.02.0290. I logged
into Cisco and see that they have version 5.0.05.0290 now which
appears to have been released last month (March 09). I have gone
through all the readme.txt files for the other 2 versions that appear
to have been released since ours and don't see any glaring issues that
either are known problems or fixed issues.

The closest appears to be CSCsi26001 where disconnects can happen on
reauth on rekey with a saved password. We do have the save password
option currently on, but the reauth on rekey is disabled as per the
default policy. So I don't think that is our issue.

Anyone seen this type of behavior? I know that at the courthouse the
router that is being used is an older one; it's a Linksys, I believe. I have
updated it to the most current bios but it is still several years old.
I have to check today what my boss has at home.

I don't have this issue at home, but I have a Netgear Wireless router
that I just bought to replace a failing one that I had.
 
TimParker
      04-03-2009
Only about 4 of us right now. Don't think it's resources. I have one
site to site that appears to be stable. Here is the output.


Result of the command: "sh ver"

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"

MOPS-ASA-5505 up 21 days 3 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 0024.14d9.c460, irq 11
1: Ext: Ethernet0/0 : address is 0024.14d9.c458, irq 255
2: Ext: Ethernet0/1 : address is 0024.14d9.c459, irq 255
3: Ext: Ethernet0/2 : address is 0024.14d9.c45a, irq 255
4: Ext: Ethernet0/3 : address is 0024.14d9.c45b, irq 255
5: Ext: Ethernet0/4 : address is 0024.14d9.c45c, irq 255
6: Ext: Ethernet0/5 : address is 0024.14d9.c45d, irq 255
7: Ext: Ethernet0/6 : address is 0024.14d9.c45e, irq 255
8: Ext: Ethernet0/7 : address is 0024.14d9.c45f, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8

This platform has an ASA 5505 Security Plus license.

Serial Number: REMOVED
Running Activation Key: REMOVED
Configuration register is 0x1
Configuration last modified by timparker at 09:05:26.038 EDT Fri Apr 3 2009

On Apr 3, 9:44 am, Artie Lange <(E-Mail Removed)> wrote:
> TimParker wrote:
> > I have an odd problem with a couple of my users. I have been working
> > with one that works from an office in our County Courthouse and
> > chalked up the problems to getting off their network. But last night
> > my boss started having the same problems and I haven't made any
> > changes to the ASA for a long while.
> >
> > The issue is that they will get connected and randomly lose connection
> > for no apparent reason. I needed to try and help the remote user
> > yesterday and connected through VNC to her laptop and was surprised
> > that after roughly 10-15 minutes I was still connected. So I got the
> > bright idea to just start a constant ping from my workstation to her
> > VPN IP.
>
> How many users hitting the VPN? I would suggest doing a sh tech when a
> disconnect happens and seeing what is happening with the firewall,
> perhaps out of memory? VPN license could be exhausted? Can you post a sh
> ver?

 
TimParker
      04-03-2009
Something else I forgot to add, I am leaning away from the routers
being the problem (at the remote user locations) as I took the one at
the Courthouse completely out of the picture and hardcoded the address
that they gave to us to use for that office to the laptop and the
laptop still DC'd like clockwork......




 
TimParker
      04-03-2009
They are all currently wired. My boss was wireless and he has
currently changed. Good call on the 7.x code. I was currently focusing
on the client side. Guess it confused me since I am not having any
issues.....


On Apr 3, 9:57 am, Artie Lange <(E-Mail Removed)> wrote:
> TimParker wrote:
> > Something else I forgot to add, I am leaning away from the routers
> > being the problem (at the remote user locations) as I took the one at
> > the Courthouse completely out of the picture and hardcoded the address
> > that they gave to us to use for that office to the laptop and the
> > laptop still DC'd like clockwork......
>
> I would also look at release notes for fixes in versions later than 7.X
> code. Also are the remote clients wireless or cabled?


 
TimParker
      04-03-2009
Most definitely. I think the newest one that I see is 8.0(4)

Interesting to hear your problem. I have most everything all patched
up. But I am pretty sure that the two machines in question don't have
XP SP3 yet. I just went through a big push to get that out there to
all my machines. So I guess it should be the other way, but who
knows.

Now to find the readme for 8.0(4)



On Apr 3, 10:06 am, Artie Lange <(E-Mail Removed)> wrote:
> TimParker wrote:
> > They are all currently wired. My boss was wireless and he has
> > currently changed. Good call on the 7.x code. I was currently focusing
> > on the client side. Guess it confused me since I am not having any
> > issues.....
>
> The only reason I said look at the code on the FW is that I had an issue
> similar, I was running 7.X code on my side and there was some Windows
> update that broke the client, upgrading to the 8.X code fixed the issue.
>
> I was running like 7.1(x) at the time, but worth a look?


 
TimParker
      04-03-2009
Guess I actually need to read all the notes since my running version.
Nothing exciting was in the 8.0(4) version......



 