Inside hosts loses connection to the Internet - ASA5505

Discussion in 'Cisco' started by Martin, Dec 13, 2007.

  1. Martin

    Martin Guest

    Hi,

    I have a network with 110 Windows hosts. Not all computers are powered on
    all the time. From time to time one or two computers lose connection to
    the Internet, and I do not know why. Normally all the hosts are able to
    ping the firewall (gateway).

    When a host loses connection to the Internet it cannot ping the
    firewall. If the computer user waits an hour the Internet is back.

    I do not know why this happens.
    I have unlimited client access, and a reload (the console command)
    does not help.

    This is my ASA5505 license:
    ---------------------------------------------------------------------------
    xxx-ASA# sh activ
    Serial Number: JMXxxxxxER
    Running Activation Key: 0xfxxxx69 0x1xxxx93 0x1xxxx5b0 0xbxxxx4c0 0x4cxxxx85

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : Unlimited
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0

    This platform has a Base license.

    The flash activation key is the SAME as the running key.
    -----------------------------------------------------------------------------

    Have I done something wrong?

    Best regards
    Martin
     
    Martin, Dec 13, 2007
    #1

  2. Martin

    Guest

    On Dec 13, 4:27 am, Martin <> wrote:
    > Hi,
    >
    > I have a network with 110 Windows hosts. Not all computers are powered on
    > all the time. From time to time one or two computers lose connection to
    > the Internet, and I do not know why. Normally all the hosts are able to
    > ping the firewall (gateway).
    >
    > When a host loses connection to the Internet it cannot ping the
    > firewall. If the computer user waits an hour the Internet is back.
    >
    > I do not know why this happens.
    > I have unlimited client access, and a reload (the console command)
    > does not help.
    >
    > This is my ASA5505 license:
    > ---------------------------------------------------------------------------
    > xxx-ASA# sh activ
    > Serial Number: JMXxxxxxER
    > Running Activation Key: 0xfxxxx69 0x1xxxx93 0x1xxxx5b0 0xbxxxx4c0 0x4cxxxx85
    >
    > Licensed features for this platform:
    > Maximum Physical Interfaces : 8
    > VLANs : 3, DMZ Restricted
    > Inside Hosts : Unlimited
    > Failover : Disabled
    > VPN-DES : Enabled
    > VPN-3DES-AES : Enabled
    > VPN Peers : 10
    > WebVPN Peers : 2
    > Dual ISPs : Disabled
    > VLAN Trunk Ports : 0
    >
    > This platform has a Base license.
    >
    > The flash activation key is the SAME as the running key.
    > -----------------------------------------------------------------------------
    >
    > Have I done something wrong?
    >
    > Best regards
    > Martin


    Martin,

    You say that when these hosts lose Internet capabilities, you are not
    able to ping their default gateway? If that's so, it sounds more like
    a problem before you hit the ASA. Have you checked all cabling &
    switches that are in place before you hit the ASA? Next time it
    happens, start by checking the switches these machines are connected
    to... see if you have connectivity, errors, etc.

    neteng
    http://blog.humanmodem.com
     
    , Dec 13, 2007
    #2

  3. Martin

    Martin Guest


    > Martin,
    >
    > You say that when these hosts lose Internet capabilities, you are not
    > able to ping their default gateway? If that's so, it sounds more like
    > a problem before you hit the ASA. Have you checked all cabling &
    > switches that are in place before you hit the ASA? Next time it
    > happens, start by checking the switches these machines are connected
    > to... see if you have connectivity, errors, etc.
    >
    > neteng
    > http://blog.humanmodem.com



    Hi neteng,

    On the computers that have lost the Internet, everything else works.
    Intranet, file shares, printers, and so on. ONLY the Internet is lost.
    An arp -a shows the gateway's MAC, but the GW's IP cannot be pinged.

    It does not help to reboot or place the computer anywhere else in the
    network. If I wait an hour and reboot the computer, Internet is back.

    I am a little lost :-(


    best regards
    Martin
     
    Martin, Dec 13, 2007
    #3
  4. Martin

    Brian V Guest

    "Martin" <> wrote in message
    news:47616f2d$0$90265$...
    >
    >> Martin,
    >>
    >> You say that when these hosts lose Internet capabilities, you are not
    >> able to ping their default gateway? If that's so, it sounds more like
    >> a problem before you hit the ASA. Have you checked all cabling &
    >> switches that are in place before you hit the ASA? Next time it
    >> happens, start by checking the switches these machines are connected
    >> to... see if you have connectivity, errors, etc.
    >>
    >> neteng
    >> http://blog.humanmodem.com

    >
    >
    > Hi neteng,
    >
    > On the computers that have lost the Internet, everything else works.
    > Intranet, file shares, printers, and so on. ONLY the Internet is lost.
    > An arp -a shows the gateway's MAC, but the GW's IP cannot be pinged.
    >
    > It does not help to reboot or place the computer anywhere else in the
    > network. If I wait an hour and reboot the computer, Internet is back.
    >
    > I am a little lost :-(
    >
    >
    > best regards
    > Martin


    You only have a 10 device license on the ASA. A show local-host will tell
    you how many are in use. If you hit 11, they can't go through the ASA,
    licensing...
     
    Brian V, Dec 13, 2007
    #4
  5. Martin

    Martin Guest


    >
    > You only have a 10 device license on the ASA. A show local-host will
    > tell you how many are in use. If you hit 11, they can't go through the ASA,
    > licensing...



    If I run that command, the output starts with this:
    Licensed host limit: Unlimited.
    Interface inside: 7 active, 39 maximum active, 0 denied

    Why only 39 maximum active and not "unlimited"?
    What does it mean?

    Do I have a problem with my timeouts?
    -----
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    ------

    best regards
    Martin
     
    Martin, Dec 13, 2007
    #5
  6. Martin

    Brian V Guest

    "Martin" <> wrote in message
    news:4761946b$0$90274$...
    >
    >>
    >> You only have a 10 device license on the ASA. A show local-host will tell
    >> you how many are in use. If you hit 11, they can't go through the ASA,
    >> licensing...

    >
    >
    > If I run that command, the output starts with this:
    > Licensed host limit: Unlimited.
    > Interface inside: 7 active, 39 maximum active, 0 denied
    >
    > Why only 39 maximum active and not "unlimited"?
    > What does it mean?
    >
    > Do I have a problem with my timeouts?
    > -----
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    > timeout uauth 0:05:00 absolute
    > ------
    >
    > best regards
    > Martin


    "39 maximum active" is the number of hosts that the firewall has seen active
    at one time. You should never have more than 10 maximum active since that is
    what you are licensed for. In layman's terms, you cannot have more than 10
    devices on your LAN that go to the internet. It is telling you right now you
    have 7 active hosts. You need to upgrade your license on the ASA since you
    obviously have more than 10. No, you don't have a problem with your timeouts.
     
    Brian V, Dec 13, 2007
    #6
  7. Martin

    Martin Guest

    >
    > "39 maximum active" is the number of hosts that the firewall has seen
    > active at one time. You should never have more than 10 maximum active
    > since that is what you are licensed for. In layman's terms, you cannot
    > have more than 10 devices on your LAN that go to the internet. It is
    > telling you right now you have 7 active hosts. You need to upgrade your
    > license on the ASA since you obviously have more than 10. No, you don't
    > have a problem with your timeouts.


    How do you see that I only have a license for 10 devices?

    If I run a: show activation-key
    I see this output:
    -----
    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : Unlimited
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0

    This platform has a Base license.

    The flash activation key is the SAME as the running key.
    ------

    inside hosts = unlimited, does that not mean I can use unlimited devices?

    best regards
    Martin
     
    Martin, Dec 13, 2007
    #7
  8. Martin

    Brian V Guest

    "Martin" <> wrote in message
    news:4761a0ce$1$90267$...
    >>
    >> "39 maximum active" is the number of hosts that the firewall has seen
    >> active at one time. You should never have more than 10 maximum active
    >> since that is what you are licensed for. In layman's terms, you cannot
    >> have more than 10 devices on your LAN that go to the internet. It is
    >> telling you right now you have 7 active hosts. You need to upgrade your
    >> license on the ASA since you obviously have more than 10. No, you don't
    >> have a problem with your timeouts.

    >
    > How do you see that I only have a license for 10 devices?
    >
    > If I run a: show activation-key
    > I see this output:
    > -----
    > Licensed features for this platform:
    > Maximum Physical Interfaces : 8
    > VLANs : 3, DMZ Restricted
    > Inside Hosts : Unlimited
    > Failover : Disabled
    > VPN-DES : Enabled
    > VPN-3DES-AES : Enabled
    > VPN Peers : 10
    > WebVPN Peers : 2
    > Dual ISPs : Disabled
    > VLAN Trunk Ports : 0
    >
    > This platform has a Base license.
    >
    > The flash activation key is the SAME as the running key.
    > ------
    >
    > inside hosts = unlimited, does that not mean I can use unlimited devices?
    >
    > best regards
    > Martin
    >
    >


    I must have read your original post wrong! My apologies. You most
    certainly do have an unlimited user license. Post your config and we'll see
    if anything is wrong in there.
     
    Brian V, Dec 13, 2007
    #8
  9. Martin

    Guest

    Hi

    That's wrong, the hosts can be unlimited; there is only a limit for
    the maximum VPN tunnels, not the number of hosts in the LAN. Martin
    writes that the clients also cannot access the internet after a
    reload, so that's not a license problem.

    I think the problem is the ARP proxy. Depending on the installed OS, try
    a "sysopt noproxyarp inside" and/or "arp timeout 60". But with these
    commands, sometimes I have problems with statics. But it can be a
    light to the solution.

    cu ivo





    On Dec 13, 10:14 pm, Martin <> wrote:
    > > "39 maximum active" is the number of hosts that the firewall has seen
    > > active at one time. You should never have more than 10 maximum active
    > > since that is what you are licensed for. In layman's terms, you cannot
    > > have more than 10 devices on your LAN that go to the internet. It is
    > > telling you right now you have 7 active hosts. You need to upgrade your
    > > license on the ASA since you obviously have more than 10. No, you don't
    > > have a problem with your timeouts.

    >
    > How do you see that I only have a license for 10 devices?
    >
    > If I run a: show activation-key
    > I see this output:
    > -----
    > Licensed features for this platform:
    > Maximum Physical Interfaces : 8
    > VLANs : 3, DMZ Restricted
    > Inside Hosts : Unlimited
    > Failover : Disabled
    > VPN-DES : Enabled
    > VPN-3DES-AES : Enabled
    > VPN Peers : 10
    > WebVPN Peers : 2
    > Dual ISPs : Disabled
    > VLAN Trunk Ports : 0
    >
    > This platform has a Base license.
    >
    > The flash activation key is the SAME as the running key.
    > ------
    >
    > inside hosts = unlimited, does that not mean I can use unlimited devices?
    >
    > best regards
    > Martin
     
    , Dec 13, 2007
    #9
  10. Martin

    Martin Guest


    >>

    >
    > I must have read your original post wrong! My apologies. You most
    > certainly do have an unlimited user license. Post your config and we'll
    > see if anything is wrong in there.


    This is my complete config:
    ----
    ASA Version 7.2(2)
    !
    hostname xxxx-ASA
    domain-name xxxx.xxx.local
    enable password w20F3xxxxR7bAzEw encrypted
    names
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 213.xx.xx.2 255.255.255.192
    !
    interface Vlan4
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 4
    !
    interface Ethernet0/2
    switchport access vlan 4
    !
    interface Ethernet0/3
    switchport access vlan 4
    !
    interface Ethernet0/4
    switchport access vlan 4
    !
    interface Ethernet0/5
    switchport access vlan 4
    !
    interface Ethernet0/6
    switchport access vlan 4
    !
    interface Ethernet0/7
    switchport access vlan 4
    !
    passwd w20F3xxxxR7bAzEw encrypted
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name xxxx.xxxx.local
    access-list outside remark *** GENERAL ICMP FILTER ***
    access-list outside extended permit icmp any any echo-reply
    access-list outside extended permit icmp any any time-exceeded
    access-list outside extended permit icmp any any unreachable
    access-list outside remark ***
    access-list outside remark *** VIRUS112 ACCESS TO INSIDE MAILSERVER ***
    access-list outside extended permit tcp 195.xxx.xxx.0 255.255.255.0 host 213.xxx.xxx.3 eq smtp
    access-list outside extended permit tcp 194.xxx.xxx.0 255.255.255.0 host 213.xxx.xxx.3 eq smtp
    access-list outside extended permit tcp 195.xxx.xxx.0 255.255.255.0 host 213.xxx.xxx.3 eq smtp
    access-list outside remark *** Webmail/OMA ACCESS TO INSIDE MAILSERVER ***
    access-list outside extended permit tcp any host 213.xxx.xxx.3 eq www
    access-list outside extended permit tcp any host 213.xxx.xxx.3 eq https
    access-list outside remark ***
    access-list outside remark *** OUTSIDE ACCESS TO INSIDE CITRIX ***
    access-list outside extended permit tcp any host 213.xxx.xxx.4 eq www
    access-list outside extended permit tcp any host 213.xxx.xxx.4 eq https
    access-list outside extended permit tcp any host 213.xxx.xxx.4 eq citrix-ica
    access-list outside remark ***
    access-list outside remark *** MACONOMY ACCESS TO INSIDE MACONOMY ***
    access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq www
    access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq 8080
    access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq 3389
    access-list outside extended permit tcp host 193.xxx.xxx.5 host 213.xxx.xxx.5 eq 4444
    access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq www
    access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq 8080
    access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq 3389
    access-list outside extended permit tcp host 193.xxx.xxx.225 host 213.xxx.xxx.5 eq 4444
    access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq www
    access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq 8080
    access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq 3389
    access-list outside extended permit tcp host 83.xxx.xxx.237 host 213.xxx.xxx.5 eq 4444
    access-list outside remark ***
    access-list outside extended permit tcp host 83.xxx.xxx.42 host 213.xxx.xxx.5 eq 3389
    pager lines 24
    logging enable
    logging trap notifications
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3390 192.168.0.2 3389 netmask 255.255.255.255
    static (inside,outside) 213.xxx.xxx.3 192.168.0.8 netmask 255.255.255.255
    static (inside,outside) 213.xxx.xxx.4 192.168.0.240 netmask 255.255.255.255
    static (inside,outside) 213.xxx.xxx.5 192.168.0.243 netmask 255.255.255.255
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 87.xxx.xxx.42 255.255.255.255 outside
    http 87.xxx.xxx.154 255.255.255.255 outside
    http 213.xxx.xxx.2 255.255.255.255 outside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 213.xxx.xxx.2 255.255.255.255 outside
    ssh 87.xxx.xxx.154 255.255.255.255 outside
    ssh 87.xxx.xxx.42 255.255.255.255 outside
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 60

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ea68dxxxx3ac3dc6139e8484aa644ef1
    : end
     
    Martin, Dec 14, 2007
    #10
  11. Martin

    Martin Guest

    skrev:
    > Hi
    >
    > That's wrong, the hosts can be unlimited; there is only a limit for
    > the maximum VPN tunnels, not the number of hosts in the LAN. Martin
    > writes that the clients also cannot access the internet after a
    > reload, so that's not a license problem.
    >
    > I think the problem is the ARP proxy. Depending on the installed OS, try
    > a "sysopt noproxyarp inside" and/or "arp timeout 60". But with these
    > commands, sometimes I have problems with statics. But it can be a
    > light to the solution.
    >
    > cu ivo
    >


    Could it be a bug in the firmware? My ASA5505 uses ASA Version 7.2(2).
    Maybe there is a newer version.

    I'll try "sysopt noproxyarp inside" later today...

    best regards
    Martin
     
    Martin, Dec 14, 2007
    #11
  12. Martin

    Brian V Guest

    "Martin" <> wrote in message
    news:47622009$0$90272$...
    >
    >>>

    >>
    >> I must have read your original post wrong! My apologies. You most
    >> certainly do have an unlimited user license. Post your config and we'll
    >> see if anything is wrong in there.




    Again, I apologize about the license! I've got to stop replying to posts when
    I'm exhausted!

    Your config looks just fine; not seeing anything shy of the default setting
    for the DNS MTU. Using 512 can cause DNS queries to fail; I always set it to
    4092. A "show service-policy" will let you know how many drops you have had.
    To change that setting:
    conf t
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 4092

    Back to your original issue. XX host cannot go to the internet. When this
    host drops, can you ping the firewall? Do you have an internal router inside
    as well? If so, can the user ping that? Next time it happens open up ASDM,
    go in to logging, use debug packets and filter to that specific host, and see
    what the logs say.

    About your other post. 7.2(2): while there is "newer" software, 7.2(2) is
    actually a very stable release, running in hundreds of our customers. 7.2(3)
    is the latest in the 7.x train; that's still too new for us to roll to our
    customers, as we have a 90-day policy unless they are experiencing issues
    that the release will fix.
     
    Brian V, Dec 14, 2007
    #12
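The `message-length maximum` setting discussed in the last three posts bounds the DNS message that the inspection engine will pass, which is a different quantity from the interface MTU that bounds the IP packet. The following added example (editor's code, not from the thread or from Cisco) builds a constructed DNS response, models the inspection check at 512 and 4096 bytes, and checks the datagram against a 1500-byte MTU separately; the EDNS0 OPT record it adds is the mechanism that lets UDP responses grow past 512 bytes.

```python
from __future__ import annotations

import struct

# Values from the thread: Martin's preset_dns_map uses 512; the replies
# recommend raising it. 4096 is a common EDNS0 UDP payload size.
ASA_DEFAULT_MAX = 512
RAISED_MAX = 4096
IPV4_UDP_OVERHEAD = 20 + 8   # IPv4 header + UDP header, no IP options


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_response(qname: str, addrs: list[str], ttl: int = 300,
                       edns_udp_size: int | None = None) -> bytes:
    """Build a minimal DNS A-record response (constructed sample, not captured traffic)."""
    arcount = 1 if edns_udp_size is not None else 0
    # ID, flags (QR=1, RD=1, RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    opt = b""
    if edns_udp_size is not None:
        # EDNS0 OPT pseudo-record: root name, TYPE 41, CLASS carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + answers + opt


def check_dns_message(msg: bytes, maximum: int) -> dict:
    """Model the ASA DNS inspection `message-length maximum` check.

    Returns the parsed header counts, the message length, and whether the
    inspection engine would drop the message for exceeding `maximum` bytes.
    """
    if len(msg) < 12:
        raise ValueError("not a DNS message: shorter than the 12-byte header")
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "length": len(msg),
        "maximum": maximum,
        "dropped": len(msg) > maximum,
        "is_response": bool(flags & 0x8000),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def fits_in_one_packet(msg: bytes, mtu: int = 1500) -> bool:
    """The separate question the MTU answers: does the UDP datagram fit one IPv4 packet?"""
    return len(msg) + IPV4_UDP_OVERHEAD <= mtu


if __name__ == "__main__":
    small = build_dns_response("example.test", ["192.0.2.10"])
    big = build_dns_response("example.test",
                             [f"192.0.2.{i}" for i in range(1, 41)], edns_udp_size=4096)
    for name, msg in (("small", small), ("big", big)):
        for limit in (ASA_DEFAULT_MAX, RAISED_MAX):
            r = check_dns_message(msg, limit)
            verdict = "DROP" if r["dropped"] else "pass"
            print(f"{name}: {r['length']} bytes, {r['ancount']} answers, "
                  f"limit {limit}: {verdict}; fits 1500 MTU: {fits_in_one_packet(msg)}")
```

The 681-byte response passes the MTU check but is dropped at the 512-byte inspection limit, which is the behaviour the "DNS MTU" wording in the thread is loosely pointing at.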
  13. * Brian V wrote:
    > Your config looks just fine; not seeing anything shy of the default setting
    > for the DNS MTU. Using 512 can cause DNS queries to fail; I always set it to
    > 4092.


    This is not an MTU, and the minimal value should be 4096.
     
    Lutz Donnerhacke, Dec 14, 2007
    #13
  14. Martin

    Brian V Guest

    "Lutz Donnerhacke" <> wrote in message
    news:-jena.de...
    >* Brian V wrote:
    >> Your config looks just fine; not seeing anything shy of the default
    >> setting for the DNS MTU. Using 512 can cause DNS queries to fail; I always
    >> set it to 4092.

    >
    > This is not an MTU, and the minimal value should be 4096.


    4096 is the packet size. 4092 is the largest a DNS data segment should be.

    What is it if not an MTU? It specifies the largest size a DNS inspect data
    segment should be.

    Maximum Transmission Unit (MTU) refers to the size (in bytes) of the largest
    packet that a given layer of a communications protocol can pass onwards.

    Am I wrong?
     
    Brian V, Dec 14, 2007
    #14
  15. Martin

    Martin Guest


    > Again, I apologize about the license! I've got to stop replying to posts
    > when I'm exhausted!
    >
    > Your config looks just fine; not seeing anything shy of the default
    > setting for the DNS MTU. Using 512 can cause DNS queries to fail; I
    > always set it to 4092. A "show service-policy" will let you know how
    > many drops you have had. To change that setting:
    > conf t
    > policy-map type inspect dns preset_dns_map
    > parameters
    > message-length maximum 4092
    >
    > Back to your original issue. XX host cannot go to the internet. When
    > this host drops, can you ping the firewall? Do you have an internal
    > router inside as well? If so, can the user ping that? Next time it
    > happens open up ASDM, go in to logging, use debug packets and filter to
    > that specific host, and see what the logs say.
    >
    > About your other post. 7.2(2): while there is "newer" software, 7.2(2)
    > is actually a very stable release, running in hundreds of our customers.
    > 7.2(3) is the latest in the 7.x train; that's still too new for us to roll
    > to our customers, as we have a 90-day policy unless they are experiencing
    > issues that the release will fix.
    >
    >


    Hi Brian, thank you for your reply.

    When the host loses Internet it cannot ping the firewall. All the
    others can. Next time I will look at the log on the firewall - great idea.

    I do not have any internal routers.

    My network is built up with 6 C2960 Cisco switches, but the host's
    Internet is down no matter what switch I connect it to.

    But when an hour has gone (and a host restart) the host's Internet is back.

    Is there anything I should check on the switches?

    Best regards
    Martin
     
    Martin, Dec 15, 2007
    #15
  16. Martin

    Brian V Guest

    "Martin" <> wrote in message
    news:476326af$0$90267$...
    >
    >> Again, I apologize about the license! I've got to stop replying to posts
    >> when I'm exhausted!
    >>
    >> Your config looks just fine; not seeing anything shy of the default
    >> setting for the DNS MTU. Using 512 can cause DNS queries to fail; I
    >> always set it to 4092. A "show service-policy" will let you know how many
    >> drops you have had. To change that setting:
    >> conf t
    >> policy-map type inspect dns preset_dns_map
    >> parameters
    >> message-length maximum 4092
    >>
    >> Back to your original issue. XX host cannot go to the internet. When this
    >> host drops, can you ping the firewall? Do you have an internal router
    >> inside as well? If so, can the user ping that? Next time it happens open
    >> up ASDM, go in to logging, use debug packets and filter to that specific
    >> host, and see what the logs say.
    >>
    >> About your other post. 7.2(2): while there is "newer" software, 7.2(2) is
    >> actually a very stable release, running in hundreds of our customers. 7.2(3)
    >> is the latest in the 7.x train; that's still too new for us to roll to our
    >> customers, as we have a 90-day policy unless they are experiencing issues
    >> that the release will fix.
    >>
    >>

    >
    > Hi Brian, thank you for your reply.
    >
    > When the host loses Internet it cannot ping the firewall. All the others
    > can. Next time I will look at the log on the firewall - great idea.
    >
    > I do not have any internal routers.
    >
    > My network is built up with 6 C2960 Cisco switches, but the host's Internet
    > is down no matter what switch I connect it to.
    >
    > But when an hour has gone (and a host restart) the host's Internet is
    > back.
    >
    > Is there anything I should check on the switches?
    >
    > Best regards
    > Martin
    >
    >


    The 2960 is a basic L2 switch, so there is probably not much there. Is it
    always one specific host? If so, you may want to look at his switch port. Is
    it always 1hr?
    When it happens again, in addition to looking at the logs on the firewall,
    get a "show xlate" (just the counts, the first line), a "show conn" (again,
    first line) and a "show local-host" (first 3 lines).
     
    Brian V, Dec 15, 2007
    #16
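The `show local-host` counters Martin posted in #5 (and Brian read in #6) together with the three snapshots Brian asks for here are the quickest way to rule the host license in or out. The following added example (editor's code, not from the thread or from Cisco) parses those first lines from constructed sample output and flags whether the licensed host limit is what is denying a host; the second sample, an exhausted 10-host license, is constructed here and does not appear in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Line formats as they appear in the thread (`show local-host`) and in the
# first line of `show xlate` / `show conn` ("N in use, M most used").
LIMIT_RE = re.compile(r"^Licensed host limit:\s*(\w+)\.?\s*$")
IFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
IN_USE_RE = re.compile(r"^(\d+) in use, (\d+) most used")


@dataclass(frozen=True)
class HostCounters:
    active: int          # hosts the firewall currently holds state for
    maximum_active: int  # high-water mark since the counters were last cleared
    denied: int          # hosts refused because the licensed limit was reached


def parse_local_host(text: str) -> dict:
    """Parse the leading lines of `show local-host`.

    Returns {"limit": int or None (None means Unlimited),
             "interfaces": {interface name: HostCounters}}.
    """
    limit: int | None = None
    interfaces: dict[str, HostCounters] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LIMIT_RE.match(line)
        if m:
            value = m.group(1)
            limit = None if value.lower() == "unlimited" else int(value)
            continue
        m = IFACE_RE.match(line)
        if m:
            interfaces[m.group(1)] = HostCounters(int(m.group(2)), int(m.group(3)), int(m.group(4)))
    if not interfaces:
        raise ValueError("no 'Interface ...' counter lines found")
    return {"limit": limit, "interfaces": interfaces}


def parse_in_use(line: str) -> tuple[int, int]:
    """Parse the '<in use>, <most used>' counter line of `show xlate` or `show conn`."""
    m = IN_USE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected counter line: {line!r}")
    return int(m.group(1)), int(m.group(2))


def license_exhausted(local_host: dict) -> bool:
    """True when any interface has denied hosts or its peak reached a finite limit."""
    limit = local_host["limit"]
    for c in local_host["interfaces"].values():
        if c.denied > 0 or (limit is not None and c.maximum_active >= limit):
            return True
    return False


def assess(local_host: dict, xlate_line: str, conn_line: str) -> list[str]:
    """Turn the three snapshots into findings a troubleshooter can act on."""
    findings: list[str] = []
    limit = local_host["limit"]
    for name, c in local_host["interfaces"].items():
        if c.denied > 0:
            findings.append(f"{name}: {c.denied} hosts denied, licensed host limit {limit} is being hit")
        else:
            findings.append(f"{name}: {c.active} active, peak {c.maximum_active}, no denials")
    if not license_exhausted(local_host):
        findings.append("host license is not what blocks the affected host; "
                        "check ARP/switching and the per-host drops in the firewall log")
    for label, line in (("xlate", xlate_line), ("conn", conn_line)):
        in_use, peak = parse_in_use(line)
        findings.append(f"{label}: {in_use} in use, {peak} most used")
    return findings


# Constructed samples: the first mirrors the counters Martin posted, the second
# shows a device with a finite host license once that license is exhausted.
SAMPLE_UNLIMITED = """\
Licensed host limit: Unlimited.
Interface inside: 7 active, 39 maximum active, 0 denied
Interface outside: 2 active, 5 maximum active, 0 denied
"""
SAMPLE_LIMITED = """\
Licensed host limit: 10.
Interface inside: 10 active, 10 maximum active, 37 denied
"""
SAMPLE_XLATE = "2 in use, 41 most used"
SAMPLE_CONN = "55 in use, 312 most used"

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_LIMITED):
        for finding in assess(parse_local_host(sample), SAMPLE_XLATE, SAMPLE_CONN):
            print(finding)
        print("--")
```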
  17. Martin

    Martin Guest


    >>

    >
    > The 2960 is a basic L2 switch, so there is probably not much there. Is
    > it always one specific host? If so, you may want to look at his switch
    > port. Is it always 1hr?
    > When it happens again, in addition to looking at the logs on the
    > firewall, get a "show xlate" (just the counts, the first line), a "show
    > conn" (again, first line) and a "show local-host" (first 3 lines).



    Thank you very much for your help, Brian.

    The problem has not occurred for some time now (one week).

    I will return when it happens again... and now I have some ideas to solve
    it :)


    best regards
    Martin
     
    Martin, Dec 15, 2007
    #17
