
Inside hosts loses connection to the Internet - ASA5505

Martin
Posted: Thu Dec 13, 2007 11:43 pm
 
Quote:
Martin,

You say that when these hosts lose Internet capabilities, you are not
able to ping their default gateway? If that's so, it sounds more like
a problem before you hit the ASA. Have you checked all cabling &
switches that are in place before you hit the ASA? Next time it
happens, start by checking the switches these machines are connected
to..see if you have connectivity, errors...etc.

neteng
http://blog.humanmodem.com


Hi neteng,

On the computers that have lost the Internet, everything else works.
Intranet, file shares, printers, and so on. ONLY the Internet is lost.
An arp -a shows the gateway's MAC, but the GW's IP cannot be pinged.

It does not help to reboot or place the computer anywhere else in the
network. If I wait an hour and reboot the computer, Internet is back.

I am a little lost :-(


best regards
Martin
 
googlegroups@ruetsche.com
Posted: Thu Dec 13, 2007 11:44 pm
 
Hi

That's wrong, the hosts can be unlimited; there is only a limit for
the maximum VPN tunnels, not the number of hosts in the LAN. Martin
writes that the clients also cannot access the Internet after a
reload, so that's not a license problem.

I think the problem is the ARP proxy. Depending on the installed OS, try
a "sysopt noproxyarp inside" and/or "arp timeout 60". But with these
commands, sometimes I have problems with statics. But it may shed some
light on the solution.

cu ivo





On Dec 13, 10:14 pm, Martin <ikke...@email.local> wrote:
Quote:
"39 maximum active" is the number of hosts that the firewall has seen
active at one time, you should never have more than 10 maximum active
since that is what you are licensed for. In layman's terms, you cannot
have more than 10 devices on your LAN that go to the internet. It is
telling you right now you have 7 active hosts. You need to upgrade your
license on the ASA since you obviously have more than 10. No, you don't
have a problem with your timeouts.

How do you see I only have a license for 10 devices?

If I run a: show activation-key
I see this output:
-----
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.
------

Inside hosts = unlimited, does that not mean I can use unlimited devices?

best regards
Martin

 
Brian V
Posted: Fri Dec 14, 2007 12:55 am
 
"Martin" <ikkeMIN@email.local> wrote in message
news:47616f2d$0$90265$14726298@news.sunsite.dk...
Quote:

Martin,

You say that when these hosts lose Internet capabilities, you are not
able to ping their default gateway? If that's so, it sounds more like
a problem before you hit the ASA. Have you checked all cabling &
switches that are in place before you hit the ASA? Next time it
happens, start by checking the switches these machines are connected
to..see if you have connectivity, errors...etc.

neteng
http://blog.humanmodem.com


Hi neteng,

On the computers that have lost the Internet, everything else works.
Intranet, file shares, printers, and so on. ONLY the Internet is lost.
An arp -a shows the gateway's MAC, but the GW's IP cannot be pinged.

It does not help to reboot or place the computer anywhere else in the
network. If I wait an hour and reboot the computer, Internet is back.

I am a little lost :-(


best regards
Martin

You only have a 10 device license on the ASA. A show local-host will tell
you how many are in use. If you hit 11, they can't go through the ASA,
licensing...
 
Martin
Posted: Fri Dec 14, 2007 2:22 am
 
Quote:

You only have a 10 device license on the ASA. A show local-host will
tell you how many are in use. If you hit 11, they can't go through the ASA,
licensing...


If I run that command, the output starts with this:
Licensed host limit: Unlimited.
Interface inside: 7 active, 39 maximum active, 0 denied

Why only 39 maximum active and not "unlimited"?
What does it mean?

Do I have a problem with my timeouts:
-----
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
------

best regards
Martin
 
Brian V
Posted: Fri Dec 14, 2007 3:03 am
 
"Martin" <ikkeMIN@email.local> wrote in message
news:4761946b$0$90274$14726298@news.sunsite.dk...
Quote:


You only have a 10 device license on the ASA. A show local-host will tell
you how many are in use. If you hit 11, they can't go through the ASA,
licensing...


If I run that command, the output starts with this:
Licensed host limit: Unlimited.
Interface inside: 7 active, 39 maximum active, 0 denied

Why only 39 maximum active and not "unlimited"?
What does it mean?

Do I have a problem with my timeouts:
-----
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
------

best regards
Martin

"39 maximum active" is the number of hosts that the firewall has seen active
at one time, you should never have more than 10 maximum active since that is
what you are licensed for. In layman's terms, you cannot have more than 10
devices on your LAN that go to the internet. It is telling you right now you
have 7 active hosts. You need to upgrade your license on the ASA since you
obviously have more than 10. No, you don't have a problem with your timeouts.
 
Martin
Posted: Fri Dec 14, 2007 3:14 am
 
Quote:

"39 maximum active" is the number of hosts that the firewall has seen
active at one time, you should never have more than 10 maximum active
since that is what you are licensed for. In layman's terms, you cannot
have more than 10 devices on your LAN that go to the internet. It is
telling you right now you have 7 active hosts. You need to upgrade your
license on the ASA since you obviously have more than 10. No, you don't
have a problem with your timeouts.

How do you see I only have a license for 10 devices?

If I run a: show activation-key
I see this output:
-----
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.
------

Inside hosts = unlimited, does that not mean I can use unlimited devices?

best regards
Martin
 
Brian V
Posted: Fri Dec 14, 2007 5:38 am
 
"Martin" <ikkeMIN@email.local> wrote in message
news:4761a0ce$1$90267$14726298@news.sunsite.dk...
Quote:

"39 maximum active" is the number of hosts that the firewall has seen
active at one time, you should never have more than 10 maximum active
since that is what you are licensed for. In layman's terms, you cannot
have more than 10 devices on your LAN that go to the internet. It is
telling you right now you have 7 active hosts. You need to upgrade your
license on the ASA since you obviously have more than 10. No, you don't
have a problem with your timeouts.

How do you see I only have a license for 10 devices?

If I run a: show activation-key
I see this output:
-----
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

The flash activation key is the SAME as the running key.
------

Inside hosts = unlimited, does that not mean I can use unlimited devices?

best regards
Martin



I must have read your original post wrong! My apologies. You most
certainly do have an unlimited user license. Post your config and we'll see
if anything is wrong in there.
 
Martin
Posted: Fri Dec 14, 2007 7:33 am
 
googlegroups@ruetsche.com wrote:
Quote:
Hi

That's wrong, the hosts can be unlimited; there is only a limit for
the maximum VPN tunnels, not the number of hosts in the LAN. Martin
writes that the clients also cannot access the Internet after a
reload, so that's not a license problem.

I think the problem is the ARP proxy. Depending on the installed OS, try
a "sysopt noproxyarp inside" and/or "arp timeout 60". But with these
commands, sometimes I have problems with statics. But it may shed some
light on the solution.

cu ivo


Could it be a bug in the firmware? My ASA 5505 runs ASA Version 7.2(2).
Maybe there is a newer version.

I will try "sysopt noproxyarp inside" later today...

best regards
Martin
 
Martin
Posted: Sat Dec 15, 2007 10:29 pm
 
Quote:


The 2960 is a basic L2 switch, so there is probably not much there. Is
it always one specific host? If so, you may want to look at its switch
port. Is it always 1 hr?
When it happens again, in addition to looking at the logs on the
firewall, get a "show xlate" (just the counts, the first line), a "show
conn" (again, first line) and a "show local-host" (first 3 lines).


thank you very much for your help Brian.

The problem has not occurred for some time now (one week).

I will return when it happens again... and now I have some ideas to solve
it :-)


best regards
Martin
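Added example, not code from the thread: a small check that pulls the counters Brian asked for out of `show local-host` and `show activation-key` output and says whether the inside-host license could explain hosts being refused, which is the question the thread went back and forth on. The sample output is constructed from the lines quoted above, and the check runs on a workstation over captured CLI text, not on the ASA itself.

```python
import re
from typing import Optional

# Constructed sample output, modelled on the lines quoted in the thread.
SHOW_ACTIVATION_KEY = """Licensed features for this platform:
Maximum Physical Interfaces : 8
Inside Hosts : Unlimited
"""
SHOW_LOCAL_HOST = """Licensed host limit: Unlimited.
Interface inside: 7 active, 39 maximum active, 0 denied
"""


def parse_inside_host_limit(activation_key_output: str) -> Optional[int]:
    """Licensed inside-host count from show activation-key; None means Unlimited."""
    m = re.search(r"^Inside Hosts\s*:\s*(\S+)", activation_key_output, re.M)
    if m is None:
        raise ValueError("no 'Inside Hosts' line in show activation-key output")
    value = m.group(1).rstrip(".")
    return None if value.lower() == "unlimited" else int(value)


def parse_local_host_counters(local_host_output: str, interface: str = "inside") -> dict:
    """active / maximum active / denied for one interface from show local-host."""
    pattern = (rf"^Interface {re.escape(interface)}:\s*(\d+) active,\s*"
               r"(\d+) maximum active,\s*(\d+) denied")
    m = re.search(pattern, local_host_output, re.M)
    if m is None:
        raise ValueError(f"no counters for interface {interface!r}")
    active, max_active, denied = (int(x) for x in m.groups())
    return {"active": active, "max_active": max_active, "denied": denied}


def license_explains_drops(limit: Optional[int], counters: dict) -> bool:
    """True only if hosts were actually denied, or a finite limit was reached at peak."""
    if counters["denied"] > 0:
        return True          # the ASA has refused hosts: licensing is in play
    if limit is None:
        return False         # Unlimited license: look elsewhere (ARP, L2, ...)
    return counters["max_active"] >= limit


if __name__ == "__main__":
    limit = parse_inside_host_limit(SHOW_ACTIVATION_KEY)
    counters = parse_local_host_counters(SHOW_LOCAL_HOST)
    print("licensed inside hosts:", "Unlimited" if limit is None else limit)
    print("counters:", counters, "license explains drops:",
          license_explains_drops(limit, counters))
```

With the thread's own numbers (Unlimited, 0 denied) the check answers False, which matches Brian's corrected conclusion; with a 10-host license the peak of 39 would have flagged it.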
 
 