Virgn Media and Cisco ASA

Durzel · 11 Mar 2011 at 12:28

I've had a Cisco ASA 5505 connected to a Virgin Media cable modem for the past 3 years. During this time the modem has changed a couple of times (speed increases, going from 10Mb to 50Mb, etc).

In the past 6 months or so I have noticed that every 1-2 weeks I would lose internet connectivity, the outside interface would seem to stop forwarding traffic from the inside network, and the ASA itself would not ping any outside address (I haven't yet tested whether it can ping the next hop - the CM gateway).

The interface itself show in the CLI as being up, and no errors or collisions are reported on "show interface".

Administratively shutting down the interface and bringing it back up again, or simply rebooting the ASA, fixes the problem straight away and allows the inside network to use the internet again.

In the last couple of days the frequency of this connection dropout has increased massively to the point where now I seem to lose internet connectivity within an hour of rebooting the device. It doesn't seem tied to any particular traffic, or load, as it will do it regardless of either.

I've tried resetting the device to factory defaults (configure factory-default) and also moving the outside connection from eth0/0 to eth0/7 (to make sure the port wasn't defective). Neither have had any effect.

This morning I manually set the port speed for eth0/7 to 10Mbps, it was previously auto on both speed and duplex. As of this post the outside connection has remained up for around 4 hours, but I'm not really that confident that it has actually fixed the problem.

Would auto-negotiation and/or a duplex/speed mismatch cause a previously working interface to abruptly stop processing traffic, with no apparent errors or collisions reported? Would faulty RAM cause something like this?

ASA is running 8.2.4 with ASDM 6.4.1, with the standard 256MB memory from new.

derfderfley · 11 Mar 2011 at 20:08

I seen this with ASA's in the past, usually it's worse when the kit it's plugged into is another piece of Cisco kit!

A couple of things I would try before swapping out the ASA, hard setting the speed but leaving the duplex to auto, swapping the network cable out. And try getting Virgin to swap out the modem, you've tried different ports on the ASA, but it may be the other end at fault.

Durzel · 11 Mar 2011 at 21:48

Thanks for your help.

As it turned out the connection died about 2 hours after my original post, so setting to 10Mbps didn't fix it. Also setting it to 100/full didn't work either.

I've now changed the ethernet cable. Guess I'm going to have to go through a process of elimination.

darael · 11 Mar 2011 at 22:16

Tried resetting to defaults, then re-flashing, followed by another resetting to defaults?

Durzel · 11 Mar 2011 at 23:32

Not yet no.

I did see this earlier though after it had dropped the outside connection again:

Code:

diva# clear arp
diva# arp-req: generating request for scion at interface inside
arp-send: arp request built from 10.27.0.1 001e.f715.7a75 for scion at 12400150
arp-in: response at inside from scion 0030.1bae.20f2 for 10.27.0.1 001e.f715.7a75
arp-set: added arp inside scion 0030.1bae.20f2 and updating NPs at 12400150
arp-in: resp from scion for 10.27.0.1 on inside at 12400150
arp-send: sending all saved block to inside scion at 12400150
arp-req: generating request for 94.169.96.1 at interface outside
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12400740
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12401760
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12402760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12406760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 001e.f715.7a75
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12409660
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12411760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12416760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12421760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12426760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 001e.f715.7a75
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12430660
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12431760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12436760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12441760
show arp
	inside nexus bcae.c5b3.d3f8 12
	inside scion 0030.1bae.20f2 42
diva# 
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12446760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
conf t
diva(config)# 
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12451760
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 001e.f715.7a75
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12452160
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
diva(config)# int eth0/0
diva(config-if)# shutdown
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
diva(config-if)# 
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12456760
diva(config-if)# no shutdown
arp-req: generating request for 94.169.96.1 at interface outside
arp-req: request for 94.169.96.1 still  pending
arp-send: arp request built from 94.169.96.79 001e.f715.7a75 for 94.169.96.1 at 12461760
arp-in: response at outside from 94.169.96.1 0030.b8d2.1450 for 94.169.96.79 001e.f715.7a75
arp-set: added arp outside 94.169.96.1 0030.b8d2.1450 and updating NPs at 12461800
arp-in: resp from 94.169.96.1 for 94.169.96.79 on outside at 12461800
show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 20005 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 15875 messages logged
on 3922 for outside:80.190.225.139/17385 to inside:nexus/61851 duration 0:02:01 bytes 17
%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/0' command.
%ASA-6-305012: Teardown dynamic UDP translation from inside:scion/44132 to outside:94.169.96.79/3777 duration 0:02:30
%ASA-4-411002: Line protocol on Interface Ethernet0/0, changed state to down
%ASA-4-411002: Line protocol on Interface outside, changed state to down
%ASA-4-411004: Interface Ethernet0/0, changed state to administratively down
%ASA-5-111008: User 'enable_15' executed the 'shutdown' command.
%ASA-6-110003: Routing failed to locate next hop for UDP from inside:94.169.96.79/45470 to outside:78.129.239.48/9987
%ASA-6-110002: Failed to locate egress interface for UDP from inside:nexus/51664 to 80.190.225.139/17385
%ASA-6-302016: Teardown UDP connection 3932 for outside:80.190.225.139/17385 to inside:nexus/58589 duration 0:02:01 bytes 17
%ASA-6-302016: Teardown UDP connection 3923 for outside:194.168.4.100/53 to inside:nexus/52180 duration 0:02:08 bytes 140
%ASA-6-302016: Teardown UDP connection 3924 for outside:194.168.8.100/53 to inside:nexus/52180 duration 0:02:07 bytes 105
<--- More --->
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 0000.0000.0000
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12468760
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 0000.0000.0000
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12468770
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 0000.0000.0000
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12468780
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 0000.0000.0000
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12468790
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
arp-in: request at inside from nexus bcae.c5b3.d3f8 for 10.27.0.1 0000.0000.0000
arp-in: rqst for me from nexus for 10.27.0.1, on inside
arp-set: added arp inside nexus bcae.c5b3.d3f8 and updating NPs at 12469160
arp-in: generating reply from 10.27.0.1 001e.f715.7a75 to nexus bcae.c5b3.d3f8
%ASA-6-305012: Teardown dynamic UDP translation from inside:scion/45372 to outside:94.169.96.79/13575 duration 0:02:30
%ASA-7-710005: UDP request discarded from vorniz/41443 to inside:10.27.0.255/3052
%ASA-6-302016: Teardown UDP connection 3894 for outside:78.129.239.48/9987 to inside:nexus/54162 duration 0:03:54 bytes 64458
%ASA-7-609002: Teardown local-host outside:78.129.239.48 duration 0:03:54
%ASA-6-302016: Teardown UDP connection 3925 for outside:194.168.4.100/53 to inside:nexus/61591 duration 0:02:08 bytes 136
%ASA-6-302016: Teardown UDP connection 3928 for outside:194.168.8.100/53 to inside:nexus/61591 duration 0:02:07 bytes 102
%ASA-6-302016: Teardown UDP connection 3926 for outside:194.168.4.100/53 to inside:nexus/49220 duration 0:02:08 bytes 136
%ASA-6-302016: Teardown UDP connection 3929 for outside:194.168.8.100/53 to inside:nexus/49220 duration 0:02:07 bytes 102
%ASA-6-305012: Teardown dynamic UDP translation from inside:nexus/54739 to outside:94.169.96.79/10560 duration 0:02:30
%ASA-4-411001: Line protocol on Interface outside, changed state to up
%ASA-7-609001: Built local-host identity:94.169.96.79
%ASA-7-609001: Built local-host outside:62.30.64.114
%ASA-6-302015: Built outbound UDP connection 3972 for outside:62.30.64.114/67 (62.30.64.114/67) to identity:94.169.96.79/68 (94.169.96.79/68)
%ASA-4-411003: Interface Ethernet0/0, changed state to administratively up
%ASA-5-111008: User 'enable_15' executed the 'no shutdown' command.
%ASA-4-411001: Line protocol on Interface Ethernet0/0, changed state to up
%ASA-7-609001: Built local-host outside:78.129.239.48
%ASA-6-302015: Built outbound UDP connection 3973 for outside:78.129.239.48/9987 (78.129.239.48/9987) to inside:nexus/54162 (94.169.96.79/45470)
%ASA-6-302016: Teardown UDP connection 3930 for outside:194.168.4.100/53 to inside:nexus/58588 duration 0:02:08 bytes 148
%ASA-6-302016: Teardown UDP connection 3931 for outside:194.168.8.100/53 to inside:nexus/58588 duration 0:02:07 bytes 111
%ASA-6-305012: Teardown dynamic UDP translation from inside:scion/59395 to outside:94.169.96.79/34138 duration 0:02:30
%ASA-6-305011: Built dynamic UDP translation from inside:nexus/51665 to outside:94.169.96.79/53394
%ASA-6-302015: Built outbound UDP connection 3974 for outside:80.190.225.139/17385 (80.190.225.139/17385) to inside:nexus/51665 (94.169.96.79/53394)
%ASA-7-710005: UDP request discarded from 70.42.62.85/5062 to outside:94.169.96.79/14070
diva(config-if)# no debug arp
debug arp  disabled.

Note how it just keeps repeating the same two lines, requesting from the next hop gateway (94.169.96.1) but never succeeds. When I shutdown the outside interface and bring it back up, it gets a response immediately.