Page 1 of 2
Issue with Cisco ASA 5505 VPN going down overnight
Posted: Tue Sep 09, 2008 10:09 pm
We just recently received authorization to install a Cisco ASA 5505 and our installation schematic is attached here as a PDF. We contacted the technical support and had them bring us online with the "extended access". For the past few weeks the VPN connection goes down sometime overnight. It works at least for a few hours after "fixing" it (power-cycle) but the VPN light will either go to orange or will be blank sometime overnight - exactly when, I do not know since I'm not there the whole time
I have not been able to resolve this with Church tech support and I have tried a number of things like swapping out the antiquated surge protector, swapping out the Cat5e cable b/w modem and router, not sharing the fax machine on the filtered DSL line, had the configuration re-scripted from tech support... I'm not sure what else to check.
Anyway, I'm about to send it back to get an exchange but I thought that I'd ask this forum just in case.
Posted: Tue Sep 09, 2008 10:22 pm
Welcome to the forum, James. Sorry to hear about your troubles. We installed UPS's on all the modems/firewalls/switches and have only had one unexplained "glitch" that required a power cycle.
BTW, how is your DSL modem configured? Is it in "bridge" mode, or is the firewall, NAT, etc. still turned on?
Posted: Tue Sep 09, 2008 10:44 pm
jamesm76 wrote:Anyway, I'm about to send it back to get an exchange
Probably not a bad idea. Anything you can think of as far as environment? Perhaps the firewall is in too small a cabinet and overheats? Is there anything else in the building that might use the phone line over night such as an alarm system?
Do you know when you bring the firewall back up if you have the same public IP address?
Any way of testing the phone system itself? I've heard of people who've run into problems where their phone dies every night in cold weather. Something in the system isn't protected well enough. Although right now it's not cold. But .... Maybe a outside phone box is exposed to the sprinkler system? Stranger things have happened.
Posted: Tue Sep 09, 2008 10:57 pm
Hi Mike & Russell,
Thanks for the quick replies. One thing that I didn't mention in my original posting was that prior to the Cisco ASA 5505 we had a Netgear router and only connected the Family History Room (no MLS computers). I know that this is still "wrong" and I didn't want to focus on that so I omitted the detail on the original posting. But it is an important detail in knowing that the connection worked before and was stable for about a year and a half.
I do not have any DSL modem settings handy at the moment. But the status lights do look OK (all green). Also, it worked before with the Netgear router. And it does work with the Cisco 5505 until it goes down at some point overnight.
The alarm system interference is an interesting theory. I can look into that... I don't know of it being shared, but who knows?
The heat theory is also a good possibility. I have the DSL modem on top of the 5505 right now (although the modem is about 1/3 the size of the 5505). Both are under-mounted using a wire cabinet organization shelf (big 1" holes on the bottom and all sides). That said, the router is hot to the touch on the top where the modem sits. Perhaps I should try to relocate the DSL modem to allow heat dissipation on the top. To me it seems like the 5505 should be robust enough to handle something like that given the cost (!).
The phone wiring board is all in a communications room which is kept dry and temparate.
Posted: Wed Sep 10, 2008 3:08 am
Yeah, there were a few things in the details that sounded a little odd.
But I'd start by not stacking the equipment. As much cooling as you can get without resorting to fans would be a good idea. (I don't like fans - noise and dust.)
Posted: Wed Sep 10, 2008 8:22 am
OK, so I went into the Clerk's office this morning and as expected, the VPN was down (VPN light was off on the 5505). I relocated the DSL modem to a different area so that the top of the router would be unobstructed to allow better heat dissipation. I will check up on this over the next day or so and will post my findings here. If this experiment fails and unless someone else knows what is going on, I'm going to exchange the router. Thanks for the help so far...
Posted: Thu Sep 11, 2008 7:37 am
Maybe your DSL is providing you with dynamic IP address which in turn breaks it nightly? Just a guess... VPNs are more stable with static addresses.
Posted: Thu Sep 11, 2008 8:40 am
jamesm76 wrote:OK, so I went into the Clerk's office this morning and as expected, the VPN was down (VPN light was off on the 5505). I relocated the DSL modem to a different area so that the top of the router would be unobstructed to allow better heat dissipation. I will check up on this over the next day or so and will post my findings here. If this experiment fails and unless someone else knows what is going on, I'm going to exchange the router. Thanks for the help so far...
James, at this point it seems isolated to the router or the DSL service provider.
It may be a "Quality of Service" issue. To isolate this try testing the DSL service this way...
1. Go to http://www.mycooltools.com
2. Click on "MyVoipSpeed"
3. Click on the Virginia VOIP test location (it's the furthest from you; the only dot on the east coast.)
4. Now Click the "Click to start test" button
This will give you test results shortly. Snap a screen shot of this screen & the summary screen when it is complete. Next repeat the test with the closest server to you.
Do this a few times to get a better sampling. If there's a lot of variation then your DSL provider might have a flaky network node somewhere between your building and the provider.
Get the results to your DSL provider. The level 1 support people won't have a clue what this stuff means so you'll need to ask for advanced network support team.
Posted: Thu Sep 11, 2008 12:15 pm
Thanks Rictersmith and Daddy-o. I will look into both of your suggestions.
BTW, we are getting 1.5Mbps down from a server closest to us (B/W Sacramento and San Francisco - about 70 miles).
Our Stake Clerk (I'm the Tech Specialist) also worked with 2nd or 3rd level church support last night. There was an issue with the DNS settings which cuased NSLOOKUP issues (it was previously 192.168.0.1).
I will post my findings here in a day or so.
Netgear Seem to have Problems (with ASA)
Posted: Sat Sep 13, 2008 2:29 pm
I found that Netgear equipment I had installed require Static IP address to be set on PCs to get relible connections. Things seem run fine for a day or two and then would loss connections and would have to reset the Netgear equipment to get the connection going again. Have not had any problems since we set Static IPs on all equipment behind the Netgear equipment.