Question : Intermittent internet connectivity for PCs in small remote office

I have a small remote office……

Infrastructure:

(1) Cisco ASA 5505 on IOS version 8.3.1 – (192.168.2.1)
(1) HP Procurve 2610-24-PWR managed POE switch that provides connectivity to a ShoreTel VoIP phone system and has layer-3 routing capability to enable connectivity between the data and voice networks – (192.168.2.2 (data) / 192.168.4.1 (voice))
(2) HP Procurve 1800-24G Unmanaged Gigabit switches
(1) Windows 2003 Server that is a DC and performs internal DNS/DHCP functions (192.168.2.11)
(~ 10) Windows XP/7 clients (192.168.2.xx)

IP Configuration from DHCP:

IP Address – 192.168.2.xx
Subnet Mask – 255.255.255.0
Default Gateway – 192.168.2.2

Problem:

There is a most-frustrating network-related problem where, when a PC boots up for the first time, it receives an IP address from DHCP but cannot access the internet / WAN. It can ping around the local LAN by both hostname and IP address, but not beyond the firewall.

At first it was intermittent: a PC or two would experience this, and a reboot would usually clear it up. Then the problem started getting a little worse. The first thing I generally attempted beyond a reboot was changing the default gateway from the POE switch (192.168.2.2) to the firewall (192.168.2.1), thinking it was a problem with the POE switch. This worked the first couple of times it happened.

So, as a result, I ended up changing the DHCP options to configure network connections with the firewall as the default gateway. Then the problem would rear its ugly head a little more often, and this week it has gotten a lot worse.

On 4 separate PCs (all of which are 2 years old or less):
1) After constant reboots, changing default gateways back and forth, and applying a static IP, nothing worked until I reinstalled the NIC on a Windows 7 laptop and the internet started working.
2) On another Windows 7 machine, after a couple of reboots and changing default gateways, simply applying a static IP with the default gateway set to the firewall fixed the issue.
3) On a Windows XP machine, I used the popular WinsockXP reset utility to clean up the IP stack after reboots, default-gateway changes, static IP application with both gateways, etc.
4) I have (2) XP machines, a desktop and a laptop, that cannot connect to the internet at all no matter what I did.

For each problematic client machine except the first one, I was able to remote desktop into it from the site’s domain controller to do troubleshooting.

The caveat to this whole thing is that the DC has had no issues connecting to the internet whether it has a default gateway of the POE switch or the Firewall.

Machines that would work sometimes would intermittently start experiencing internet / WAN connectivity issues again.  I am 99.9% (really 100%) sure that the client-PCs are not the issue and there’s either a problem at the firewall or with the POE switch configuration.

Historically, from what I’ve been told, the firewall would occasionally need to be unplugged and plugged back in during office-wide internet issues about once a month.  Rebooting the firewall is what fixed the internet issues for that office today.

We just moved into a new office about 2 months ago – the firewall is the same, but the POE switch and the VoIP system were added.  Previously, all client default gateways pointed at the firewall.

So, given the troubleshooting I’ve done on the client PCs, to the point that there’s nothing pointing to issues on the machines, and considering the widespread issues network-wide, I’m still convinced there’s an issue at the firewall or with the POE switch configuration.

I have attached my firewall config and my POE switch config.  I am hopeful that someone can make some suggestions as to where to go next.
Firewall:


: Saved
:
ASA Version 8.3(1) 
!
hostname DC-ASA
domain-name intranet.ceadvisors.com
enable password encrypted
passwd encrypted
names
name 192.168.1.0 Marlboro-LAN
name 192.168.5.0 VPN-IPPool
name 192.168.2.0 DC-LAN
name 192.168.1.13 CEADC1
name 192.168.1.14 CEADC2
name xx.xxx.xxx.xxx Marlboro-Firewall
name 192.168.3.0 Marlboro-VoIP
name 192.168.4.0 DC-VoIP
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xxx.xx 255.255.255.0 
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.2.11
domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
object network DC-LAN 
 subnet 192.168.2.0 255.255.255.0
object network Marlboro-LAN 
 subnet 192.168.1.0 255.255.255.0
object network VPN-IPPool 
 subnet 192.168.5.0 255.255.255.0
object network Marlboro-VoIP 
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.2.2 
 host 192.168.2.2
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network DC-VoIP 
 subnet 192.168.4.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside_cryptomap extended permit ip object DC-LAN object Marlboro-LAN 
access-list outside_cryptomap extended permit ip object DC-VoIP object Marlboro-LAN 
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside-access-in extended permit icmp any any echo-reply 
access-list outside-access-in extended permit icmp any any time-exceeded 
access-list outside-access-in extended permit icmp any any unreachable 
access-list outside-access-in extended permit tcp any host 192.168.2.11 eq 3389 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static DC-LAN DC-LAN destination static Marlboro-LAN Marlboro-LAN
nat (inside,any) source static DC-LAN DC-LAN destination static VPN-IPPool VPN-IPPool
nat (inside,any) source static DC-LAN DC-LAN destination static Marlboro-VoIP Marlboro-VoIP
nat (inside,any) source static DC-VoIP DC-VoIP destination static Marlboro-LAN Marlboro-LAN
nat (inside,any) source static DC-VoIP DC-VoIP destination static VPN-IPPool VPN-IPPool
!
object network obj-192.168.2.2
 nat (inside,outside) static interface service tcp 3389 3389 
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.x 1
route inside DC-VoIP 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (inside) host CEADC1
 key *****
aaa-server CEADC2 protocol radius
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http VPN-IPPool 255.255.255.0 inside
http DC-LAN 255.255.255.0 inside
http Marlboro-LAN 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http Marlboro-Firewall 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer Marlboro-Firewall 
crypto map outside_map0 1 set transform-set THREEDES
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet DC-LAN 255.255.255.0 inside
telnet Marlboro-LAN 255.255.255.0 inside
telnet VPN-IPPool 255.255.255.0 inside
telnet Marlboro-Firewall 255.255.255.255 outside
telnet timeout 5
ssh Marlboro-LAN 255.255.255.0 inside
ssh DC-LAN 255.255.255.0 inside
ssh VPN-IPPool 255.255.255.255 inside
ssh Marlboro-Firewall 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 192.168.2.11
dhcpd domain intranet.ceadvisors.com
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username xxxxxx password xxxxxx encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server CEADC1 timeout 2 retry 2
tunnel-group xx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:596bb78897e1745641fd3a18be88e5ee
: end
asdm image disk0:/asdm-631.bin
asdm location Marlboro-VoIP 255.255.255.0 inside
no asdm history enable


POE Switch:

hostname "ConEnergyDCpoe"
time timezone -300
time daylight-time-rule Continental-US-and-Canada
sntp server 192.168.4.10
ip routing
timesync sntp
sntp unicast
snmp-server community "public" Unrestricted
vlan 1
   name "VoIP"
   untagged 2-28
   ip address 192.168.4.1 255.255.255.0
   no untagged 1
   exit
vlan 2
   name "PC LAN"
   untagged 1
   ip address 192.168.2.2 255.255.255.0
   exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1

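As an added example (not part of the original post or its answer), the following Python script audits the two configs above. It does two things a practitioner would want before touching the clients again: it walks the default path a 192.168.2.x client takes to the WAN and flags any hop where a device forwards the packet to a next hop on the client's own subnet (the switch's `ip route 0.0.0.0 0.0.0.0 192.168.2.1` does exactly that for VLAN 2, which is the situation in which a router normally issues ICMP redirects back to the host), and it lists the management-plane and IKE settings a security review of the posted text would raise: telnet enabled, ssh/http permitted from outside, 3DES with DH group 1, console logging at debugging level, and the switch's default SNMP community with unrestricted access. Assumptions: the config excerpts are trimmed copies of the posted text; the outside addresses masked as xx.xx in the post are replaced with 203.0.113.x documentation addresses; whether the ProCurve actually sends ICMP redirects depends on a setting the posted config does not show.

```python
"""Added example (not from the post): audit the two configs pasted above."""
import ipaddress
import re

# Constructed excerpts of the posted configs; xx.xx outside addresses -> 203.0.113.x.
ASA_CONFIG = """\
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 ip address 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
logging console debugging
telnet 192.168.2.0 255.255.255.0 inside
telnet 203.0.113.9 255.255.255.255 outside
ssh 203.0.113.9 255.255.255.255 outside
http 203.0.113.9 255.255.255.255 outside
crypto isakmp policy 1
 encryption 3des
 group 1
crypto isakmp policy 10
 encryption 3des
 group 2
"""
HP_CONFIG = """\
snmp-server community "public" Unrestricted
vlan 1
   ip address 192.168.4.1 255.255.255.0
vlan 2
   ip address 192.168.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.2.1
"""

def parse_interfaces(cfg):
    """Map each 'ip address A M' line to its network (192.168.2.2 -> 192.168.2.0/24)."""
    return {ip: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in re.findall(r"ip address (\S+) (\S+)", cfg)}

def default_next_hop(cfg):
    """(egress interface or None, next hop) of the 0.0.0.0/0 route; ASA or ProCurve syntax."""
    m = re.search(r"^(?:ip )?route (?:(\S+) )?0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)

def trace_wan_path(client_ip, dhcp_gateway, devices):
    """Follow default routes from the DHCP gateway until the next hop is not ours.
    'redirect' flags a hop whose next hop is on the client's own subnet: the packet
    goes back out the ingress VLAN and a router with ICMP redirects on says so."""
    client = ipaddress.ip_address(client_ip)
    tables = [(parse_interfaces(c), c) for c in devices]
    hops = [{"hop": dhcp_gateway, "via": "dhcp gateway", "redirect": False}]
    nh = dhcp_gateway
    for _ in range(len(devices)):  # bounded walk: each device is visited at most once
        owner = next(((ifs, c) for ifs, c in tables if nh in ifs), None)
        if owner is None:
            break  # next hop is not one of our devices: we have reached the WAN side
        ifs, cfg = owner
        egress, nxt = default_next_hop(cfg)
        if nxt is None:
            break
        same_segment = any(client in n and ipaddress.ip_address(nxt) in n for n in ifs.values())
        hops.append({"hop": nxt, "via": egress or "default route", "redirect": same_segment})
        nh = nxt
    return hops

def isakmp_policies(cfg):
    """{policy id: {attribute: value}} from the indented 'crypto isakmp policy N' blocks."""
    pols, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            cur = m.group(1)
            pols[cur] = {}
        elif cur and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            pols[cur][key] = value
        else:
            cur = None
    return pols

def audit(asa_cfg, hp_cfg):
    """Management-plane and IKE settings a security review of these configs would raise."""
    f = []
    for iface in re.findall(r"^telnet \S+ \S+ (\S+)$", asa_cfg, re.M):
        f.append(f"asa: telnet (cleartext) management permitted on {iface}")
    for proto, src in re.findall(r"^(ssh|http) (\S+) \S+ outside$", asa_cfg, re.M):
        f.append(f"asa: {proto} management reachable from outside ({src})")
    for pid, p in isakmp_policies(asa_cfg).items():
        if p.get("group") == "1":
            f.append(f"asa: isakmp policy {pid} uses DH group 1 (768-bit)")
        if p.get("encryption") == "3des":
            f.append(f"asa: isakmp policy {pid} uses 3DES")
    if re.search(r"^logging console debugging$", asa_cfg, re.M):
        f.append("asa: console logging at debugging level (CPU-expensive on a 5505)")
    m = re.search(r'^snmp-server community "(\S+)" (\S+)', hp_cfg, re.M)
    if m and m.group(1) in ("public", "private"):
        f.append(f"switch: default SNMP community '{m.group(1)}' with {m.group(2)} access")
    return f

if __name__ == "__main__":
    print(trace_wan_path("192.168.2.50", "192.168.2.2", [HP_CONFIG, ASA_CONFIG]))
    print(*audit(ASA_CONFIG, HP_CONFIG), sep="\n")
```

With the DHCP gateway set to 192.168.2.2, `trace_wan_path` returns three hops and flags the second one (switch to 192.168.2.1, both on the client's /24); with the gateway set to 192.168.2.1 it returns two unflagged hops, which matches the two configurations the post alternates between. On the audit side, the ASA only honours a `telnet ... outside` line inside an IPsec tunnel, so that finding is about configured intent rather than an open port; the inside-interface telnet line is a cleartext management path regardless, and the ISAKMP policy with DH group 1 should be removed rather than left as a fallback the peer can negotiate down to.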
Answer : Intermittent internet connectivity for PCs in small remote office

Sorry, In the current versions of MS Access, PivotChart Objects (Series, DataPoints) cannot respond to Events.

:-(

JeffCoachman