Cisco Small Business ISA500 Series Security Appliances Administration Guide (HTML) - Troubleshooting [Cisco Small Business ISA500 Series Integrated Security Appliances]

Table Of Contents

Troubleshooting

Internet Connection

Date and Time

Pinging to Test LAN Connectivity

Testing the LAN Path from Your PC to Your Security Appliance

Testing the LAN Path from Your PC to a Remote Device

Troubleshooting

This chapter describes how to fix some common issues that you may encounter when using the security appliance. It includes the following sections:

•Internet Connection

•Date and Time

•Pinging to Test LAN Connectivity

Internet Connection

Symptom: You cannot access the Configuration Utility from a PC on your LAN.
Recommended Actions:

STEP 1 Check the Ethernet connection between the PC and the security appliance.

STEP 2 Ensure that the IP address of your PC is on the same subnet as the security appliance. If you are using the recommended addressing scheme, your PC's address should be in the range 192.168.75.100 to 192.168.75.200.

STEP 3 Check the IP address of your PC. If the PC cannot reach a DHCP server, some versions of Windows and MacOS generate and assign an IP address. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the security appliance and reboot your PC.

STEP 4 If your IP address has changed and you don't know what it is, reset the security appliance to the factory default settings.

If you do not want to reset to factory-default settings and lose your configuration, reboot the security appliance and use a packet sniffer (such as Ethereal™) to capture packets sent during the reboot. Look at the ARP packets to locate the LAN interface address.

STEP 5 Launch your web browser and ensure that Java, JavaScript, or ActiveX is enabled. If you are using Internet Explorer, click Refresh to ensure that the Java applet is loaded. Close the browser and launch it again.

STEP 6 Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information.

Symptom: The security appliance does not save my configuration changes.
Recommended Actions:

STEP 1 When entering configuration settings, click OK or Save before moving to another page or tab; otherwise your changes are lost.

STEP 2 Click Refresh or Reload in the browser, which will clear a cached copy of the old configuration.

Symptom: The security appliance cannot access the Internet.
Possible Cause: If you use dynamic IP addresses, your security appliance is not requesting an IP address from the ISP.
Recommended Actions:

STEP 1 Launch your browser and determine if you can connect to an external site such as www.cisco.com.

STEP 2 Launch the Configuration Utility and login.

STEP 3 Click Status > Dashboard.

STEP 4 In the WAN Interface(s) area, find the WAN1 Address. If 0.0.0.0 is shown, your security appliance has not obtained an IP address from your ISP. See the next symptom.

Symptom: The security appliance cannot obtain an IP address from the ISP.
Recommended Actions:

STEP 1 Turn off power to the cable or DSL modem.

STEP 2 Power off the security appliance.

STEP 3 Then reapply power to the cable or DSL modem.

STEP 4 When the modem lights indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom.

Symptom: The security appliance still cannot obtain an IP address from the ISP.
Recommended Actions:

STEP 1 Click Networking > WAN > WAN Settings.

STEP 2 Click the Edit (pencil) icon to configure the primary WAN port.

The WAN - Add/Edit window opens.

STEP 3 Ask your ISP the following questions:

•What type of network addressing mode is required for your Internet connection? In the IPv4 tab, choose the correct ISP connection type in the IP Address Assignment drop-down list, and then enter the account information as specified by the ISP.

•Is your ISP expecting you to login from a particular Ethernet MAC address? If yes, in the IPv4 tab, choose Use the following MAC address from the MAC Address Source drop-down list, and then enter the required MAC address in the MAC Address field.

Symptom: The security appliance can obtain an IP address, but PC is unable to load Internet pages.
Recommended Actions:

STEP 1 Ask your ISP for the addresses of its designated DNS servers. Configure your PC to recognize those addresses. For details, see your operating system documentation.

STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway.

Date and Time

Symptom: Date shown is January 1, 2000.
Possible Cause: The security appliance has not yet successfully reached a Network Time Server (NTS).
Recommended Actions:

STEP 1 If you have just configured the security appliance, click Device Management > Date and Time.

STEP 2 Review the settings for the date and time.

STEP 3 Verify your Internet access settings.

Symptom: The time is off by one hour.
Possible Cause: The security appliance does not automatically adjust for Daylight Savings Time.
Recommended Actions:

STEP 1 Click Device Management > Date and Time.

STEP 2 Enable the Daylight Saving Time Adjustment feature.

STEP 3 Click Save to apply your settings.

Pinging to Test LAN Connectivity

The security appliance and most TCP/IP terminal devices contain a ping utility that sends an ICMP echo-request packet to the designated device. The device responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your PC or workstation.

This section includes the following topics:

•Testing the LAN Path from Your PC to Your Security Appliance

•Testing the LAN Path from Your PC to a Remote Device

Testing the LAN Path from Your PC to Your Security Appliance

STEP 1 On your PC, click the Windows Start button, and then click Run.

STEP 2 Type ping <IP_address> where <IP_address> is the IP address of the security appliance. Example: ping 192.168.75.1.

STEP 3 Click OK.

STEP 4 Observe the display:

•If the path is working, you see this message sequence:
Pinging <IP address> with 32 bytes of data Reply from <IP address>: bytes=32 time=NN ms TTL=xxx

•If the path is not working, you see this message sequence:
Pinging <IP address> with 32 bytes of data Request timed out

•If the path is not working, check the physical connections between the PC and the security appliance. If the LAN port light is off, verify that the corresponding link lights are lit for your network interface card and for any hub ports that are connected to your workstation and security appliance.

•If the path is still not up, test the network configuration.

–Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC.

–Verify that the IP addresses for the security appliance and PC are correct and on the same subnet.

Testing the LAN Path from Your PC to a Remote Device

STEP 1 On your PC, click the Windows Start button, and then click Run.

STEP 2 Type ping -n 10 <IP_address> where -n 10 specifies a maximum of 10 tries and <IP address> is the IP address of a remote device such as your ISP's DNS server. Example: ping -n 10 10.1.1.1.

STEP 3 Click OK and then observe the display (see the previous procedure).

STEP 4 If the path is not working, perform the following tasks:

•Check that the PC has the IP address of your security appliance is listed as the default gateway. (If the IP configuration of your PC is assigned by DHCP, this information is not visible in your PC's Network Control Panel.)

•Verify that the network (subnet) address of your PC is different from the network address of the remote device.

•Verify that the cable or DSL modem is connected and functioning.

•Call your ISP and go through the questions listed in The security appliance cannot obtain an IP address from the ISP.

•Ask your ISP if it rejects the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by allowing traffic from the MAC address of only your broadband modem. Some ISPs additionally restrict access to the MAC address of just a single PC connected to that modem. If this is the case, configure your security appliance to clone or spoof the MAC address from the authorized PC. See Configuring WAN Settings for Your Internet Connection, page 122.

	Cisco Small Business ISA500 Series Security Appliances Administration Guide (HTML)
	Troubleshooting
Cisco Small Business ISA500 Series Security Appliances Administration Guide (HTML) Getting Started Configuration Wizards Status Networking Wireless Firewall Security Services VPN Users Device Management Troubleshooting Specifications Factory Default Settings Where to Go from Here	Download this chapter Troubleshooting Download the complete book Cisco ISA500 Series Security Appliances Administration Guide (PDF - 4 MB) Feedback Table Of Contents Troubleshooting Internet Connection Date and Time Pinging to Test LAN Connectivity Testing the LAN Path from Your PC to Your Security Appliance Testing the LAN Path from Your PC to a Remote Device Troubleshooting This chapter describes how to fix some common issues that you may encounter when using the security appliance. It includes the following sections: •Internet Connection •Date and Time •Pinging to Test LAN Connectivity Internet Connection Symptom: You cannot access the Configuration Utility from a PC on your LAN. Recommended Actions: STEP 1 Check the Ethernet connection between the PC and the security appliance. STEP 2 Ensure that the IP address of your PC is on the same subnet as the security appliance. If you are using the recommended addressing scheme, your PC's address should be in the range 192.168.75.100 to 192.168.75.200. STEP 3 Check the IP address of your PC. If the PC cannot reach a DHCP server, some versions of Windows and MacOS generate and assign an IP address. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the security appliance and reboot your PC. STEP 4 If your IP address has changed and you don't know what it is, reset the security appliance to the factory default settings. If you do not want to reset to factory-default settings and lose your configuration, reboot the security appliance and use a packet sniffer (such as Ethereal™) to capture packets sent during the reboot. Look at the ARP packets to locate the LAN interface address. STEP 5 Launch your web browser and ensure that Java, JavaScript, or ActiveX is enabled. If you are using Internet Explorer, click Refresh to ensure that the Java applet is loaded. Close the browser and launch it again. STEP 6 Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information. Symptom: The security appliance does not save my configuration changes. Recommended Actions: STEP 1 When entering configuration settings, click OK or Save before moving to another page or tab; otherwise your changes are lost. STEP 2 Click Refresh or Reload in the browser, which will clear a cached copy of the old configuration. Symptom: The security appliance cannot access the Internet. Possible Cause: If you use dynamic IP addresses, your security appliance is not requesting an IP address from the ISP. Recommended Actions: STEP 1 Launch your browser and determine if you can connect to an external site such as www.cisco.com. STEP 2 Launch the Configuration Utility and login. STEP 3 Click Status > Dashboard. STEP 4 In the WAN Interface(s) area, find the WAN1 Address. If 0.0.0.0 is shown, your security appliance has not obtained an IP address from your ISP. See the next symptom. Symptom: The security appliance cannot obtain an IP address from the ISP. Recommended Actions: STEP 1 Turn off power to the cable or DSL modem. STEP 2 Power off the security appliance. STEP 3 Then reapply power to the cable or DSL modem. STEP 4 When the modem lights indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom. Symptom: The security appliance still cannot obtain an IP address from the ISP. Recommended Actions: STEP 1 Click Networking > WAN > WAN Settings. STEP 2 Click the Edit (pencil) icon to configure the primary WAN port. The WAN - Add/Edit window opens. STEP 3 Ask your ISP the following questions: •What type of network addressing mode is required for your Internet connection? In the IPv4 tab, choose the correct ISP connection type in the IP Address Assignment drop-down list, and then enter the account information as specified by the ISP. •Is your ISP expecting you to login from a particular Ethernet MAC address? If yes, in the IPv4 tab, choose Use the following MAC address from the MAC Address Source drop-down list, and then enter the required MAC address in the MAC Address field. Symptom: The security appliance can obtain an IP address, but PC is unable to load Internet pages. Recommended Actions: STEP 1 Ask your ISP for the addresses of its designated DNS servers. Configure your PC to recognize those addresses. For details, see your operating system documentation. STEP 2 On your PC, configure the security appliance to be its TCP/IP gateway. Date and Time Symptom: Date shown is January 1, 2000. Possible Cause: The security appliance has not yet successfully reached a Network Time Server (NTS). Recommended Actions: STEP 1 If you have just configured the security appliance, click Device Management > Date and Time. STEP 2 Review the settings for the date and time. STEP 3 Verify your Internet access settings. Symptom: The time is off by one hour. Possible Cause: The security appliance does not automatically adjust for Daylight Savings Time. Recommended Actions: STEP 1 Click Device Management > Date and Time. STEP 2 Enable the Daylight Saving Time Adjustment feature. STEP 3 Click Save to apply your settings. Pinging to Test LAN Connectivity The security appliance and most TCP/IP terminal devices contain a ping utility that sends an ICMP echo-request packet to the designated device. The device responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your PC or workstation. This section includes the following topics: •Testing the LAN Path from Your PC to Your Security Appliance •Testing the LAN Path from Your PC to a Remote Device Testing the LAN Path from Your PC to Your Security Appliance STEP 1 On your PC, click the Windows Start button, and then click Run. STEP 2 Type ping <IP_address> where <IP_address> is the IP address of the security appliance. Example: ping 192.168.75.1. STEP 3 Click OK. STEP 4 Observe the display: •If the path is working, you see this message sequence: `Pinging <IP address> with 32 bytes of data Reply from <IP address>: bytes=32 time=NN ms TTL=xxx` •If the path is not working, you see this message sequence: `Pinging <IP address> with 32 bytes of data Request timed out` •If the path is not working, check the physical connections between the PC and the security appliance. If the LAN port light is off, verify that the corresponding link lights are lit for your network interface card and for any hub ports that are connected to your workstation and security appliance. •If the path is still not up, test the network configuration. –Verify that the Ethernet card driver software and TCP/IP software are installed and configured on the PC. –Verify that the IP addresses for the security appliance and PC are correct and on the same subnet. Testing the LAN Path from Your PC to a Remote Device STEP 1 On your PC, click the Windows Start button, and then click Run. STEP 2 Type ping -n 10 <IP_address> where -n 10 specifies a maximum of 10 tries and <IP address> is the IP address of a remote device such as your ISP's DNS server. Example: ping -n 10 10.1.1.1. STEP 3 Click OK and then observe the display (see the previous procedure). STEP 4 If the path is not working, perform the following tasks: •Check that the PC has the IP address of your security appliance is listed as the default gateway. (If the IP configuration of your PC is assigned by DHCP, this information is not visible in your PC's Network Control Panel.) •Verify that the network (subnet) address of your PC is different from the network address of the remote device. •Verify that the cable or DSL modem is connected and functioning. •Call your ISP and go through the questions listed in The security appliance cannot obtain an IP address from the ISP. •Ask your ISP if it rejects the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by allowing traffic from the MAC address of only your broadband modem. Some ISPs additionally restrict access to the MAC address of just a single PC connected to that modem. If this is the case, configure your security appliance to clone or spoof the MAC address from the authorized PC. See Configuring WAN Settings for Your Internet Connection, page 122.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks