DSL reliability

[jdlessley]

One thought I've had as I've been looking around the stake is that the modem and firewall were never plugged into a surge protector just straight in the wall. Can power surges cause grief with the internet connection?

Most certainly. There are other power grid conditions that wreck havac with modems, routers, and other electronic equipment. There can be momentary power interruptions and momentary brown outs (under power). We experience those on our commercial power grid for the stake center. This caused both modem problems and Cisco PIX 501 problems. We installed an uninterruptible power supply/surge protector (APC UPS for around $60) to remove those issues. However after years of unprotected operations I think the PIX has been damaged. (That's another story for another thread) If you do not have power losses or brown outs then just a surge proctector will suffice. But if you suspect power losses (it's the short ones, less than a couple of seconds, that cause most of the problems) or brown outs then an uninterruptible power supply would be better.

[jdlessley]

I've been getting reports that the internet goes down regularly. My question is: Does this sound like a modem - reliablity issue or is this a firewall issue?

The next time your internet goes down and before any corrective measures are taken, check the LED status lights on the modem and the PIX. The modem Internet light should be on and steady. If it is not then something has caused the modem to lose the internet connection. Power surges, a momentary power loss, as well as a momentary brown out can cause this. Long duration, greater than 3 to 5 seconds, full outages will be corrected by the modem when it goes through a full power up after electrical power is restored. Power surges, short outages or brown outs may not cause the modem to reset but remain in a partial failure mode.

The other part of the problem is the PIX in the same conditions of power surges, short power interruptions, or brown outs. So when you check the LED lights on the modem also check the LED lights on the PIX. The one light that will give you a quick clue that the PIX is only partially functioning is the VPN Tunnel light. If it is out then the PIX needs to be reset. You can also check the other PIX LEDs to determine status.

If the PIX appears to be functioning by the correct LED lights being on, then try pinging the modem from a computer hard wired to the network. Alternatively try accessing the modem through its web browser interface. If you know the IP address of the modem enter that in the address bar of the browser. Some modems use an IP address of 192.168.0.1. If you cannot access the modem when the modem is on then the most likely difficulty is that the PIX is in partial failure from a power problem.

If the modem Internet light is out and the PIX VPN Tunnel light is out then a very good suspect is a power issue that caused partial failures of both the PIX and the modem.

[danpass]

...check the LED lights on the PIX. The one light that will give you a quick clue that the PIX is only partially functioning is the VPN Tunnel light. If it is out then the PIX needs to be reset.

Not only should the VPN light be on, but also should be green. Occasionally, when I investigate connectivity problems to the Internet, I have found the VPN light on, but amber rather than green. I've never bothered to research what the amber color indicates, but I do know that unless it is green, we do not have full connectivity.

[aebrown]

Not only should the VPN light be on, but also should be green. Occasionally, when I investigate connectivity problems to the Internet, I have found the VPN light on, but amber rather than green. I've never bothered to research what the amber color indicates, but I do know that unless it is green, we do not have full connectivity.

That's a good hint for the ASA Firewall. However, this thread was talking about a PIX firewall, and amber isn't an option for its VPN light.

The ASA Firewall's VPN light can be green or amber. It has three states:

• Solid Green: The VPN tunnel is established.
• Flashing Green:The system is initiating the VPN tunnel.
• Solid Amber: The tunnel failed to initiate.

But the PIX 501 (and I would guess the PIX 505 is the same) only has a green VPN Tunnel light:

• Green: One or more VPN Tunnels are active.
• Off: No VPN Tunnels are active.

[Mikerowaved]

Greetings dkcook2,

I know you're getting a lot of help from a lot of sources, so I hope this isn't overwhelming you. I noticed this last question in your original post was never answered...

How does the name server work?

HERE is a pretty good explanation. If you are told by CHQ (or someone else) it might be a nameserver issue, here's a real simple test that's much simpler than trying to use NSLookup. Both commands below are executed from a command prompt (START --> RUN --> CMD).

1. Type ping yahoo.com - Within about 5 seconds, all 4 packets sent should get a positive reply. If so, you have a good connection to the Internet with a healthy nameserver. If not, try #2.
2. Type ping 206.190.60.37 - (This is the public IP address of yahoo.com, so we just bypassed the nameserver.) If you get a good reply this time, then you are connected to the Internet, however, your ISP's nameserver was indeed misbehaving in step #1.

Some ISP's are more prone to having nameserver issues than others. I've certainly seen my share of these problems, but fortunately not for quite a few years.

Oh, and you might want to print this out and keep it somewhere. (Or cut 'n paste it to a text file.) Trying to remember an IP address when the Internet is down can be a little rough.

[dkcook2-p40]

This is great feedback and very helpful. I will print out this feedback and use it all the next time the internet goes down in this buidling. I'm learning a lot.

The lights on the firewall and modem sound like a great source of troubleshooting where the main cause is.

I will also use the ping command sequence instead of nslookup.

I had one follow up question on the name server. Mike mentioned that some ISPs are prone to name server problems. Does that mean the name server is something that the ISP controls? or is it something that is controlled by the firewall router, modem, or a local computer? Sorry for my ignorance on this.

Thanks again for your help you guys are great.

[rmrichesjr]

This is great feedback and very helpful. I will print out this feedback and use it all the next time the internet goes down in this buidling. I'm learning a lot.

The lights on the firewall and modem sound like a great source of troubleshooting where the main cause is.

I will also use the ping command sequence instead of nslookup.

I had one follow up question on the name server. Mike mentioned that some ISPs are prone to name server problems. Does that mean the name server is something that the ISP controls? or is it something that is controlled by the firewall router, modem, or a local computer? Sorry for my ignorance on this.

Thanks again for your help you guys are great.

I don't know how the Church's meetinghouse internet setup handles this, but in other domains, the choice of DNS servers can be done at the local computer, the firewall/router, or the ISP. Most residential internet setups have the ISP control DNS settings, usually via DHCP. However, my ISP supplies instructions to override the ISP-supplied settings by manually setting things on the router. My Linux machines have their own DNS settings to reduce risk of DNS poisoning if the router were to be cracked.

[jdlessley]

I had one follow up question on the name server. Mike mentioned that some ISPs are prone to name server problems. Does that mean the name server is something that the ISP controls?

Yes.

Another thing. I made an assumption when reading post number 15 of this thread. I assumed that you made a typo when you said you had a PIX 505 modem. I assumed you meant the Cisco PIX 501 security appliance and proceded on with that assumption. While my comments are valid for the Cisco PIX 501, I cannot verify applicability to the Cisco ASA 5505 for which you may have been referring since I have no experience with that device. I could not find a PIX 505 modem doing a Google search nor a PIX 505 router or security appliance. Could you verify what you meant by a PIX 505 modem?

[Mikerowaved]

I had one follow up question on the name server. Mike mentioned that some ISPs are prone to name server problems. Does that mean the name server is something that the ISP controls? or is it something that is controlled by the firewall router, modem, or a local computer? Sorry for my ignorance on this.

No problem. Yes, the nameservers we are dealing with are generally under the control of the ISP.

[jdlessley]

dkcook2,
I made an assumption when reading post number 15 of this thread. I assumed that you made a typo when you said you had a PIX 505 modem. I assumed you meant the Cisco PIX 501 security appliance and proceded on with that assumption. While my comments are valid for the Cisco PIX 501, I cannot verify applicability to the Cisco ASA 5505 for which you may have been referring since I have no experience with that device. I could not find a PIX 505 modem doing a Google search nor a PIX 505 router or security appliance. Could you verify what you meant by a PIX 505 modem?