topic Re: ASA 5510, routing issue. in Network Security

ASA 5510, routing issue.

AyoubC — Wed, 13 May 2020 03:42:15 GMT

Hello Folks,

reaching out to you for some help,

I have a simple setup in my 5510 , 2 interfaces: first one for OUTSIDE and second one for Inside with multiple sub-interfaces (vlans) :

- all subinterface on the same security level,

- same-security-traffic permit inter-interface "enabled",

the issue that i'm facing, is a host in a new subinterface (vlan333 / host ip 172.16.210.19) can't reach another host in another subinterface (vlan30 / host ip 10.10.30.10)

see configuration attached the running config and below a screenshot from ASDM logging

Those things make me confused:

- i can ping 10.10.30.10 from other hosts in another subinterface

- if I disable ICMP inspection (from service policy rule) then I can see successful ping but TCP / UDP failed,

- in the capture above, I can't understand why "via-subnet2:172.16.210.19" however 172.16.210.19 belong to via-subnet1 interface (see running-config)

Waiting for your valuable ideas!!!

thanks

Re: ASA 5510, routing issue.

Marius Gunnerud — Wed, 13 May 2020 13:01:01 GMT

Is there any routing on the switch connected to the ASA? Looks like there is asynchronous routing possibly.

Re: ASA 5510, routing issue.

AyoubC — Wed, 13 May 2020 16:37:11 GMT

Thanks for your reply,

there is no routing in the core switch where ASA is plugged.

the network is very small and simple, multiple access switches are connected to the core switch, and uplink with different VLAN to the ASA inside (ASA is playing the role of the router on a stick) and ASA natting traffic to internet via the OUTSIDE interface,

Any other ideas based on what i shared?

Re: ASA 5510, routing issue.

Marius Gunnerud — Wed, 13 May 2020 17:26:48 GMT

Which other subinterface works? I am a little uncertain how another subinterface will work. You need to configure hairpining by using the command same-security-traffic permit intra-interface to allow ingress and egress of the same traffic flow on the same interface (traffic entering and exiting on the same interface). I suggest adding this command and then test again.

Re: ASA 5510, routing issue.

Marius Gunnerud — Wed, 13 May 2020 17:31:02 GMT

Also, just an observation, if this is a production network I suggest removing or at the very least specify more specific addresses for your http and ssh configuration on the outside interface.

ssh 0.0.0.0 0.0.0.0 OUTSIDE

http 0.0.0.0 0.0.0.0 OUTSIDE

Re: ASA 5510, routing issue.

Marvin Rhoads — Wed, 13 May 2020 17:41:28 GMT

It looks a lot like asymmetric routing - traffic goes out one way and tries to go back another.

Does the core switch where the multiple VLANs are configured have any SVIs in those VLANs at all? Even without ip routing configured, a connected interface will affect traffic flow.

Re: ASA 5510, routing issue.

AyoubC — Wed, 13 May 2020 18:12:01 GMT

Hello @Marius Gunnerud ,

security-traffic permit intra-interface is enabled,

I enabled ssh and https from anywhere just to troubleshoot this issue, i'll ABSOLUTELLY restrict access shortly

Regards,

thanks.

Re: ASA 5510, routing issue.

Marius Gunnerud — Wed, 13 May 2020 18:21:18 GMT

in the configuration you posted the same-security-traffic permit intra-interface command is missing. I only see the same-security-traffic permit inter-interface command.

Re: ASA 5510, routing issue.

AyoubC — Thu, 14 May 2020 00:04:50 GMT

Hello Marvin,

your approach looks good, yes I have SVIs in core switch I tried to verify one more time everything, run Wireshark in all ends but results are weird,

for instance look at this capture from ASA,

the crazy thing here is, "Routing failed to locate next hop for TCP fromvms:10.10.30.10 to Aruba-MCs:172.16.210.20"

one thing i can't understand, Aruba-MCs:172.16.210.20, Aruba-MCs is the subinterface for 10.10.62.0/24 (refer to run config). how can we explain that? any idea?

Re: ASA 5510, routing issue.

Marius Gunnerud — Thu, 14 May 2020 08:30:47 GMT

I specifically asked if there was routing on the switch and you said "no", and now you are saying there is? Adding IP to SVIs on a layer 3 switch enables routing between the SVIs unless they are placed in their own VRF (routing instance). If you set the default gateway on the end devices to the ASA instead of the switch you will get asynchronous routing which you are now seeing. This is where the end device in VLAN 333 sends traffic destined for VLAN 30 to the ASA, the ASA sends this traffic to VLAN 30, but the endpoint in VLAN 30 sends the traffic directly to the end point in VLAN 333. And then the process continues. The ASA drops the next traffic flow indicating "no connection" as it did not see the return traffic from VLAN 30.

You need to set the default gateway to the switch SVI IP or remove the SVI IP for one or both of the VLANs and make sure that the correct default gateway is set on the endpoints.

The error you are getting for routing and the drop error is because you do not have the same-security-traffic permit intra-interface command (or at least it was not present in the configuration you posted earlier).

Re: ASA 5510, routing issue.

AyoubC — Thu, 14 May 2020 14:30:53 GMT

Hello Marius,
totally missed that routing may happen in Core switch with SVIs. when you asked I was only thinking about static routes,
any way, i deleted all necessary vlan sub-interfaces from core switch, i have now only vlan to trunk traffic to ASA inside uplink, and I'm still getting same errors, I don't know what's wrong even the network is so simple,
but do you think my previous question
Aruba-MCs:172.16.210.20, Aruba-MCs is the subinterface for 10.10.62.0/24 (refer to run config). how can we explain that? any idea?

Re: ASA 5510, routing issue.

Marius Gunnerud — Thu, 14 May 2020 16:24:10 GMT

if you issue the command show run | in same-security-traffic on the ASA do you see entries for both inter-interface as well as intra-interface?

in the initial configuration you posted for the ASA I only saw an entry for inter-interface.

I suggest adding the command same-security-traffic permit intra-interface and then check connectivity. If it still doesn't work please post a fresh configuration of the ASA as well as the core switch (remember to remove any public IPs, usernames and passwords). Also please indicate which interface is connected to the ASA.

Screenshot from the configuration file you posted.

Re: ASA 5510, routing issue.

AyoubC — Fri, 15 May 2020 02:01:50 GMT

I can see both inter/intra see attached run config

I added also run config of core switch (it's an Aruba s1500) looks similar to cisco switch,

coreswitch (port ge/0/0/11) --> connect to --> ASA (port 0/1)

Re: ASA 5510, routing issue.

AyoubC — Fri, 15 May 2020 02:09:02 GMT

Hello Marius/marvin,
I was able to sort out the issue,
the issue was on vlan 333 it self, I found that the host in vlan 333 is using aruba WLC as a default gateway and thus when traffic is getting forwarded to ASA for routing to vlan 30 we see: Routing failed to locate next hop for TCP from vms:10.10.30.10 to Aruba-MCs:172.16.210.20, while Aruba-MCs is sub-interface for 10.10.62.0/24 and 172.16.210.20 belongs to VLAN network30

any way, thank you for your recomendations (SVIs, and Intra-interfaces routing) Appriciate,