topic Packet Inspection Blocking? in Network Security

Packet Inspection Blocking?

KGrev — Fri, 02 Jun 2023 18:41:52 GMT

Hi,

Im using an ASA5585.

If I have a PC_B outside the asa and PC_A inside the asa, PC_A can ping PC_B. If I disconnect PC_B from its connection, PC_A will begin to have incomplete pings to PC_B. This is normal. However if I reconnect PC_B to the network the pings from PC_A will continue to fail. If I log into the ASA and use "clear conn address <PC_B ip>" the pings become successful.

Some sort of statefull thing/inspection/timeout may be happening but i'm unsure how to figure out whats going on.

I did increase the timeout of icmp to 1minute as a test but that didn't change anything.

Here is a chunk from my config if it helps.

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect esmtp _default_esmtp_map
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect ip-options _default_ip_options_map
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect icmp error
class class-default
set connection timeout idle 1:00:00 embryonic 0:00:30 half-closed 0:10:00
idle 1:00:00
DCD: disabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
set connection decrement-ttl
user-statistics accounting

!
!
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:01:00

Any advice is greatly appreciated.

Re: Packet Inspection Blocking?

Flavio Miranda — Fri, 02 Jun 2023 18:48:44 GMT

As a test purpose, can try to add a static NAT ?

arp outside <IP PC B> <Mac address PC B>

Re: Packet Inspection Blocking?

KGrev — Fri, 02 Jun 2023 19:01:00 GMT

@Flavio MirandaThanks for your response.

I added the command but with the static nat entry to pings are still blocked after the disconnect period ends.

Re: Packet Inspection Blocking?

MHM Cisco World — Fri, 02 Jun 2023 19:04:57 GMT

set connection timeout idle 1:00:00<<- this not normal timeout' this and idle did you change the these defualt value?

Re: Packet Inspection Blocking?

KGrev — Fri, 02 Jun 2023 19:11:44 GMT

@MHM Cisco WorldThanks for your response. I don't believe I changed that. What is the default?

Re: Packet Inspection Blocking?

MHM Cisco World — Sun, 04 Jun 2023 08:13:35 GMT

timeout conn hh:mm:ss —The idle time after which a connection closes, between 0:5:0 and 1193:0:0. The default is 1 hour (1:0:0).
timeout icmp hh:mm:ss —The idle time for ICMP, between 0:0:2 and 1193:0:0. The default is 2 seconds (0:0:2).
timeout icmp-error hh:mm:ss —The idle time before the ASA removes an ICMP connection after receiving an ICMP echo-reply packet, between 0:0:0 and 0:1:0 or the timeout icmp value, whichever is lower. The default is 0 (disabled). When this timeout is disabled, and you enable ICMP inspection, then the ASA removes the ICMP connection as soon as an echo-reply is received; thus any ICMP errors that are generated for the (now closed) connection are dropped. This timeout delays the removal of ICMP connections so you can receive important ICMP errors.

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:01:00

this what I talking about keep it default if not solve your issue then
share the NAT config