topic Re: ASA Session setup through wrong interface, session stays there in Network Security

ASA Session setup through wrong interface, session stays there

Jan — Tue, 12 Mar 2019 04:52:19 GMT

When an interface gets down Sessions are setup using default route, and never time out, nor get invalidated, when the interface comes back up.

Hi, I had this happen to me

Jouni Forss — Tue, 07 Oct 2014 08:14:19 GMT

Hi,

I had this happen to me some weeks ago when a colleague was replacing some IPS devices connected to a customer ASA firewall.

I would say that the situation is just as you describe. It certainly was in our case. As the physical interface is down the specific route is removed and the default route is used. This in turn builds the xlate which then continues to forward the traffic wrong even though the physical interface has come up. I guess this really only affects UDP traffic as TCP connections would have to be formed again and again if they didnt go through. In our case the customer had problem with the connections from their WLC.

I am not really sure what could be done to correct this. I am wondering if a NAT configuration between INSIDE and TRANSFER would do the trick or would this just be ignored if either of the interfaces were down? If the NAT configuration was matched (even if the traffic is dropped) even though the other interface is down then I guess this should prevent traffic from getting forwarded to external networks.

So maybe a Static Identity NAT from INSIDE to TRANSFER where you essentially configure NAT for the source LAN subnets and NAT them to themselves. This should force traffic coming from TRANSFER towards the LAN subnets to always follow the NAT configurations rather than the routing table.

As I said, I am not sure if the NAT configuration would be ignored if the other interface is down.

- Jouni

EDIT: Typos

Re: ASA Session setup through wrong interface, session stays there

AFL_CCO_TECH — Wed, 17 May 2023 13:14:26 GMT

This may be related to the "timeout floating-conn" setting which now defaults to infinity / 0:00:00 - There is a documentation bug noted under https://bst.cisco.com/bugsearch/bug/CSCtn72626

Changing the timeout floating-conn to something other than a non-zero setting may resolve the concern and allow connections to be rebuilt on the proper interface as dictated by the routing table.

Re: ASA Session setup through wrong interface, session stays there

oliver-bernal — Tue, 10 Dec 2024 14:22:18 GMT

Thanks @AFL_CCO_TECH I have been looking for this solution for several weeks now.