ASA 5580 local-host problem

Leo Liu — Tue, 12 Mar 2019 04:43:46 GMT

We have 2 border routers (7609-S) running BGP routing protocol with 3 different ISPs and are connecting to 2 ASA5580-40 firewalls (Active-standby mode).

A server X on Interent is connecting to our server Y in LAN. Server X is unable to connect to server Y if any of the 3 ISP links got interrupted. Even link is recovered but X still failed to connection to Y everytime.

We found that didn't find any IPINIP connection when I do " show local-host x.x.x.x(IP of X) on ASA firewall:

(IP of X & Y are shown as x.x.x.x and y.y.y.y for confidentiality)

FW01# sh local-host x.x.x.x
Interface Inside: 1554344 active, 1610150 maximum active, 0 denied
Interface Outside: 1040329 active, 1465152 maximum active, 0 denied
local host: <x.x.x.x>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

Conn:
UDP Outside x.x.x.x:434 Outside y.y.y.y:434, idle 0:00:00, bytes 3310318788, flags -
Interface Stateful: 1 active, 2 maximum active, 0 denied
Interface management: 1 active, 4 maximum active, 0 denied
Interface Failover: 1 active, 2 maximum active, 0 denied

Once I issue "clear local-host x.x.x.x", the connection is up:

FW01# clear local-host x.x.x.x
FW01# sh local-host x.x.x.x
Interface Inside: 1554451 active, 1610150 maximum active, 0 denied
Interface Outside: 1039506 active, 1465152 maximum active, 0 denied
local host: <x.x.x.x>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

Conn:
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 3440
    UDP Outside x.x.x.x:434 Inside y.y.y.y:434, idle 0:00:00, bytes 2156, flags -
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 2784
Interface Stateful: 1 active, 2 maximum active, 0 denied
Interface management: 1 active, 4 maximum active, 0 denied
Interface Failover: 1 active, 2 maximum active, 0 denied

We have workaround to do clear local-host everytime now but are still finding solution on it. Could anyone adivce on it please? thanks in advance.

Hello; This specifies UDP

Maykol Rojas — Tue, 16 Sep 2014 00:40:17 GMT

Hello;

This specifies UDP (typo on the document or whatever) but you can use the "timeout-floating-conn".

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

It will kill the connection that is floating on an non existing interface instead of waiting for the whole hour or to manually clear the conn.

Mike.

topic ASA 5580 local-host problem in Network Security

ASA 5580 local-host problem

Hello; This specifies UDP