topic Ask the Expert: Troubleshooting Adaptive Security Appliances (AS in Network Security

Ask the Expert: Troubleshooting Adaptive Security Appliances (ASA), Private Internet Exchange (PIX) and Firewall Service Modules (FWSM)

ciscomoderator — Tue, 12 Mar 2019 00:46:49 GMT

With Kureli Sankar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about adaptive security appliances (ASAs), Private Internet Exchange (PIX), and firewall services modules (FWSMs) with Cisco Expert Kureli Sankar. This is a continuation of the live Webcast.

Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco ASA, FWSM, Cisco Security Manager, the Content Security and Control module, and the zone-based firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate-level networking courses. Sankar holds a degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security (#35505) certification.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through January 25, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

Webcast related links:

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Jouni Forss — Mon, 14 Jan 2013 22:05:59 GMT

Hi,

I posted this problem some time ago and though if you would have any additional ideas as to whats causing this problem then any advice would be welcome

Heres my original post with a lot of information

https://supportforums.cisco.com/thread/2158473

To summarize the situation for this post

ASA 5585-X Firewalls running Multiple Context Mode in several different 8.4(x) softwares
Enabling TCP Syslog with missmatched TCP port with the server stops all traffic through the Context without the use of "logging permit-hostdown" beforehand (Expected now that I know about it)
To enable traffic to pass through the Context again there was no other solution other than to "reboot" the context by removing it and configuring it again.

This made me doubt the whole TCP Syslog setup even though naturally my first error was not to use the "logging permit-hostdown" configuration before I enabled TCP Syslog.

Surely though its not supposed to keep blocking the traffic even after the TCP Syslog server became reachable?

I would like to get TCP Syslog enabled in all our environments but to be honest am a bit paranoid if I might run into more problems which would cause problematic situations for our more critical environments.

- Jouni

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Kureli Sankar — Tue, 15 Jan 2013 18:27:07 GMT

Jouni,

Glad that you attended the webcast. I hope it was educational for many of our forum readers and customers.

The request to stop processing if the firewall cannot log requirement was put in by our DoD. Hard set requirement, I know. If we CANNOT LOG who is doing what through the firewall, then, we simply DO NOT want to build those connections. I know, we get burned by this problem off and on.

Well, if your enterprise is extremely strict then, you do not want to add the "logging permit-hostdown" command. Wait for the help desk to receive the calls and fix the syslog server to get traffic flowing again.

Once the syslog server becomes available the firewall should automatically start building connections through it without the need for "logging permit-hostdown". Allow me some time and I shall test this out in our lab and get back to you.

-Kureli

Re: Ask the Expert: Troubleshooting Adaptive Security Appliances

Kureli Sankar — Tue, 15 Jan 2013 19:37:32 GMT

Jouni,

Tested on ASA running 9.0.1(2) image

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-5-111008: User 'cisco' executed the 'logging host inside 192.168.2.2 6/1469' command.

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-5-111010: User 'cisco', running 'CLI' from IP 192.168.2.2, executed 'logging host inside 192.168.2.2 6/1469'

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766400 for inside:192.168.2.2/1469 (192.168.2.2/1469) to identity:192.168.2.1/41310 (192.168.2.1/41310)

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-414003: TCP Syslog Server inside:192.168.2.2/1469 not responding, New connections are denied based on logging permit-hostdown policy

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766400 for inside:192.168.2.2/1469 to identity:192.168.2.1/41310 duration 0:00:00 bytes 0 TCP Reset-O

Jan 15 2013 03:15:00 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766073 for inside:192.168.2.2/1468 to identity:192.168.2.1/60777 duration 0:09:28 bytes 242437 TCP FINs

Jan 15 2013 03:15:03 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:04 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:09 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-6-302016: Teardown UDP connection 2766335 for Corp_NET_12345:76.14.0.98/514 to inside:192.168.2.2/1105 duration 0:02:01 bytes 1200

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:76.14.0.98 duration 0:02:01

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766401 for inside:192.168.2.2/1469 (192.168.2.2/1469) to identity:192.168.2.1/31690 (192.168.2.1/31690)

Jan 15 2013 03:15:10 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

logging host inside 192.168.2.2 6/1468

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-6-414008: New connections are now allowed due to change of logging permit-hostdown policy.

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-5-111008: User 'cisco' executed the 'logging host inside 192.168.2.2 6/1468' command.

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-5-111010: User 'cisco', running 'CLI' from IP 192.168.2.2, executed 'logging host inside 192.168.2.2 6/1468'

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766406 for inside:192.168.2.2/1468 (192.168.2.2/1468) to identity:192.168.2.1/42911 (192.168.2.1/42911)

Jan 15 2013 03:15:25 14.36.109.35 : %ASA-3-414003: TCP Syslog Server inside:192.168.2.2/1468 not responding, New connections are denied based on logging permit-hostdown policy

Jan 15 2013 03:15:26 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766406 for inside:192.168.2.2/1468 to identity:192.168.2.1/42911 duration 0:00:00 bytes 0 TCP Reset-O

Jan 15 2013 03:15:26 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:29 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:29 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766230 for Corp_NET_12345:172.18.109.166/8014 to inside:192.168.2.2/3720 duration 0:05:19 bytes 624 TCP Reset-I

Jan 15 2013 03:15:29 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:172.18.109.166 duration 0:05:19

Jan 15 2013 03:15:30 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609001: Built local-host identity:172.16.1.6

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609001: Built local-host Corp_NET_12345:70.39.176.3

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766407 for Corp_NET_12345:70.39.176.3/8080 (70.39.176.3/8080) to identity:172.16.1.6/20244 (172.16.1.6/20244)

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-6-775005: Scansafe: Primary server Corp_NET_12345:70.39.176.3 is now reachable

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766407 for Corp_NET_12345:70.39.176.3/8080 to identity:172.16.1.6/20244 duration 0:00:00 bytes 0 TCP FINs

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609002: Teardown local-host identity:172.16.1.6 duration 0:00:00

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:70.39.176.3 duration 0:00:00

Jan 15 2013 03:15:31 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:32 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:34 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:35 14.36.109.35 : %ASA-3-201008: Disallowing new connections.

Jan 15 2013 03:15:35 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766408 for inside:192.168.2.2/1468 (192.168.2.2/1468) to identity:192.168.2.1/60034 (192.168.2.1/60034)

Jan 15 2013 03:15:35 14.36.109.35 : %ASA-6-414007: TCP syslog server connection restored. New connections allowed.

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-7-609001: Built local-host Corp_NET_12345:172.18.109.166

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-3-302013: Built outbound TCP connection 2766409 for Corp_NET_12345:172.18.109.166/8014 (172.18.109.166/8014) to inside:192.168.2.2/3816 (172.16.1.5/3816)

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-3-302014: Teardown TCP connection 2766409 for Corp_NET_12345:172.18.109.166/8014 to inside:192.168.2.2/3816 duration 0:00:00 bytes 2729 TCP FINs

Jan 15 2013 03:15:36 14.36.109.35 : %ASA-7-609002: Teardown local-host Corp_NET_12345:172.18.109.166 duration 0:00:00

So, without the "logging permit-hostdown" command in the config.

I changed the syslog tcp port to some incorrect port at

Jan 15 2013 03:15:00 14.36.109.35 : 'logging host inside 192.168.2.2 6/1469'

conns were denied and I fixed the port at

Jan 15 2013 03:15:25 14.36.109.35 : logging host inside 192.168.2.2 6/1468

Jan 15 2013 03:15:35 14.36.109.35 : and the TCP syslog server connection restored log at

So, it took about 10 seconds for connections to start automatically building. As you can see during this time TO the box connections were built without any problem.

-Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Jouni Forss — Tue, 15 Jan 2013 19:49:10 GMT

Hi,

To completely test this situation I guess you would have to try it either in 8.4(1)9 or 8.4(2) for ASA 5585-X where I witnessed it.

I ran into the problem in a device with 8.4(1)9 (Software that corrected a bug in Active FTP for 5585-X SSP-20 and other multicore platforms) and I tested the situation in another ASA 5585-X with 8.4(2) and ran into the same problem

I simply wasnt able to get the connections working again.

Is your test ASA in single or multiple mode? If in single, could it have something to do with this? I have only tested this in a multiple mode ASA 5585-X SSP20

- Jouni

Re: Ask the Expert: Troubleshooting Adaptive Security Appliances

Kureli Sankar — Tue, 15 Jan 2013 19:56:25 GMT

Agree. 5585 platform and multiple context testing will take a bit longer to accomplish.

The point I was trying to make is the fact though not documented in the command reference, as soon the the syslog server becomes available, we SHOULD start building new "THROUGH" the box connections without the need for any additional command.

I will let you know on the 5585 multiple context 8.2.x code a bit later.

-Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

SIRIPHAN SONMANEE — Wed, 16 Jan 2013 04:02:19 GMT

How about load balance script of asa - x series ? Could be advices ?

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Milan Rai — Wed, 16 Jan 2013 05:44:24 GMT

I tried my best to attend the Webcast but i was not................I send mail regarding my problem but it was not solved???? dont know why i was not able to attend...????

Just i would like to know is about the IPS......support on through ASA.......

Do we have this option ??? or we need to go for other vendor.........If i am going for ASA as my firewall........Then why dont i have the option for IPS service?????

If i didn't knew that we do have those support please describe me on very simple words.....

Thank You

Milan

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

melepruma — Wed, 16 Jan 2013 08:16:33 GMT

Does the New ASA module for the 6500 support ture active-active cluster operation (same VLAN active on both ASA modules in the two chassis in VSS configuration) on SUP 720?

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Kureli Sankar — Thu, 17 Jan 2013 00:54:45 GMT

active/active failover setup is certainly possible. Is this what you mean?

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/ha_active_active.html#wp1074591

The requirement for act/act failover is multiple context mode.

-Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Kureli Sankar — Thu, 17 Jan 2013 01:00:20 GMT

Milan,

So sorry that you couldn't attend. The audio recording along with the slide deck will be made available soon. You can watch/listen at your own time. I will let our forum admins know about the trouble that you had.

IPS module is supported in the ASA platform. What model are you thinking about?

Check this data sheet:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Pls. see under.

Table 10.

Characteristics of Cisco ASA 5500 Series AIP SSM and SSC Models

-Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Kureli Sankar — Thu, 17 Jan 2013 02:19:04 GMT

Siriphan,

Could you please elaborate a little? What scripts are these? What is the purpose?

Thanks,

Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

erichild2 — Fri, 18 Jan 2013 14:15:56 GMT

Good Day,

An issue we seem to be facing with our ASA 5520 8.4(2) is with previously working site2site VPNs no longer working properly.

The tunnels seem to have remained up but to get full data traveling in both directions we have had to

add an outside interface Access Rule.

The only change known is we created a new s2s vpn and it wouldn't work until the Outside Access rule was created.

Not sure if it is a cause or a product of the issue.

Is this something anyone has seen.

Thank You,

Eric

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

Kureli Sankar — Sat, 19 Jan 2013 05:30:17 GMT

Eric,

I have not seen this problem. Do you have "sysopt connection permit-vpn" command in the config?

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517364

Pls. add that and let me know if the outside acl is still required.

-Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

mj11 — Sun, 20 Jan 2013 19:35:11 GMT

Hi Kureli

Subject: FWSM 3.2(20) SIP traffic being dropped by FW. Inspection SIP enabled.

Source: 192.168.5.101 Destination:192.168.254.26

Cap SIP1= Receiving interface Cap SIP2=Exiting interface

We are experiencing a problem passing SIP packets through our FWSM on a new service but have SIP already working successfully. We can see the packets arriving at the firewall but not leaving and have not been unable to determine why this is, we have captured on the ASP but did not see anything. We have tried both UDP and TCP. Interestingly, if we telnet using port 5060, the packets pass fine, however when actual SIP packets are sent, they do not arrive. Below is a packet capture from the FWSM on both interfaces.

FW01# sh cap SIP1 detail

26 packets seen, 26 packets captured

1: 15:03:48.2232889848 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#810 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id6762)

2: 15:03:48.2232889848 0008.7cbb.2040 0000.0c07.ac62 0x8100 78: 802.1Q vlan#810 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6762)

3: 15:03:49.2232890848 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#810 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id 6767)

4: 15:03:49.2232890848 0008.7cbb.2040 0000.0c07.ac62 0x8100 78: 802.1Q vlan#810 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6767)

5: 15:03:50.2232891848 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#810 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id 6771)

6: 15:03:50.2232891848 0008.7cbb.2040 0000.0c07.ac62 0x8100 78: 802.1Q vlan#810 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6771)

7: 15:03:51.2232892858 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#810 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id 6775)

8: 15:03:51.2232892858 0008.7cbb.2040 0000.0c07.ac62 0x8100 78: 802.1Q vlan#810 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6775)

9: 15:04:57.2232958948 00d0.0143.b400 0008.7cbb.2040 0x8100 70: 802.1Q vlan#810 P0 192.168.5.101.50505 > 192.168.254.26.5060: S

2621387575:2621387575(0) win 8192 (DF) (ttl 127, id 6935)

10: 15:04:57.2232958948 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50505: S [tcp sum ok]

3750378220:3750378220(0) ack 2621387576 win 4128 (ttl 252, id 26637)

11: 15:04:57.2232958948 00d0.0143.b400 0008.7cbb.2040 0x8100 64: 802.1Q vlan#810 P0 192.168.5.101.50505 > 192.168.254.26.5060: . [tcp sum ok]

2621387576:2621387576(0) ack 3750378221 win 65392 (DF) (ttl 127, id 6936)

12: 15:04:57.2232958948 00d0.0143.b400 0008.7cbb.2040 0x8100 353: 802.1Q vlan#810 P3 192.168.5.101.50505 > 192.168.254.26.5060: P

2621388112:2621388407(295) ack 3750378221 win 65392 (DF) [tos 0x60] (ttl 127, id 6938)

13: 15:04:57.2232958948 00d0.0143.b400 0008.7cbb.2040 0x8100 594: 802.1Q vlan#810 P3 192.168.5.101.50505 > 192.168.254.26.5060: .

2621387576:2621388112(536) ack 3750378221 win 65392 (DF) [tos 0x60] (ttl 127, id 6937)

14: 15:04:57.2232958958 0008.7cbb.2040 00aa.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50505: P [tcp sum ok]

3750378221:3750378221(0) ack 2621387576 win 4128 (DF) (ttl 255, id 8467)

15: 15:04:57.2232958958 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50505: . [tcp sum ok]

3750378221:3750378221(0) ack 2621388112 win 8192 (DF) (ttl 255, id 8468)

16: 15:04:57.2232958958 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50505: . [tcp sum ok]

3750378221:3750378221(0) ack 2621388407 win 8192 (DF) (ttl 255, id 8469)

17: 15:04:57.2232958958 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50505: R [tcp sum ok]

3750378221:3750378221(0) win 8192 (DF) (ttl 255, id 8470)

18: 15:05:10.2232972138 00d0.0143.b400 0008.7cbb.2040 0x8100 70: 802.1Q vlan#810 P0 192.168.5.101.50508 > 192.168.254.26.5060: S

3408136717:3408136717(0) win 8192 (DF) (ttl 127, id 6990)

19: 15:05:10.2232972138 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50508: S [tcp sum ok]

455106242:455106242(0) ack 3408136718 win 4128 (ttl 252, id 39032)

20: 15:05:10.2232972138 00d0.0143.b400 0008.7cbb.2040 0x8100 64: 802.1Q vlan#810 P0 192.168.5.101.50508 > 192.168.254.26.5060: . [tcp sum ok]

3408136718:3408136718(0) ack 455106243 win 65392 (DF) (ttl 127, id 6991)

21: 15:05:10.2232972138 00d0.0143.b400 0008.7cbb.2040 0x8100 352: 802.1Q vlan#810 P3 192.168.5.101.50508 > 192.168.254.26.5060: P

3408137254:3408137548(294) ack 455106243 win 65392 (DF) [tos 0x60] (ttl 127, id 6993)

22: 15:05:10.2232972138 00d0.0143.b400 0008.7cbb.2040 0x8100 594: 802.1Q vlan#810 P3 192.168.5.101.50508 > 192.168.254.26.5060: .

3408136718:3408137254(536) ack 455106243 win 65392 (DF) [tos 0x60] (ttl 127, id 6992)

23: 15:05:10.2232972138 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50508: P [tcp sum ok]

455106243:455106243(0) ack 3408136718 win 4128 (DF) (ttl 255, id 23984)

24: 15:05:10.2232972138 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50508: . [tcp sum ok]

455106243:455106243(0) ack 3408137254 win 8192 (DF) (ttl 255, id 23985)

25: 15:05:10.2232972138 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50508: . [tcp sum ok]

455106243:455106243(0) ack 3408137548 win 8192 (DF) (ttl 255, id 23986)

26: 15:05:10.2232972138 0008.7cbb.2040 0000.0c07.ac62 0x8100 64: 802.1Q vlan#810 P0 192.168.254.26.5060 > 192.168.5.101.50508: R [tcp sum ok]

455106243:455106243(0) win 8192 (DF) (ttl 255, id 23987)

26 packets shown

FW01# sh cap SIP2 detail

16 packets seen, 16 packets captured

1: 15:03:48.2232889848 0008.7cbb.2040 0000.0c07.acff 0x8100 78: 802.1Q vlan#800 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id 6762)

2: 15:03:48.2232889848 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#800 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6762)

3: 15:03:49.2232890848 0008.7cbb.2040 0000.0c07.acff 0x8100 78: 802.1Q vlan#800 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id 6767)

4: 15:03:49.2232890848 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#800 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6767)

5: 15:03:50.2232891848 0008.7cbb.2040 0000.0c07.acff 0x8100 78: 802.1Q vlan#800 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id 6771)

6: 15:03:50.2232891848 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#800 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6771)

7: 15:03:51.2232892858 0008.7cbb.2040 0000.0c07.acff 0x8100 78: 802.1Q vlan#800 P0 192.168.5.101 > 192.168.254.26: icmp: echo request (ttl 127, id 6775)

8: 15:03:51.2232892858 00d0.0143.b400 0008.7cbb.2040 0x8100 78: 802.1Q vlan#800 P0 192.168.254.26 > 192.168.5.101: icmp: echo reply (ttl 252, id 6775)

9: 15:04:57.2232958948 0008.7cbb.2040 0000.0c07.acff 0x8100 70: 802.1Q vlan#800 P0 192.168.5.101.50505 > 192.168.254.26.5060: S

153485530:153485530(0) win 8192 (DF) (ttl 127, id 6935)

10: 15:04:57.2232958948 00d0.0143.b400 0008.7cbb.2040 0x8100 64: 802.1Q vlan#800 P0 192.168.254.26.5060 > 192.168.5.101.50505: S [tcp sum ok]

3750378220:3750378220(0) ack 153485531 win 4128 (ttl 252, id 26637)

11: 15:04:57.2232958948 0008.7cbb.2040 0000.0c07.acff 0x8100 64: 802.1Q vlan#800 P0 192.168.5.101.50505 > 192.168.254.26.5060: . [tcp sum ok]

153485531:153485531(0) ack 3750378221 win 65392 (DF) (ttl 255, id 8466)

12: 15:05:10.2232972138 0008.7cbb.2040 0000.0c07.acff 0x8100 70: 802.1Q vlan#800 P0 192.168.5.101.50508 > 192.168.254.26.5060: S

3150694522:3150694522(0) win 8192 (DF) (ttl 127, id 6990)

13: 15:05:10.2232972138 00d0.0143.b400 0008.7cbb.2040 0x8100 64: 802.1Q vlan#800 P0 192.168.254.26.5060 > 192.168.5.101.50508: S [tcp sum ok]

455106242:455106242(0) ack 3150694523 win 4128 (ttl 252, id 39032)

14: 15:05:10.2232972138 0008.7cbb.2040 0000.0c07.acff 0x8100 64: 802.1Q vlan#800 P0 192.168.5.101.50508 > 192.168.254.26.5060: . [tcp sum ok]

3150694523:3150694523(0) ack 455106243 win 65392 (DF) (ttl 255, id 23983)

15: 15:05:57.2233018958 00d0.0143.b400 0008.7cbb.2040 0x8100 64: 802.1Q vlan#800 P0 192.168.254.26.5060 > 192.168.5.101.50505: . [tcp sum ok]

3750378220:3750378220(0) ack 153485531 win 4128 (ttl 252, id 26638)

16: 15:06:10.2233032148 00d0.0143.b400 0008.7cbb.2040 0x8100 64: 802.1Q vlan#800 P0 192.168.254.26.5060 > 192.168.5.101.50508: . [tcp sum ok]

455106242:455106242(0) ack 3150694523 win 4128 (ttl 252, id 39033)

16 packets shown

Regrads MJ

Re: Ask the Expert: Troubleshooting Adaptive Security Appliances

Kureli Sankar — Mon, 21 Jan 2013 14:39:01 GMT

MJ,

This does look like SIP inspection problem. I am not aware of any sip related defects in the code that you are running. The SYN and SYN ACK packets are the same inside to outside but, the ACK packet isn't the same.

11: 15:04:57.2232958948 00d0.0143.b400 0008.7cbb.2040 0x8100 64: 802.1Q vlan#810 P0 192.168.5.101.50505 > 192.168.254.26.5060: . [tcp sum ok] 2621387576:2621387576(0) ack 3750378221 win 65392 (DF) (ttl 127, id 6936)

11: 15:04:57.2232958948 0008.7cbb.2040 0000.0c07.acff 0x8100 64: 802.1Q vlan#800 P0 192.168.5.101.50505 > 192.168.254.26.5060: . [tcp sum ok] 153485531:153485531(0) ack 3750378221 win 65392 (DF) (ttl 255, id 8466)

The packet ID doesn't match inside to outside for the ACK packet. It would be better to see the captures in the form of a .pcap files instead of text based output.

I'd suggest opening a TAC case and working with an engineer. Let me know the case no. once you open it.

-Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

mj11 — Tue, 22 Jan 2013 11:41:19 GMT

Hi Kureli

Thanks for the response, we have disabled SIP for this flow via a class-map and now this working.

Many thanks MJ

Re: Ask the Expert: Troubleshooting Adaptive Security Appliances

nick.ehlers — Tue, 22 Jan 2013 17:40:55 GMT

Kureli,

Thanks for doing this Q&A!

My question is, on a ASA 5510 running 8.2.x code. How do I properly implement Group Based authentication for anyconnect Remote VPN. It will be used in this context. Users from X organization will browse to the public IP address of the ASA from home bringing up the Remote VPN Login page. The user logs in with their Active Directory credentials and based on what group they are in they will be given certain access based on that group, obviously refering to certain ACLs applied to each group.

The customer has windows 2008 R2 so the ASA is pulling from LDAP, they have no radius server. I've made an attempt at the config myself and am hoping you can check my work to see if this will work or not?

Here is the config:

access-list ADMIN-VPN-SPLIT extended permit ip 192.168.254.0 255.255.255.0 10.0.0.0 255.255.0.0

access-list ADMIN-VPN-SPLIT extended permit ip 10.0.0.0 255.255.0.0 192.168.254.0 255.255.255.0

ip local pool VPN-POOL 192.168.254.1-192.168.254.254

ldap attribute-map CISCOMAP

map-name memberOf Group-Policy

map-value memberOf "CN=VPN.Admin.User,OU=VPN,OU=Security Groups,OU=TEST,DC=TEST,DC=local" ADMIN

map-value memberOf "CN=VPN.Default.Users,OU=VPN,OU=Security Groups,OU=TEST,DC=TEST,DC=local" "Standard Users"

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAP protocol ldap

aaa-server LDAP (inside) host 10.0.2.1

ldap-base-dn DC=TEST,DC=local

ldap-group-base-dn DC=TEST,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password Test123!

ldap-login-dn CN=LDAP,OU=Users,OU=_Applications,OU=TEST,DC=TEST,DC=local

ldap-over-ssl enable

server-type microsoft

ldap-attribute-map CISCOMAP

webvpn

enable outside

character-encoding windows-1252

anyconnect-essentials

svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 4 regex "Windows CE"

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 5 regex "Windows NT"

svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 6 regex "Intel Mac OS X"

svc enable

tunnel-group-list enable

group-policy NoAccess internal

group-policy NoAccess attributes

banner value You have no access

wins-server none

dns-server value 10.0.2.1 10.0.2.2

vpn-simultaneous-logins 0

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

default-domain value TEST.local

address-pools none

group-policy DfltGrpPolicy attributes

vpn-filter value 150

group-policy ADMIN internal

group-policy ADMIN attributes

wins-server none

dns-server value 10.0.2.1 10.0.2.2

vpn-simultaneous-logins 3

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ADMIN-VPN-SPLIT

default-domain value TEST.local

address-pools value VPN-POOL

webvpn

svc keep-installer installed

svc dpd-interval gateway 60

svc ask enable default webvpn

hidden-shares visible

activex-relay enable

file-entry enable

file-browsing enable

url-entry enable

group-policy "Standard Users" internal

group-policy "Standard Users" attributes

banner value You have full access to the TEST network.

wins-server none

dns-server value 10.0.2.1 10.0.2.2

vpn-simultaneous-logins 0

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ADMIN-VPN-SPLIT

default-domain value TEST.local

group-policy LDAP-ALLOWACCESS internal

group-policy LDAP-ALLOWACCESS attributes

banner value You have logged in with the LDAP-ALLOWACCESS group Policy

dns-server value 10.0.2.1 10.0.2.2

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ADMIN-VPN-SPLIT

default-domain value isi.local

address-pools value VPN-POOL

webvpn

svc keep-installer installed

svc dpd-interval gateway 60

svc ask enable default webvpn

hidden-shares visible

activex-relay enable

file-entry enable

file-browsing enable

url-entry enable

group-policy LDAP-NOACCESS internal

group-policy LDAP-NOACCESS attributes

vpn-simultaneous-logins 0

vpn-tunnel-protocol IPSec svc

webvpn

svc ask none default svc

tunnel-group ADMIN-VPN general-attributes

address-pool VPN-POOL

authentication-server-group LDAP

default-group-policy ADMIN

authorization-required

tunnel-group ADMIN-VPN webvpn-attributes

nbns-server 10.0.2.1 timeout 2 retry 2

group-alias ADMIN-VPN disable

group-alias Admin enable

group-alias DEFAULT disable

group-alias Default disable

group-alias Defaults disable

group-alias User disable

tunnel-group "Standard Users" general-attributes

address-pool VPN-POOL

authentication-server-group LDAP

default-group-policy "Standard Users"

tunnel-group "Standard Users" webvpn-attributes

group-alias Users enable

Thanks!

oh and also - how can I verify that if they dont authenticate to any particular group that they will be denied access?

Message was edited by: Nick Ehlers

Re: Ask the Expert: Troubleshooting Adaptive Security Appliances

Kureli Sankar — Wed, 23 Jan 2013 17:59:30 GMT

Nick,

Let me review your config and get back to you.

-Kureli

Ask the Expert: Troubleshooting Adaptive Security Appliances (AS

sestonenppd — Wed, 23 Jan 2013 18:13:04 GMT

Is it recommended/possible to attach a 5510 running code version 8.2(5) in transparent mode to a Nexus 2248? We have 2 contexts but are only connecting one (2 ports) now and the other at a later date. We had an older 5510 connected to these same ports running code version 7.0(7) with no problems. However, when we connect up the new 5510, one port or the other sends a BPDU causing the port to errdisable. Is this a configuration, version, or compatibility problem?