Problem since 8.2.4 upgrade - ASA5510

Mike McWethy
Level 1

I have an ASA5510 running in production. I have about 28 site-to-site VPN tunnels that have been working perfectly for the last year or so. I was running 8.0.4 and recently upgraded to 8.2.4. Since the upgrade, I have an issue that I haven't figured out. One of my clients with a tunnel can no longer FTP us. When I do a packet tracer on the ASA, all phases are "ALLOW" but at the very end, the action is "drop" due to "IPSEC spoof detected." None of my crypto config for the tunnel, including the crypto ACL, has been changed. I can provide whatever configuration you'd need to help me solve this issue. I have researched the issue, but I have yet to solve this problem. This same tunnel had NO issues prior to the 8.2.4 upgrade. Thanks for your help.

P.S. I thought about trying to disable "inspect FTP," but I am not sure I really want to do this, though it may solve the problem. I am running FTP passive mode on the ASA so I don't believe "inspect FTP" is required....

Mike

2 Replies

ilwadhi.r
Level 1

Can you share the complete error message?

Here is the complete output from packet-tracer. I have changed the IPs so these are not the actual IPs. If the tunnel is up, the last line (drop reason) says "IPSEC spoof detected." The tunnel wasn't up at the moment I ran this packet tracer, but I believe the problem has to do with the fact that the packet is arriving on the "outside" interface and trying to exit out my "dmz3" interface so it appears I have some asymmetric routing going on. This issue, however, cropped up only after the 8.2.4 upgrade. Any suggestions?

ASA5510-1# packet-tracer input outside tcp 202.227.97.200 50010 96.13.127.131 $

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ3,outside) 96.13.127.131 96.13.127.131 netmask 255.255.255.255
nat-control
  match ip DMZ3 host 96.13.127.131 outside any
    static translation to 96.13.127.131
    translate_hits = 25107, untranslate_hits = 416406
Additional Information:
NAT divert to egress interface DMZ3
Untranslate 96.13.127.131/0 to 96.13.127.131/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside in interface outside
access-list acl_outside extended permit tcp any host 96.13.127.131 eq ftp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac303430, priority=12, domain=permit, deny=false
        hits=194899, user_data=0xa8b3ac00, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=96.13.127.131, mask=255.255.255.255, port=21, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab9bf608, priority=0, domain=inspect-ip-options, deny=true
        hits=8046596, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabc7a4e0, priority=70, domain=inspect-ftp, deny=false
        hits=135, user_data=0xace4d860, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac252650, priority=20, domain=lu, deny=false
        hits=3873834, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac40fdf8, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=3708924, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (DMZ3,outside) 96.13.127.131 96.13.127.131 netmask 255.255.255.255
nat-control
  match ip DMZ3 host 96.13.127.131 outside any
    static translation to 96.13.127.131
    translate_hits = 25107, untranslate_hits = 416406
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac2f2a08, priority=5, domain=nat-reverse, deny=false
        hits=284551, user_data=0xac2f2568, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=96.13.127.131, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ3,outside) 96.13.127.131 96.13.127.131 netmask 255.255.255.255
nat-control
  match ip DMZ3 host 96.13.127.131 outside any
    static translation to 96.13.127.131
    translate_hits = 25107, untranslate_hits = 416406
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xac2f2bb0, priority=5, domain=host, deny=false
        hits=350050, user_data=0xac2f2568, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=96.13.127.131, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xac1285b0, priority=0, domain=inspect-ip-options, deny=true
        hits=527498, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xae673798, priority=70, domain=encrypt, deny=false
        hits=111, user_data=0x0, cs_id=0xac013850, reverse, flags=0x0, protocol=0
        src ip=96.13.127.0, mask=255.255.255.0, port=0
        dst ip=202.227.97.200, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
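
The packet-tracer output above is long, and the final Drop-reason line ("Flow is denied by configured rule") is generic: the useful information is which phase returned DROP, whether it was on the forward or reverse flow lookup, and which rule it matched. The following parser is an added example, not code from the original post or from Cisco; it takes raw `packet-tracer` output of the format shown above and reports the dropping phase. The sample input is a constructed, abbreviated copy of the output above (phases 1, 2 and 10 only); the function and class names are my own.

```python
"""Parse Cisco ASA packet-tracer output and report the phase that dropped the packet.

Added example for reading the trace above; not part of the original thread.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abbreviated copy of the trace posted above (phases 1, 2, 10).
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ3,outside) 96.13.127.131 96.13.127.131 netmask 255.255.255.255
Additional Information:
NAT divert to egress interface DMZ3

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list acl_outside extended permit tcp any host 96.13.127.131 eq ftp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac303430, priority=12, domain=permit, deny=false
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=96.13.127.131, mask=255.255.255.255, port=21, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xae673798, priority=70, domain=encrypt, deny=false
        hits=111, user_data=0x0, cs_id=0xac013850, reverse, flags=0x0, protocol=0
        src ip=96.13.127.0, mask=255.255.255.0, port=0
        dst ip=202.227.97.200, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
output-interface: DMZ3
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    direction: Optional[str] = None  # "Forward" or "Reverse" flow lookup, if shown
    domain: Optional[str] = None     # e.g. permit, nat-reverse, encrypt
    src: Optional[str] = None        # "ip/mask" of the matched rule
    dst: Optional[str] = None


@dataclass
class Trace:
    phases: list = field(default_factory=list)
    input_interface: Optional[str] = None
    output_interface: Optional[str] = None
    action: Optional[str] = None
    drop_reason: Optional[str] = None


def _kv(block: str, key: str) -> Optional[str]:
    """Return the value of a 'Key: value' line in block, or None if absent."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*(.*)$", block, re.M)
    return m.group(1).strip() if m else None


def parse_packet_tracer(text: str) -> Trace:
    """Split the trace into per-phase records plus the trailing Result section."""
    trace = Trace()
    body, _, result = text.partition("\nResult:\n")  # bare 'Result:' line, not 'Result: ALLOW'
    for chunk in re.split(r"(?m)^Phase: ", body)[1:]:
        first, _, rest = chunk.partition("\n")
        phase = Phase(int(first.strip()), _kv(rest, "Type") or "",
                      _kv(rest, "Subtype") or "", _kv(rest, "Result") or "")
        if m := re.search(r"(Forward|Reverse) Flow based lookup", rest):
            phase.direction = m.group(1)
        if m := re.search(r"\bdomain=([\w-]+)", rest):
            phase.domain = m.group(1)
        if m := re.search(r"src ip=(\S+), mask=(\S+),", rest):
            phase.src = f"{m.group(1)}/{m.group(2)}"
        if m := re.search(r"dst ip=(\S+), mask=(\S+),", rest):
            phase.dst = f"{m.group(1)}/{m.group(2)}"
        trace.phases.append(phase)
    trace.input_interface = _kv(result, "input-interface")
    trace.output_interface = _kv(result, "output-interface")
    trace.action = _kv(result, "Action")
    trace.drop_reason = _kv(result, "Drop-reason")
    return trace


def dropping_phase(trace: Trace) -> Optional[Phase]:
    """First phase whose Result is DROP, or None if every phase allowed."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def summarize(trace: Trace) -> str:
    """One line naming the dropping phase, lookup direction, matched rule and interfaces."""
    p = dropping_phase(trace)
    if p is None:
        return f"action={trace.action}: no DROP phase found"
    rule = f"{p.src} -> {p.dst}" if p.src and p.dst else "no rule shown"
    return (f"drop at phase {p.number} ({p.type}/{p.subtype}), {p.direction or 'n/a'} flow, "
            f"domain={p.domain}, rule {rule}; {trace.input_interface} -> "
            f"{trace.output_interface}; {trace.drop_reason}")


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE)))
```

Run against the trace above it reports the drop at phase 10 (VPN/encrypt) on the Reverse flow lookup, matching the encrypt rule for 96.13.127.0/24 to 202.227.97.200, for a packet entering outside and exiting DMZ3. That is the check that fires when a clear-text packet arrives whose return traffic would have to be sent through a crypto map entry, which is consistent with the "IPSEC spoof detected" reason the original poster sees when the tunnel is up; the generic "acl-drop" text at the end of the trace does not by itself tell you that the crypto map, rather than an interface ACL, is the rule doing the denying.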
