Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
971
Views
10
Helpful
1
Replies

ASA 5580 local-host problem

Go to solution
Leo Liu
Level 1
Level 1

‎09-08-2014 09:08 PM - edited ‎03-11-2019 09:43 PM

We have 2 border routers (7609-S) running BGP routing protocol with 3 different ISPs and are connecting to 2 ASA5580-40 firewalls (Active-standby mode).

A server X on Interent is connecting to our server Y in LAN. Server X is unable to connect to server Y if any of the 3 ISP links got interrupted. Even link is recovered but X still failed to connection to Y everytime.

We found that didn't find any IPINIP connection when I do " show local-host x.x.x.x(IP of X) on ASA firewall:

(IP of X & Y are shown as x.x.x.x and y.y.y.y for confidentiality)

FW01# sh local-host x.x.x.x
Interface Inside: 1554344 active, 1610150 maximum active, 0 denied
Interface Outside: 1040329 active, 1465152 maximum active, 0 denied
local host: <x.x.x.x>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    UDP Outside x.x.x.x:434 Outside y.y.y.y:434, idle 0:00:00, bytes 3310318788, flags -
Interface Stateful: 1 active, 2 maximum active, 0 denied
Interface management: 1 active, 4 maximum active, 0 denied
Interface Failover: 1 active, 2 maximum active, 0 denied


Once I issue "clear local-host x.x.x.x", the connection is up:

FW01# clear local-host x.x.x.x
FW01# sh local-host x.x.x.x  
Interface Inside: 1554451 active, 1610150 maximum active, 0 denied
Interface Outside: 1039506 active, 1465152 maximum active, 0 denied
local host: <x.x.x.x>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 3440
    UDP Outside x.x.x.x:434 Inside y.y.y.y:434, idle 0:00:00, bytes 2156, flags -
    IPINIP Outside x.x.x.x Inside y.y.y.y, idle 0:00:00, bytes 2784
Interface Stateful: 1 active, 2 maximum active, 0 denied
Interface management: 1 active, 4 maximum active, 0 denied
Interface Failover: 1 active, 2 maximum active, 0 denied


We have workaround to do clear local-host everytime now but are still finding solution on it. Could anyone adivce on it please? thanks in advance.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee

‎09-15-2014 05:40 PM

Hello;

 

This specifies UDP (typo on the document or whatever) but you can use the "timeout-floating-conn".

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

 

It will kill the connection that is floating on an non existing interface instead of waiting for the whole hour or to manually clear the conn.

 

Mike.

Mike

View solution in original post

1 Reply 1

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee

‎09-15-2014 05:40 PM

Hello;

 

This specifies UDP (typo on the document or whatever) but you can use the "timeout-floating-conn".

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

 

It will kill the connection that is floating on an non existing interface instead of waiting for the whole hour or to manually clear the conn.

 

Mike.

Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card