ASA Firewall Blocking SCP copy between the servers

ashvaldo
Level 1

Good day all,

We are experiencing challenges related to SCP copy between the servers. I have reviewed the configurations applied on our Firewalls and I'm not able to detect any abnormalities in the configuration applied.

I'm not sure if increasing the MTU size will make a difference. I have attached the output setting for our rules currently applied.

#######################################################################################################

mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Monitor-Port-Channel-104 1500
monitor-interface OUTSIDE
monitor-interface INSIDE
monitor-interface Monitor-Port-Channel-104
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route OUTSIDE 0.0.0.0 0.0.0.0 10.15.2.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 OUTSIDE
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 30
no threat-detection statistics tcp-intercept
username admin password 76QP4zi7MB2mshOI encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global

####################################################################################################################


Any assistance will be greatly appreciated.

3 Replies

Do you have basic connectivity between the servers (ie. ping between the servers)? Just remember to disable windows firewall or any other locally installed firewall when testing with ping.

Have you run a packet tracer to see if the SCP packet is allowed through the firewall? By default SCP uses port TCP 22.

packet-tracer input <ingress interface> tcp <source IP> 12345 <destination IP> 22 detailed

--

Please remember to select a correct answer and rate helpful posts


Good day Marius,

The hosts are able to ping and connect to each other via telnet. The concern is that when we try to make the SCP connection, it fails. The hosts are IBM p570 and the connectivity problem exists when performing an NFS mount. The connection is established and after a short while the connection is lost, resulting in the ORACLE Database hanging.

The only devices between the hosts are the CISCO ASA Firewalls and TIPPINGPOINT. We have checked both ASA and TIPPINGPOINT devices and the result remains unchanged.

Thanks so much for the feedback received thus far.

The problem isn't going to be a layer 1-4 issue since you establish the connection, but it drops sporadically. I would run a network capture on the firewall to see if the host is sending a reset. If that doesn't prove useful, I would run a capture on the NFS host and see if it's doing something strange like port hopping.

You will likely find your answer in the capture on the NFS host since you aren't likely hitting the conn timeouts in your config. SCP has no RFC, so the protocol implementations may vary depending on the library being used between devices.

I have run into issues with SCP between hosts that were caused by library bugs between hosts, so you may have run into something similar.

Good luck!
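As an added example (not part of this thread, and not Cisco's own tooling), the check the reply above suggests, carried out on a constructed tcpdump-style trace together with the `timeout conn` line from the original post: it reports which host sent the TCP reset and whether the session sat idle longer than the firewall's connection timeout, which is what would point at the ASA rather than at the hosts. The addresses, ports and packet lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# The ASA timeout line from the original post, and a constructed (not captured)
# tcpdump-style trace of an SCP session that is reset by the server side.
ASA_CONFIG = "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02"
CAPTURE = """\
10:00:00.000000 IP 10.0.0.5.40120 > 10.0.0.9.22: Flags [S], seq 1, length 0
10:00:00.000500 IP 10.0.0.9.22 > 10.0.0.5.40120: Flags [S.], ack 2, length 0
10:00:00.001000 IP 10.0.0.5.40120 > 10.0.0.9.22: Flags [.], ack 101, length 0
10:00:01.000000 IP 10.0.0.5.40120 > 10.0.0.9.22: Flags [P.], seq 2:1462, length 1460
10:12:30.000000 IP 10.0.0.5.40120 > 10.0.0.9.22: Flags [P.], seq 1462:2922, length 1460
10:12:30.000400 IP 10.0.0.9.22 > 10.0.0.5.40120: Flags [R], seq 101, length 0
"""

TIMEOUT_RE = re.compile(r"(\S+) (\d+):(\d+):(\d+)")
PKT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\]")


def parse_timeouts(line):
    """Map each 'name h:mm:ss' pair on an ASA 'timeout' line to a timedelta."""
    return {name: timedelta(hours=int(h), minutes=int(m), seconds=int(s))
            for name, h, m, s in TIMEOUT_RE.findall(line)}


def parse_capture(text):
    """Yield (timestamp, src, dst, flags) for every tcpdump line that parses."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%H:%M:%S.%f"),
                   m.group(2), m.group(3), m.group(4))


def analyse(capture_text, asa_timeout_line):
    """Who sent the RST, and was the session idle longer than 'timeout conn'?"""
    pkts = list(parse_capture(capture_text))
    rst = next((p for p in pkts if "R" in p[3]), None)
    upto = pkts[: pkts.index(rst) + 1] if rst else pkts  # packets up to the reset
    gaps = [b[0] - a[0] for a, b in zip(upto, upto[1:])]
    max_idle = max(gaps, default=timedelta(0))
    conn = parse_timeouts(asa_timeout_line)["conn"]
    return {
        "rst_sender": rst[1].rsplit(".", 1)[0] if rst else None,  # strip port
        "max_idle_seconds": max_idle.total_seconds(),
        "asa_conn_timeout_seconds": conn.total_seconds(),
        "idle_exceeded_asa_timeout": max_idle > conn,
    }


if __name__ == "__main__":
    print(analyse(CAPTURE, ASA_CONFIG))
```

An idle gap shorter than `timeout conn` with the reset coming from one of the hosts is the pattern the reply describes: the firewall's connection timers are not the cause, and the next capture belongs on that host.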
