I have seen an issue with an ASA setting up a connection and keeping this connection through a wrong interface.
Background:
ASA is perimeter Firewall, has a default route towards outside and some routes pointing to inside (10.10.0.0) and some to a transfer VLAN (10.16.0.0)
We had to reboot the Coreswitch on the inside thus the inside interface of the ASA was down.
After some time i noticed, that several connections from Transfer networks where not able to conntact my internal networks.
Show of session:
sh conn address 10.10.6.3 | i 6343
UDP outside 10.10.6.3:6343 Transfer 10.16.90.3:1027, idle 0:00:01, bytes 11494416, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.20.10:1027, idle 0:00:01, bytes 13079268, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.10.10:1027, idle 0:00:01, bytes 41900464, flags -
I have several devices (10.16.90.3, 10.16.20.10, 10.16.10.10) that try to sent sflow data to a internal station (10.10.6.3).
but instead of sending the session to the inside interface, the data is sent towards outside.
After i clear a connection for one of the addresses, the session is setup correctly and i start receiving sflow again:
ASA/pri/act# clear conn address 10.16.10.10
45 connection(s) deleted.
ASA/pri/act# sh conn address 10.10.6.3 | i 6343
UDP Transfer 10.16.10.10:1027 inside 10.10.6.3:6343, idle 0:00:00, bytes 536, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.90.3:1027, idle 0:00:18, bytes 11500984, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.20.10:1027, idle 0:00:04, bytes 13083344, flags -
What has happend (educated guess)
- inside interface of ASA goes down, connected route(s) gets removed
- data arrives for some network which is (unreachable atm) on inside
- default route is used, session is setup through outside
- inside interface comes back, routes appear in routing table
- data arrives for some network which is ( now reachable again) on inside
- uses existing session thus sending to outside instead of inside
- session never expires as data arrives regulary
I noticed only UDP traffic being wrong (sflow, Siemens HiPath CAPWAP,...)
sFlow was not received for about a week and comes back immeadiatly after i clear the connection.
Is this expected behavior? I could imagine that a new/better/other route could/should invalidate existing sessions?
What would be a fix to stop that from happening again?