ASA Session setup through wrong interface, session stays there

Jan
Level 1
I have seen an issue with an ASA setting up a connection and keeping this connection through a wrong interface.
Background:
The ASA is the perimeter firewall; it has a default route towards outside, some routes pointing to inside (10.10.0.0) and some to a transfer VLAN (10.16.0.0).
We had to reboot the core switch on the inside, thus the inside interface of the ASA was down.
After some time I noticed that several connections from Transfer networks were not able to contact my internal networks.

Show of session:

sh conn address 10.10.6.3 | i 6343
UDP outside 10.10.6.3:6343 Transfer 10.16.90.3:1027, idle 0:00:01, bytes 11494416, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.20.10:1027, idle 0:00:01, bytes 13079268, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.10.10:1027, idle 0:00:01, bytes 41900464, flags -

I have several devices (10.16.90.3, 10.16.20.10, 10.16.10.10) that try to send sFlow data to an internal station (10.10.6.3).
But instead of sending the session to the inside interface, the data is sent towards outside.

After I clear a connection for one of the addresses, the session is set up correctly and I start receiving sFlow again:

ASA/pri/act# clear conn address 10.16.10.10
45 connection(s) deleted.
ASA/pri/act# sh conn address 10.10.6.3 | i 6343
UDP Transfer 10.16.10.10:1027 inside 10.10.6.3:6343, idle 0:00:00, bytes 536, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.90.3:1027, idle 0:00:18, bytes 11500984, flags -
UDP outside 10.10.6.3:6343 Transfer 10.16.20.10:1027, idle 0:00:04, bytes 13083344, flags -


What has happened (educated guess):
- inside interface of ASA goes down, connected route(s) get removed
- data arrives for some network which is (unreachable atm) on inside
- default route is used, session is set up through outside
- inside interface comes back, routes appear in routing table
- data arrives for some network which is (now reachable again) on inside
- the existing session is used, thus sending to outside instead of inside
- session never expires as data arrives regularly

I noticed only UDP traffic being wrong (sFlow, Siemens HiPath CAPWAP, ...).
sFlow was not received for about a week and comes back immediately after I clear the connection.

Is this expected behavior? I could imagine that a new/better/other route could/should invalidate existing sessions?

What would be a fix to stop that from happening again?
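One way to spot this condition before a week of sFlow goes missing is to check the connection table against the routing table: every endpoint in "show conn" should sit on the interface that longest-prefix routing would pick for it today. The following is an added example, not code from the post or from Cisco; the ROUTES map and the sample "show conn" lines are constructed to mirror the topology described above.

```python
import ipaddress
import re

# Interface that routing should select for each prefix. Constructed to match the
# topology in the post: inside networks, the Transfer VLAN and a default route
# towards outside. These are assumed values, not read from a real device.
ROUTES = {
    ipaddress.ip_network("10.10.0.0/16"): "inside",
    ipaddress.ip_network("10.16.0.0/16"): "Transfer",
}
DEFAULT_INTERFACE = "outside"

# One "show conn" line: proto, interface, addr:port, interface, addr:port, details.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+)"
)

def expected_interface(ip):
    """Longest-prefix match against ROUTES, falling back to the default route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else DEFAULT_INTERFACE

def stale_connections(show_conn_output):
    """Return (proto, ip, recorded_iface, expected_iface) for each endpoint whose
    connection-table interface disagrees with the current routing decision."""
    findings = []
    for line in show_conn_output.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip prompts, headers and blank lines
        for side in ("a", "b"):
            ip, iface = m.group(f"ip_{side}"), m.group(f"if_{side}")
            want = expected_interface(ip)
            if iface != want:
                findings.append((m.group("proto"), ip, iface, want))
    return findings

# Constructed sample in the format of the post's "show conn" output: the first
# line is a session pinned to outside, the second one was rebuilt correctly.
SAMPLE = """\
UDP outside 10.10.6.3:6343 Transfer 10.16.90.3:1027, idle 0:00:01, bytes 11494416, flags -
UDP Transfer 10.16.10.10:1027 inside 10.10.6.3:6343, idle 0:00:00, bytes 536, flags -
"""

if __name__ == "__main__":
    for proto, ip, got, want in stale_connections(SAMPLE):
        print(f"{proto} {ip}: connection pinned to {got}, routing now says {want}")
```

Each reported address is a candidate for the same "clear conn address" the post used, so the session is rebuilt along the restored route.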
Jouni Forss
VIP Alumni