
DCE/RPC through ASA5510+ issues

jose cortes
Level 1

Hi Everybody,

We are working on an automation system from Honeywell. There is a server called eSERVER, and it should take information from another server on the control side.

The issue is: when all the devices are within the same LAN the system works perfectly. But when I put the eSERVER behind an ASA something happens and the system does not work properly.

I opened all the ports described in the Honeywell deployment guide, but it did not work. Then I opened all IP traffic through the ASA and made a packet capture to identify any issue with the communication.

I found a lot of packets with this description:

source          destination     protocol   Info
172.17.20.14    192.168.1.1     DCERPC     Request: call_id: 524 opnum: 8 ctx_id: 0
192.168.1.1     172.17.20.14    DCERPC     Response: call_id: 524 ctx_id: 0

I don't know much about the RPC protocol, and I tried to configure packet inspection with port 135/TCP, but it did not work.

Could you please shed some light on this issue? I need to know whether the problem is with the ASA or with the servers and protocols when the devices are in different IP segments.

BTW, I'm attaching the packet captures that I made on the ASA, if you want to check them.

Thanks and Regards

Jose


mirober2
Cisco Employee

Hi Jose,

I would recommend opening a TAC case to have this investigated further. The ASA has limited support for certain DCERPC calls, so it's possible that Honeywell's implementation uses UUIDs that are not supported by the inspection engine. If you have opened all ports through the ACL, you should disable the DCERPC inspection to prevent any interoperability issues.

If you leave the inspection enabled and decide to open a TAC case, you'll need to get the following:

1. Captures on the inside and outside interfaces of the ASA

2. Syslogs from the ASA during a failed connection

3. Output of the following ASA debugs:

       debug dcerpc error
       debug dcerpc event
       debug dcerpc packet

-Mike
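The two paths Mike describes, as an added ASA CLI walkthrough that is not part of the original thread or of Honeywell's or Cisco's documentation: first the way the DCERPC inspection was presumably attached to TCP/135 (the class name `dcerpc_class` is an assumption, as is the use of the default `global_policy`), then the removal of that inspection once the ACL already permits all traffic, and finally the capture, syslog and debug collection for a TAC case. Interface names `inside`/`outside`, the capture names and the TFTP server `10.0.0.5` are placeholders; the host addresses are the ones from the posted capture.

```cisco
! --- 1. How DCERPC inspection is typically attached to TCP/135 (assumed prior config) ---
class-map dcerpc_class
 match port tcp eq 135
policy-map global_policy
 class dcerpc_class
  inspect dcerpc

! --- 2. Disable the inspection when the ACL already permits everything ---
! Either drop just the inspect action from the class...
policy-map global_policy
 class dcerpc_class
  no inspect dcerpc
! ...or remove the class from the policy altogether.
policy-map global_policy
 no class dcerpc_class
! Confirm it is gone (no "Inspect: dcerpc" line should remain) and check the
! ACL/policy decision for the EPM connection with packet-tracer.
show service-policy
packet-tracer input inside tcp 172.17.20.14 49152 192.168.1.1 135

! --- 3. Evidence for a TAC case if inspection is left enabled ---
! Bidirectional captures on both interfaces for the two hosts seen in Wireshark,
! plus an ASP-drop capture so packets the ASA discards are visible with a reason.
capture capin  interface inside  match ip host 172.17.20.14 host 192.168.1.1
capture capout interface outside match ip host 172.17.20.14 host 192.168.1.1
capture capdrop type asp-drop all
! Buffer syslogs at debugging level while the failure is reproduced.
logging enable
logging buffered debugging
! The three DCERPC debugs Mike lists.
debug dcerpc error
debug dcerpc event
debug dcerpc packet
! Reproduce the failure, then collect everything and switch debugging off.
show logging | include 172.17.20.14
show conn address 172.17.20.14
show capture capin
show capture capout
show capture capdrop
copy /pcap capture:capin  tftp://10.0.0.5/capin.pcap
copy /pcap capture:capout tftp://10.0.0.5/capout.pcap
undebug all
no capture capin
no capture capout
no capture capdrop
```

Keep the debugs enabled only for the duration of the test: `debug dcerpc packet` prints every inspected PDU to the console and on a busy box can itself disrupt service. The ASP-drop capture is the quickest way to tell whether the ASA is actively discarding DCERPC packets (drop reasons such as inspection failures appear there) or simply never sees the return traffic, which would point at the servers rather than the firewall.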
