02-17-2012 10:16 AM - edited 03-11-2019 03:31 PM
Hi Everybody,
We are working on an Automation System from Honeywell. There is a server called eSERVER, and this one should take information from other server in the Control side.
The issue is: when all the devices are within the same LAN network, the system works perfectly. But when I put the eSERVER behind an ASA, something happens and the system does not work properly.
I opened all the ports described in the Honeywell deployment guide but it did not work. Then I opened all the IP traffic through the ASA and made a packet capture to identify any issue with the communication.
I found a lot of packets with this description:
source destination protocol Info
172.17.20.14 192.168.1.1 DCERPC Request: call_id: 524 opnum: 8 ctx_id: 0
192.168.1.1 172.17.20.14 DCERPC Response: call_id: 524 ctx_id: 0
I don't know much about the RPC protocol, and I tried to configure the packet inspection with port 135/TCP but it did not work.
Could you please give me a headlight on this issue? I need to know if the problem is with the ASA or with the servers and protocols when the devices are in different IP segments.
BTW I'm attaching the packet captures that I made with the ASA if you want to check them.
Thanks and Regards
Jose
02-29-2012 01:11 PM
Hi Jose,
I would recommend opening a TAC case to have this investigated further. The ASA has limited support for certain DCERPC calls, so it's possible that Honeywell's implementation uses UUIDs that are not supported by the inspection engine. If you have opened all ports through the ACL, you should disable the DCERPC inspection to prevent any interoperability issues.
If you leave the inspection enabled and decide to open a TAC case, you'll need to get the following:
1. Captures on the inside and outside interfaces of the ASA
2. Syslogs from the ASA during a failed connection
3. Output of the following ASA debugs:
debug dcerpc error
debug dcerpc event
debug dcerpc packet
-Mike
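An added example, not part of either post and not Cisco or Honeywell code: once captures exist for both ASA interfaces (item 1 above), pairing DCERPC requests with responses by call_id shows which calls crossed the firewall intact. It assumes each capture was exported as text summary lines in the format pasted in the question, that no NAT rewrites the addresses between the two interfaces, and that a call_id is not reused between the same two hosts within the capture; the function names are hypothetical.

```python
import re

# Summary-line format as pasted in the question:
#   <src> <dst> DCERPC Request: call_id: N opnum: M ctx_id: K
LINE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+DCERPC\s+"
                  r"(Request|Response):\s+call_id:\s*(\d+)")

def parse(text):
    """Map (client, server, call_id) -> set of PDU kinds seen in one capture."""
    calls = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # column header or non-DCERPC packet
        src, dst, kind, call_id = m.groups()
        # Key every PDU by the client->server direction of its call.
        client, server = (src, dst) if kind == "Request" else (dst, src)
        calls.setdefault((client, server, int(call_id)), set()).add(kind)
    return calls

def compare(inside_text, outside_text):
    """Classify each call by which ASA interface saw its request/response."""
    inside, outside = parse(inside_text), parse(outside_text)
    report = {}
    for key in sorted(set(inside) | set(outside)):
        seen_in, seen_out = inside.get(key, set()), outside.get(key, set())
        one_side_only = seen_in ^ seen_out
        if "Request" in one_side_only:
            report[key] = "request seen on one interface only"
        elif "Response" in one_side_only:
            report[key] = "response seen on one interface only"
        elif "Response" not in seen_in:
            report[key] = "no response on either interface"
        else:
            report[key] = "seen on both interfaces"
    return report

# Constructed sample exports (only the call_id 524 lines come from the post).
INSIDE = """source destination protocol Info
172.17.20.14 192.168.1.1 DCERPC Request: call_id: 524 opnum: 8 ctx_id: 0
192.168.1.1 172.17.20.14 DCERPC Response: call_id: 524 ctx_id: 0
172.17.20.14 192.168.1.1 DCERPC Request: call_id: 525 opnum: 8 ctx_id: 0
172.17.20.14 192.168.1.1 DCERPC Request: call_id: 526 opnum: 8 ctx_id: 0
"""
OUTSIDE = INSIDE + "192.168.1.1 172.17.20.14 DCERPC Response: call_id: 525 ctx_id: 0\n"

if __name__ == "__main__":
    for call, verdict in compare(INSIDE, OUTSIDE).items():
        print(call, verdict)
```

A call reported as seen on one interface only points at the ASA; a call with no response on either interface points at the servers.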