10-15-2012 03:55 AM - edited 03-11-2019 05:08 PM
Friends
In the packet-tracer failure, the traffic can get through; the unicast RPF is not dropping it.
In the packet-tracer failure, it looks like the return packet is dropped because of uRPF.
ASA1# show ip verify statistics
interface OCODC: 0 unicast rpf drops
interface Internet: 0 unicast rpf drops
interface VPN: 0 unicast rpf drops
interface P2P: 0 unicast rpf drops
interface TCSDMZ: 0 unicast rpf drops
uRPF does not show any drops. I do not see an explicit command under the interface. Is it enabled or disabled by default?
Can someone explain whether this drop is caused by RPF and how I prevent it?
Is this a problem with the way my route table is set up, or with NAT?
Regards,
vinayaka.
10-15-2012 05:05 AM
I did some additional testing and found out this is due to a NAT reverse path failure. I would need someone to explain how this is occurring for the traffic from DMZ to OCODC and not vice versa.
ASA1# show asp drop
Frame drop:
Punt rate limit exceeded (punt-rate-limit) 40799
Invalid IP header (invalid-ip-header) 36
Invalid IP length (invalid-ip-length) 4
Invalid TCP Length (invalid-tcp-hdr-length) 2282
Invalid UDP Length (invalid-udp-length) 168
No valid adjacency (no-adjacency) 18535
Flow is denied by configured rule (acl-drop) 104833232
First TCP packet not SYN (tcp-not-syn) 2080932
TCP failed 3 way handshake (tcp-3whs-failed) 46781
TCP RST/FIN out of order (tcp-rstfin-ooo) 1364
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 4
TCP SYNACK on established conn (tcp-synack-ooo) 2
TCP packet SEQ past window (tcp-seq-past-win) 18005
TCP invalid ACK (tcp-invalid-ack) 1
TCP replicated flow pak drop (tcp-fo-drop) 264
TCP RST/SYN in window (tcp-rst-syn-in-win) 326
IPSEC tunnel is down (ipsec-tun-down) 13
Slowpath security checks failed (sp-security-failed) 724091
Expired flow (flow-expired) 19
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 8260
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 302
DNS Inspect invalid packet (inspect-dns-invalid-pak) 15
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 11
DNS Inspect packet too long (inspect-dns-pak-too-long) 175
DNS Inspect id not matched (inspect-dns-id-not-matched) 37899
FP L2 rule drop (l2_acl) 5214
Interface is down (interface-down) 95
Dropped pending packets in a closed socket (np-socket-closed) 1
Last clearing: Never
Flow drop:
Flow is denied by access rule (acl-drop) 1217270
NAT reverse path failed (nat-rpf-failed) 24
Need to start IKE negotiation (need-ike) 52996
Inspection failure (inspect-fail) 2103906
No valid adjacency (no-adjacency) 18535
Last clearing: Never
Regards,
Vinayak.
10-15-2012 10:37 AM
Hello Vinaya,
Here are the NAT rules you are doing on the ASA:
static (OCODC,TCSDMZ) 172.17.50.0 10.62.253.0 netmask 255.255.255.0
static (TCSDMZ,OCODC) 172.0.0.0 172.0.0.0 netmask 255.0.0.0
So if you want to access 10.62.253.0 from TCSDMZ, you should access it by pointing to 172.17.50.0; basically you are doing the packet-tracer wrong.
Do it like this:
packet-tracer input TCSDMZ tcp 172.17.62.160 1026 172.17.50.15 80
Any other question? Sure. Just remember to rate all of my answers.
Regards,
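As an added illustration (not code from the thread or from Cisco), here is a simplified Python model of the two static rules above and of the reverse-path check behind the nat-rpf-failed counter: a flow passes only if the reply, translated the other way, lands back on the exact source and destination the client used. The model assumes one-directional static translation with matching netmasks; it ignores ACLs, routing and the other NAT types, which is why it should be read as a picture of the symptom, not as the ASA's algorithm.

```python
# Simplified model of the thread's two pre-8.3 ASA static NAT rules (assumption:
# pure static, same-size networks, no other NAT). Not Cisco code.
from ipaddress import ip_address, ip_network

# static (real_ifc,mapped_ifc) mapped_net real_net netmask ...
STATICS = [
    ("OCODC", "TCSDMZ", "172.17.50.0/24", "10.62.253.0/24"),
    ("TCSDMZ", "OCODC", "172.0.0.0/8", "172.0.0.0/8"),  # identity static
]


def _map(addr, from_net, to_net):
    """Rewrite addr from from_net into the same host offset inside to_net."""
    offset = int(ip_address(addr)) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))


def translate(ingress, egress, src, dst):
    """Return (src, dst) after NAT for a packet crossing ingress -> egress.
    Source: a static whose real side is ingress maps real -> mapped.
    Destination: a static whose mapped side is ingress un-maps mapped -> real."""
    for real_ifc, mapped_ifc, mapped, real in STATICS:
        mapped_net, real_net = ip_network(mapped), ip_network(real)
        if real_ifc == ingress and mapped_ifc == egress and ip_address(src) in real_net:
            src = _map(src, real_net, mapped_net)
        if mapped_ifc == ingress and real_ifc == egress and ip_address(dst) in mapped_net:
            dst = _map(dst, mapped_net, real_net)
    return src, dst


def flow_passes_rpf(ingress, egress, src, dst):
    """Simplified nat-rpf-failed check: translate the forward packet, then the
    reply, and require the reply to come back to the original (src, dst)."""
    t_src, t_dst = translate(ingress, egress, src, dst)
    r_src, r_dst = translate(egress, ingress, t_dst, t_src)  # reply path
    return (r_dst, r_src) == (src, dst)


if __name__ == "__main__":
    # Constructed sample flows taken from the thread's packet-tracer line.
    print(flow_passes_rpf("TCSDMZ", "OCODC", "172.17.62.160", "172.17.50.15"))  # True
    print(flow_passes_rpf("TCSDMZ", "OCODC", "172.17.62.160", "10.62.253.15"))  # False
    print(flow_passes_rpf("OCODC", "TCSDMZ", "10.62.253.15", "172.17.62.160"))  # True
```

The second call reproduces the symptom from the first posts: the TCSDMZ host aims at the real 10.62.253.15, but the reply from OCODC is translated to 172.17.50.15, so the flow is asymmetric and fails; from OCODC towards TCSDMZ the identity static keeps both directions consistent.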