Dropped by uRPF

Vinayaka Raman, Level 1
In packet tracer fail, the traffic can get through, the unicast rpf is not dropping it.

In packet tracer fail, it looks like the return packet is dropped because of uRPF.

ASA1# show ip verify statistics
interface OCODC: 0 unicast rpf drops
interface Internet: 0 unicast rpf drops
interface VPN: 0 unicast rpf drops
interface P2P: 0 unicast rpf drops
interface TCSDMZ: 0 unicast rpf drops

uRPF does not show any drops. I do not see an explicit command under the interface. Is it enabled or disabled by default?

Can someone explain if this drop is caused by RPF and how do I prevent this?

Is this a problem with the way my route table is set up, or with NAT?

Regards,

vinayaka.


Vinayaka Raman, Level 1

I did some additional testing and found out this is due to a NAT reverse path failure. I would need someone to explain how this is occurring for the traffic from DMZ to OCODC and not vice versa.

ASA1# show asp drop

Frame drop:
Punt rate limit exceeded (punt-rate-limit)                               40799
Invalid IP header (invalid-ip-header)                                       36
Invalid IP length (invalid-ip-length)                                        4
Invalid TCP Length (invalid-tcp-hdr-length)                               2282
Invalid UDP Length (invalid-udp-length)                                    168
No valid adjacency (no-adjacency)                                        18535
Flow is denied by configured rule (acl-drop)                         104833232
First TCP packet not SYN (tcp-not-syn)                                 2080932
TCP failed 3 way handshake (tcp-3whs-failed)                             46781
TCP RST/FIN out of order (tcp-rstfin-ooo)                                 1364
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                             4
TCP SYNACK on established conn (tcp-synack-ooo)                              2
TCP packet SEQ past window (tcp-seq-past-win)                            18005
TCP invalid ACK (tcp-invalid-ack)                                            1
TCP replicated flow pak drop (tcp-fo-drop)                                 264
TCP RST/SYN in window (tcp-rst-syn-in-win)                                 326
IPSEC tunnel is down (ipsec-tun-down)                                       13
Slowpath security checks failed (sp-security-failed)                    724091
Expired flow (flow-expired)                                                 19
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)       8260
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn)  302
DNS Inspect invalid packet (inspect-dns-invalid-pak)                        15
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)         11
DNS Inspect packet too long (inspect-dns-pak-too-long)                     175
DNS Inspect id not matched (inspect-dns-id-not-matched)                  37899
FP L2 rule drop (l2_acl)                                                  5214
Interface is down (interface-down)                                          95
Dropped pending packets in a closed socket (np-socket-closed)                1
Last clearing: Never

Flow drop:
Flow is denied by access rule (acl-drop)                               1217270
NAT reverse path failed (nat-rpf-failed)                                    24
Need to start IKE negotiation (need-ike)                                 52996
Inspection failure (inspect-fail)                                      2103906
No valid adjacency (no-adjacency)                                        18535
Last clearing: Never

Regards,

Vinayak.

Hello Vinayak,

Here are the NAT rules you have on the ASA:

static (OCODC,TCSDMZ) 172.17.50.0 10.62.253.0 netmask 255.255.255.0
static (TCSDMZ,OCODC) 172.0.0.0 172.0.0.0 netmask 255.0.0.0

So if you want to access 10.62.253.0 from TCSDMZ, you should point at 172.17.50.0 instead; basically, you are running the packet-tracer wrong.

Do it like this:

packet-tracer input TCSDMZ tcp 172.17.62.160 1026 172.17.50.15 80

Any other question? Sure. Just remember to rate all of my answers.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
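To show why Vinayak's second post sees nat-rpf-failed only for DMZ-to-OCODC traffic, and why Julio's corrected packet-tracer succeeds, here is an added worked example that is not part of the thread and not Cisco code. It is a simplified Python model of the two classic static rules quoted above: each packet is translated on the way out, then the reply is translated on the way back, and the result is compared with the addresses the client originally used. The function names (translate, check_reverse_path), the StaticNat class and the treatment of a mismatch as nat-rpf-failed are assumptions of this model, not the ASA's actual implementation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the two classic (pre-8.3 syntax) static rules from the thread:
#   static (OCODC,TCSDMZ) 172.17.50.0 10.62.253.0 netmask 255.255.255.0
#   static (TCSDMZ,OCODC) 172.0.0.0   172.0.0.0   netmask 255.0.0.0
# The syntax is 'static (real_if,mapped_if) mapped real netmask m': hosts in
# real_net behind real_if are reachable from mapped_if at addresses in mapped_net.


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    real_net: ipaddress.IPv4Network
    mapped_net: ipaddress.IPv4Network


RULES = [
    StaticNat("OCODC", "TCSDMZ",
              ipaddress.ip_network("10.62.253.0/24"),
              ipaddress.ip_network("172.17.50.0/24")),
    StaticNat("TCSDMZ", "OCODC",
              ipaddress.ip_network("172.0.0.0/8"),
              ipaddress.ip_network("172.0.0.0/8")),   # identity (no-op) translation
]


def _shift(addr, from_net, to_net):
    """Carry addr's host offset inside from_net over to the same offset in to_net."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def translate(in_if, out_if, src, dst, rules=RULES):
    """Apply static NAT to one packet entering in_if and leaving out_if.

    Source side: a rule whose real interface is in_if and mapped interface is
    out_if rewrites a real source into its mapped form.  Destination side: a
    rule whose mapped interface is in_if and real interface is out_if turns a
    mapped destination back into the real host.  Returns (new_src, new_dst)
    as dotted strings.  Simplified model: first matching rule wins.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    new_src, new_dst = src, dst
    for r in rules:
        if r.real_if == in_if and r.mapped_if == out_if and src in r.real_net:
            new_src = _shift(src, r.real_net, r.mapped_net)
            break
    for r in rules:
        if r.mapped_if == in_if and r.real_if == out_if and dst in r.mapped_net:
            new_dst = _shift(dst, r.mapped_net, r.real_net)
            break
    return str(new_src), str(new_dst)


def check_reverse_path(in_if, out_if, src, dst, rules=RULES):
    """Forward the packet, translate the reply, and verify the reply lands on
    the addresses the client used.  A mismatch is what this model reports as
    nat-rpf-failed (the 'NAT reverse path failed' counter in 'show asp drop')."""
    fwd_src, fwd_dst = translate(in_if, out_if, src, dst, rules)
    rep_src, rep_dst = translate(out_if, in_if, fwd_dst, fwd_src, rules)
    if rep_src == dst and rep_dst == src:
        return "PASS"
    return "nat-rpf-failed"


if __name__ == "__main__":
    cases = [
        ("TCSDMZ", "OCODC", "172.17.62.160", "10.62.253.15"),   # real address from DMZ
        ("TCSDMZ", "OCODC", "172.17.62.160", "172.17.50.15"),   # mapped address (Julio's command)
        ("OCODC", "TCSDMZ", "10.62.253.15", "172.17.62.160"),   # opposite direction
    ]
    for in_if, out_if, src, dst in cases:
        print(f"{in_if} -> {out_if}  {src} -> {dst}: "
              f"{check_reverse_path(in_if, out_if, src, dst)}")
```

Running it shows the asymmetry the thread asks about: a DMZ host sending to 10.62.253.15 gets its packet forwarded untranslated, but the reply from OCODC is rewritten to source 172.17.50.15, which no longer matches the client's original destination, so the model flags nat-rpf-failed. Sending to 172.17.50.15 instead is untranslated to 10.62.253.15 on the way out and translated back on the way in, and traffic originating on OCODC is symmetric from the start.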