Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1030
Views
0
Helpful
2
Replies

FPR 6.7 - NAT for UDP port 12446 not working.

Xividar
Level 1
Level 1

‎03-15-2021 07:22 AM

Hi Guys,

I have x3 Cisco SD-WAN controllers behind my FirePower. I have a 1:1 NAT for each controller, if I send ICMP from my vManage, I can see the packets getting translated to my public address, no issue there. However, any UDP packets generated from vManage do not get translated, specifically UDP with a source 12446.

Is there anything specific to UDP port 12446? These packets would be to initiate a DTLS connection from my C-Edge through the FirePower.

Cheers.

0 Helpful
2 Replies 2

Sheraz.Salim
VIP
VIP

‎03-15-2021 03:17 PM

check this link might help you https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/214517-vedge-can-t-establish-ipsec-tunnel-if-on.html

 

otherwise setup the capture on ASA or capture the ASP drops. but dont think ASA will drop or temper the UDP.

please do not forget to rate.
0 Helpful

Xividar
Level 1
Level 1
In response to Sheraz.Salim

‎03-16-2021 01:08 AM

Hey @Sheraz.Salim I saw this document, helpful, but not applicable in my case.


And this is not for ASA, it's for FirePower. I tried the same setup on ASA, and it works 100% fine, so it is something with FirePower for sure. Like I said, if I take a packet capture in my core, UDP packets from vManage though FirePower are NOT NAT'd. ICMP packets from vManage ARE NAT'd.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card