Intra-Interface-Traffic fails at first try - second try works

Philipp_Flesch · ‎07-12-2012

Hi,

we are running two ASA5550 as fail-over.

Everything works fine. But there is still a little "bug".

[...]

same-security-traffic permit intra-interface

[...]

is enabled.

Now, let's open an PostgreSQL-Connection from 10.10.1.22 to 10.10.1.8 (same subnet, same interface "IT").

First try (using psql for a connection), I get

[...]

11:27:56|106015|10.10.1.22|51019|10.10.1.8|5432|Deny TCP (no connection) from 10.10.1.22/51019 to 10.10.1.8/5432 flags RST on interface IT

11:27:56|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800318 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O

11:27:56|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800318 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)

11:27:53|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800140 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O

11:27:53|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800140 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)

[...]

in the ASA log.

psql now runs into a time out.

Starting the second try, the ASA doesn't report any packets and the connection is established.

Luis Silva Benavides · ‎07-13-2012

Phillip,

Based on the syslogs the reset packet is coming from another device "Reset-O". The best way to troubleshoot this issue will be applying captures on the IT interface in order to track the source MAC of the reset and to have a better picture of the traffic flow.

Luis Silva