03-02-2016 09:31 PM - edited 03-12-2019 12:26 AM
I am showing significant drops in NAT reverse failure and trying to figure out where the issue is.
Show ASP Drop
Flow is denied by configured rule (acl-drop) 6676289
NAT reverse path failed (nat-rpf-failed) 1075090
Objects
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Subnet
subnet 192.168.0.0 255.255.0.0
object network wls_sub
subnet 192.168.10.0 255.255.255.0
object network lan_sub
subnet 192.168.0.0 255.255.255.0
object network DMZ1
host 192.168.0.100
object network DMZ2
range 192.168.0.50
object network VPN
subnet 192.168.1.0 255.255.255.0
object network serv-1
host 192.168.0.100
object network serv-1-ext
host a.b.c.d
object network serv-1
host 192.168.0.50
object network serv-1-ext
host a.b.c.d
object network corp_inside
subnet 192.168.0.0 255.255.255.0
object-group network REMOTE_SUBNET
network-object 192.168.51.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
ACL
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list acl-inside extended permit ip any any
access-list acl-inside extended permit icmp any any
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq https
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq imap4
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq 9833
access-list outside_access_in extended permit udp any host 192.168.0.100 eq 9833
access-list outside_access_in extended permit tcp any host 192.168.0.50 eq 3389
access-list outside_access_in extended permit udp any host 192.168.0.50 eq 3389
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
access-list internal_traffic extended permit ip 192.168.0.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list wifi_access_in extended permit ip interface wifi interface inside
access-list wifi_access_in extended permit ip interface inside interface wifi
access-list wifi_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list wifi_access_in extended permit ip 192.168.100.0 255.255.255.0 any
NAT
nat (inside,outside) source static Inside_Subnet Inside_Subnet destination static REM_SUB REM_SUB no-proxy-arp route-lookup
nat (wifi,outside) source static wls_sub wls_sub destination static REM_SUB REM_SUB no-proxy-arp route-lookup
nat (wifi,inside) source static wls_sub wls_sub destination static lan_sub lan_sub no-proxy-arp route-lookup
nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN
nat (any,any) source static DMZ2 DMZ2
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (inside,inside) source dynamic Inside_Subnet interface destination static serv-1-ext serv-1
nat (wifi,inside) source dynamic wls_sub interface destination static serv-1-ext serv-1
nat (outside,inside) source dynamic any interface destination static serv-1-ext serv-1
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp
nat (inside,wifi) source static lan_sub lan_sub destination static wls_sub wls_sub no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network serv-2
nat (inside,outside) static serv-2-ext
object network corp_inside
nat (outside,outside) dynamic interface
object network serv-1
nat (inside,outside) static serv-1-ext
03-02-2016 09:40 PM
Have you ever cleared these counters? Issue the command "clear asp drop" and then monitor to see how fast this increments.
Could you post the actual log you are seeing please.
--
Please remember to select a correct answer and rate helpful posts
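To put numbers on the "clear and monitor" step, here is an added example (not from any post in this thread) that parses two "show asp drop" captures taken a known interval apart and reports each drop reason's per-second growth. The captures and their timestamps are constructed in the thread's output format; the 5/s threshold is an assumed value.

```python
import re
from datetime import datetime
# Two "show asp drop" captures, constructed for this example in the format the
# thread shows; the capture times are assumed, since the ASA output does not
# timestamp the capture itself (only "Last clearing" is stamped).
SNAP_T0 = ("2016-03-03 00:46:52", """\
Frame drop:
  Flow is denied by configured rule (acl-drop)               198
  FP L2 rule drop (l2_acl)                                   177
Flow drop:
  NAT reverse path failed (nat-rpf-failed)                   104
""")
SNAP_T1 = ("2016-03-03 00:47:52", """\
Frame drop:
  Flow is denied by configured rule (acl-drop)              1398
  FP L2 rule drop (l2_acl)                                  1077
Flow drop:
  NAT reverse path failed (nat-rpf-failed)                   704
  Inspection failure (inspect-fail)                           10
""")

COUNTER_RE = re.compile(r"\((?P<name>[a-z0-9_-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Map each drop reason's short name (the token in parentheses) to its count."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters

def drop_rates(snap_a, snap_b):
    """Per-second growth of each counter between two (time, text) captures.
    A reason absent from the first capture counts from 0 (it first occurred after the clear)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    secs = (datetime.strptime(snap_b[0], fmt) - datetime.strptime(snap_a[0], fmt)).total_seconds()
    if secs <= 0:
        raise ValueError("second capture must be later than the first")
    before, after = parse_asp_drop(snap_a[1]), parse_asp_drop(snap_b[1])
    return {name: (after[name] - before.get(name, 0)) / secs for name in after}

def hot_counters(rates, per_sec=5.0):
    """Drop reasons growing at or above the threshold, fastest first."""
    return sorted((n for n, r in rates.items() if r >= per_sec), key=lambda n: -rates[n])

if __name__ == "__main__":
    rates = drop_rates(SNAP_T0, SNAP_T1)
    print({n: round(rates[n], 2) for n in hot_counters(rates)})
```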
03-02-2016 09:48 PM
This is after 10 seconds:
Frame drop:
No route to host (no-route) 2
Flow is denied by configured rule (acl-drop) 198
First TCP packet not SYN (tcp-not-syn) 22
TCP RST/FIN out of order (tcp-rstfin-ooo) 1
Slowpath security checks failed (sp-security-failed) 109
FP L2 rule drop (l2_acl) 177
Last clearing: 00:46:42 EST Mar 3 2016 by enable_15
Flow drop:
NAT reverse path failed (nat-rpf-failed) 104
Last clearing: 00:46:42 EST Mar 3 2016 by enable_15
03-02-2016 09:52 PM
Could you post the actual log messages that you are seeing please.
--
Please remember to select a correct answer and rate helpful posts
03-02-2016 10:52 PM
I apologize, when you say actual log, what are you referring to? The response above is the complete response from "show asp drop".
Here is current:
asa5506# show asp drop
Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 1
No route to host (no-route) 206
Flow is denied by configured rule (acl-drop) 10662
First TCP packet not SYN (tcp-not-syn) 181
TCP RST/FIN out of order (tcp-rstfin-ooo) 18
TCP RST/SYN in window (tcp-rst-syn-in-win) 3
TCP packet failed PAWS test (tcp-paws-fail) 1
Slowpath security checks failed (sp-security-failed) 6529
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 2
DNS Inspect id not matched (inspect-dns-id-not-matched) 22
FP L2 rule drop (l2_acl) 8438
Last clearing: 00:46:42 EST Mar 3 2016 by enable_15
Flow drop:
NAT reverse path failed (nat-rpf-failed) 5232
Inspection failure (inspect-fail) 10
Last clearing: 00:46:42 EST Mar 3 2016 by enable_15
03-04-2016 03:28 PM
When I refer to log I mean the drops you would see in show log output. Are you experiencing any issues with connectivity in your network? Or are you just seeing these ASP drops?
--
Please remember to select a correct answer and rate helpful posts
03-06-2016 09:04 AM
We are showing issues within the network on connectivity. Primary NAS seems to work no issues when users on inside connection are using it only, but for some reason when a wireless user connects to it there then seems to be a lag for both the wireless and inside users trying to access that NAS. NAS is running Windows 2012 Storage Server.
03-06-2016 02:30 AM
Hi,
First of all, please make the changes below if possible. Manual NAT always takes preference over Object NAT and they are always processed from TOP to Bottom. It doesn't process them on the basis of Dynamic or Static. It processes whichever comes first, so also try to make Object NATs when you are not using the 'destination' keyword or, in other words, when you are not performing destination NAT.
Also, when you are using identity NAT, then always use no-proxy-arp route-lookup.
So..
nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN no-proxy-arp route-lookup
nat (any,any) source static DMZ2 DMZ2 no-proxy-arp route-lookup
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (inside,inside) source dynamic Inside_Subnet interface destination static serv-1-ext serv-1
nat (wifi,inside) source dynamic wls_sub interface destination static serv-1-ext serv-1
nat (outside,inside) source dynamic any interface destination static serv-1-ext serv-1
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp route-lookup
Hope it would help.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
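A configuration check for the identity-NAT point above, added here as an example and not part of any post in this thread: it parses a subset of the manual NAT lines the original poster shared, keeps them in their top-to-bottom evaluation order, and flags identity rules that lack no-proxy-arp or route-lookup. Object and interface names are the thread's; the parser is my own.

```python
import re

# Manual (twice) NAT lines, copied from the configuration posted in this thread
# (section 1 of the ASA NAT table, evaluated top to bottom before object NAT).
MANUAL_NAT = """\
nat (inside,outside) source static Inside_Subnet Inside_Subnet destination static REM_SUB REM_SUB no-proxy-arp route-lookup
nat (wifi,outside) source static wls_sub wls_sub destination static REM_SUB REM_SUB no-proxy-arp route-lookup
nat (wifi,inside) source static wls_sub wls_sub destination static lan_sub lan_sub no-proxy-arp route-lookup
nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN
nat (any,any) source static DMZ2 DMZ2
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (inside,inside) source dynamic Inside_Subnet interface destination static serv-1-ext serv-1
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp
nat (inside,wifi) source static lan_sub lan_sub destination static wls_sub wls_sub no-proxy-arp route-lookup
"""

NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source (?P<kind>static|dynamic) "
    r"(?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$")

def parse_manual_nat(text):
    """Return one dict per manual NAT line, in configured (evaluation) order."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = NAT_RE.match(line.strip())
        if m:
            rules.append({"line": n, **m.groupdict()})
    return rules

def is_identity(rule):
    """Identity NAT: a static source rule whose real and mapped objects are the same."""
    return rule["kind"] == "static" and rule["real"] == rule["mapped"]

def lint_identity_nat(rules):
    """Identity NAT rules missing the no-proxy-arp and/or route-lookup keywords
    that the advice above recommends on every identity rule."""
    findings = []
    for r in rules:
        if not is_identity(r):
            continue
        missing = [kw for kw in ("no-proxy-arp", "route-lookup") if kw not in r["rest"].split()]
        if missing:
            findings.append((r["line"], r["real"], missing))
    return findings

if __name__ == "__main__":
    for line, obj, missing in lint_identity_nat(parse_manual_nat(MANUAL_NAT)):
        print(f"line {line}: identity NAT for {obj} is missing {' '.join(missing)}")
```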
03-02-2016 09:45 PM
Hi D Blum,
Adding to what Marius said.
Would you be able to run a packet
I'd rather have these nat
"
nat
nat
nat
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-02-2016 10:21 PM
What packet tracers would you recommend?
In what way would you make the nat statements for specific?
Thank you