Policy Based Routing - Layer-4 Suspected

netbeginner
Level 2

Dear Experts,

Facing an issue with an ASA using policy-based routing (between an MPLS cloud link and a conventional point-to-point leased line).

We are able to influence the traffic as required with PBR, but suspect an issue somewhere at layer 4.

Source address: 10.10.2.10 (at remote end network)

Destination end: 10.20.9.79 (local server)

Destination port: 3389 TCP

Below are the logs captured during testing. We suspect the reverse traffic is having some issue.

 874: 16:36:57.938351        10.10.2.10.54323 > 10.20.9.79.3389: S 2139537486:2139537486(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
 875: 16:36:57.938565       10.20.9.79.3389 >  10.10.2.10.54323: S 765832908:765832908(0) ack 2139537487 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 876: 16:37:00.260454       10.20.9.79 >  10.10.2.10: icmp: echo request
 877: 16:37:00.946133       10.20.9.79.3389 >  10.10.2.10.54323: S 765832908:765832908(0) ack 2139537487 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 878: 16:37:00.948284       10.10.2.10.54323 > 10.20.9.79.3389: S 2139537486:2139537486(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
 879: 16:37:04.253023       10.20.9.79 >  10.10.2.10: icmp: echo request
 880: 16:37:06.950375       10.20.9.79.3389 >  10.10.2.10.54323: S 765832908:765832908(0) ack 2139537487 win 8192 <mss 1460,nop,nop,sackOK>
 881: 16:37:06.951946       10.10.2.10.54323 > 10.20.9.79.3389: S 2139537486:2139537486(0) win 8192 <mss 1380,nop,nop,sackOK>
 882: 16:37:21.541399       10.20.9.79.8409 >  10.10.2.10.22: S 3461016213:3461016213(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 883: 16:37:24.526339       10.20.9.79.8409 >  10.10.2.10.22: S 3461016213:3461016213(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 884: 16:37:26.580017       10.10.2.10.54324 > 10.20.9.79.33: S 986671988:986671988(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
 885: 16:37:26.580139       10.20.9.79.33 >  10.10.2.10.54324: R 0:0(0) ack 986671989 win 0

Please analyse and suggest the possible cause.

Rgds

***

Accepted Solution

Rishabh Seth
Level 7

Hi,

 874: 16:36:57.938351        10.10.2.10.54323 > 10.20.9.79.3389: S 2139537486:2139537486(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
 875: 16:36:57.938565       10.20.9.79.3389 >  10.10.2.10.54323: S 765832908:765832908(0) ack 2139537487 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
 876: 16:37:00.260454       10.20.9.79 >  10.10.2.10: icmp: echo request

From the captures above it looks like the issue is with the 10.20.9.79 to 10.10.2.10 communication.

Can you check the captures on the ingress and egress interfaces to see which device is not responding, and also confirm whether the ASA is forwarding all the packets in both directions or dropping any?

Also as p.dath mentioned in his comment, be more descriptive while posting question so that we can help you better.

Thanks,

Rishabh Seth 

Rate if it helps.

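As an added example (not code from the thread or from Cisco), here is a small Python script that reads ASA `show capture` text in the format posted above and applies the same reasoning as the answer: for each TCP flow it records whether a SYN-ACK was sent and whether the initiator ever acknowledged it, and it counts ICMP echo requests against replies per host pair. The sample lines are the twelve frames from the question with whitespace normalised; the regexes assume the tcpdump-style layout the ASA prints, which is an assumption of this example rather than something the thread states.

```python
"""Classify TCP handshakes and ICMP echoes in ASA 'show capture' text output.

Added example, not code from the thread. The sample below is constructed from
the twelve frames posted in the question (whitespace normalised), and the
regexes assume the tcpdump-style layout the ASA prints for 'show capture'.
"""
import re
from collections import defaultdict

# Constructed sample input: the frames from the original post.
SAMPLE_CAPTURE = """\
874: 16:36:57.938351 10.10.2.10.54323 > 10.20.9.79.3389: S 2139537486:2139537486(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
875: 16:36:57.938565 10.20.9.79.3389 > 10.10.2.10.54323: S 765832908:765832908(0) ack 2139537487 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
876: 16:37:00.260454 10.20.9.79 > 10.10.2.10: icmp: echo request
877: 16:37:00.946133 10.20.9.79.3389 > 10.10.2.10.54323: S 765832908:765832908(0) ack 2139537487 win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
878: 16:37:00.948284 10.10.2.10.54323 > 10.20.9.79.3389: S 2139537486:2139537486(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
879: 16:37:04.253023 10.20.9.79 > 10.10.2.10: icmp: echo request
880: 16:37:06.950375 10.20.9.79.3389 > 10.10.2.10.54323: S 765832908:765832908(0) ack 2139537487 win 8192 <mss 1460,nop,nop,sackOK>
881: 16:37:06.951946 10.10.2.10.54323 > 10.20.9.79.3389: S 2139537486:2139537486(0) win 8192 <mss 1380,nop,nop,sackOK>
882: 16:37:21.541399 10.20.9.79.8409 > 10.10.2.10.22: S 3461016213:3461016213(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
883: 16:37:24.526339 10.20.9.79.8409 > 10.10.2.10.22: S 3461016213:3461016213(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
884: 16:37:26.580017 10.10.2.10.54324 > 10.20.9.79.33: S 986671988:986671988(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
885: 16:37:26.580139 10.20.9.79.33 > 10.10.2.10.54324: R 0:0(0) ack 986671989 win 0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TCP_RE = re.compile(
    rf"^\s*\d+:\s+\S+\s+(?P<sip>{IP})\.(?P<sport>\d+)\s+>\s+(?P<dip>{IP})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)(?:\s+\d+:\d+\(\d+\))?(?:\s+ack\s+(?P<ack>\d+))?"
)
ICMP_RE = re.compile(
    rf"^\s*\d+:\s+\S+\s+(?P<sip>{IP})\s+>\s+(?P<dip>{IP}):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)


def _new_state():
    return {"syn": 0, "synack": 0, "syn_after_synack": 0, "ack": 0, "rst": 0}


def _verdict(st):
    if st["rst"]:
        return "refused: responder answered with RST"
    if not st["synack"]:
        return "no SYN-ACK seen: responder or forward path not answering"
    if st["ack"]:
        return "handshake completed"
    if st["syn_after_synack"]:
        return ("SYN-ACK sent but initiator kept retransmitting SYN: "
                "return path responder->initiator is failing")
    return "SYN-ACK sent, no ACK seen yet"


def analyse_handshakes(text):
    """Return {(initiator, iport, responder, rport): verdict} for every SYN-initiated flow."""
    flows = {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        flags, acked = m["flags"], m["ack"] is not None
        fwd = (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        if fwd in flows or ("S" in flags and not acked):
            st = flows.setdefault(fwd, _new_state())  # initiator -> responder
            if "S" in flags and not acked:
                st["syn"] += 1
                if st["synack"]:
                    st["syn_after_synack"] += 1  # a SYN-ACK was already sent; it never arrived
            elif acked:
                st["ack"] += 1  # third leg of the handshake (or later data)
        elif rev in flows:
            st = flows[rev]  # responder -> initiator
            if "S" in flags and acked:
                st["synack"] += 1
            elif "R" in flags:
                st["rst"] += 1
    return {k: _verdict(v) for k, v in flows.items()}


def echo_balance(text):
    """Return {(requester, target): (echo requests, echo replies)} per host pair."""
    out = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue
        if m["kind"] == "request":
            out[(m["sip"], m["dip"])][0] += 1
        else:
            out[(m["dip"], m["sip"])][1] += 1  # a reply counts for the original requester
    return {k: tuple(v) for k, v in out.items()}


if __name__ == "__main__":
    for flow, verdict in analyse_handshakes(SAMPLE_CAPTURE).items():
        print("%s:%d -> %s:%d  %s" % (*flow, verdict))
    for (src, dst), (req, rep) in echo_balance(SAMPLE_CAPTURE).items():
        print(f"icmp {src} -> {dst}: {req} request(s), {rep} reply(ies)")
```

Run against the thread's frames, it reports the 3389 flow as a SYN-ACK that was sent while the initiator kept retransmitting its SYN, the probe from 10.20.9.79 to 10.10.2.10:22 as never answered, and two echo requests from 10.20.9.79 with no reply; every unanswered packet travels in the 10.20.9.79 to 10.10.2.10 direction, while the RST to port 33 shows the forward direction working. On the ASA itself the equivalent check is a `capture` on both the inside and outside interfaces for the same host pair, together with `show asp drop`: a return frame present on the inside capture but missing from the outside capture was dropped by the firewall (where the PBR lookup happens), while a frame that leaves the outside interface and never draws a reply points to the next hop the PBR selects rather than to the ASA.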

3 Replies

Philip D'Ath
VIP Alumni

You haven't said what is not actually working.  You need to say what the actual problem is.  What is not working.

netbeginner
Level 2

Hi Rishab / P.Dath,

Your assumption seems to be correct. Please find the setup below for more clarity.

1) For the point-to-point link: (10.10.2.10.5) Remote site network --> P2P link <-- our end router --> Cisco 2900 switch --> (Outside) ASA 5500 (Inside) --> core switch --> access switch --> server farm (our end, e.g. 10.20.9.79 etc.).

2) For the MPLS setup: (10.10.2.10.5) Remote site network --> MPLS cloud <-- our end UTM device (other manufacturer) --> Cisco 28900 switch --> (Outside) ASA 5500 (Inside) --> core switch --> access switch --> server farm (our end, e.g. 10.20.9.79 etc.).

The ASA is the central point for diverting traffic towards the P2P link or towards the MPLS link. For the majority of traffic we are pointing the traffic flow towards the P2P link, but for some specific IPs we are using PBR on the ASA 5500 and accordingly applying the PBR or ACL. In fact we do influence the traffic with PBR as expected, but somehow end-to-end communication is not happening over MPLS with PBR.

For communication between 10.20.9.79 & 10.10.2.10.5 we have the PBR below on the ASA.

access-list specific extended permit ip host 10.20.9.79 host 10.10.2.10.5

One thing to note here: when we remove this PBR and configure a static route on the ASA for 10.10.2.10.5/32 towards the outside interface, everything starts working.

Rgds

***
