Strange problem with ASA in transparent mode, need help

mhcnetadmin
Level 1

Hi All,

I have this strange problem with my ASA. I have configured the ASA in transparent mode with inside and outside interfaces, an ACL, and an inspection policy to block some sites. On my LAN I have 2 Exchange Server 2010 (VMware) machines configured as a cluster.

When we connected the ASA to the network (inside to the switch, outside to the internet router), Outlook on the LAN PCs started to disconnect and reconnect every 1 minute or so; when turning off the ASA the problem goes away!!! So I tried the following: I disconnected the outside interface and reconnected the router to the switch directly, but the problem persists, and in the log of the ASA there were the following:

192.168.12.218 is the IP address of the Exchange cluster.

----------------------------------------------------------------------------

192.168.12.218|60098|Deny TCP (no connection) from 192.168.12.116/52892 to 192.168.12.218/60098 flags RST ACK  on interface inside

6|Mar 12 2015|11:58:32|106015|192.168.12.116|54159|192.168.12.218|135|Deny TCP (no connection) from 192.168.12.116/54159 to 192.168.12.218/135 flags RST ACK  on interface inside
6|Mar 12 2015|11:58:31|106015|192.168.12.128|58399|192.168.12.218|135|Deny TCP (no connection) from 192.168.12.128/58399 to 192.168.12.218/135 flags RST  on interface inside
6|Mar 12 2015|11:58:31|106015|192.168.12.128|58399|192.168.12.218|135|Deny TCP (no connection) from 192.168.12.128/58399 to 192.168.12.218/135 flags RST  on interface inside
6|Mar 12 2015|11:58:31|106015|192.168.12.128|58399|192.168.12.218|135|Deny TCP (no connection) from 192.168.12.128/58399 to 192.168.12.218/135 flags FIN ACK  on interface inside
6|Mar 12 2015|11:58:30|302016|224.0.0.252|5355|192.168.12.173|50769|Teardown UDP connection 483 for outside:224.0.0.252/5355 to inside:192.168.12.173/50769 duration 0:02:04 bytes 50
6|Mar 12 2015|11:58:30|302016|224.0.0.252|5355|192.168.12.173|59923|Teardown UDP connection 482 for outside:224.0.0.252/5355 to inside:192.168.12.173/59923 duration 0:02:04 bytes 50
6|Mar 12 2015|11:58:30|302014|192.168.12.218|60198|192.168.12.117|51438|Teardown TCP connection 628 for outside:192.168.12.218/60198 to inside:192.168.12.117/51438 duration 0:00:30 bytes 0 SYN Timeout
6|Mar 12 2015|11:58:29|106015|192.168.12.116|54162|192.168.12.218|60198|Deny TCP (no connection) from 192.168.12.116/54162 to 192.168.12.218/60198 flags PSH ACK  on interface inside
6|Mar 12 2015|11:58:29|106015|192.168.12.116|54160|192.168.12.218|60198|Deny TCP (no connection) from 192.168.12.116/54160 to 192.168.12.218/60198 flags PSH ACK  on interface inside
6|Mar 12 2015|11:58:29|302014|192.168.12.218|60198|192.168.12.117|51435|Teardown TCP connection 627 for outside:192.168.12.218/60198 to inside:192.16.12.117/51435 duration 0:00:30 bytes 0 SYN Timeout
6|Mar 12 2015|11:58:29|302014|192.168.12.218|135|192.168.12.117|51434|Teardown TCP connection 626 for outside:192.168.12.218/135 to inside:192.168.12.117/51434 duration 0:00:30 bytes 0 SYN Timeout
6|Mar 12 2015|11:58:27|302014|192.168.12.218|60198|192.168.12.116|54162|Teardown TCP connection 621 for outside:192.168.12.218/60198 to inside:192.168.12.116/54162 duration 0:00:30 bytes 0 SYN Timeout

----------------------------------------------------------------------------

I have changed the inside port to another interface; I also disabled proxy ARP on the ASA and deleted the inspection policy.

The thing that confuses me is why I still have these logs on the ASA although the traffic is not going through it?? And why is there a deny action from and to the Exchange cluster?

I really appreciate your help because I am out of ideas.

Thanks
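An added log-triage script (my example, not the poster's or Cisco's) that parses the pipe-delimited ASA export in the format quoted above and groups the 106015 "no connection" denies and 302014 SYN Timeout teardowns per host, so the hosts whose traffic the firewall is only seeing one side of stand out before any TCP state bypass class is scoped. The sample lines are constructed after the ones in the post, and the field order (severity|date|time|msgid|src|sport|dst|dport|message) is assumed from them.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the pipe-delimited export quoted in
# the post; the last one is deliberately truncated like the first line there.
SAMPLE_LOG = """\
6|Mar 12 2015|11:58:32|106015|192.168.12.116|54159|192.168.12.218|135|Deny TCP (no connection) from 192.168.12.116/54159 to 192.168.12.218/135 flags RST ACK  on interface inside
6|Mar 12 2015|11:58:31|106015|192.168.12.128|58399|192.168.12.218|135|Deny TCP (no connection) from 192.168.12.128/58399 to 192.168.12.218/135 flags FIN ACK  on interface inside
6|Mar 12 2015|11:58:30|302016|224.0.0.252|5355|192.168.12.173|50769|Teardown UDP connection 483 for outside:224.0.0.252/5355 to inside:192.168.12.173/50769 duration 0:02:04 bytes 50
6|Mar 12 2015|11:58:29|302014|192.168.12.218|60198|192.168.12.117|51435|Teardown TCP connection 627 for outside:192.168.12.218/60198 to inside:192.168.12.117/51435 duration 0:00:30 bytes 0 SYN Timeout
192.168.12.218|60098|Deny TCP (no connection) from 192.168.12.116/52892 to 192.168.12.218/60098 flags RST ACK  on interface inside
"""

FLAGS_RE = re.compile(r"flags (.+?)\s+on interface (\S+)")


def parse_line(line):
    """Split one export line into fields; None for truncated lines."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    _sev, _date, _time, msgid, src, sport, dst, dport, msg = parts
    return {"msgid": msgid, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "msg": msg}


def triage(text):
    """Per host: 106015 'no connection' denies aimed at it, the TCP flags those
    segments carried, and 302014 SYN Timeout teardowns it was an endpoint of.
    Mid-stream segments with no state plus handshakes that never complete is
    the signature of a path the ASA sees only one direction of."""
    report = defaultdict(lambda: {"no_conn": 0, "flags": set(), "syn_timeout": 0})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["msgid"] == "106015":
            entry = report[ev["dst"]]
            entry["no_conn"] += 1
            m = FLAGS_RE.search(ev["msg"])
            if m:
                entry["flags"].add(m.group(1).strip())
        elif ev["msgid"] == "302014" and ev["msg"].endswith("SYN Timeout"):
            # Either end of a half-open handshake may be the asymmetric one.
            for host in (ev["src"], ev["dst"]):
                report[host]["syn_timeout"] += 1
    return dict(report)


def bypass_candidates(report):
    """Hosts showing both symptoms: scope a state-bypass class to these (or
    fix the underlying NLB/switch flooding) rather than to the whole LAN."""
    return sorted(h for h, e in report.items() if e["no_conn"] and e["syn_timeout"])
```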


13 Replies

Andre Neethling
Level 4

Are you using your ASA as a default gateway for the inside network?

As I said, it is in transparent mode; the DG is the internet router, and I have disconnected the ASA from the router and still have logs from and to the Exchange.

Hi. I've had some similar behavior with an ASA. Try creating a new service policy. Use an ACL to match any traffic with your Exchange cluster as a destination, and your Exchange cluster as a source. Then you apply TCP state bypass to the rule, so it won't look for the connection in the state table. This is strange behavior indeed... but I have seen something like this before.

Just for the sake of understanding your architecture: what are you using as a clustering mechanism for your Exchange servers? I ask because Microsoft NLB does some strange things with the MAC address in this case.

Thank you very much for your answer. Well, I didn't configure Exchange, but I think they have configured it using Microsoft NLB between the two servers, and I did an ARP lookup for the cluster MAC and it was something that begins with 03.

So first I should create a service policy with an access list to and from the Exchange cluster IP, then apply TCP state bypass?

Are you using ASDM or CLI?

Both

I just did it now... lol. Below see the CLI:

access-list exchange-tcp-bypass line 1 extended permit ip any <exchange object>
access-list exchange-tcp-bypass line 2 extended permit ip <exchange object> any
class-map inside-class
  match access-list exchange-tcp-bypass
policy-map inside-policy
  class inside-class
    set connection advanced-options tcp-state-bypass
service-policy inside-policy interface inside

Thanks Andre, I really appreciate it. I am reading about NLB and Cisco; it seems that they configured NLB in multicast mode, and it seems that with Cisco switches this causes some kind of flooding, which explains why I still see the logs of the IP address of the cluster, but I don't understand why shutting down the ASA stops the problem?

Hi. It could be that the ASA is trying to maintain states for all the connections. Applying TCP state bypass to the traffic could help. It did in my case.

Hope you get it sorted.

cheers

ANDRE

Yes, I will definitely try it tomorrow. Thanks for your help.

Thanks Andre, that did the trick. I really appreciate your time and effort.

Pleasure... Glad you got it sorted.

Ok... With ASDM see below:

Under Service Policy Rules click Add. Select Interface, and in the drop-down list make sure you select inside. Give it a name, like "Exchange State Bypass". Click Next. Create a new traffic class and give it a name. Select "source and destination IP (ACL)". Click Next. Select any as your source and your Exchange server object as the destination. Click Next. You will now be on the "protocol inspection" tab. Click the "connection settings" tab, and in the bottom right-hand corner select TCP state bypass.
