TCP connection works but UDP fails

Xavier Lloyd
Level 1

Hey all,

I have a server on my LAN that initialises a VPN to another box on the Internet which has a public IP address. For some reason, when the tunnel is established using TCP everything works but when using UDP (port 5000) it fails. The connection passes through an ASA.

All the inbound access lists allow IP on all ports for the respective IP addresses (this is just for testing...it'll change after everything works out).

Any idea why something would fail for UDP and go through for TCP? Is there any inspection rule that I could be missing?

I put this on the firewall board and not the VPN board because the ASA isn't terminating or initialising the VPN, it's the servers.

Thanks all,

Xavier

5 Replies

Julio Carvajal
VIP Alumni

Hello Xavier,

Would you mind providing us the output of these commands to start troubleshooting this:

-Show crypto isakmp sa

-Show crypto ipsec sa

-Show crypto map

Best Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Mohammad Alhyari
Cisco Employee

Hi Xavier,

First thing would be:

Check if the UDP connection is being built on the ASA.

Use logs for this.

Capture the UDP traffic coming in on the ASA (on the inside and the outside) and see if there are any drops.

Once you have found a drop you need to investigate it.

As I understand it, it is a VPN through the ASA from a server inside your LAN.

warm regards.

Hi all,

Well that's the thing. The VPN isn't being terminated on the ASA, the VPN is being terminated on the Linux servers and is just passing through the ASA.

I used the logs and the UDP connection is built. I see the UDP connection established messages (I also see TCP connection established for some reason). Then shortly after, I see UDP connection teardown and TCP connection teardown. I'm not seeing any message for packets being dropped or NAT translations failing...

I figured it might be a problem on the Linux server but the person who manages them says it's not and that he has other servers set up the same way and there's no problem. The error that he's seeing on the Linux is that there's a connection timeout.

I wonder if it could be some NAT problems. Maybe I should have a static one to one translation for the server behind my firewall or set up some port redirection. I'm at a loss.

Any ideas?

Many thanks

Xavier

Xavier,

So you see the builds and the teardowns. What is the reason for the teardowns?

We will not build a connection if there is a problem with translation, access-list or route.

See what the reason is for the teardown and we shall take it from there.

Captures on both ingress and egress, in addition to asp-drop captures, are the ones that are going to help us with this problem.

cap capin int inside match udp any any eq 5000  (I am assuming the name of the interface is inside)

cap capout int outside match udp any any eq 5000 (I am assuming the name of the interface is outside)

cap capasp typ asp-drop all

sh cap capin

sh cap capout

sh cap capasp | i 5000

-KS
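To answer the "what is the reason for the teardowns" question from the syslog side before the captures are available, here is an added example (not from the thread or from Cisco) that pairs the ASA UDP "Built"/"Teardown" connection messages by connection id and flags flows on the port of interest that lasted the default UDP idle timeout while carrying only a datagram's worth of bytes, which is what a request with no reply looks like. The sample log lines, addresses and counters are constructed, and the one-way heuristic, its byte threshold and the 2-minute default idle timeout are assumptions to adjust for your platform.

```python
import re
from typing import Dict, List

# Constructed sample syslog lines, modelled on the ASA "Built"/"Teardown" UDP
# connection messages; every id, address and counter here is made up.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 41 for outside:203.0.113.10/5000 (203.0.113.10/5000) to inside:10.1.1.20/5000 (198.51.100.5/5000)
%ASA-6-302015: Built outbound UDP connection 42 for outside:203.0.113.10/500 (203.0.113.10/500) to inside:10.1.1.20/500 (198.51.100.5/500)
%ASA-6-302016: Teardown UDP connection 41 for outside:203.0.113.10/5000 to inside:10.1.1.20/5000 duration 0:02:01 bytes 96
%ASA-6-302016: Teardown UDP connection 42 for outside:203.0.113.10/500 to inside:10.1.1.20/500 duration 0:10:00 bytes 8192
"""

BUILT = re.compile(r"Built (?P<dir>inbound|outbound) UDP connection (?P<id>\d+) "
                   r"for (?P<a>\S+) \(\S+\) to (?P<b>\S+) \(\S+\)")
TEARDOWN = re.compile(r"Teardown UDP connection (?P<id>\d+) for \S+ to \S+ "
                      r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?")

def to_seconds(hms: str) -> int:
    """Convert the h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def pair_udp_connections(log_text: str) -> Dict[str, dict]:
    """Match each UDP build message with its teardown by connection id."""
    conns: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = {"dir": m["dir"], "a": m["a"], "b": m["b"],
                              "duration": None, "bytes": None, "reason": None}
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in conns:
            c = conns[m["id"]]
            c["duration"] = to_seconds(m["dur"])
            c["bytes"] = int(m["bytes"])
            c["reason"] = m["reason"]  # trailing reason text, if the release logs one

    return conns

def one_way_suspects(conns: Dict[str, dict], port: int, max_bytes: int = 256,
                     idle_timeout: int = 120) -> List[str]:
    """Heuristic (assumption): a flow on the given port torn down after at least the
    UDP idle timeout while carrying no more than one datagram's worth of bytes
    probably never saw a reply; returns the matching connection ids."""
    out = []
    for cid, c in conns.items():
        on_port = c["a"].endswith(f"/{port}") or c["b"].endswith(f"/{port}")
        if (on_port and c["bytes"] is not None and c["bytes"] <= max_bytes
                and c["duration"] is not None and c["duration"] >= idle_timeout):
            out.append(cid)
    return out
```

A flow flagged this way still needs the capin/capout/asp-drop captures above to tell whether the reply never reached the outside interface or was dropped on the way back in.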

Hi KS,

Thanks for the tips. We can only touch the equipment on Saturdays and last Saturday couldn't work so that's why I haven't replied until just now. I've saved these commands and will try them and post the output next time I get access to the equipment.

I don't think that the problem is with translations, ACLs or routes though because the connection works fine when the protocol is TCP (not sure of the port number).

I tried simulating the setup in GNS3 using routers to do the VPN and the PIX as the firewall. I'm still working on that setup though so I'll also post those results. Is there any way to get the routers to use IPSec over TCP and IPSec over UDP?

Xavier
