10-24-2018 01:51 AM - edited 02-21-2020 08:23 AM
Hi Everyone, I am facing a weird issue where ping traffic works fine, however TCP/UDP 5060 traffic fails.
There are 2 interfaces configured as below -
ASA/pri/act(config)# sh run int Ethernet0/2.1097
!
interface Ethernet0/2.1097
vlan 1097
nameif inside_host
security-level 100
ip address 10.30.197.1 255.255.255.0
ASA/pri/act(config)# sh run int Ethernet0/3.3897
!
interface Ethernet0/3.3897
vlan 3897
nameif fin_host
security-level 100
ip address 10.30.254.54 255.255.255.248
'same-security-traffic permit inter-interface' and 'same-security-traffic permit intra-interface' are in place.
Inspection for SIP and ICMP is Enabled.
When I do a capture, I see the packet being forwarded to the next module for processing:
packet-tracer input inside_host tcp 10.30.197.10 5060 32.253.42.122 5060 detail
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad646b18, priority=13, domain=capture, deny=false
hits=85287, user_data=0xad90f710, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside_host, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabe958e8, priority=1, domain=permit, deny=false
hits=181625, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside_host, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 32.253.42.122 255.255.255.255 fin_host
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac2a9378, priority=2, domain=permit, deny=false
hits=288, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside_host, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabe4ac38, priority=0, domain=inspect-ip-options, deny=true
hits=396, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside_host, output_ifc=any
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabe94528, priority=20, domain=lu, deny=false
hits=7, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside_host, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac17edd0, priority=0, domain=inspect-ip-options, deny=true
hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=fin_host, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2959779, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside_host
input-status: up
input-line-status: up
output-interface: fin_host
output-status: up
output-line-status: up
Action: allow
However, when I apply captures on the inside_host and fin_host interfaces, I see the request and reply reaching the host behind the inside_host interface, and just the request arriving on the fin_host interface:
capture capin type raw-data access-list test interface fin_host
capture capout type raw-data access-list test interface inside_host
sh cap capin
13 packets captured
1: 05:40:46.800800 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
2: 05:40:47.300979 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
3: 05:40:48.301208 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
4: 05:40:50.300445 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
5: 05:40:54.301177 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
6: 05:40:58.301116 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
7: 05:41:02.302291 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
sh cap capout
30 packets captured
1: 05:40:47.300994 802.1Q vlan#1097 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
2: 05:40:47.301437 802.1Q vlan#1097 P0 10.30.197.10.5060 > 32.253.42.122.5060: udp 489
3: 05:40:48.301223 802.1Q vlan#1097 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
4: 05:40:48.301681 802.1Q vlan#1097 P0 10.30.197.10.5060 > 32.253.42.122.5060: udp 489
5: 05:40:50.300475 802.1Q vlan#1097 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
6: 05:40:50.300918 802.1Q vlan#1097 P0 10.30.197.10.5060 > 32.253.42.122.5060: udp 489
7: 05:40:54.301192 802.1Q vlan#1097 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
8: 05:40:54.301635 802.1Q vlan#1097 P0 10.30.197.10.5060 > 32.253.42.122.5060: udp 489
9: 05:40:56.402414 802.1Q vlan#1097 P0 10.30.197.10.5060 > 32.253.42.122.5060: udp 439
10: 05:40:58.301162 802.1Q vlan#1097 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
There is NO ACL of any sort configured on these 2 interfaces, but I still do not see the reply packets from the inside_host interface reaching the fin_host interface.
Please suggest what exactly I am missing here.
Thanks for all your help in advance.
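The two captures in the post are small enough to compare by eye, but on a busier box the question "which packets entered on one interface and never showed up on the other, and is the reply actually the reverse of the request?" is easier to answer mechanically. The script below is an added example, not part of the original post or of any Cisco tooling: it parses `show capture` output as pasted above (the `N: hh:mm:ss.usec 802.1Q vlan#X P0 a.b.c.d.port > e.f.g.h.port: udp len` format), keyed by interface, and reports (a) directional 5-tuples that appear on some captures but not others and (b) packets whose exact reverse 5-tuple was never seen. Run against the lines from the post, it reports that the reply tuple `10.30.197.10:5060 -> 32.253.42.122:5060` is present on inside_host only, and that neither tuple has an exact reverse, because the requests arrive from source port 61442 while the replies are sent to port 5060. The interface names, the `SAMPLE_CAPTURES` dict and the `analyze`/`parse_capture` functions are this example's own; the sample lines are copied from the post's captures, trimmed to a few packets.

```python
"""Correlate ASA 'show capture' output taken on two interfaces.

Added example for the thread above; not ASA code. It answers two questions
a practitioner asks when a flow is seen on the ingress capture but not on
the egress capture:
  1. Which directional 5-tuples were seen on some interfaces but not others?
  2. Which packets have no exact reverse 5-tuple anywhere (reply sent to a
     different port than the request came from)?
"""
import re
from collections import defaultdict

# One 'show capture' packet line, e.g.
# 1: 05:40:46.800800 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
# The 802.1Q tag is optional so untagged captures parse too. Header lines such
# as "13 packets captured" do not start with "<n>:" and are skipped.
CAP_LINE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>udp|tcp)\s+(?P<len>\d+)"
)

# Constructed sample: a few of the lines from the post, keyed by the interface
# each capture was applied to (capin -> fin_host, capout -> inside_host).
SAMPLE_CAPTURES = {
    "fin_host": """13 packets captured
1: 05:40:46.800800 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
2: 05:40:47.300979 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
3: 05:40:48.301208 802.1Q vlan#3897 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
""",
    "inside_host": """30 packets captured
1: 05:40:47.300994 802.1Q vlan#1097 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
2: 05:40:47.301437 802.1Q vlan#1097 P0 10.30.197.10.5060 > 32.253.42.122.5060: udp 489
3: 05:40:48.301223 802.1Q vlan#1097 P0 32.253.42.122.61442 > 10.30.197.10.5060: udp 405
4: 05:40:48.301681 802.1Q vlan#1097 P0 10.30.197.10.5060 > 32.253.42.122.5060: udp 489
""",
}


def parse_capture(text):
    """Return one dict per packet line in 'show capture' output."""
    packets = []
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if not m:
            continue  # header, blank or unsupported line (e.g. ICMP/ARP)
        d = m.groupdict()
        packets.append({
            "ts": d["ts"], "vlan": d["vlan"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "proto": d["proto"], "len": int(d["len"]),
        })
    return packets


def directional_key(pkt):
    """Exact directional 5-tuple (proto, src, sport, dst, dport)."""
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def reverse_key(key):
    """The 5-tuple an ASA would treat as the reverse flow of `key`."""
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


def analyze(captures):
    """captures: {interface_name: 'show capture' text}.

    Returns (seen, unpaired, missing):
      seen     {directional_key: set of interfaces it appeared on}
      unpaired set of directional keys whose exact reverse was never seen
      missing  {directional_key: set of interfaces it did NOT appear on},
               only for keys seen on some but not all interfaces
    """
    seen = defaultdict(set)
    for ifc, text in captures.items():
        for pkt in parse_capture(text):
            seen[directional_key(pkt)].add(ifc)
    all_ifcs = set(captures)
    unpaired = {k for k in seen if reverse_key(k) not in seen}
    missing = {k: all_ifcs - ifcs for k, ifcs in seen.items() if ifcs != all_ifcs}
    return dict(seen), unpaired, missing


def report(captures):
    """Human-readable summary of analyze(); returned as lines, not printed."""
    seen, unpaired, missing = analyze(captures)
    lines = []
    for key, ifcs in sorted(seen.items()):
        proto, src, sport, dst, dport = key
        lines.append(f"{proto} {src}:{sport} -> {dst}:{dport} seen on {sorted(ifcs)}")
    for key, absent in sorted(missing.items()):
        proto, src, sport, dst, dport = key
        lines.append(f"MISSING on {sorted(absent)}: {proto} {src}:{sport} -> {dst}:{dport}")
    for key in sorted(unpaired):
        proto, src, sport, dst, dport = key
        lines.append(f"NO EXACT REVERSE: {proto} {src}:{sport} -> {dst}:{dport}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURES)))
```

To use it on a live box, paste each `show capture <name>` output into the dict under the interface the capture was applied to. A tuple flagged MISSING on the egress interface is one the ASA accepted on ingress and then dropped or redirected internally, which is what `show asp drop` and a `capture <name> type asp-drop all` are for on the ASA side. Note also that the packet-tracer in the post simulates a TCP packet entering on inside_host, while the captures show UDP entering on fin_host; a trace is only meaningful for the protocol and direction of the flow actually being tracked.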