I have a questiong regarding how ASA handles udp flow...
I have 2 applications that are communicating via udp. These 2 applications are between 2 ASA firewalls. These 2 ASA's are connected with DLL link as a primary line and VPN IPSec over the internet as a backup.I have tracking of routes set up so if the primary DLL link fails then the traffic is rerouted to the backup VPN IpSec over the internet.
The question is, what will happen with udp flow if main DLL link fails, will current flow be terminated and reestablished over the backup line and vice versa when the mail DLL will come back again?
Reason why I''m asking this is because we had this problem once ,udp flow between these 2 aplications was not rerouted to the backup line...
The behavior seems to be normal if you were using NAT for communicating with the end hosts. When the firewall fails over to the secondary ISP, the NAT address it uses will also change. This changes the source address of the packet. So, the application might reject newer packets as the source is different and terminate the connection.
On the other hand, if you are not using NAT (nat excemption or identiry NAT), then the failover should be transparent. Only thing to check in that scenario would be the delay in failing over. If you have configured the probe interval to about 30 seconds on the firewall, the firewall will not detect the failure of the primary link until that time. So, you might want to tune that value to your needs.
Hope this helps.
just to confirm are you
refering to failing over of routes or failover of firewall
i assume you are asking that when your primary route failed and when your back route came up through vpn the udp failed right
Yes, when a primary route fails and the secoundary ( floating) route becomes active, not failower to secoundary firewall.
Is in that case UDP flow terminated and NEW one is created over the secound backup route ? Please do notice that these UDP packets of the aplication are very dence, about 10 packet per second.
Thanx in advance
this issue has been reported before and there is a bug filed i guess, could you please tell me which version of code are you running
do you also experience this issue with tcp packets or is it with only udp packets
Hm, I didn't know this. No,with TCP everything is ok, the problem is only with UDP pakcet flow's. Actually, on one side is PIX 515E with 8.0.(4) and on the other side I just upgraded my ASA to 8.0.(5). Any suggestions ?
Thank you very much for your help...
i know someone who has worked on something similar i will try to get that person in the loop
but i guess that is something for which we have filed enhancement request and i it has been fixed
what about the ASA with 8.05 code does it also experience the same issue because the enhancement request that i found says that we have it incorporated in 8.05
First of all, thank You for your effort.
If you can get that person it would be very helpful.
Regarding 8.0(5) version, I've updated before couple of days and I havent tryed yet, because this is very important production application,first I wish to gather as much as information as possible so you are helping me allot. Let say it is corrected in 8.0(5) , but what will I do with my other PIX 515E with 8.0(4) beeng the latest version?
In 8.0.5 we introduce a code change per bug CSCso42904. Basically, when the route changes from one interface to another, we detect this change and drop the flow/conn. As a result, new packets force a new conn to be created following the new routing information. So... In thoery... 8.0.5 should take of this issue. Now you bring up a good point: What about PIX? Well, unfortunately we do not have anything we can do for the PIX platform at this point. THe product as yuou know has reach End of Life and there will be no new code builds beyond 8.0.4.x.