02-08-2023 08:25 AM - edited 02-08-2023 08:28 AM
Hello.
SYMPTOM:
- On the enterprise Ethernet LAN, the workstation connects for the first time through the ASA-5525 with SFTP to the remote vendor. No symptom.
- On the enterprise Ethernet LAN, the workstation connects a second time through the ASA-5525 with SFTP to the remote vendor. Symptom: after the 3-way handshake, the remote vendor never again sends packets.
- On the enterprise public Wi-Fi (different gateway), the workstation connects for the first time through the Ubiquiti firewall with SFTP to the remote vendor. No symptom.
- On the enterprise public Wi-Fi (different gateway), the workstation connects a second time through the Ubiquiti firewall with SFTP to the remote vendor. Symptom: after the 3-way handshake, the remote vendor never again sends packets.
---
My theory is that the random workstation SOURCE PORT is different between the 1st and 2nd connection, but the remote vendor's OSI layer-7 application is maintaining the 1st, stale session, so it is sending return communication with stale PAT translation details; thus the workstation never receives the return data of the new communication.
Questions:
1. What are your thoughts on my theory? If it is incorrect, what do you suggest?
2. If you agree with my theory, what is the ASA-5525 PAT config that will solve this symptom?
Thank you.
02-08-2023 08:39 AM - edited 02-08-2023 09:22 AM
You mean that the same source sends to the destination, but the ASA uses only the old PAT entry and hence the traffic drops?
If yes, then reduce the TCP timeout to make the ASA always refresh the xlate entry for TCP.
02-08-2023 08:51 AM
There is an important detail: all other re-connects to the www are fine. It is this particular vendor that has the symptom. Thus, my theory is that this vendor's application config maintains stale OSI layer 4 or 5 info, communicates back with this stale info, and thus the ASA-5525 drops the traffic.
In this exact situation, is "reduce the UDP timeout to make ASA always refresh the xlate entry for UDP" still the solution?
If yes, then what are the ASA 5525 CLI commands that fix this?
Thank you MHM!
02-08-2023 10:53 AM
Hello,
you cannot set the xlate timeout for UDP connections directly. You could use a policy map as in the example below:
ASA5525(config)# access-list UDP_ACL extended permit ip any 192.168.1.11 255.255.255.255
ASA5525(config)# class-map UDP_CM
ASA5525(config-cmap)# match access-list UDP_ACL
ASA5525(config-cmap)# exit
ASA5525(config)# policy-map UDP_PM
ASA5525(config-pmap)# class UDP_CM
ASA5525(config-pmap-c)# ! 0:02:00 and the interface name "outside" are example values
ASA5525(config-pmap-c)# set connection timeout idle 0:02:00
ASA5525(config-pmap-c)# exit
ASA5525(config-pmap)# exit
ASA5525(config)# service-policy UDP_PM interface outside
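An added example, not from any post in this thread, showing the TCP counterpart of the policy-map approach above scoped to only the vendor host, together with the show/clear commands used to confirm what the ASA actually holds for that destination while the second SFTP session hangs. 203.0.113.10 is a placeholder for the vendor's public address and "outside" is an assumed interface name.

```cisco
! Added example (not the thread's own config). 203.0.113.10 is a placeholder
! for the vendor's IP; "outside" is the assumed nameif of the Internet-facing
! interface. Run step 1 while the second SFTP session is stuck.
!
! 1) What does the ASA hold for this destination right now?
!    - a conn on tcp/22 whose flags show how far the handshake got
!    - the xlate (PAT entry) the workstation's new source port maps to
!    - any drop counters incremented for the stalled packets
ASA5525# show conn address 203.0.113.10 port 22
ASA5525# show xlate
ASA5525# show asp drop
!
! 2) Short TCP idle timeout for this one vendor only (MPF). "reset" makes the
!    ASA send an RST to both ends when the timer expires, so the vendor's
!    stale session is torn down instead of lingering.
!    Note: an interface takes a single service policy. If "outside" already
!    has one, add the class to that existing policy-map instead.
ASA5525(config)# access-list VENDOR_SFTP extended permit tcp any host 203.0.113.10 eq 22
ASA5525(config)# class-map VENDOR_SFTP_CM
ASA5525(config-cmap)# match access-list VENDOR_SFTP
ASA5525(config-cmap)# exit
ASA5525(config)# policy-map VENDOR_SFTP_PM
ASA5525(config-pmap)# class VENDOR_SFTP_CM
ASA5525(config-pmap-c)# set connection timeout idle 0:05:00 reset
ASA5525(config-pmap-c)# exit
ASA5525(config-pmap)# exit
ASA5525(config)# service-policy VENDOR_SFTP_PM interface outside
!
! 3) Confirm the class is matching, and for a session already stuck, clear
!    its conn so the next attempt builds fresh state rather than reusing it.
ASA5525# show service-policy interface outside
ASA5525# clear conn address 203.0.113.10
```

If step 1 shows a fully established conn and a valid xlate while the vendor still sends nothing, the stall is on the vendor side rather than a translation the ASA is dropping, which is the distinction the two theories in this thread turn on.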
02-08-2023 11:14 AM
Now, I know previously that ASA supports FTP inspection but not SFTP.
SFTP is FTP over SSH,
so it needs some sort of config.
https://community.cisco.com/t5/network-security/sftp-application-inspection/td-p/1099303
Check this link to see how we can bypass SFTP over ASA.
thanks
MHM
02-08-2023 11:31 AM - edited 02-09-2023 08:18 AM
.
02-08-2023 02:16 PM - edited 02-09-2023 08:18 AM
.
02-09-2023 08:17 AM
The link says:
"Server----I(ASA)O----client
Server inside, client outside, normally, need to have static mapping for the server and open port 22 to the server's mapped IP for traffic to flow through."
"normally, need to have static mapping for the server" Why?