Slow path security checks failed in Cisco ASA 5506x

Antony.xavier
Level 1

Hi There,


I tried to build a site-to-site IPsec VPN tunnel between a Cisco ASA 5506X (branch office) and the ANS hub. The tunnel is up, but I see only RX traffic; the TX count is zero. Checking the asp drop capture on the branch office firewall, I see the ANS hub IP address (2.2.2.2) trying to communicate with the branch office (1.1.1.1), but the packets are dropped at the branch office ASA due to "SP-security checks failed". Please find the output below for your reference.

ASA1# show cap asp | in 2.2.2.2

1907:   21:29:52.802265        2.2.2.2.500 > 1.1.1.1.500  udp 384 Drop-reason: (SP-security checks failed) SLOWPATH security checks failed

ASA1#

Please let me know the troubleshooting steps to resolve this issue.

Regards,

Antony Xavier.
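A small triage helper, added here as an example and not code from the thread: it parses `show capture asp` drop lines of the form quoted above and counts drop reasons for the traffic between the two tunnel peers, separating the IKE (udp/500) and NAT-T (udp/4500) packets that a responder needs to see. The sample lines are constructed; only the first mirrors the one in the post.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show capture asp` output on an ASA.
# Line 1907 mirrors the post; the other two lines are made up for illustration.
SAMPLE_ASP = """\
1907:   21:29:52.802265        2.2.2.2.500 > 1.1.1.1.500  udp 384 Drop-reason: (SP-security checks failed) SLOWPATH security checks failed
1908:   21:29:53.102265        2.2.2.2.4500 > 1.1.1.1.4500  udp 120 Drop-reason: (SP-security checks failed) SLOWPATH security checks failed
1909:   21:29:53.402265        10.0.0.5.51234 > 8.8.8.8.53  udp 60 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One capture line: index, timestamp, src.port > dst.port, proto, length, drop reason.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>[\d:.]+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)\s+"
    r"Drop-reason:\s+\((?P<code>[^)]+)\)\s*(?P<desc>.*)$"
)

IKE_PORTS = {500, 4500}  # IKE and NAT-T (IPsec over UDP)


def parse_asp_drops(text):
    """Turn capture lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("idx", "sport", "dport", "length"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def drops_by_reason(records, peer_a, peer_b):
    """Count drop-reason codes for packets between two addresses, either direction."""
    pair = {peer_a, peer_b}
    return Counter(r["code"] for r in records if {r["src"], r["dst"]} == pair)


def ike_dropped(records, peer_a, peer_b):
    """Return dropped udp/500 and udp/4500 packets between the peers: if the responder
    never sees the initiator's IKE traffic, the tunnel cannot negotiate from that side."""
    pair = {peer_a, peer_b}
    return [r for r in records
            if {r["src"], r["dst"]} == pair
            and r["proto"] == "udp" and r["dport"] in IKE_PORTS]
```

Feed it the output of `show capture asp` (or `show cap asp | in <peer>`) pasted into `SAMPLE_ASP`, and compare the counts with the VPN RX/TX counters.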


Hello,

Not sure what "ANS hub" is exactly, but slow path security check failures usually have to do with access rules. Can you post the configs of the ASA and whatever device is on the other side?

Giuseppe Larosa
Hall of Fame

Hello @Antony.xavier ,

you may have a Firepower module on board, and you might be sending all the traffic to it for deep inspection.

Check for the presence of the SFR module using

show module

and from the configuration of your ASA you need to check whether you are sending traffic to the sfr module.

Use the following link as a reference:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html?referring_site=RE&pos=1&page=https://www.cisco.com/c/en/us/support/security/asa-firepower-services/series.html

If you have something like the following:

  • ciscoasa(config)# access-list sfr_redirect extended permit ip any any
  • Create a class-map in order to match the traffic on an access list:
    ciscoasa(config)# class-map sfr
    ciscoasa(config-cmap)# match access-list sfr_redirect
  • Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline (normal) deployment mode.
    Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.
    In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission. This example shows how to create a policy-map and configure the ASA SFR module in the inline mode:
    ciscoasa(config)# policy-map global_policy
    ciscoasa(config-pmap)# class sfr
    ciscoasa(config-pmap-c)# sfr fail-open

Hope to help

Giuseppe