Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1760
Views
0
Helpful
5
Replies

Firewall Behind ASA trying to establish a VPN - Not Working - Packets Altered

rhornberger
Level 1
Level 1

‎05-23-2012 06:50 AM

                   We are running into a really strange issue.  We have a Phoenix Contact MGuard firewall behind a Cisco ASA and it's trying to establish a VPN to another Phoenix MGuard halfway across the world and it's failing.  The logs on the MGuards say that the packet is being altered by a device and being discarded.  The odd thing is when I route the traffic via some Juniper Firewalls that we have, the same thing is not occuring, no alteration, everything is ok.  It seems to be based on the message that a checksum is being edited so the packet makes it to the other end but, the ASA is for some reason altering the packet.  I'm not even sure where to start on this one as the traffic is passing...  Right now, I'll keep it through the Juniper, just looking for some ideas...  The MGuard has a static NAT on the ASA...

Labels:
0 Helpful
5 Replies 5

rhornberger
Level 1
Level 1

‎05-23-2012 08:51 AM

I took some packet captures before and after the ASA and it would appear that the ASA is altering the responder cookie in the initial ISAKMP packet...  Very very odd...

0 Helpful

rhornberger
Level 1
Level 1

‎05-25-2012 11:46 AM

I believe we are looking at some sort of odd bug. Have a TAC case open with Cisco...  Nadda...  It's definitly the ASA however, have rerouted the VPN through a Juniper Firewall and Fortinet, no issues, works without issue every time.  I'll keep this updated...

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to rhornberger

‎05-25-2012 05:48 PM

Hello Richard,

Weird behavior, please keep us posted.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Patrick0711
Level 3
Level 3

‎05-25-2012 09:56 PM

What code version?

What kind of inspection is configured?

0 Helpful

rhornberger
Level 1
Level 1
In response to Patrick0711

‎05-26-2012 08:05 PM

The firewall is running 8.2.5

I turned off the UDP IPSec helper and that helped improve issues, It's not about 7 minutes to a reconnection rather than 10 but, its still altering the reciever ID. Dosn't make any sense.  I'm not getting anything back from my TAC case either.  Not too worried as I'm more than willing to route around to my Juniper Firewalls but, it's very odd that this behavior is occuring with just the ASA's...  I'd like to figure it out.

policy-map global-default
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect icmp error
class class_netbios
  inspect netbios
policy-map global_default
class class-default
  set connection advanced-options mss-map
  set connection decrement-ttl
!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents