ASA 8.3 VPN site-to-site does not carry UDP traffic to other peer

Arturo Bianchi
Level 1

Hi!!!!

Someone turned off the light :-) I say this because going from 6.2 to 6.3 I cannot get basic things done ...

On an ASA I set up a "site-to-site" VPN profile to connect a remote location; on the other side (ASA 8.2) I see no problem, I can pass any IP traffic over the VPN without NAT; but on a new ASA5505 with firmware version 8.3(1) and ASDM 6.3(1) I can't do this in any way :-(

What I get is trivial...

...It works perfectly with TCP and ICMP traffic but does not pass UDP traffic: in practice, if I follow the traffic to a remote private IP, with TCP and ICMP traffic I see only packets in vlan 'inside' with the private IP, but with UDP traffic, in addition to these, I also see the traffic on vlan 'outside' with the ASA public IP and a changed source port:

   Inside: UDP From 172.16.2.128:6000 To 172.16.0.200:6000
Outside: UDP From 5.5.5.5:23400 To 172.16.0..200:6000

why?????

Obviously, the traffic is not encrypted and does not reach the other side of the tunnel!

Here are the important parts of the configuration:

interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.2.1 255.255.255.0

object network obj_any
  subnet 0.0.0.0 0.0.0.0

object network remote-network
  subnet 172.16.0.0 255.255.254.0

access-list outside_cryptomap extended permit ip 172.16.2.0 255.255.255.0 object remote-network

nat (inside,outside) source static any any destination static remote-network remote-network

object network obj_any
  nat (inside,outside) dynamic interface

crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer ip.ip.ip.ip
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside

Given that the new object management is not yet entirely clear to me (OK, I have not found the time to read the documentation in depth), is someone able to point me to the solution of this trivial problem???

Note: if I remove my manual NAT rule and I flag 'translate network' on the remote-network object, to indicate that I want NAT with the remote-network IP, then no IP traffic works towards the remote site. Why, why are the simple 'nat exemption' rules of the older version no longer there, and why does the crypto-map apply only to TCP traffic?? Is it possible that there is an object of ANY kind that takes any IP traffic?

Many thanks to all.

73,

Arturo

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Arturo,

I know there are quite some NAT related bugs in 8.3(1) and although I can't remember a specific one that matches your symptoms, I would suggest you try 8.3(2) instead, or maybe even the latest available interim release (currently 8.3(2.4)):

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=8.3.2+Interim&mdfid=279916854&sftType=Adaptive+Security+Appliance+%28ASA%29+Software&optPlat=&nodecount=9&edesignator=null&modelName=Cisco+ASA+5510+Adaptive+Security+Appliance&treeMdfId=2...

If you then still see the problem, check

  packet-tracer input inside udp 172.16.2.2 1025 172.16.0.1 123 detail

  packet-tracer input inside tcp 172.16.2.2 1025 172.16.0.1 123 detail

and check what is different.

hth

Herbert


6 Replies

Hi Herbert,

thanks for the reply, I have taken the first step, I updated the software: now the ASA boots with FW 8.3(2) & ASDM 6.3(2); now I just have to get in the car and go to the customer, but first I want to read carefully the document Cisco ASA 5500 Migration Guide for Version 8.3.

Note: if I try to do a packet trace, it fails because the inside vlan is now down :-( During the week I have to physically go on site or request the assistance of someone to move a phone to the firewall (the problem occurs with the IP phones) to verify the trouble!

73,

Arturo

OK, let us know how it goes

BTW it may also be important to take care in which order you do things.

In some circumstances you may need "sysopt connection reclassify-vpn", so maybe enable that (if it isn't already; I don't know by heart if it is by default) and see if that helps.

cheers

Herbert

Hi!

I solved it by switching to 8.3(2), but to be safe I opened a ticket and unfortunately I still have some problems: now the UDP traffic from the phone does not pass after a switch HDSL-ADSL-HDSL (on the ASA I have a dual-homed configuration) :-(

I'm investigating with the help of the TAC.

73,

Arturo.

Hi Arturo,

Did you switch to 8.3.2 or the interim release 8.3.2.4?

Based on your description it looks like UDP connections are not getting reclassified once the tunnel bounces, after the ISP switchover happens.

Can you confirm if the problem gets resolved after running the command:

clear local-host

Please have a look at the bug:

CSCth28251

Link: http://tools.cisco.com/squish/d6c74

You might want to move to 8.3.2.4 if you are on 8.3.2.

Let us know how it goes.

regards,

Praveen

Hi Praveena,

I think (I hope) I have found a solution to the problem, a solution in two steps! The first is the change already identified, from version 8.3.1 to 8.3.2; the second step, not least, is adding a NAT exemption rule towards the backup interface. Without this rule, the traffic going out of the backup port thanks to a dynamic PAT rule created an entry in the xlate table; this entry never expires, being renewed by the incoming packets from the other phones, and only disconnecting the backup port or clearing the xlate table restores the correct flow of UDP packets!

The solution was found through the immense patience and meticulous verification of J. Kampanellis, the TAC engineer who assisted me on the case! Yesterday morning, in a lengthy phone/webex marathon, we replicated the problem promptly and found the solution. :-)

Ultimately, more than a bug, the problem is due to the fact that the UDP protocol is connection-less and the persistence of caches, routing tables and paths may go beyond the actual presence of a connection. :-(

To be on the safe side I asked him to leave the case open for a few days, but I think, barring surprises, this problem will not occur again.

Merry Christmas

73,
Arturo
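The two-step fix Arturo describes above (NAT exemption on every egress interface the tunnel can use, plus re-checking after a link switchover), written out as an added configuration example that is not taken from the thread or from Cisco documentation. It assumes the backup WAN interface has nameif `backup`, that the crypto map is also bound to it, and that a second PAT object (`obj_any_backup`) exists for the backup link; the other object names and addresses are those from the original post.

```cisco
! Objects from the original post
object network remote-network
  subnet 172.16.0.0 255.255.254.0
object network obj_any
  subnet 0.0.0.0 0.0.0.0
! Assumed: a second PAT object for the backup link
object network obj_any_backup
  subnet 0.0.0.0 0.0.0.0

! Identity (exemption) twice-NAT entries for VPN-bound traffic. Manual NAT
! is evaluated before object NAT, so an entry must exist for EVERY egress
! interface the tunnel can use. Without the second line a failover to the
! backup link lets the dynamic PAT below translate the flow, and the stale
! xlate keeps later UDP packets out of the tunnel (the symptom in the thread).
nat (inside,outside) source static any any destination static remote-network remote-network
nat (inside,backup)  source static any any destination static remote-network remote-network

! Dynamic PAT for Internet-bound traffic, evaluated after the exemptions
object network obj_any
  nat (inside,outside) dynamic interface
object network obj_any_backup
  nat (inside,backup) dynamic interface

! Re-evaluate existing connections against the crypto map when the tunnel
! comes up (command suggested by Herbert in the thread)
sysopt connection reclassify-vpn

! Verification after a link switchover: compare the UDP and TCP traces and
! confirm both hit the exemption, not the PAT rule; if a stale UDP
! translation remains, flush it and re-test
packet-tracer input inside udp 172.16.2.2 1025 172.16.0.1 123 detail
packet-tracer input inside tcp 172.16.2.2 1025 172.16.0.1 123 detail
show xlate
clear xlate
```

The packet-tracer output should show the NAT phase matching the `source static any any` entry for both protocols; a UDP trace that instead reports a dynamic PAT translation means the exemption is missing on that interface.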