Solved: Connection denied to reverse path failure.

AlainBensimon4252 · ‎08-26-2020

Hello,

I have an old ASA 5505 and I have configured a remote access VPN to work with Cisco anyconnect.

It was working fine until I wanted to use our VOIP line through the VPN.

My softphone is not connecting and I went to check the firewall logs to find this message.

5

Aug 26 2020

15:26:57

305013

10.69.11.243

55448

192.168.254.22

5060

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE:10.69.11.243/55448(LOCAL\cayyzalbe) dst INSIDE:192.168.254.22/5060 denied due to NAT reverse path failure

I'm not really good in VPN, I have setup that one using online tutorial.

Any help would be appreciated.

Thank you.

AlainBensimon4252 · ‎08-26-2020

Okay, so what I did is instead of using the object of my whole network, I created a new object (range) with the IP addresses that the VPN assign to clients.

And I did the rule Local_VPN to sbk.

So instead of create a rule OUTSIDE -> INSIDE and INSIDE->OUTSIDE like before, it only create OUTSIDE->INSIDE.

12 (OUTSIDE) to (INSIDE) source static Local_VPN Local_VPN destination static sbk sbk no-proxy-arp
translate_hits = 1, untranslate_hits = 560
Source - Origin: 10.69.11.242-10.69.11.252, Translated: 10.69.11.242-10.69.11.252
Destination - Origin: 192.168.254.22/32, Translated: 192.168.254.22/32

The softphone is connecting now.
I just hope I will not have the DHCP mess like before?

View solution in original post

Rob Ingram · ‎08-26-2020

Hi,
Please provide your full configuration and the output of "show nat detail".

AlainBensimon4252 · ‎08-26-2020

Hi Rob,

Here is the show NAT detail results.

How can I provide you the full configuration?

Thank you

Result of the command: "show nat detail"

Manual NAT Policies (Section 1)
1 (INSIDE) to (any) source static obj-10.69.11.0 obj-10.69.11.0 destination static NET-POLYGON-EVRY NET-POLYGON-EVRY no-proxy-arp route-lookup
translate_hits = 387922, untranslate_hits = 391353
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: 10.32.0.0/14, Translated: 10.32.0.0/14
2 (INSIDE) to (any) source static obj-10.69.11.0 obj-10.69.11.0 destination static NET-POLYGON-NANDOVER NET-POLYGON-NANDOVER no-proxy-arp route-lookup
translate_hits = 152, untranslate_hits = 152
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: VPN_Andover_MA_Network/24, VPN_Andover_MA_Network/24, Translated: VPN_Andover_MA_Network/24, VPN_Andover_MA_Network/24
3 (INSIDE) to (any) source static obj-10.69.11.0 obj-10.69.11.0 destination static VPN_CA_Terrebonne_Network VPN_CA_Terrebonne_Network no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: 10.69.12.0/24, Translated: 10.69.12.0/24
4 (INSIDE) to (any) source static obj-10.69.11.0 obj-10.69.11.0 destination static VPN_CA_Toronto_Network VPN_CA_Toronto_Network no-proxy-arp route-lookup
translate_hits = 10428, untranslate_hits = 10428
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: 10.69.10.0/24, Translated: 10.69.10.0/24
5 (INSIDE) to (any) source static obj-10.69.11.0 obj-10.69.11.0 destination static VPN_CA_Vancouver VPN_CA_Vancouver no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: 10.69.14.0/24, Translated: 10.69.14.0/24
6 (any) to (OUTSIDE) source dynamic NETWORK_OBJ_192.168.100.0_26 interface inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.100.0/26, Translated: 207.96.147.218/30
7 (INSIDE) to (OUTSIDE) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
translate_hits = 1100, untranslate_hits = 1146
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
8 (INSIDE) to (OUTSIDE) source static NETWORK_OBJ_10.69.11.0_24 NETWORK_OBJ_10.69.11.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
9 (INSIDE) to (OUTSIDE) source static any any destination static NETWORK_OBJ_192.168.100.0_26 NETWORK_OBJ_192.168.100.0_26 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 192.168.100.0/26, Translated: 192.168.100.0/26
10 (INSIDE) to (OUTSIDE) source static any any destination static NETWORK_OBJ_10.69.11.224_28 NETWORK_OBJ_10.69.11.224_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 10.69.11.224/28, Translated: 10.69.11.224/28
11 (OUTSIDE) to (INSIDE) source static NETWORK_OBJ_10.69.11.0_24 NETWORK_OBJ_10.69.11.0_24 destination static NETWORK_OBJ_10.69.11.0_24 NETWORK_OBJ_10.69.11.0_24 no-proxy-arp description VPN -> Local Network (Alain)
translate_hits = 9956, untranslate_hits = 54927
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
12 (OUTSIDE) to (INSIDE) source static NETWORK_OBJ_10.69.11.0_24 NETWORK_OBJ_10.69.11.0_24 destination static sbk sbk inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.69.11.0/24, Translated: 10.69.11.0/24
Destination - Origin: 192.168.254.22/32, Translated: 192.168.254.22/32

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static Cam_Int Cam_Int service tcp 7000 7000 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.69.11.22/32, Translated: 10.69.11.22/32
Service - Protocol: tcp Real: 7000 Mapped: 7000
2 (INSIDE) to (OUTSIDE) source dynamic obj_any interface
translate_hits = 472772, untranslate_hits = 237237
Source - Origin: 0.0.0.0/0, Translated: 207.96.147.218/30

AlainBensimon4252 · ‎08-26-2020

Just for your information, the rule 12 is disabled.
that's one of the things I have tried, and the phone was connecting, but after a while, my Windows server 2012 R2 DHCP went crazy and started to give BAD ADDRESS to all computers and even the servers that had a fixed IP.
After I disabled the ruel, everything went back to normal.

Rob Ingram · ‎08-26-2020

Try adding "no-proxy-arp" to rule #12, re-enable it and see if that works.

AlainBensimon4252 · ‎08-26-2020

Do you mean here?

Rob Ingram · ‎08-26-2020

Yes

AlainBensimon4252 · ‎08-26-2020

Okay, so what I did is instead of using the object of my whole network, I created a new object (range) with the IP addresses that the VPN assign to clients.

And I did the rule Local_VPN to sbk.

So instead of create a rule OUTSIDE -> INSIDE and INSIDE->OUTSIDE like before, it only create OUTSIDE->INSIDE.

12 (OUTSIDE) to (INSIDE) source static Local_VPN Local_VPN destination static sbk sbk no-proxy-arp
translate_hits = 1, untranslate_hits = 560
Source - Origin: 10.69.11.242-10.69.11.252, Translated: 10.69.11.242-10.69.11.252
Destination - Origin: 192.168.254.22/32, Translated: 192.168.254.22/32

The softphone is connecting now.
I just hope I will not have the DHCP mess like before?

Rob Ingram · ‎08-26-2020

If it hasn't now during your testing, then the "no-proxy-arp" command on your NAT exemption rule resolved it.
If you want to be sure that command resolved the issue, remove it and confirm it breaks it again!!

AlainBensimon4252 · ‎08-26-2020

I'm a little bit afraid to do it, since people are still working, and they will kill me if it breaks again.

I will wait a little bit.

Do you think that this proxy option caused my DHCP go crazy?

Rob Ingram · ‎08-26-2020

If you've applied the change and it's working then the issue is resolved....however if you want to be sure then make the change out of hours so as not to impact other users.

Yes, I think proxy arp was causing the issue.

AlainBensimon4252 · ‎08-26-2020

That's great, thank you so much. Your help has been so precious.

Just one question not related to that issue.

I got a new Meraki MX-64 firewall.

As you can see, I'm not a specialist, is there a way I can export my ASA config to the new Firewall.

I don't even know where to start.

Rob Ingram · ‎08-26-2020

There is no migration tool that I am aware of, you'd have to manually configure the new Merarki firewall. Perhaps it's worth speaking to your meraki partner to see if there is a tool they have to migrate the configuration.

AlainBensimon4252 · ‎08-27-2020

I will do that. Thank you very much for your help.

Rob Ingram · ‎08-26-2020

If you login to the ASA via SSH or console, then run "show run" and copy the contents to a file and upload here.