ESP traffic through FWSM

ANGELO DE MASI
Level 1

Hi,

I've built site-to-site VPNs between a PIX and an ASA with traffic passing through an FWSM.

This is the architecture:

LAN1---PIX--------(dmz interface)FWSM(outside interface)--------ASA----LAN2

The VPNs go up regularly, but I am experiencing some performance issues, so I am trying to look into the logs.

In the FWSM log I can see a lot of these entries regarding ESP protocol traffic between the endpoint peers:

6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237602 for outside:x.x.x.x(x.x.x.x) to dmz:y.y.y.y (y.y.y.y)

6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237601 for dmz:x.x.x.x(x.x.x.x) to outside:y.y.y.y (y.y.y.y)


x.x.x.x and y.y.y.y are the VPN peers' IP addresses, but I suspect some strange behaviour because I see x.x.x.x and y.y.y.y respectively at the same time on the outside interface and on the dmz interface during the build of the IP protocol 50 connection.

Do you think this is normal behaviour, or does it mean there is a fault?

Any suggestion will be very much appreciated.

Thanks

angelo

6 Replies

Marcin Latosiewicz
Cisco Employee

Speaking for IPsec, remember that two separate SPIs will exist, one for inbound and one for outbound traffic, i.e. at the header level those two connections will be seen as two separate flows.
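As an added illustration (not code from the original thread, and not a Cisco tool), the following Python script parses constructed FWSM 302022 lines written in the same pipe-separated export format quoted above. It applies the point made in the reply: each ESP direction has its own SPI, so two "Built IP protocol 50" entries per peer pair are expected, but in both entries a given peer should be logged on the same interface. The check flags the pattern from the question, where one address shows up on both the outside and dmz interfaces. The sample lines, the RFC 5737 addresses, and the function names are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the pipe-separated FWSM syslog export format
# seen in the thread (severity|date|time|msg-id|...|message). The first two
# reproduce the suspicious pattern (one peer seen on both interfaces), the
# next two show a normal ESP pair, and the last is a teardown (302023) that
# the parser must ignore. Addresses are RFC 5737 documentation ranges, not
# the poster's real peers.
SAMPLE_LOG = """\
6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237602 for outside:192.0.2.10(192.0.2.10) to dmz:198.51.100.20 (198.51.100.20)
6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237601 for dmz:192.0.2.10(192.0.2.10) to outside:198.51.100.20 (198.51.100.20)
6|Jan 29 2014|13:08:01|302022|||||Built IP protocol 50 connection 144547910545237700 for dmz:203.0.113.5(203.0.113.5) to outside:198.51.100.99 (198.51.100.99)
6|Jan 29 2014|13:08:01|302022|||||Built IP protocol 50 connection 144547910545237701 for outside:198.51.100.99(198.51.100.99) to dmz:203.0.113.5 (203.0.113.5)
6|Jan 29 2014|13:08:26|302023|||||Teardown IP protocol 50 connection 144547910545237602 for outside:192.0.2.10 to dmz:198.51.100.20 duration 0:00:30 bytes 4180
"""

# Message text of 302022. The trailing "(mapped)" address may or may not be
# separated from the real address by a space, as in the thread's own lines.
BUILT_RE = re.compile(
    r"Built IP protocol (?P<proto>\d+) connection (?P<conn_id>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)\s*\([\d.]+\) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)\s*\([\d.]+\)"
)


def parse_built_connections(text):
    """Return one dict per 302022 line: protocol, connection id, and the
    interface:address pair on each side. Other message IDs are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 9 or fields[3] != "302022":
            continue
        m = BUILT_RE.search(fields[8])
        if not m:
            continue
        flow = m.groupdict()
        flow["proto"] = int(flow["proto"])
        flows.append(flow)
    return flows


def interfaces_by_address(flows, proto=50):
    """Map each address to the set of FWSM interfaces it was logged on."""
    seen = defaultdict(set)
    for f in flows:
        if f["proto"] != proto:
            continue
        seen[f["src_ip"]].add(f["src_if"])
        seen[f["dst_ip"]].add(f["dst_if"])
    return seen


def flapping_peers(flows, proto=50):
    """Addresses that appear on more than one interface. Each ESP direction
    is a separate flow (its own SPI), but both flows should place a given
    peer on the same side of the firewall; a host that is logged on two
    interfaces deserves a sniffer trace."""
    return sorted(ip for ip, ifs in interfaces_by_address(flows, proto).items()
                  if len(ifs) > 1)


def audit_esp_pairs(flows, proto=50):
    """Per peer pair, report 'ok' when every logged direction agrees on which
    interface each peer sits behind, else 'interface mismatch'."""
    per_pair = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["proto"] != proto:
            continue
        pair = tuple(sorted((f["src_ip"], f["dst_ip"])))
        per_pair[pair][f["src_ip"]].add(f["src_if"])
        per_pair[pair][f["dst_ip"]].add(f["dst_if"])
    return {pair: ("ok" if all(len(ifs) == 1 for ifs in by_ip.values())
                   else "interface mismatch")
            for pair, by_ip in per_pair.items()}


if __name__ == "__main__":
    flows = parse_built_connections(SAMPLE_LOG)
    for pair, verdict in sorted(audit_esp_pairs(flows).items()):
        print(f"{pair[0]} <-> {pair[1]}: {verdict}")
    print("peers seen on more than one interface:", flapping_peers(flows))
```

Run against a real export, the script only needs the 302022 lines; a pair reported as "interface mismatch" is the case discussed in this thread, while a pair with two flows and "ok" is the normal inbound/outbound SPI split.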

Hi Marcin, thanks for your reply.

Yes, I know; I expected two flows for inbound and outbound, that's correct, but I don't understand why the FWSM sees the same IP incoming on both interfaces, dmz and outside. That seems strange. If x.x.x.x is on dmz and y.y.y.y on outside, what does this entry mean?:

6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237602 for outside:x.x.x.x(x.x.x.x) to dmz:y.y.y.y (y.y.y.y).

Hi

angelo

Angelo,

Indeed, I didn't spot that; it looks possibly buggy.

Not having worked with FWSM for the last couple of years, I would say it's something messy with local-host or you're leaking packets somehow ... enable unicast RPF, clear those conns and see if it persists. You might also be interested to check:

1) Sniffer trace

2) TAC/BTK.

HTH,

M.

Hi Marcin,

I just enabled unicast RPF, but it didn't change anything. The FWSM always logs "Built IP protocol 50" and "Teardown IP protocol 50" in the same manner. I don't know what to do.

Any other suggestion?

Possibly due to

https://tools.cisco.com/bugsearch/bug/CSCsy20486/?reffering_site=dumpcr

or similar.

TAC should help you out better :-)

Oh, many thanks Marcin, the bug seems to be indeed my case.

I will investigate much more with TAC.

Thank you again.

Bye

angelo