05-23-2012 06:50 AM
We are running into a really strange issue. We have a Phoenix Contact MGuard firewall behind a Cisco ASA and it's trying to establish a VPN to another Phoenix MGuard halfway across the world and it's failing. The logs on the MGuards say that the packet is being altered by a device and being discarded. The odd thing is when I route the traffic via some Juniper Firewalls that we have, the same thing is not occurring, no alteration, everything is ok. It seems to be based on the message that a checksum is being edited so the packet makes it to the other end but, the ASA is for some reason altering the packet. I'm not even sure where to start on this one as the traffic is passing... Right now, I'll keep it through the Juniper, just looking for some ideas... The MGuard has a static NAT on the ASA...
05-23-2012 08:51 AM
I took some packet captures before and after the ASA and it would appear that the ASA is altering the responder cookie in the initial ISAKMP packet... Very very odd...
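One way to confirm an observation like the one above from the two captures themselves: parse the fixed 28-byte ISAKMP header on each side of the firewall and diff the fields. The script below is an added example for readers of this thread, not code from the original poster or from Cisco; the two "captures" are constructed byte strings (an inside copy with the zero responder cookie a first Main Mode message carries, and an outside copy whose responder cookie has been rewritten), and the cookie values are made up for illustration. It also strips the 4-byte non-ESP marker that NAT-T puts in front of the header on UDP/4500, so the same diff works for either port.

```python
import struct
from dataclasses import dataclass, fields

# ISAKMP header (RFC 2408 / RFC 7296): initiator SPI (8), responder SPI (8),
# next payload (1), version (1), exchange type (1), flags (1), message ID (4), length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on UDP/4500 that separates IKE from ESP-in-UDP


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def strip_nat_t_marker(udp_payload: bytes, udp_port: int) -> bytes:
    """On UDP/4500 an IKE packet is preceded by a 4-byte zero marker; remove it."""
    if udp_port == 4500 and udp_payload.startswith(NON_ESP_MARKER):
        return udp_payload[len(NON_ESP_MARKER):]
    return udp_payload


def parse_isakmp_header(udp_payload: bytes, udp_port: int = 500) -> IsakmpHeader:
    """Parse the fixed ISAKMP header from the UDP payload of one captured packet."""
    body = strip_nat_t_marker(udp_payload, udp_port)
    if len(body) < ISAKMP_HEADER.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    hdr = IsakmpHeader(*ISAKMP_HEADER.unpack_from(body))
    if hdr.length != len(body):
        raise ValueError(f"header length {hdr.length} != payload length {len(body)}")
    return hdr


def diff_headers(inside: bytes, outside: bytes, udp_port: int = 500) -> dict:
    """Return {field: (inside_value, outside_value)} for every header field that
    differs between the capture taken behind the firewall and the one taken in
    front of it. Byte fields are reported as hex so the report is readable."""
    a = parse_isakmp_header(inside, udp_port)
    b = parse_isakmp_header(outside, udp_port)
    diffs = {}
    for f in fields(IsakmpHeader):
        va, vb = getattr(a, f.name), getattr(b, f.name)
        if va != vb:
            fmt = (lambda v: v.hex()) if isinstance(va, bytes) else (lambda v: v)
            diffs[f.name] = (fmt(va), fmt(vb))
    return diffs


def build_isakmp_header(initiator_spi: bytes, responder_spi: bytes) -> bytes:
    """Build a header-only IKEv1 Main Mode first message (next payload 1 = SA,
    version 1.0, exchange type 2 = Identity Protection, message ID 0)."""
    return ISAKMP_HEADER.pack(initiator_spi, responder_spi, 1, 0x10, 2, 0, 0, ISAKMP_HEADER.size)


# Constructed sample captures (not real traffic): the initiator's first message
# carries an all-zero responder cookie; the outside copy has a rewritten one.
INITIATOR_COOKIE = bytes.fromhex("1122334455667788")          # constructed
INSIDE_CAPTURE = build_isakmp_header(INITIATOR_COOKIE, bytes(8))
OUTSIDE_CAPTURE = build_isakmp_header(INITIATOR_COOKIE, bytes.fromhex("deadbeefcafef00d"))  # constructed


if __name__ == "__main__":
    for name, (before, after) in diff_headers(INSIDE_CAPTURE, OUTSIDE_CAPTURE).items():
        print(f"{name}: inside={before} outside={after}")
```

Feed it the UDP payloads of the same packet from both captures (for example exported from Wireshark as raw bytes); an empty dictionary means the header crossed the firewall untouched, while any field other than those the transit path is expected to change points at the device in between.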
05-25-2012 11:46 AM
I believe we are looking at some sort of odd bug. Have a TAC case open with Cisco... Nada... It's definitely the ASA however, have rerouted the VPN through a Juniper Firewall and Fortinet, no issues, works without issue every time. I'll keep this updated...
05-25-2012 05:48 PM
Hello Richard,
Weird behavior, please keep us posted.
Regards,
05-25-2012 09:56 PM
What code version?
What kind of inspection is configured?
05-26-2012 08:05 PM
The firewall is running 8.2.5
I turned off the UDP IPSec helper and that helped improve issues, It's not about 7 minutes to a reconnection rather than 10 but, it's still altering the receiver ID. Doesn't make any sense. I'm not getting anything back from my TAC case either. Not too worried as I'm more than willing to route around to my Juniper Firewalls but, it's very odd that this behavior is occurring with just the ASAs... I'd like to figure it out.
policy-map global-default
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect icmp error
 class class_netbios
  inspect netbios
policy-map global_default
 class class-default
  set connection advanced-options mss-map
  set connection decrement-ttl
!