Flow is a Loopback

laursen.lars
Level 1

Hi

I have 2 ASA 5505s with a site-to-site VPN, and I need to reach a server on network A on port 7887 from network B.

The 2 boxes are both on a public net and have a private net inside.

When initiating a telnet session from a host on network B to the IP 172.210.210.56/24 (which is defined as my remote network in the connection profile),

I can see the traffic arriving on the ASA on network A, but the traffic gets rejected with the following.

Built local-host outside:VPN-TEST_172.210.210.56
VPN-TEST_172.210.210.56    7887    Teardown TCP connection 398765 for outside:VPN-TEST_x.x.x.x/16698 to outside:VPN-TEST_172.210.210.56/7887 duration 0:00:00 bytes 0 Flow is a loopback
Teardown local-host outside:VPN-TEST_172.210.210.56 duration 0:00:00

I'm a newbie with the ASA 5505, and cannot figure out why this is a loopback?


Lars,

You're saying this communication is just from one ASA to another through an L2L tunnel, correct?

I mean, it is not u-turn traffic (traffic that arrives at an interface and should be redirected back out the same interface)?

The reason I ask is that I think the error you mentioned is related to u-turn traffic.

Also, are you able to PING between both hosts? Is it just the telnet connection that is not working?

Federico.

Hi

I will try to describe my setup more specifically.

Site A

     HostA:     192.168.168.111 listening on port 7887

     ASA-A

          Inside:     10.10.9.66 /24

          Outside:     83.x.x.x

          Default inside route:     10.10.9.94 /24

          VPN-Tunnel

               Local:     172.210.210.0 /24

               Remote:     91.x.x.x

               The inside-out NAT 172.210.210.2

               The outside-in 172.210.210.10 to 192.168.168.111

     Firewall

          DMZ:     10.10.9.94 /24

          Inside:     192.168.168.1 /24

Site B

     HostB:     192.168.230.15 /24

     ASA-B

          Inside:     192.168.230.1 /24

          Outside:     91.x.x.x

          VPN-Tunnel

               Local:     192.168.230.0 /24

               Remote:     172.210.210.0 /24

               The Inside-out NAT 91.x.x.x

When HostB tries to telnet to 172.210.210.10 on port 7887, I can see the VPN tunnel getting negotiated and traffic sent.

On Site A I can see the traffic arriving on 172.210.210.10; I would then expect the traffic to get NATed to 192.168.168.111, but the traffic is instead denied with the above text.

So to answer your questions:

This is "just" a VPN between 2 ASA 5505s.

The traffic is from one ASA to the other, so I can't see that the traffic is sent out and arrives on the same interface (but I do not know what ASA-A does with the traffic; maybe it sends it out the wrong interface).

This applies to all traffic; I have tried to telnet to other ports as well.

I think you are right in the assumption that this is u-turn traffic. If this is the case, then ASA-A must be sending the traffic out the outside interface after receiving it on the same interface.

Do you know how I can do some more troubleshooting on this issue?

Regards

Lars
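Federico's u-turn hypothesis can be checked against the teardown line Lars quoted: an ASA teardown message names the ingress interface before "for" and the egress interface after "to", and in the quoted line both are "outside", which is the hairpin condition he describes. The script below is an added example, not code from the thread or from Cisco. It parses ASA TCP/UDP teardown lines into their fields and flags any flow the ASA rejected as a loopback or whose ingress and egress interface are the same. The sample log is constructed from the line in the original post (with the poster's x.x.x.x placeholder kept) plus one constructed line showing what a tunnel connection that is translated to an inside host would look like; the field layout assumed by the regex is the standard ASA connection-teardown format.

```python
import re
from typing import Dict, List, Optional

# Body of an ASA "Teardown <proto> connection" message. Anchoring on "Teardown"
# lets a leading timestamp, hostname or "%ASA-6-302014:" tag pass unparsed.
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>\S+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>\S+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*))?$"
)

# Constructed sample lines modelled on the teardown quoted in the original post.
SAMPLE_LOG = [
    "Built local-host outside:VPN-TEST_172.210.210.56",
    "Teardown TCP connection 398765 for outside:VPN-TEST_x.x.x.x/16698 "
    "to outside:VPN-TEST_172.210.210.56/7887 duration 0:00:00 bytes 0 Flow is a loopback",
    "Teardown local-host outside:VPN-TEST_172.210.210.56 duration 0:00:00",
    # Constructed: a tunnel connection whose destination was translated to the
    # inside host, so ingress and egress interfaces differ and the flow completes.
    "Teardown TCP connection 398801 for outside:192.168.230.15/40112 "
    "to inside:192.168.168.111/7887 duration 0:00:12 bytes 2310 TCP FINs",
]


def parse_teardown(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ASA connection-teardown line, or None for other lines."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = (rec["reason"] or "").strip()
    return rec


def is_same_interface_flow(rec: Dict[str, str]) -> bool:
    """True when the ASA recorded ingress and egress on the same interface.

    For a decrypted VPN flow this means the destination resolved back out the
    interface the packet arrived on instead of an inside interface (u-turn).
    """
    return rec["src_if"] == rec["dst_if"]


def find_loopback_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Select teardowns the ASA called loopbacks or that hairpin on one interface."""
    findings = []
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        rec["hairpin"] = "yes" if is_same_interface_flow(rec) else "no"
        if rec["reason"] == "Flow is a loopback" or rec["hairpin"] == "yes":
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in find_loopback_flows(SAMPLE_LOG):
        print(
            f"conn {f['conn_id']}: {f['src_if']}:{f['src']}/{f['sport']} -> "
            f"{f['dst_if']}:{f['dst']}/{f['dport']} bytes={f['bytes']} "
            f"same-interface={f['hairpin']} reason='{f['reason']}'"
        )
```

When run over the sample, only connection 398765 is reported: both endpoints sit on "outside", zero bytes were exchanged and the reason is the loopback message, which is the signature to look for when deciding whether the inbound NAT to the inside host is actually being applied. Feeding the script a real ASA log export, one message per line, gives the same classification for every teardown in the file.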