ASA doesn't route the packet

Unanswered Question
Dec 11th, 2007

I have an ASA 5500 and it is the gateway of my LAN.

The ASA routes the packets destined for 2 remote nets toward a Cisco router, through a table of static routes.

The problem is that it only passes ping toward the remote LAN, while all the other protocols and sessions are blocked!

Only ICMP packets are forwarded.


I have captured this message in the ASA log:

106015 192.168.10.14 192.168.13.13 Deny TCP (no connection) from 192.168.10.14/21438 to 192.168.13.13/1720 flags RST on interface LAN.

Best Regards

Collin Clark Tue, 12/11/2007 - 10:14

Can you post a diagram with IPs?

husycisco Wed, 12/12/2007 - 00:59

Michael

The IP addresses in the diagram and in your post do not match. Can you correct this, please?

Also please run

sh run access-group

access-group xxxx in interface inside

If you see a line like the above (xxxx is your ACL name), please send the output of

sh run access-list xxxx

husycisco Wed, 12/12/2007 - 00:49

If this were a routing issue, you would see the following message in syslog:

No route to host 192.168.13.13


This looks like an ACL issue. Is 192.168.10.14 in your inside network (inside interface)? And where is 192.168.13.13 located? DMZ interface?

michelerossi Wed, 12/12/2007 - 01:37

Sorry, but this is the correct message:


106015 172.31.0.14 172.29.0.14 Deny TCP (no connection) from 172.31.0.14/21438 to 172.29.0.14/1720 flags RST on interface LAN.


My first message related to another ASA log message, where I have the same problem.
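
The 106015 message quoted in this post can be parsed and triaged mechanically. The following is an added example, not code from the thread or from Cisco: a small Python parser for the "Deny TCP (no connection)" line, in both the bare form pasted above and the standard %ASA-6-106015 syslog form, plus a triage rule that groups denies for non-SYN segments between inside hosts and the remote subnets on the inside interface. The sample log lines are constructed (the two from this thread plus four made-up ones), and the addressing (inside 172.31.0.0/24, remote nets 172.29.0.0/24 and 172.30.0.0/24, interface name LAN) is assumed, since the thread gives only the prefixes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the two lines quoted in this thread plus four made-up
# lines (a retransmitted attempt, a mid-stream ACK toward the second remote
# net, a deny on the outside interface and a connection-built message that is
# not a 106015 at all).
SAMPLE_LOG = [
    "106015 192.168.10.14 192.168.13.13Deny TCP (no connection) from 192.168.10.14/21438 to 192.168.13.13/1720 flags RST on interface LAN.",
    "106015 172.31.0.14 172.29.0.14 Deny TCP (no connection) from 172.31.0.14/21438 to 172.29.0.14/1720 flags RST on interface LAN.",
    "Dec 12 2007 01:31:07 asa %ASA-6-106015: Deny TCP (no connection) from 172.31.0.14/21440 to 172.29.0.14/1720 flags RST  on interface LAN",
    "Dec 12 2007 01:31:09 asa %ASA-6-106015: Deny TCP (no connection) from 172.31.0.20/49152 to 172.30.0.5/445 flags ACK  on interface LAN",
    "Dec 12 2007 01:31:11 asa %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/443 to 172.31.0.14/51000 flags RST  on interface outside",
    "Dec 12 2007 01:31:12 asa %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/80 (203.0.113.9/80) to LAN:172.31.0.14/51001 (172.31.0.14/51001)",
]

# Accepts both the bare "106015 src dst Deny ..." form pasted in the thread
# (with or without the space before "Deny") and the %ASA-6-106015: syslog form.
DENY_106015 = re.compile(
    r"(?:%ASA-\d-)?106015:?\s+(?:[\d.]+\s+[\d.]+\s*)?"
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+"
    r"on interface (?P<ifc>[\w-]+)"
)


def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None for other lines."""
    m = DENY_106015.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    ev["flags"] = ev["flags"].split()
    return ev


def asymmetric_return_candidates(lines, inside_ifc, inside_nets, remote_nets):
    """Group 106015 denies that look like a return path bypassing the firewall.

    A SYN through a permitting ACL builds a connection, so "no connection" for
    a segment without SYN means the firewall never saw (or already lost) the
    start of that flow.  Seen on the inside interface, from an inside host to
    a remote subnet that is reached through a router on that same interface,
    that is the signature of reply packets going router -> host directly.
    """
    inside = [ip_network(n) for n in inside_nets]
    remote = [ip_network(n) for n in remote_nets]
    hits = Counter()
    for line in lines:
        ev = parse_106015(line)
        if ev is None or ev["ifc"] != inside_ifc or "SYN" in ev["flags"]:
            continue
        src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
        if any(src in n for n in inside) and any(dst in n for n in remote):
            hits[(ev["src"], ev["dst"], ev["dport"])] += 1
    return [
        {"src": s, "dst": d, "dport": p, "count": c}
        for (s, d, p), c in sorted(hits.items())
    ]


if __name__ == "__main__":
    # Assumed addressing: inside LAN 172.31.0.0/24, remote nets 172.29.0.0/24
    # and 172.30.0.0/24 (the thread gives only the network prefixes).
    for f in asymmetric_return_candidates(
        SAMPLE_LOG, "LAN", ["172.31.0.0/24"], ["172.29.0.0/24", "172.30.0.0/24"]
    ):
        print(f)
```

On the constructed sample this reports the two inside hosts whose mid-stream segments toward the remote nets were dropped on LAN, and ignores the deny on the outside interface and the 302013 line. A hit list like this says only that the firewall lacks state for those flows; confirming the cause still needs the diagram and the packet-tracer output asked for in this thread.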


husycisco Wed, 12/12/2007 - 01:47

Thanks

So can you please post the output of the following commands:

sh run access-group

access-group xxxx in interface LAN

(xxxx is the name of your ACL)

sh run access-list xxxx

husycisco Wed, 12/12/2007 - 02:30

Thanks. Please also post the output of the following:


packet-tracer input LAN tcp 172.31.0.14 21438 172.29.0.14 1720 detailed

husycisco Wed, 12/12/2007 - 03:15

According to the packet trace, the ASA allows the flow; nothing is wrong with the ASA. And as I see the RST statement in syslog, I suspect the remote client. Maybe restarting the client may work. Do you encounter the same issue when you try to reach another client in that subnet too?

michelerossi Wed, 12/12/2007 - 03:25

I've got the same issue reaching all clients of all remote networks, including the LAN IP addresses of the routers.

The ASA version is 8.0(2).

If I do a traceroute from ASDM Tools from the LAN to 172.29.0.0 or 172.30.0.0, it only works if I check the "use ICMP" box.

Also I have the same problem at another client with the same ASA (version 8.0(3)).

husycisco Wed, 12/12/2007 - 05:06

What happens when you temporarily add

access-list LAN_access_in permit ip any any


husycisco Fri, 12/14/2007 - 03:26

Michel, can you please also post the output of the following commands?


traceroute 172.29.0.14 use-icmp

and

traceroute 172.29.0.14

lukasdrbo Thu, 12/20/2007 - 09:35

Hi Michele,

I have the same problem as you. Do you have a solution for it, please?

Thanks,

Lukas

fbroussey Tue, 03/18/2008 - 04:20

Hi everybody,

I experienced the same issue. My network diagram is similar. Did you find a solution to that problem?

Thanks a lot for your help.

michelcaissie Tue, 03/18/2008 - 08:26

Here we must understand that the routing capabilities of an ASA are limited compared to a router. Initially a PIX would not allow a packet to leave on the same interface it came in on. This was improved by adding the "same-security-traffic permit intra-interface" command, which I assume you are using. But this does not resolve everything, because the ASA does not reroute the packet the way a router would; it creates a connection the same way it would if the packet left the outside interface. Your problem is that the returning packet doesn't get back to the ASA.


Let's see with an example (I assume that the PCs on the inside have the ASA as the default gateway):

172.31.0.100 makes a TCP connection to 172.29.0.100. The SYN hits the ASA, which opens a connection, then routes the packet to the MPLS router at 172.31.0.254. But the returning SYN packet goes directly to the PC 172.31.0.100 because it is directly connected to the router. Then the PC sends the ACK to the ASA (the default gateway), but it is refused because the ASA never saw the returning SYN. So your TCP connection dies here.


The problem does not occur with ICMP because there is no three-way handshake and it doesn't matter if the replies don't pass through the ASA.


One solution could be to create a sub-interface on the inside interface, configure it on a /22 subnet, put the MPLS router in this subnet and create a static route in the MPLS router for your inside network. This way it would force all returning traffic to go through the ASA.
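
The handshake walked through in the post above, as an added example that is not part of the thread: a Python model of a stateful firewall in front of a PC, with the MPLS router either delivering replies straight onto the PC's subnet (the situation described in the thread) or routing them back via the firewall (the fix proposed above). The addresses follow the post's example; the firewall's connection table, its drop reasons and the 106015-style log line are simplifications written for this example, not Cisco code or the ASA's exact behaviour.

```python
from dataclasses import dataclass

# Constructed addresses following the example in the post above.
PC = "172.31.0.100"          # inside PC, default gateway = ASA
MPLS_ROUTER = "172.31.0.254"
REMOTE = "172.29.0.100"      # host behind the MPLS router


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP: "SYN", "SYN ACK", "ACK" or "RST"


class StatefulFirewall:
    """Toy model of the ASA connection table for flows seen on one interface."""

    def __init__(self, ifname="LAN"):
        self.ifname = ifname
        self.conns = {}      # (src, sport, dst, dport) -> handshake state
        self.drops = []      # this model's own drop reasons, not ASA messages
        self.syslog = []     # 106015-style lines

    def forward(self, p):
        """True if the firewall passes the packet, False if it drops it."""
        if p.proto == "icmp":
            # Echo request permitted by the ACL; this model keeps no ICMP state.
            return True
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "SYN" and fwd not in self.conns:
            self.conns[fwd] = "SYN_SENT"                 # embryonic connection built
            return True
        if p.flags == "SYN ACK" and self.conns.get(rev) == "SYN_SENT":
            self.conns[rev] = "SYN_RCVD"
            return True
        if p.flags == "ACK" and self.conns.get(fwd) == "SYN_RCVD":
            self.conns[fwd] = "ESTABLISHED"
            return True
        if p.flags == "ACK" and self.conns.get(fwd) == "SYN_SENT":
            # ACK for a SYN ACK the firewall never saw: the handshake cannot
            # complete, so the embryonic entry is torn down (model assumption).
            self.drops.append(f"ACK without SYN ACK for {fwd}")
            del self.conns[fwd]
            return False
        if fwd in self.conns or rev in self.conns:
            return True                                  # established traffic
        self.syslog.append(
            f"106015 Deny TCP (no connection) from {p.src}/{p.sport} "
            f"to {p.dst}/{p.dport} flags {p.flags} on interface {self.ifname}")
        return False


def router_to_pc(fw, p, return_via_firewall):
    """The MPLS router forwards a packet toward the PC.

    return_via_firewall=False: the PC subnet is directly connected to the
    router, so the packet never touches the ASA (the thread's topology).
    return_via_firewall=True: the router holds a static route for the PC
    subnet via the ASA (the fix proposed above).
    """
    return fw.forward(p) if return_via_firewall else True


def tcp_connect(return_via_firewall):
    """Run the three-way handshake; return (established, firewall syslog)."""
    fw = StatefulFirewall()
    if not fw.forward(Packet("tcp", PC, REMOTE, 21438, 1720, "SYN")):
        raise RuntimeError("SYN is always permitted in this model")
    router_to_pc(fw, Packet("tcp", REMOTE, PC, 1720, 21438, "SYN ACK"), return_via_firewall)
    established = fw.forward(Packet("tcp", PC, REMOTE, 21438, 1720, "ACK"))
    if not established:
        # The PC eventually gives up on the socket; its RST now matches nothing.
        fw.forward(Packet("tcp", PC, REMOTE, 21438, 1720, "RST"))
    return established, fw.syslog


def ping(return_via_firewall):
    """Echo request out through the ASA, echo reply back by either path."""
    fw = StatefulFirewall()
    if not fw.forward(Packet("icmp", PC, REMOTE)):
        return False
    return router_to_pc(fw, Packet("icmp", REMOTE, PC), return_via_firewall)


if __name__ == "__main__":
    for via_fw in (False, True):
        ok, log = tcp_connect(via_fw)
        print(f"return via ASA={via_fw}: tcp established={ok}, ping={ping(via_fw)}")
        for line in log:
            print("   ", line)
```

With replies bypassing the firewall, the PC's SYN builds an entry, the SYN ACK is never seen, the PC's ACK is dropped and the later RST matches no connection, which is the shape of the 106015 message quoted at the top of this thread; ping succeeds on either path because the echo reply never needs the firewall. With the router's route for the inside subnet pointing at the ASA, the same handshake completes and nothing is logged. A real ASA adds sequence-number checks, embryonic timeouts and its own drop reasons on top of this model.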
