ASA: UDP Flow: Silent Packet Drop after a Week (Bacnet/IP)...

Unanswered Question
Feb 1st, 2008

Here is the setup: Cisco ASA 5510 (Security Plus) 7.2(3) connected in a hub-and-spoke setup in an IPSec site-to-site VPN with 5 sites, each one with a Cisco 877 router. The sites have HVAC equipment connected to them talking Bacnet/IP. The central site has a Bacnet/IP "router" behind the Cisco ASA 5510. Bacnet/IP communications are always on UDP/47808 (source and destination).

Everything runs smoothly for about a week. Past 1 week, obscure packet drops occur. We are not able to understand why. The (temporary) solution is to flush the flow that the UDP communication is using with the command "clear local-host <IP address of Bacnet/IP router>". Once this is done, everything runs smoothly for another week. We do not think it would be related to the VPN. Very weird.

oszkari Fri, 02/01/2008 - 13:04

Do you have any UDP flow limit set on the ASA?

How many active UDP flows do you have to the Bacnet/IP router at the moment when the problem appears?

benoitbegin0 Fri, 02/01/2008 - 13:09

There is no UDP flow limit configured on this firewall:

asa-hvac# sh local-host router-bacnet
Interface inside: 3 active, 8 maximum active, 0 denied
local host: ,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 2/unlimited
UDP out ctrl-delta-maniwaki:47808 in router-bacnet:47808 idle 0:00:15 flags -
UDP out ctrl-delta-laurentienne:47808 in router-bacnet:47808 idle 0:00:00 flags -
Interface outside: 15 active, 33 maximum active, 0 denied

To answer your second question, when the problem appears, the same 2 flows are there when I issue the "show local-host bacnet-router" command.
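A small parser for the "show local-host" output quoted above, with the checks a monitoring job would run over it (denied counter non-zero, a per-host flow limit reached, a UDP flow idle longer than expected for a continuously chatty protocol such as Bacnet/IP). This is an added example, not code from the thread or from Cisco; the sample output is constructed from the post above, the local host IP placeholder and the 60-second idle threshold are assumptions.

```python
import re

# Constructed sample, modelled on the "show local-host" output in the post above (the local host IP is elided there, so a placeholder is used).
SAMPLE_OUTPUT = """\
Interface inside: 3 active, 8 maximum active, 0 denied
local host: <router-bacnet-ip>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 2/unlimited
UDP out ctrl-delta-maniwaki:47808 in router-bacnet:47808 idle 0:00:15 flags -
UDP out ctrl-delta-laurentienne:47808 in router-bacnet:47808 idle 0:00:00 flags -
Interface outside: 15 active, 33 maximum active, 0 denied
"""

IFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
LIMIT_RE = re.compile(r"^(TCP|UDP) flow count/limit = (\d+)/(\S+)")
FLOW_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d\d):(\d\d) flags (\S*)")


def parse_local_host(text):
    """Parse 'show local-host' output into per-interface counters, per-protocol limits and flows."""
    parsed = {"interfaces": {}, "limits": {}, "flows": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            parsed["interfaces"][m[1]] = {"active": int(m[2]), "max": int(m[3]), "denied": int(m[4])}
        elif m := LIMIT_RE.match(line):
            parsed["limits"][m[1]] = {"count": int(m[2]),
                                      "limit": None if m[3] == "unlimited" else int(m[3])}
        elif m := FLOW_RE.match(line):
            idle_s = int(m[6]) * 3600 + int(m[7]) * 60 + int(m[8])  # idle is shown as H:MM:SS
            parsed["flows"].append({"proto": m[1], "out": f"{m[2]}:{m[3]}", "in": f"{m[4]}:{m[5]}",
                                    "idle": idle_s, "flags": m[9]})
    return parsed


def check_local_host(parsed, stale_after=60):
    """Return warnings: denied connections, a per-host flow limit reached, or a UDP flow idle
    longer than stale_after seconds (assumed threshold: a quiet Bacnet/IP flow means traffic stopped)."""
    warnings = []
    for name, itf in parsed["interfaces"].items():
        if itf["denied"]:
            warnings.append(f"{name}: {itf['denied']} connections denied")
    for proto, lim in parsed["limits"].items():
        if lim["limit"] is not None and lim["count"] >= lim["limit"]:
            warnings.append(f"{proto} flow limit reached ({lim['count']}/{lim['limit']})")
    for fl in parsed["flows"]:
        if fl["proto"] == "UDP" and fl["idle"] >= stale_after:
            warnings.append(f"UDP flow {fl['out']} <-> {fl['in']} idle {fl['idle']}s")
    return warnings
```

Run it against the output captured while the drops are happening and compare with a healthy capture; a flow whose idle timer keeps climbing while the peers should be talking is the entry to clear.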

oszkari Fri, 02/01/2008 - 17:49

Have you tried IPsec over TCP?

With UDP, strange things could happen sometimes...

Right now I don't have better ideas :)

sam.vandevelde@... Thu, 03/01/2012 - 03:43

Did you ever solve this problem?

I'm experiencing the same problem between an ASA 5510 (8.2) and an ASA 5510 (8.0). Using the command "clear local-host " on the 8.0 version restores the UDP communication for about a week.
