Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2140
Views
0
Helpful
4
Replies

ASA: UDP Flow: Silent Packet Drop after a Week (Bacnet/IP)...

benoitbegin0
Level 1
Level 1

‎02-01-2008 12:32 PM - edited ‎03-11-2019 04:58 AM

Here is the setup: Cisco ASA 5510 (Security Plus) 7.2(3) connected in a hub-and-spoke setup in IPSec site-to-site VPN with 5 sites, each one with Cisco 877 routers. The sites have HVAC equipments connected to them talking Bacnet/IP. The central site have a Bacnet/IP "router" behind the Cisco ASA 5510. Bacnet/IP communications are always on UDP/47808 (source and destination).

Everything runs smoothly for about a week. Past 1 week, obscur packet drop occurs. We are not able to understand why. The (temporary) solution is to flush the flow that the UDP communication is using with the command "clear local-host <IP address of Bacnet/IP router>". Once this is done, everything runs smoothly for another week. We do not think it would be related to VPN. Very weird.

Labels:
0 Helpful
4 Replies 4

oszkari
Level 1
Level 1

‎02-01-2008 01:04 PM

Hi,

Have you any UDP flow limit set on the ASA?

How many active udp flows do you have to the Bacnet/IP router in the moment when the problem appears?

0 Helpful

benoitbegin0
Level 1
Level 1
In response to oszkari

‎02-01-2008 01:09 PM

Hi,

There is no UDP flow limit configured on this firewall:

asa-hvac# sh local-host router-bacnet

Interface inside: 3 active, 8 maximum active, 0 denied

local host: ,

TCP flow count/limit = 0/unlimited

TCP embryonic count to host = 0

TCP intercept watermark = unlimited

UDP flow count/limit = 2/unlimited

Conn:

UDP out ctrl-delta-maniwaki:47808 in router-bacnet:47808 idle 0:00:15 flags -

UDP out ctrl-delta-laurentienne:47808 in router-bacnet:47808 idle 0:00:00 flags -

Interface outside: 15 active, 33 maximum active, 0 denied

To answer your second question, when the problem appear, there is the same 2 flows when I issue the "show local-host bacnet-router" command.

0 Helpful

oszkari
Level 1
Level 1
In response to benoitbegin0

‎02-01-2008 05:49 PM

hmm..

Have you tried ipsec over tcp?

With udp strange things could happen sometimes...

right now i don't have better ideas:)

0 Helpful

sam.vandevelde
Level 1
Level 1

‎03-01-2012 03:43 AM

Did you ever solve this problem?

I'm experiencing the same problem between a ASA 5510 (8.2) and a ASA 5510 (8.0). Using the command "clear local-host " on the 8.0-version restores the UDP-communication for about a week.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card