02-01-2008 12:32 PM - edited 03-11-2019 04:58 AM
Here is the setup: Cisco ASA 5510 (Security Plus) 7.2(3) connected in a hub-and-spoke setup in IPSec site-to-site VPN with 5 sites, each one with Cisco 877 routers. The sites have HVAC equipment connected to them talking Bacnet/IP. The central site has a Bacnet/IP "router" behind the Cisco ASA 5510. Bacnet/IP communications are always on UDP/47808 (source and destination).
Everything runs smoothly for about a week. After 1 week, obscure packet drops occur. We are not able to understand why. The (temporary) solution is to flush the flow that the UDP communication is using with the command "clear local-host <IP address of Bacnet/IP router>". Once this is done, everything runs smoothly for another week. We do not think it would be related to VPN. Very weird.
02-01-2008 01:04 PM
Hi,
Do you have any UDP flow limit set on the ASA?
How many active UDP flows do you have to the Bacnet/IP router at the moment when the problem appears?
02-01-2008 01:09 PM
Hi,
There is no UDP flow limit configured on this firewall:
asa-hvac# sh local-host router-bacnet
Interface inside: 3 active, 8 maximum active, 0 denied
local host:
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 2/unlimited
Conn:
UDP out ctrl-delta-maniwaki:47808 in router-bacnet:47808 idle 0:00:15 flags -
UDP out ctrl-delta-laurentienne:47808 in router-bacnet:47808 idle 0:00:00 flags -
Interface outside: 15 active, 33 maximum active, 0 denied
To answer your second question, when the problem appears, there are the same 2 flows when I issue the "show local-host bacnet-router" command.
02-01-2008 05:49 PM
Hmm...
Have you tried IPsec over TCP?
With UDP, strange things can happen sometimes...
Right now I don't have better ideas :)
03-01-2012 03:43 AM
Did you ever solve this problem?
I'm experiencing the same problem between an ASA 5510 (8.2) and an ASA 5510 (8.0). Using the command "clear local-host