I have a Cisco ASA 5520 with a DMZ and an inside interface. The security policy is set up to permit IP ANY from a host on the DMZ to a host on the inside. The host on the DMZ is initiating communication on UDP port 2114, which is a challenge-response authentication. The ASA does not log it in any of the syslogs or the log buffer, even under debugging, and it drops it. With a CLI capture I see the packet on the DMZ interface, but it never goes out the internal interface. NAT is correctly set up and verified.
If I do a packet trace from the CLI or ASDM for one host to the other on UDP port 2114, it only shows FLOW-LOOKUP and says it is using an existing FLOW with ID (number). It then gives an end result with question marks for the exit interface. If I change this to another port it works fine and properly shows the access-list and route lookup. It can obviously route.
I have an open TAC case, but I'm wondering if anyone else has ever seen this issue. A reboot of the ASA didn't help; it simply changed the FLOW-LOOKUP number.
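The symptom described above (packet-tracer stopping at FLOW-LOOKUP with an existing flow ID, and no ACL or route lookup) means the ASA is matching the packet to an entry already in its connection table rather than building a new one, so the new packet inherits whatever that entry decided. The session below is an added troubleshooting example, not part of the original post, showing how to inspect and clear that entry and how to see the drop reason; the interface name DMZ and the addresses 10.0.1.10 (DMZ host) and 10.0.2.20 (inside host) are assumed placeholders.

```text
! Reproduce the trace with the real 5-tuple; "detailed" prints the flow it matched
ciscoasa# packet-tracer input DMZ udp 10.0.1.10 2114 10.0.2.20 2114 detailed

! Show the existing connection the trace is matching (same port, both directions)
ciscoasa# show conn port 2114
ciscoasa# show conn address 10.0.1.10 detail

! Per-host view: also shows the conn/embryonic counts and the interface it was learned on
ciscoasa# show local-host 10.0.1.10 detail

! Count silently dropped packets by reason (no syslog is generated for many ASP drops)
ciscoasa# clear asp drop
ciscoasa# show asp drop

! Capture only what the accelerated security path drops, then look for port 2114
ciscoasa# capture dropcap type asp-drop all
ciscoasa# show capture dropcap | include 2114

! Remove the stale flow so the next packet is evaluated fresh (ACL, NAT, route lookup)
ciscoasa# clear conn address 10.0.1.10 port 2114
ciscoasa# packet-tracer input DMZ udp 10.0.1.10 2114 10.0.2.20 2114
```

Compare the interface and direction recorded on the `show conn` entry with the one in the trace: a flow first learned on a different interface, or a UDP "connection" left behind by an earlier reply, will be matched instead of triggering a new access-list and route evaluation. If the entry reappears immediately after being cleared, a capture on the interface that owns the conflicting flow usually shows what is creating it.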