SMB over VPN does not work after update to ASA 8.0.4

Unanswered Question
Sep 29th, 2008

This weekend I upgraded our Cisco ASA 5510 to the most recent ASA software 8.0.4, but since then I can't reach our servers with SMB anymore ("\\servername\share\"); HTTP also does not work anymore. Nothing happens at all anymore.

For HTTP I get the following error:

6 Sep 29 2008 10:10:19 106015 10.10.0.2 3966 192.168.0.22 80 Deny TCP (no connection) from 10.10.0.2/3966 to 192.168.0.22/80 flags FIN ACK on interface outside

and for SMB:

6 Sep 29 2008 09:42:12 106015 192.168.0.22 445 10.10.0.2 3902 Deny TCP (no connection) from 192.168.0.22/445 to 10.10.0.2/3902 flags ACK on interface inside

Before the upgrade everything worked without any trouble!

Is there anything that's changed in the new ASA, and what could be the solution?

Thanx


Jaap,

This message is logged when the Firewall discards a TCP packet that has no associated connection in the Firewall unit's connection table. The Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the PIX Firewall discards the packet.
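As an added example (not part of the thread), the explanation above can be turned into a small log check: parse 106015 lines in the format quoted in the question, record the TCP flags, confirm that no SYN was present, and count which interface and service port is losing mid-stream packets. The two log lines are the ones quoted in the question; the third line is a constructed non-106015 message that the parser must ignore. The "service port is the lower port number" rule is an assumption used only for grouping.

```python
"""Parse ASA 106015 ("Deny TCP (no connection)") syslog lines and summarise
which interface / service is dropping packets after a change."""
import re
from collections import Counter
from dataclasses import dataclass

# Layout of the lines as pasted in the thread: severity, timestamp, message id,
# the raw address/port fields, then the human-readable Deny text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+106015\s+.*?"
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)$"
)


@dataclass(frozen=True)
class DenyNoConn:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple
    iface: str

    @property
    def has_syn(self) -> bool:
        # Per the explanation in the thread: no SYN plus no existing
        # connection means the packet is discarded with 106015.
        return "SYN" in self.flags

    @property
    def service_port(self) -> int:
        # Assumption: the lower (well-known) port identifies the service,
        # so 445 is reported for an SMB flow whichever side sent the packet.
        return min(self.sport, self.dport)


def parse_line(line: str):
    """Return a DenyNoConn for a 106015 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DenyNoConn(
        timestamp=m["ts"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=tuple(m["flags"].split()), iface=m["iface"],
    )


def summarize(lines):
    """Count 106015 events per (interface, service port)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev.iface, ev.service_port)] += 1
    return dict(counts)


SAMPLE_LOG = [
    # Two lines quoted from the question.
    "6 Sep 29 2008 10:10:19 106015 10.10.0.2 3966 192.168.0.22 80 Deny TCP (no connection) "
    "from 10.10.0.2/3966 to 192.168.0.22/80 flags FIN ACK on interface outside",
    "6 Sep 29 2008 09:42:12 106015 192.168.0.22 445 10.10.0.2 3902 Deny TCP (no connection) "
    "from 192.168.0.22/445 to 10.10.0.2/3902 flags ACK on interface inside",
    # Constructed line with a different message id; it must be skipped.
    "6 Sep 29 2008 09:42:10 302013 Built outbound TCP connection 12345 for "
    "inside:192.168.0.22/445 (192.168.0.22/445) to outside:10.10.0.2/3902 (10.10.0.2/3902)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        if ev is not None:
            print(f"{ev.iface}: {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} "
                  f"flags={' '.join(ev.flags)} syn={ev.has_syn}")
    print(summarize(SAMPLE_LOG))
```

Run over a longer `show logging` capture, the summary quickly shows whether the drops are confined to the VPN client traffic (one interface, a few service ports) or are general, which is the first thing support will ask.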

foreignmediagroup Mon, 09/29/2008 - 00:50

All right. Any idea why this worked on 8.0.2 and not on 8.0.4 anymore?

And what could be the solution?

foreignmediagroup Mon, 09/29/2008 - 01:09

I updated to 8.0.4 because Cisco told me so after having some trouble with crashes and reboots of my ASA.

I'm using the Cisco VPN client.

And I compared the configs, but there are only some changes after updating to 8.0.4.

The things that changed are:

1: (added)

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

2: (added after each crypto map)

crypto map outside_map xx set security-association lifetime seconds 28800

crypto map outside_map xx set security-association lifetime kilobytes 4608000

3: (added)

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

LOL - sorry, but that is funny, to upgrade to fix crashes and reboots..... if anything you should have downgraded!

The changes you have made would not stop SMB traffic over the VPN. What could be the issue is the DNS.

Are you allowing the client to resolve to your internal network the names of the servers? Have you tried browsing the shares using the IP address of the server instead of the name?

foreignmediagroup Mon, 09/29/2008 - 05:15

DNS is not the problem; RDP does work, but HTTP also does not work.

Explorer does not get the actual traffic. Cisco already called to solve the problem, but they can't fix it right away. They had to analyze captured data from Wireshark and the ASA to look for a solution. Until then I downgraded to 8.0.2 again and now it works again.

cisco24x7 Mon, 09/29/2008 - 10:11

Basically, you're trading one "ED" code for another one.

That's what happens when you run "ED" code.

lukasdrbo Wed, 11/05/2008 - 04:49

Hi,

I have the same problem with 8.0.4; 8.0.2 is OK with the same cfg. Do you have any solutions, please?

Thx,

Lukas

foreignmediagroup Wed, 11/05/2008 - 05:26

It's a bug in 8.0.4. After calling Cisco tech support they tried to replicate the error and found out they also have the same problem with 8.0.4, but not with a newer (internal version) 8.0.4.7. Now I got that version from the support team to solve the problem, and that worked. If you would also like this version, you must contact tech support.

I hope this could help you.

lukasdrbo Wed, 11/05/2008 - 05:28

Thank you very much. I tried 8.0.4(3), it's bad too :-(. I will try tech support.

mcarnahan Sun, 11/09/2008 - 15:10

I had a similar problem after upgrading to 8.0.4 and found that IP Compression was turned on in the group policy for my VPNs. It was off before the upgrade and was enabled after. Once I turned it off, all the problems went away and it works fine.

Check your Group Policies and look for the following:

ip-comp enable

If you find it, enter the following:

no ip-comp

or

ip-comp disable
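As an added example (not from the thread), the check above can be automated against a saved `show running-config`: walk each `group-policy NAME attributes` block, record whether it contains `ip-comp enable`, and emit the commands to disable it. The configuration text below is constructed for the example; the block-detection rule (attributes are the indented lines following the header) is an assumption about how the config is laid out.

```python
"""Audit ASA group-policy blocks for 'ip-comp enable' and build the fix."""
import re

GP_HEADER = re.compile(r"^group-policy (\S+) attributes\s*$")


def ip_comp_state(config_text: str):
    """Return {policy_name: 'enable' | 'disable' | None} per attributes block.

    None means the block never mentions ip-comp, so it inherits the default
    (or the DfltGrpPolicy setting) rather than setting it explicitly.
    """
    result = {}
    current = None
    for raw in config_text.splitlines():
        m = GP_HEADER.match(raw)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        if current is None:
            continue
        if not raw.startswith(" "):
            # A non-indented line ends the attributes block.
            current = None
            continue
        line = raw.strip()
        if line == "ip-comp enable":
            result[current] = "enable"
        elif line in ("ip-comp disable", "no ip-comp"):
            result[current] = "disable"
    return result


def remediation_commands(config_text: str):
    """Commands to turn IP compression off wherever it is enabled."""
    return [
        f"group-policy {name} attributes\n no ip-comp"
        for name, state in ip_comp_state(config_text).items()
        if state == "enable"
    ]


# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
 ip-comp enable
group-policy RemoteUsers attributes
 dns-server value 192.168.0.10
 ip-comp disable
 split-tunnel-policy tunnelspecified
group-policy Admins attributes
 vpn-idle-timeout 30
"""

if __name__ == "__main__":
    for name, state in ip_comp_state(SAMPLE_CONFIG).items():
        print(f"{name}: ip-comp {state or 'not set'}")
    for cmd in remediation_commands(SAMPLE_CONFIG):
        print(cmd)
```

Policies that never mention `ip-comp` are reported as unset, so if the default policy has it enabled, those policies are affected too; that is why the sample flags only `DfltGrpPolicy` but the fix applied there covers `Admins` as well.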
