DPD packets not traversing through Pix & ASA Firewalls

Unanswered Question
Oct 16th, 2008

We appear to be having issues with DPD packets being dropped by our firewalls.

The setup is as follows:

VPN3005-----pix(6.3)-----ASA(7.0)---Internet----VPN Clients

The concentrator is running 4.7.2.B and the clients are running v4.8.01.0300.

The VPN is created OK and works fine if traffic is being sent in either direction. The clients all sit behind DSL routers and if the DSL routers lose connection to the Internet for a few seconds the VPN drops and won't re-establish.

Doing packet captures on the Pix and the ASA shows that the DPD packets from the concentrator get to the Pix and the DPD packets from the client get to the outside of the ASA.

Since the DPD packets are on TCP port 10000 they should be allowed through on the same rules that allow the VPN. I can't see anything in the inspection rules that should stop this from occurring.

The ASA is a recent addition to the network but prior to that the same issue occurred where the Concentrator sent the packets as far as the Pix inside interface and the Client sent them as far as the outside interface.

There is no NAT happening on either firewall, the concentrator and client are all on routable IP addresses.

Any ideas what may cause this?

Mel Popple Thu, 10/16/2008 - 04:34

Forgot to add that the ASA is in Transparent mode and only acts as a diode for incoming traffic.
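The troubleshooting method described in the post is to capture at each firewall interface and see at which hop the DPD packets stop. The script below is an added example, not code from the thread or from Cisco: it takes per-hop capture summaries in a constructed one-line-per-packet format, works out the direction of travel from the source address, and reports the last hop where each flow was seen together with the next hop where it was missing. The hop names, the `192.0.2.0/24` concentrator-side network, the documentation-range addresses and the sample lines are all assumptions chosen to mirror the setup in the post.

```python
"""Locate the hop at which a flow disappears from a chain of packet captures.

Constructed example. Each capture summary line has the form
    <hop> <src_ip>:<src_port> > <dst_ip>:<dst_port> <proto>
"""
import ipaddress
from collections import defaultdict

# Capture points in order from the concentrator side out towards the Internet
# (assumed names; the post describes Pix inside/outside and ASA inside/outside).
PATH = ["pix-inside", "pix-outside", "asa-inside", "asa-outside"]

# Networks on the concentrator side; packets sourced here travel along PATH,
# everything else travels in the reverse direction (assumption for the example).
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample captures using documentation-range addresses: IKE on
# UDP 500 is seen at every hop, while the TCP 10000 (IPsec over TCP) packets
# carrying DPD are seen only at the first hop in each direction.
SAMPLE_CAPTURE = """\
pix-inside 192.0.2.10:10000 > 198.51.100.20:1055 tcp
pix-inside 192.0.2.10:500 > 198.51.100.20:500 udp
pix-outside 192.0.2.10:500 > 198.51.100.20:500 udp
asa-inside 192.0.2.10:500 > 198.51.100.20:500 udp
asa-outside 192.0.2.10:500 > 198.51.100.20:500 udp
asa-outside 198.51.100.20:1055 > 192.0.2.10:10000 tcp
"""


def parse_line(line):
    """Return (hop, flow) where flow is (src, sport, dst, dport, proto)."""
    hop, src, arrow, dst, proto = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected capture line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return hop, (src_ip, int(src_port), dst_ip, int(dst_port), proto.lower())


def hops_seen(lines):
    """Map each flow to the set of capture points where it appeared."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        hop, flow = parse_line(line)
        seen[flow].add(hop)
    return seen


def travel_order(src_ip, path=PATH):
    """Hops in the order a packet from src_ip should pass through them."""
    addr = ipaddress.ip_address(src_ip)
    inside = any(addr in net for net in INSIDE_NETS)
    return list(path) if inside else list(reversed(path))


def find_drop_points(lines, path=PATH):
    """Return {flow: (last_hop_seen, first_hop_missing)} for flows that
    stop partway along the path. Flows seen at every hop are omitted."""
    drops = {}
    for flow, hops in hops_seen(lines).items():
        last = None
        for hop in travel_order(flow[0], path):
            if hop in hops:
                last = hop
            elif last is not None:
                drops[flow] = (last, hop)
                break
    return drops


if __name__ == "__main__":
    for flow, (last, missing) in find_drop_points(SAMPLE_CAPTURE.splitlines()).items():
        src, sport, dst, dport, proto = flow
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: seen at {last}, missing at {missing}")
```

Run against the sample it reports the concentrator's TCP 10000 packets as last seen at `pix-inside` and the client's as last seen at `asa-outside`, which is the pattern the post describes; a flow that appears at every hop, like the UDP 500 IKE traffic here, produces no line. Feeding it real `capture` output would need the parser adjusted to that format.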
