Very odd 5505 behaviour

Unanswered Question
Oct 20th, 2008
User Badges:

I've recently been rolling out some 5505 installs to a number of customer sites recently, one of them is exhibiting very strange behaviour.

When adding a lan-to-lan vpn (between a unlimited user security plus device at the HQ and a 10 user base device at a remote office) the tunnel comes up fine, but when you add a nat exception for the traffic to the HQ device everything goes crazy.

The remote device behaves fine, however the hq device starts to have loopy connection tracking, and randomly start rejecting traffic, sanitied output attached... this was an ASDM refresh...

Local site is and remote is

Seems to be routing traffic to try and connect external traffic via the internal interface (ACLs reject)

Anyone got any ideas - the strange behaviour only starts when you add a nat exception for traffic from the local subnet to the remote?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jontybale Mon, 10/20/2008 - 09:32
User Badges:

Probably not worth it Ray (take me another 30min to sanitise) - just been trawing though release notes and its possible there may be an issue. Config works 100% fine on the Base model using the same software however...

May just look at rolling up to 8 as you suggest - anyone else got any ideas?

jontybale Mon, 10/20/2008 - 13:49
User Badges:

Just as a heads up - found the problem. Was an issue due to the head office network not being in full production - a lot of traffic was exiting the site via another gateway.

The larger number of asymmetric sessions caused the connection tracking to get confused. Added some slightly more specific nat exceptions at the remote site and it now all appears to be working fine.

jontybale Mon, 10/20/2008 - 09:06
User Badges:

Output of show version attached - been running though everything I can think of all day today, including the various bug trackers etc. Just wondered if im doing anything stupid or if there is a known problem...

ray_stone Mon, 10/20/2008 - 09:14
User Badges:

Second option : Just uprade IOS into 8.03 version and i hope it will be solve out.

jontybale Mon, 10/20/2008 - 09:17
User Badges:

Not much help im afraid, been though this and checked the config. Its almost like when the nat exception is added fro the VPN the nat xlations seem to operate in reverse.

3|Oct 20 2008|16:44:11|710003|admin-site|asa-headoffice-outside|TCP access denied by ACL from admin-site/3676 to inside:asa-headoffice-outside/443

admin-site is my remote address, and the asa-headoffice-outside is the "outside" security 0 address of the ASA. For some reason its trying to translate via inside and getting killed by the default ACL.


This Discussion