Very odd 5505 behaviour

jontybale
Level 1

I've recently been rolling out some 5505 installs to a number of customer sites, and one of them is exhibiting very strange behaviour.

When adding a LAN-to-LAN VPN (between an unlimited-user Security Plus device at the HQ and a 10-user Base device at a remote office) the tunnel comes up fine, but when you add a NAT exception for the traffic on the HQ device everything goes crazy.

The remote device behaves fine, however the HQ device starts to have loopy connection tracking and randomly starts rejecting traffic. Sanitised output attached... this was an ASDM refresh...

Local site is 192.168.16.0/24 and remote is 192.168.15.0/24.

Seems to be routing traffic to try and connect external traffic via the internal interface (ACLs reject)

Anyone got any ideas? The strange behaviour only starts when you add a NAT exception for traffic from the local subnet to the remote.

Jonty

8 Replies

ray_stone
Level 1

Can you post your config here!!!!

Probably not worth it Ray (it would take me another 30 min to sanitise). I've just been trawling through release notes and it's possible there may be an issue. The config works 100% fine on the Base model using the same software however...

May just look at rolling up to 8 as you suggest. Anyone else got any ideas?

Just as a heads up: found the problem. It was an issue due to the head office network not being in full production; a lot of traffic was exiting the site via another gateway.

The larger number of asymmetric sessions caused the connection tracking to get confused. Added some slightly more specific NAT exceptions at the remote site and it now all appears to be working fine.
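As an added illustration of the fix described above (this is not the poster's config, nor anything attached to the thread): a NAT exemption for the LAN-to-LAN tunnel between the two subnets named in the question, written in the pre-8.3 ASA syntax that the 7.2/8.0 software discussed here uses. The interface names `inside`/`outside`, the ACL names `nonat` and `l2l-remote`, the crypto map name `outside_map` and the peer address placeholders are assumptions.

```cisco
! --- HQ ASA (192.168.16.0/24 behind "inside") ---
! Exempt from NAT only traffic destined for the remote office subnet.
! Deliberately specific: "permit ip 192.168.16.0 255.255.255.0 any" would
! also exempt Internet-bound flows, which then leave unPATed.
access-list nonat extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list nonat
! Everything else still PATs to the outside interface address
nat (inside) 1 192.168.16.0 255.255.255.0
global (outside) 1 interface
! Crypto ACL: must be the exact mirror image of the remote side's
access-list l2l-remote extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
crypto map outside_map 10 match address l2l-remote
crypto map outside_map 10 set peer REMOTE_PEER_IP_PLACEHOLDER
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! --- Remote ASA 5505 Base (192.168.15.0/24 behind "inside") ---
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.15.0 255.255.255.0
global (outside) 1 interface
access-list l2l-hq extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
crypto map outside_map 10 match address l2l-hq
crypto map outside_map 10 set peer HQ_PEER_IP_PLACEHOLDER
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

To confirm a flow takes the exemption rather than the PAT rule before the tunnel is relied on, `packet-tracer input inside tcp 192.168.16.10 1025 192.168.15.10 443` on the HQ box should show the NAT phase matching `nat (inside) 0` and the flow leaving via the VPN; `show xlate` should then contain no entry for hosts talking across the tunnel. None of this helps with the root cause in this thread, though: if replies can return through a different gateway, the ASA only ever sees half of each TCP session and will reset what it cannot track, however the exemption is written.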

ray_stone
Level 1

Which IOS version are you using?

Output of show version attached. I've been running through everything I can think of all day today, including the various bug trackers etc. Just wondered if I'm doing anything stupid or if there is a known problem...

Click on the following link, check it out and respond back.

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp3083362

Ray

Second option: just upgrade IOS to version 8.03 and I hope it will be solved.

Not much help I'm afraid, been through this and checked the config. It's almost like when the NAT exception is added for the VPN the NAT translations seem to operate in reverse.

3|Oct 20 2008|16:44:11|710003|admin-site|asa-headoffice-outside|TCP access denied by ACL from admin-site/3676 to inside:asa-headoffice-outside/443

admin-site is my remote address, and asa-headoffice-outside is the "outside" security 0 address of the ASA. For some reason it's trying to translate via inside and getting killed by the default ACL.
