10-15-2008 01:45 AM - edited 03-11-2019 06:57 AM
I've recently been rolling out some 5505 installs to a number of customer sites; one of them is exhibiting very strange behaviour.
When adding a LAN-to-LAN VPN (between an unlimited-user Security Plus device at the HQ and a 10-user Base device at a remote office) the tunnel comes up fine, but when you add a NAT exception for the traffic to the HQ device everything goes crazy.
The remote device behaves fine; however the HQ device starts to have loopy connection tracking and randomly starts rejecting traffic. Sanitised output attached... this was an ASDM refresh...
Local site is 192.168.16.0/24 and remote is 192.168.15.0/24.
Seems to be routing traffic to try and connect external traffic via the internal interface (ACLs reject)
Anyone got any ideas - the strange behaviour only starts when you add a nat exception for traffic from the local subnet to the remote?
Jonty
10-15-2008 01:45 AM
Can you post your config here!!!!
10-20-2008 09:32 AM
Probably not worth it Ray (take me another 30 min to sanitise) - just been trawling through release notes and it's possible there may be an issue. Config works 100% fine on the Base model using the same software, however...
May just look at rolling up to 8 as you suggest - anyone else got any ideas?
10-20-2008 01:49 PM
Just as a heads up - found the problem. Was an issue due to the head office network not being in full production - a lot of traffic was exiting the site via another gateway.
The larger number of asymmetric sessions caused the connection tracking to get confused. Added some slightly more specific nat exceptions at the remote site and it now all appears to be working fine.
10-20-2008 09:00 AM
Which IOS version are you using?
10-20-2008 09:06 AM
10-20-2008 09:11 AM
Click on following link, check it out and respond back.
http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp3083362
Ray
10-20-2008 09:14 AM
Second option: just upgrade IOS to version 8.03 and I hope it will be solved.
10-20-2008 09:17 AM
Not much help I'm afraid, been through this and checked the config. It's almost like when the NAT exception is added for the VPN, the NAT xlations seem to operate in reverse.
3|Oct 20 2008|16:44:11|710003|admin-site|asa-headoffice-outside|TCP access denied by ACL from admin-site/3676 to inside:asa-headoffice-outside/443
admin-site is my remote address, and asa-headoffice-outside is the "outside" security 0 address of the ASA. For some reason it's trying to translate via inside and getting killed by the default ACL.
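The 710003 line quoted above is the kind of symptom worth catching automatically when asymmetric routing or a NAT exemption sends traffic out of the wrong interface. The following is an added example, not code from the thread or from Cisco: a small parser for the pipe-delimited ASDM log format shown in the post, plus a check that flags any "access denied by ACL" event in which the firewall's own outside address is being reached through an interface other than outside. The sample log lines, the hostnames `admin-site` and `asa-headoffice-outside`, and the helper names are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the "severity|date|time|msgid|src|dst|text" layout
# quoted in the thread. The first line mirrors the event posted above; the other
# two are invented for contrast (a normal connection build, and a deny that
# correctly arrives on the outside interface and so should NOT be flagged).
SAMPLE_LOG = """\
3|Oct 20 2008|16:44:11|710003|admin-site|asa-headoffice-outside|TCP access denied by ACL from admin-site/3676 to inside:asa-headoffice-outside/443
6|Oct 20 2008|16:44:12|302013|192.168.15.20|192.168.16.10|Built inbound TCP connection 12345 for outside:192.168.15.20/4000 (192.168.15.20/4000) to inside:192.168.16.10/445 (192.168.16.10/445)
3|Oct 20 2008|16:44:15|710003|10.0.0.5|asa-headoffice-outside|TCP access denied by ACL from 10.0.0.5/5555 to outside:asa-headoffice-outside/22
"""


@dataclass
class AsaEvent:
    severity: int
    timestamp: str
    msg_id: str
    src: str
    dst: str
    text: str


def parse_line(line: str) -> Optional[AsaEvent]:
    """Split one ASDM-style log line into its seven fields; None if malformed."""
    parts = line.rstrip("\n").split("|", 6)
    if len(parts) != 7:
        return None
    sev, date, time_, msg_id, src, dst, text = parts
    try:
        return AsaEvent(int(sev), f"{date} {time_}", msg_id, src, dst, text)
    except ValueError:
        return None


# Matches the message body of %ASA-3-710003, e.g.
# "TCP access denied by ACL from admin-site/3676 to inside:asa-headoffice-outside/443"
DENIED_RE = re.compile(
    r"access denied by ACL from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<ifc>[^:]+):(?P<dst>\S+)/(?P<dport>\d+)"
)


def flag_wrong_interface(event: AsaEvent, outside_addr: str) -> Optional[str]:
    """Return a finding when a 710003 shows the ASA's outside address being hit
    via some interface other than 'outside' (the symptom described in the thread)."""
    if event.msg_id != "710003":
        return None
    m = DENIED_RE.search(event.text)
    if not m:
        return None
    if m.group("dst") == outside_addr and m.group("ifc") != "outside":
        return (f"{event.timestamp}: {m.group('src')} reached outside address "
                f"{outside_addr} via interface {m.group('ifc')} "
                f"(dst port {m.group('dport')})")
    return None


def scan(log_text: str, outside_addr: str) -> List[str]:
    """Run the wrong-interface check over every parseable line of a log."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        finding = flag_wrong_interface(ev, outside_addr)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "asa-headoffice-outside"):
        print("FINDING:", f)
```

Run against a real ASDM export, `outside_addr` should be the address the ASA itself holds on its outside interface; a burst of such findings right after a NAT exemption change is a strong hint that return traffic is being routed or translated through the wrong interface rather than being an actual intrusion attempt.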