asa5510 - problem with routing traffic (i think)

george · ‎07-22-2009

i have an odd problem with routing traffic between two ASAs in two different locations. i have two locations with a site-to-site T1 in between. in both locations i have ASA5510s and on both ASAs i have following interfaces:

outside -> external interface

inside -> LAN

ptp -> interface for site-to-site T1

location A has LAN with subnet 192.168.0.0 /24 and location B has LAN with subnet 10.10.20.0 /24. i'm at location A and i can reach every host at location B. also hosts from location B can reach hosts at location A so i know the routing is working. however at location A i have a host 192.168.0.19 that needs to talk to host 10.10.20.19 at location B on UDP port 50795 and that traffic never gets accross. there are no access lists that would block the traffic. the really odd part is that i can capture packets on inside interface that match the criteria and see that host 192.168.0.19 is sending packets to 10.10.20.19, but when i try and capture packets on the ptp interface i see nothing BUT (!!!) if i try and capture packets on the outside interface i see them!!!

here is my access list that i use to capture traffic:

access-list cap2 line 1 extended permit udp any host 192.168.0.19 eq 50795

access-list cap2 line 2 extended permit udp host 192.168.0.19 eq 50795 any

here is my capture on inside interface (location A):

capture cap2 type raw-data access-list cap2 interface inside real-time

1: 00:57:34.929822 192.168.0.19.50795 > 10.10.20.19.50795: udp 15

2: 00:57:44.929990 192.168.0.19.50795 > 10.10.20.19.50795: udp 15

3: 00:57:54.929868 192.168.0.19.50795 > 10.10.20.19.50795: udp 15

here is my capture on outside interface (location A):

capture cap3 type raw-data access-list cap3 interface outside real-time

1: 00:57:14.929395 192.168.0.19.50795 > 10.10.20.19.50795: udp 15

2: 00:57:24.929502 192.168.0.19.50795 > 10.10.20.19.50795: udp 15

3: 00:57:34.929853 192.168.0.19.50795 > 10.10.20.19.50795: udp 15

the exact same thing is happening on location B. i can see the capture on inside interface and verfy that host 10.10.20.19 is sending packets to host 192.168.0.19 on port 50795 but i don't capture any of these packets on the ptp interface - instead i caputre them on the outside interface! both hosts 192.168.0.19 and 10.10.20.19 and Avaya phone systems so i cannot try sending other type of traffic between two hosts but i can see that there is a lot of UDP traffic between 192.168.0.19 and 10.10.20.18 (which is a voicemail server) so i know that 192.168.0.19 can reach location B but for some reason traffic to 10.10.20.19 is sent to the outside interface.

any help, suggestions or comments and welcomed as i have been working on this for the last two days and i can't get my head around this.

thanks.

John Blakley · ‎07-22-2009

Can you post your route statements and routing table?

sh run route

sh route

*Edit* - Can you also post your static nat statements?

sh run static

HTH,

John

HTH, John *** Please rate all useful posts ***

george · ‎07-22-2009

here is the info:

location A:

# sh route

O 10.1.3.0 255.255.255.252 [110/75] via 10.1.1.2, 28:02:43, ptp

O 10.1.2.0 255.255.255.252 [110/74] via 10.1.1.2, 28:02:43, ptp

C 10.1.1.0 255.255.255.252 is directly connected, ptp

O 10.10.20.0 255.255.255.0 [110/85] via 10.1.1.2, 28:02:43, ptp

C 192.168.0.0 255.255.255.0 is directly connected, inside

C is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via , outside

# sh run route

route outside 0.0.0.0 0.0.0.0 1

# sh run static

location B:

# sh route

C 10.1.3.0 255.255.255.252 is directly connected, ptp

O 10.1.2.0 255.255.255.252 [110/74] via 10.1.3.1, 28:03:28, ptp

O 10.1.1.0 255.255.255.252 [110/75] via 10.1.3.1, 28:03:28, ptp

C 10.10.20.0 255.255.255.0 is directly connected, inside

O 192.168.0.0 255.255.255.0 [110/85] via 10.1.3.1, 28:03:29, ptp

C is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via , outside

# sh run route

route outside 0.0.0.0 0.0.0.0 1

# sh run static

thanks.

John Blakley · ‎07-22-2009

I don't see anything "wrong" with your routing table. I'm assuming that you don't have any static nat statements in place.

You can try to put a host route for that host:

On Router A:

route ptp 10.10.20.19 255.255.255.255

On Router B:

route ptp 192.168.0.19 255.255.255.255

Is there a device between the two ASAs? What's at 10.1.1.2 and 10.1.3.1?

HTH,

John

HTH, John *** Please rate all useful posts ***

george · ‎07-22-2009

there are two routers in between two ASAs used to "terminate" site-to-site T1s on each end. but there is nothing on those routers that would preven traffic from going across. there are no static routes and no access-lists. and since all of my routing is done on subnet basis (no host to host routes) i don't get it why would traffic from 192.168.0.19 to 10.10.20.18 be sent through correct interface and traffic from 192.168.0.19 to 10.10.20.19 be sent somewhere else. to make things worst all this worked until i had power outage at location B....