ASA UDP flows to remote ezVPN hardware client created while tunnel was down lack IPSEC after it came up

Unanswered Question
Apr 23rd, 2010

Hello!

I'm running remote access VPN using a Cisco ASA 5520 in HQ and several remote x8xx ISRs as ezVPN hardware clients in NEM mode with reverse route injection on the ASA. There is a monitoring system in HQ and it sends SNMP requests to the remote devices every 5 seconds. The UDP timeout is globally set to 1 minute in the ASA, so UDP connections never time out and there is no problem. So when a UDP connection (flow) is created in the ASA while the IPSEC tunnel is UP we get:

packet-tracer input inside udp 10.10.4.166 1642 10.5.1.1 161 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 437398285, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

and it is OK.

But if the connection (flow) is created while IPSEC was DOWN, and then IPSEC comes UP, we get:

packet-tracer input inside udp 10.10.4.166 1642 10.5.1.1 161 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 437401391, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

We see that the connection lacks snp_fp_encrypt and snp_fp_ipsec_tunnel_flow, and the traffic is not being encrypted or decrypted.

The ASA says the connection exists and no packets are rejected, but as we can see the flow goes to the wrong place.

Is there any way to resolve that?
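A small checker for the symptom described in this post, added here as an example and not part of the original question or of any Cisco tool: it parses the output of "packet-tracer ... detailed", collects the fast-path modules listed for the forward and reverse flow, and reports whether the flow is missing snp_fp_encrypt (forward) and snp_fp_ipsec_tunnel_flow (reverse). Those two module names are taken from the healthy trace above; the two sample traces embedded below are copied from the post as constructed input, and the function and variable names are my own.

```python
"""Flag ASA flows that should be IPsec-protected but lack the crypto modules.

Input is the text of 'packet-tracer ... detailed' (ASA 8.x style output as
shown in the post). The check is a heuristic built from the module names the
post shows for a working VPN-bound flow; it is not an official Cisco check.
"""

import re

# Modules a VPN-bound flow shows when the tunnel is applied correctly
# (taken from the working trace in the post). A flow that lacks them is
# being forwarded and received in the clear.
EXPECTED = {
    "forward": "snp_fp_encrypt",
    "reverse": "snp_fp_ipsec_tunnel_flow",
}

_FLOW_ID = re.compile(r"Found flow with id (\d+)")
_MODULE_HDR = re.compile(r"Module information for (forward|reverse) flow")


def parse_packet_tracer(text):
    """Return {'flow_id': str|None, 'forward': [modules], 'reverse': [modules]}."""
    result = {"flow_id": None, "forward": [], "reverse": []}
    current = None  # which module list we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = _FLOW_ID.search(line)
        if m:
            result["flow_id"] = m.group(1)
            continue
        m = _MODULE_HDR.search(line)
        if m:
            current = m.group(1)
            continue
        if current and line.startswith("snp_"):
            result[current].append(line)
        elif not line:
            # A blank line terminates the current module list.
            current = None
    return result


def check_vpn_flow(text):
    """Return (ok, missing): missing lists 'direction:module' entries not seen."""
    parsed = parse_packet_tracer(text)
    missing = [
        f"{direction}:{module}"
        for direction, module in EXPECTED.items()
        if module not in parsed[direction]
    ]
    return (not missing, missing)


# Constructed sample input: the two traces quoted in the post.
GOOD_TRACE = """Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 437398285, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
"""

BAD_TRACE = """Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 437401391, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
"""

if __name__ == "__main__":
    for name, trace in (("tunnel-up flow", GOOD_TRACE), ("stale flow", BAD_TRACE)):
        ok, missing = check_vpn_flow(trace)
        flow_id = parse_packet_tracer(trace)["flow_id"]
        print(f"{name} (id {flow_id}): {'OK' if ok else 'MISSING ' + ', '.join(missing)}")
```

Run against the stale flow from the post it reports both crypto modules missing, which is the condition the packet-tracer "ALLOW" result hides: the flow exists and is permitted, but the packets never reach the encrypt and tunnel-flow modules. Feeding it the detailed trace for each monitored peer after a tunnel comes back up gives a quick way to list which existing flows are the ones that need attention.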
