Udp Routing Problem - ASA

Answered Question
Jul 16th, 2010

Hi all...

Can you please help me solve the following issue please ...

I have strange problem with routing udp packets. Let me explain better:

I have 2 servers with IP addresses of, for example, 192.168.1.1 and 192.168.0.1. An application installed on them communicates with UDP packets on ports 1030, 1031, 1032 and 1033. Communication is bidirectional, in both directions. I have 2 ASA firewalls connecting (between) these 2 servers. I also have a backup IPsec VPN over the internet as a backup link. I do tracking of the routes for automatic switching to the backup. But I have a strange problem: one line on port 1033 of these is OK, but for the other 3 ports (1030, 1031, 1032; source and destination IP addresses are the same) one of the 2 ASAs tries to put the packets of the non-working lines on the backup line and I get Deny TCP reverse path check on the other ASA, which is normal. I removed the backup line (tracking of interfaces), checked static routes on both firewalls and they are pointing in the correct direction, but with no success. The question is, how is it possible for one line of these 4 to work and the other 3 not?

Situation: (The problem is on only one of the 2 firewalls)

1. 192.168.1.1:1030 <-----> 192.168.0.1:1030 ---- routed in the wrong direction, to the backup line (static route is pointing to the correct path)

2. 192.168.1.1:1031 <-----> 192.168.0.1:1031 ---- routed in the wrong direction, to the backup line (static route is pointing to the correct path)

3. 192.168.1.1:1032 <-----> 192.168.0.1:1032 ---- routed in the wrong direction, to the backup line (static route is pointing to the correct path)

4. 192.168.1.1:1033 <-----> 192.168.0.1:1033 ---- working OK, routing is where it should be.

????  

How is this possible, one UDP flow is routed correctly and the other ones not?

Please help

Regards


Correct Answer
Panos Kampanakis Fri, 07/16/2010 - 06:48

For the broken flows please check how they were built. If the ASA saw a UDP packet inbound on its backup interface for these ports it will build a flow and subsequent packets will follow these flows.

Try clearing the connections and re-establishing them from the inside host.

Let us know if it works.

PK

nikolag21 Fri, 07/16/2010 - 06:54

Thank you for your quick answer.

Can you please tell me how I can clear connections, maybe I can clear just these couple of UDP connections? And please tell me the impact of clearing connections because these are production firewalls...

Waiting for your reply,

Correct Answer
Panos Kampanakis Fri, 07/16/2010 - 06:57

"clear local 192.168.1.1" will clear all connections the 192.168.1.1 host has through the ASA.

PK
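To make PK's two answers concrete (flows pinned to the interface where the first packet was seen, and "clear local" rebuilding them), here is a small simulation of a stateful conn table. This is an added example written for this page, not ASA code or anything posted in the thread; the interface names, the host 192.168.1.1 / 192.168.0.1 pairing and the route order are constructed to mirror the situation described above.

```python
# Constructed model of how a stateful firewall pins a UDP flow to the interfaces
# where it first saw the conversation. Not ASA code; written for this page only.

class AsaConnTable:
    def __init__(self, routes):
        # routes: destination host -> candidate egress interfaces in preference order
        # (the static "serial" route first, the floating "backup" route second).
        self.routes = routes
        self.link_up = {"inside": True, "serial": True, "backup": True}
        self.conns = {}  # normalized UDP 5-tuple -> {host: interface}

    def route_lookup(self, dst):
        return next((i for i in self.routes[dst] if self.link_up[i]), None)

    @staticmethod
    def key(a, ap, b, bp):
        # Same conn entry for both directions of the flow.
        return ("udp",) + tuple(sorted([(a, ap), (b, bp)]))

    def forward(self, src, sport, dst, dport, ingress):
        """Return the egress interface chosen for this packet."""
        k = self.key(src, sport, dst, dport)
        conn = self.conns.get(k)
        if conn is None:
            # First packet: pin the sender to its ingress interface and the
            # destination to whatever the routing table says right now.
            conn = self.conns[k] = {src: ingress, dst: self.route_lookup(dst)}
        # Later packets follow the conn entry, not a fresh route lookup.
        return conn[dst]

    def clear_local_host(self, host):
        """Model of 'clear local-host <ip>': drop every conn involving the host."""
        before = len(self.conns)
        self.conns = {k: c for k, c in self.conns.items() if host not in c}
        return before - len(self.conns)


def scenario():
    a, b = "192.168.1.1", "192.168.0.1"
    asa = AsaConnTable({b: ["serial", "backup"], a: ["inside"]})
    ports = (1030, 1031, 1032, 1033)
    # Port 1033: first packet came from the inside host and was routed via serial.
    asa.forward(a, 1033, b, 1033, "inside")
    # Ports 1030-1032: the first packet of each arrived from B on the backup interface
    # (e.g. during a link flap), so B's side of those flows is pinned to "backup".
    for p in (1030, 1031, 1032):
        asa.forward(b, p, a, p, "backup")
    # Serial is up and preferred, yet replies still follow the stale conn entries.
    before = {p: asa.forward(a, p, b, p, "inside") for p in ports}
    cleared = asa.clear_local_host(a)
    after = {p: asa.forward(a, p, b, p, "inside") for p in ports}
    return before, cleared, after
```

Running `scenario()` shows three flows leaving on "backup" and one on "serial" before the clear, and all four on "serial" after the conns are rebuilt from the inside host.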

nikolag21 Fri, 07/16/2010 - 09:31

Thank you very very much, problem solved, now all 4 connections seem OK.

But what will happen in the future, when I again set up route tracking and bring the internet VPN connection up as a backup solution again?

What if the main serial link fails and the current UDP flow needs to be rerouted automatically to the backup link?

Please notice that the current application sends a lot of UDP packets, several every second.... Will it work OK?

I mean, if the main serial link fails and route tracking automatically makes the backup "floating" route active, will the current UDP flow end and another one be created over the backup VPN? I don't want this to happen again and it's very important to me that this application is OK with all 4 connections between these 2 servers regardless of which physical connection is up, either serial or backup VPN over the internet, so can you please explain the logic behind it?

Best Regards

Nagaraja Thanthry Fri, 07/16/2010 - 06:57

Hello,

Can you check to see if you have misconfigured Static NAT translations on one of the firewalls?

static (VPN interface,inside) tcp 1031 1031 netmask 255.255.255.255

If you have configured something like the above, then the traffic will be routed to the VPN interface (where you are terminating your VPN) irrespective of your static route. You need to remove that line for it to work properly.

Hope this helps.

Regards,

NT

nikolag21 Fri, 07/16/2010 - 09:50

Thank you for your effort, but this is not the case.

Best Regards
