UDP Routing Problem - ASA

nikolag21
Level 1

Hi all...

Can you please help me solve the following issue...

I have a strange problem with routing UDP packets. Let me explain better:

I have 2 servers with IP addresses of, for example, 192.168.1.1 and 192.168.0.1 ... An application installed on them is communicating with UDP packets on ports 1030, 1031, 1032 and 1033. Communication is bidirectional, in both ways. I have 2 ASA firewalls connecting (between) these 2 servers. I also have a backup IPsec VPN over the internet as a backup link. I do tracking of the routes for automatic switching to the backup. But I have a strange problem, what I mean is that one line from these, on port 1033, is ok, but for the other 3 ports (1030, 1031, 1032; source and destination IP addresses are the same) one of the 2 ASAs tries to put the packets of the non-working lines on the backup line and I get Deny TCP reverse path check on the other ASA, which is normal. I removed the backup line (tracking of interfaces), checked static routes on both firewalls and they are pointing in the correct direction, but with no success. The question is, how is it possible for one line from these 4 to work and the other 3 not?

Situation: (The problem is on only one of the 2 firewalls)

1. 192.168.1.1:1030 <-----> 192.168.0.1:1030 ---- routed in wrong direction, to the backup line (static route is pointing to correct path)

2. 192.168.1.1:1031 <-----> 192.168.0.1:1031 ---- routed in wrong direction, to the backup line (static route is pointing to correct path)

3. 192.168.1.1:1032 <-----> 192.168.0.1:1032 ---- routed in wrong direction, to the backup line (static route is pointing to correct path)

4. 192.168.1.1:1033 <-----> 192.168.0.1:1033 ---- working ok, routing is where it should be.

????  

How is this possible, one UDP flow is routed correctly and the other ones not?

Please help

Regards


6 Replies

Panos Kampanakis
Cisco Employee

For the broken flows please check how they were built. If the ASA saw a UDP packet inbound on its backup interface for these ports it will build a flow and subsequent packets will follow these flows.

Try clearing the connections and re-establish them from the inside host.

Let us know if it works.

PK
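A toy model of the behaviour PK describes, added here as an example that is not from this thread or from Cisco: a UDP exchange whose first packet arrived on the backup interface keeps following that flow entry even after the static route has flipped back to the primary link, while a fresh flow (port 1033) follows the route, and the hypothetical `clear_local` mirrors the effect of `clear local`; the second function shows why the peer ASA reports a reverse path check denial. Interface names, hosts and the simplified flow/RPF logic are assumptions made for the model.

```python
class ToyAsa:
    """Toy model of an ASA's stateful flow handling (constructed, not Cisco code)."""

    def __init__(self, routes):
        self.routes = dict(routes)  # destination IP -> egress interface (static routes)
        self.flows = {}             # direction-independent 5-tuple -> {endpoint: interface}

    @staticmethod
    def key(a, b):
        return tuple(sorted((a, b)))  # same key for both directions of a UDP exchange

    def set_route(self, dst, iface):
        self.routes[dst] = iface  # models the tracked (floating) route flipping links

    def forward(self, ingress, src, dst):
        """Forward one datagram src=(ip, port) -> dst=(ip, port); return egress or 'DENY'."""
        flow = self.flows.get(self.key(src, dst))
        if flow is not None:
            return flow[dst]  # existing connection: the flow decides, not the routing table
        if self.routes[src[0]] != ingress:  # new connection: reverse path check on the source
            return "DENY"
        egress = self.routes[dst[0]]
        self.flows[self.key(src, dst)] = {src: ingress, dst: egress}
        return egress

    def clear_local(self, ip):
        """Equivalent of 'clear local <ip>': drop every flow that involves that host."""
        before = len(self.flows)
        self.flows = {k: v for k, v in self.flows.items() if ip not in (k[0][0], k[1][0])}
        return before - len(self.flows)


def scenario():
    local, remote = "192.168.1.1", "192.168.0.1"
    ports = (1030, 1031, 1032, 1033)
    asa = ToyAsa({local: "inside", remote: "vpn"})  # backup route active at first
    for port in ports[:3]:  # remote side speaks first on 1030-1032 while the VPN is active
        asa.forward("vpn", (remote, port), (local, port))
    asa.set_route(remote, "serial")  # primary link back: static route now points to serial
    stuck = {p: asa.forward("inside", (local, p), (remote, p)) for p in ports}
    cleared = asa.clear_local(local)
    fixed = {p: asa.forward("inside", (local, p), (remote, p)) for p in ports}
    return stuck, cleared, fixed


def peer_rpf_deny():
    # The far ASA expects 192.168.1.1 behind its serial link, so a datagram that was
    # pushed onto the VPN by the stale flow arrives on the wrong interface and is denied.
    peer = ToyAsa({"192.168.0.1": "inside", "192.168.1.1": "serial"})
    return peer.forward("vpn", ("192.168.1.1", 1030), ("192.168.0.1", 1030))
```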

Thank you for your quick answer.

Can you please tell me how I can clear connections; maybe I can clear just these couple of UDP connections? And please tell me the impact of clearing connections, because these are production firewalls...

Waiting for your reply,

"clear local 192.168.1.1" will clear all connections the 192.168.1.1 host has through the ASA.

PK

Thank you very very much, problem solved, now all 4 connections seem ok.

But what will happen in the future, when I again set route tracking and bring the internet VPN connection as a backup solution again?

What if the main serial link fails and the current UDP flow needs to be rerouted automatically to the backup link?

Please notice that the current application sends a lot of UDP packets, several every second.... Will it work ok?

I mean, if the main serial link fails and route tracking automatically adds the backup "floating" route as active, will the current UDP flow end and create another one over the backup VPN? I don't want this to happen again and it's very important to me that this application is ok with all 4 connections between these 2 servers regardless of which physical connection is up, either serial or backup VPN over the internet, so can you please explain the logic behind it?

Best Regards

Nagaraja Thanthry
Cisco Employee

Hello,

Can you check to see if you have misconfigured Static NAT translations on one of the firewalls?

static (VPN interface,inside) tcp 1031 1031 netmask 255.255.255.255

If you have configured something like the above, then the traffic will be routed to the VPN interface (where you are terminating your VPN) irrespective of your static route. You need to remove that line for it to work properly.

Hope this helps.

Regards,

NT

Thank you for your effort, but this is not the case.

Best Regards
