4GE SSM - FP L2 rule drop

Unanswered Question
Nov 11th, 2011

ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.

Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future.  So we upgraded the firmware and now are at an impasse.

We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server.  Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.

I have some experience of setting up basic port forwarding and NAT for internet access, webservers, mail, but this has thrown me.  To be honest it's a case of if it ain't broke don't fix it, so I need some expert help in resolving the problem.

mayrojas Fri, 11/11/2011 - 10:13

Hey,

Can you paste your packet tracer output? And also, would you please set up a capture of ASP drops, send some traffic and then send the output of the show cap?

capture asp type asp drop-all

Send some traffic and then do a show cap asp

Mike

dyehouse1 Mon, 11/14/2011 - 00:54

Sorry for the delay, weekends and firewalls don't mix

The packet trace output is as follows:

packet-tracer input dmz2 tcp 192.168.4.100 80 212.58.244.68 80

(192.168.4.100 being my test laptop and 212..... being www.bbc.co.uk)

Result of the command: "packet-tracer input dmz2 tcp 192.168.4.100 80 212.58.244.68 80 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad802ac0, priority=0, domain=permit, deny=true
hits=5983, user_data=0x0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dmz2, output_ifc=any

Result:
input-interface: dmz2
input-status: up
input-line-status: up
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop

Capture to follow....thanks for assisting.

dyehouse1 Mon, 11/14/2011 - 01:36

Here is the capture, lots of DNS to Google public servers 8.8.8.8 and 8.8.4.4 which are the settings on the laptop:

210: 09:23:12.233584 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
215: 09:23:13.220981 192.168.4.100.58858 > 8.8.4.4.53:  udp 32
223: 09:23:14.221012 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
228: 09:23:16.221134 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
229: 09:23:16.221271 192.168.4.100.58858 > 8.8.4.4.53:  udp 32
230: 09:23:16.274598 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
232: 09:23:17.268052 192.168.4.100.55913 > 8.8.4.4.53:  udp 29
235: 09:23:17.770513 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
236: 09:23:18.268022 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
240: 09:23:18.768179 192.168.4.100.55829 > 8.8.4.4.53:  udp 29
247: 09:23:19.768041 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
252: 09:23:20.221210 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
253: 09:23:20.221363 192.168.4.100.58858 > 8.8.4.4.53:  udp 32
255: 09:23:20.268113 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
256: 09:23:20.268266 192.168.4.100.55913 > 8.8.4.4.53:  udp 29
259: 09:23:20.910963 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
265: 09:23:21.768148 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
266: 09:23:21.768301 192.168.4.100.55829 > 8.8.4.4.53:  udp 29
267: 09:23:21.908735 192.168.4.100.50101 > 8.8.4.4.53:  udp 31
273: 09:23:22.835146 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
274: 09:23:22.908827 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
276: 09:23:23.830660 192.168.4.100.59271 > 8.8.4.4.53:  udp 31
277: 09:23:24.268327 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
278: 09:23:24.268495 192.168.4.100.55913 > 8.8.4.4.53:  udp 29
281: 09:23:24.830721 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
282: 09:23:24.908796 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
283: 09:23:24.908888 192.168.4.100.50101 > 8.8.4.4.53:  udp 31
287: 09:23:25.768316 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
288: 09:23:25.768408 192.168.4.100.55829 > 8.8.4.4.53:  udp 29
290: 09:23:26.830782 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
291: 09:23:26.830920 192.168.4.100.59271 > 8.8.4.4.53:  udp 31
292: 09:23:27.222980 192.168.4.100.137 > 192.168.4.255.137:  udp 50
294: 09:23:27.328291 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
296: 09:23:27.971339 192.168.4.100.137 > 192.168.4.255.137:  udp 50
310: 09:23:28.315215 192.168.4.100.56653 > 8.8.4.4.53:  udp 31
313: 09:23:28.721382 192.168.4.100.137 > 192.168.4.255.137:  udp 50
314: 09:23:28.908888 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
315: 09:23:28.908995 192.168.4.100.50101 > 8.8.4.4.53:  udp 31
318: 09:23:29.315291 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
322: 09:23:30.830889 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
323: 09:23:30.831026 192.168.4.100.59271 > 8.8.4.4.53:  udp 31
325: 09:23:31.269914 192.168.4.100.137 > 192.168.4.255.137:  udp 50
327: 09:23:31.315337 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
328: 09:23:31.315489 192.168.4.100.56653 > 8.8.4.4.53:  udp 31
330: 09:23:32.018752 192.168.4.100.137 > 192.168.4.255.137:  udp 50
335: 09:23:32.768438 192.168.4.100.137 > 192.168.4.255.137:  udp 50
336: 09:23:32.770117 192.168.4.100.137 > 192.168.4.255.137:  udp 50
340: 09:23:33.518482 192.168.4.100.137 > 192.168.4.255.137:  udp 50
343: 09:23:34.268479 192.168.4.100.137 > 192.168.4.255.137:  udp 50
348: 09:23:35.315291 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
349: 09:23:35.315398 192.168.4.100.56653 > 8.8.4.4.53:  udp 31
353: 09:23:35.909910 192.168.4.100.137 > 192.168.4.255.137:  udp 50
357: 09:23:36.659160 192.168.4.100.137 > 192.168.4.255.137:  udp 50
360: 09:23:37.409204 192.168.4.100.137 > 192.168.4.255.137:  udp 50
362: 09:23:37.832812 192.168.4.100.137 > 192.168.4.255.137:  udp 50
364: 09:23:38.581085 192.168.4.100.137 > 192.168.4.255.137:  udp 50
366: 09:23:39.331129 192.168.4.100.137 > 192.168.4.255.137:  udp 50
374: 09:23:42.317091 192.168.4.100.137 > 192.168.4.255.137:  udp 50
376: 09:23:43.065624 192.168.4.100.137 > 192.168.4.255.137:  udp 50
379: 09:23:43.815631 192.168.4.100.137 > 192.168.4.255.137:  udp 50

dyehouse1 Mon, 11/14/2011 - 01:47

Packet trace for the DNS lookup:

Result of the command: "packet-tracer input dmz2 udp 192.168.4.100 53 8.8.8.8 53 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad802ac0, priority=0, domain=permit, deny=true
hits=6523, user_data=0x0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dmz2, output_ifc=any

Result:
input-interface: dmz2
input-status: up
input-line-status: up
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop

dyehouse1 Mon, 11/14/2011 - 05:21

The interface is configured as follows:

interface GigabitEthernet1/0
nameif dmz2
security-level 60
ip address 192.168.4.1 255.255.255.0
ospf cost 10

It is attempting to get external access (security level 0).  Currently there is no ACE/ACL configured on this interface and the ASDM says that there is only the 'implicit rule: Permit all traffic to less secure networks'.

NAT is set as follows:

object network obj-192.168.4.0
nat (dmz2,external) dynamic 2XX.1XX.1XX.4X

This is configured the same as the other ports already in the ASA, this is just a 4GE-SSM port.  I have tried all the ports and they all behave the same.

By default is there an implicit deny on SSM ports?

mayrojas Mon, 11/14/2011 - 11:20

Hey,

Do you have any kind of ethertype ACLs? Is the firewall in transparent or Router mode?

Mike

dyehouse1 Mon, 11/14/2011 - 11:58

The firewall is in router mode, there are no ACLs on this interface at all.  I have set up NAT (dmz2,external) and that's about it.  The existing 4 ports are configured in a similar manner and worked with just NAT out of the box; the 4 ports on the 4GE-SSM do not.

Where can I look up ethertype ACLs?  Do they appear in the same place as normal ACLs?  If they do then I have none; I only have the 'implicit: access to less secure' message.

I have configured them as standard ports not using any VLAN functionality.  It's a little odd really, do you think I have a duff unit?  I can see the traffic light flickering when I attempt a connection and the links go up/down as I disconnect.  The only other odd thing I have noticed is when I do a tracer using the ASDM the external link is marked as ? rather than up or down.

I am struggling here ....HELP!

mayrojas Mon, 11/14/2011 - 12:05

Can you do a show interface and check what is the status of them on the CLI? Also, would you be able to do a show run access-group and see if any ACL is applied?

If you move it to an ASA port rather than an SSM one, does it work?

Mike

dyehouse1 Mon, 11/14/2011 - 12:09

I can do anything you like with it in the morning as it's driving me nuts!

Would a full config help (with the IPs removed and what not)?

I have moved it to the ASA port and all works fine....it's really weird, there isn't a license requirement for the SSM?

mayrojas Mon, 11/14/2011 - 12:12

Nope, it may be a faulty SSM module :S

I would definitely like to see the show module 1 detail and show interfaces to see what the status of the SSM is. Where are you located?

Mike

dyehouse1 Mon, 11/14/2011 - 12:17

I am in the UK, I can post up any CLI responses tomorrow.

Just:

show interface

and

show module 1 detail

????

mayrojas Mon, 11/14/2011 - 12:21

Yup that will be it for now. You can try tomorrow to swap out and then put the module back in... that often helps.

Mike.

dyehouse1 Mon, 11/14/2011 - 12:23

OK will post back the results tomorrow....Battlefield 3 time now

Thx for the help!

dyehouse1 Tue, 11/15/2011 - 00:43

OK here goes, I have powered down the ASA and reseated the card but still no success.  Here is the result of 'show interface'.

Result of the command: "show interface"

Interface Ethernet0/0 "external", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f58, MTU 1500
IP address 2XX.1XX.1XX.XXX, subnet mask 255.255.255.240
50599 packets input, 43869014 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
40389 packets output, 11509330 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/244)
output queue (blocks free curr/low): hardware (255/235)
  Traffic Statistics for "external":
50599 packets input, 42920030 bytes
40389 packets output, 10636033 bytes
656 packets dropped
      1 minute input rate 78 pkts/sec,  78310 bytes/sec
      1 minute output rate 59 pkts/sec,  8896 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 68 pkts/sec,  64069 bytes/sec
      5 minute output rate 55 pkts/sec,  14343 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Ethernet0/1 "dmz1", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f59, MTU 1500
IP address 192.168.2.1, subnet mask 255.255.255.0
10626 packets input, 5136754 bytes, 0 no buffer
Received 85 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
14826 packets output, 15929354 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
14 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/246)
output queue (blocks free curr/low): hardware (255/246)
  Traffic Statistics for "dmz1":
10612 packets input, 4910710 bytes
14826 packets output, 15652088 bytes
63 packets dropped
      1 minute input rate 1 pkts/sec,  516 bytes/sec
      1 minute output rate 1 pkts/sec,  494 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 7 pkts/sec,  6167 bytes/sec
      5 minute output rate 6 pkts/sec,  2384 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/2 "internal", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f5a, MTU 1500
IP address , subnet mask
59265 packets input, 23635653 bytes, 0 no buffer
Received 9823 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
55517 packets output, 44176321 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
167 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/230)
  Traffic Statistics for "internal":
59098 packets input, 22407185 bytes
55517 packets output, 43110583 bytes
3447 packets dropped
      1 minute input rate 80 pkts/sec,  10312 bytes/sec
      1 minute output rate 88 pkts/sec,  80758 bytes/sec
      1 minute drop rate, 6 pkts/sec
      5 minute input rate 65 pkts/sec,  11128 bytes/sec
      5 minute output rate 64 pkts/sec,  62661 bytes/sec
      5 minute drop rate, 4 pkts/sec
Interface Ethernet0/3 "cdmdmz", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0018.199e.7f5b, MTU 1500
IP address 192.168.3.1, subnet mask 255.255.255.0
106 packets input, 18378 bytes, 0 no buffer
Received 57 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
49 packets output, 17150 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
11 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/249)
output queue (blocks free curr/low): hardware (255/251)
  Traffic Statistics for "cdmdmz":
95 packets input, 15728 bytes
49 packets output, 16178 bytes
42 packets dropped
      1 minute input rate 0 pkts/sec,  23 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  18 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Management0/0 "management", is down, line protocol is down
  Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
MAC address 0018.199e.7f57, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "management":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets

Interface GigabitEthernet1/0 "dmz2", is up, line protocol is up
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
MAC address 0172.10a1.21db, MTU 1500
IP address 192.168.4.1, subnet mask 255.255.255.0
234 packets input, 21658 bytes, 0 no buffer
Received 59 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
3 packets output, 192 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "dmz2":
231 packets input, 17276 bytes
3 packets output, 84 bytes
229 packets dropped
      1 minute input rate 0 pkts/sec,  5 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  19 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/1 "dmz3", is down, line protocol is down
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
MAC address 0172.10a1.21dc, MTU 1500
IP address 192.168.5.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
  Traffic Statistics for "dmz3":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet1/2 "", is administratively down, line protocol is down
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
Available but not configured via nameif
MAC address 0172.10a1.21dd, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Interface GigabitEthernet1/3 "", is administratively down, line protocol is down
  Hardware is VCS7380 rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Media-type configured as RJ45 connector
Available but not configured via nameif
MAC address 0172.10a1.21de, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
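
Added example, not code from the thread or from Cisco: a small Python triage helper that reads packet-tracer output like the one posted on 11/14 and `show interface` output like the one above, pulling out the phase that returned DROP, the drop reason and its short code, and flagging interfaces that drop most of what they receive (here dmz2, with 229 of 231 input packets dropped). The embedded samples are abridged copies of the outputs in this thread, constructed for the example.

```python
import re

# Constructed sample: abridged copy of the packet-tracer output posted earlier in the thread.
PACKET_TRACER_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
in  id=0xad802ac0, priority=0, domain=permit, deny=true
input_ifc=dmz2, output_ifc=any

Result:
input-interface: dmz2
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop
"""

# Constructed sample: abridged 'show interface' output; only the counters read below are kept.
SHOW_INTERFACE_SAMPLE = """\
Interface Ethernet0/0 "external", is up, line protocol is up
  Traffic Statistics for "external":
50599 packets input, 42920030 bytes
656 packets dropped
Interface GigabitEthernet1/0 "dmz2", is up, line protocol is up
234 packets input, 21658 bytes, 0 no buffer
  Traffic Statistics for "dmz2":
231 packets input, 17276 bytes
229 packets dropped
"""


def parse_packet_tracer(text):
    """Per-phase results plus the trailing summary (action, drop reason, drop code)."""
    phases, current, summary = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase" and value.isdigit():
            current = {"phase": int(value), "type": "", "result": "", "rule": ""}
            phases.append(current)
        elif line == "Result:":  # a bare 'Result:' opens the summary block
            current = None
        elif current is not None and key in ("Type", "Result"):
            current[key.lower()] = value
        elif current is not None and line.startswith("in ") and "id=" in line:
            current["rule"] = line  # the ASP rule that matched (note deny=true above)
        elif current is None and key in ("Action", "Drop-reason", "input-interface", "output-interface"):
            summary[key.lower()] = value
    summary["phases"] = phases
    summary["dropping"] = [p for p in phases if p["result"] == "DROP"]
    # the code in parentheses (here 'l2_acl') is the counter name 'show asp drop' reports
    m = re.match(r"\((\w+)\)", summary.get("drop-reason", ""))
    summary["drop-code"] = m.group(1) if m else ""
    return summary


def interface_drop_ratios(text):
    """Map nameif -> input/dropped counters taken from each 'Traffic Statistics' block."""
    stats, name = {}, None
    for line in text.splitlines():
        m = re.search(r'Traffic Statistics for "([^"]*)"', line)
        n = re.match(r"\s*(\d+) packets (input|dropped)", line)
        if line.startswith("Interface "):  # new interface block: skip its hardware counters
            name = None
        elif m:
            name = m.group(1)
            stats[name] = {"input": 0, "dropped": 0}
        elif n and name is not None:
            stats[name][n.group(2)] = int(n.group(1))
    for s in stats.values():
        s["ratio"] = s["dropped"] / s["input"] if s["input"] else 0.0
    return stats


def suspicious_interfaces(text, threshold=0.5):
    """Interfaces dropping at least `threshold` of the packets they receive."""
    return sorted(n for n, s in interface_drop_ratios(text).items() if s["ratio"] >= threshold)
```

Paste the real outputs in place of the samples; the hardware counters that precede each "Traffic Statistics" block are deliberately ignored so the ratio is computed from the per-nameif totals only.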

dyehouse1 Tue, 11/15/2011 - 00:46

Show module command says it's up!  Firmware 1.0 never really fills me with confidence though....

Result of the command: "show module 1 detail"

Cisco 4-Port Gigabit Ethernet Module
Model:              SSM-4GE
Hardware version:   1.0
Serial Number:      JAF1327APHP
Firmware version:   1.0(0)8
Software version:   1.0(0)10
MAC Address Range:  0172.10a1.21db to 0172.10a1.21de
Data plane Status:  Up
Status:             Up

dyehouse1 Tue, 11/15/2011 - 00:57

The only ACLs are:

external_access_in for incoming mail/www/usual services.

dmz1_access_in for dmz1 to internal mail traffic.

The NAT for dmz2:

object network obj-192.168.4.0
nat (dmz2,external) dynamic 2XX.1XX.1XX.XX

2XX.1XX.1XX.XX is the external IP used for all browsing from any interface.

dyehouse1 Tue, 11/15/2011 - 06:56

I have set up remote access to the firewall ASDM so if you need more information please reply to this thread and I should be able to post the results of any commands and config info.  This has me stumped, it all looks right.

Bill

mayrojas Tue, 11/15/2011 - 20:03

Hi Bill,

I did not go to work, and my alerts are getting there. Sorry for not replying.... well this is weird indeed. Weird, you say you have version 8.0.3, but the commands you attached are from 8.3 or higher...What version are you currently on?

Mike

dyehouse1 Wed, 11/16/2011 - 02:17

Sorry I told you a lie there, the version is 8.4(2)8, I was looking at an old config sheet.

Here is the output from a tracer, I have an implicit drop and odd question marks on the output interface when doing a tracer from dmz2 to external. 

From the ports on the ASA....

an implicit allow, scrolling down...

No question marks on the outside interface...

This is of course using the integrated ports on the ASA rather than the ports on the 4GE-SSM.  It looks as though there are different implicit rules on the ports.  I am not sure what else I can test other than a new card.  Would the full config by PM help at all?

mayrojas Wed, 11/16/2011 - 22:04

Hi,

Well, then let's get deep into this troubleshooting. Can you go to Monitoring--->logging-->enable logging and then try to pass real data and see what the logs say? Also, please do the following:

capture drop type asp-drop all

Send some data and then do a show cap drop

Mike

dyehouse1 Thu, 11/17/2011 - 02:28

Please find attached a capture of failed attempts to get to various websites.

The IP of the computer attempting is 192.168.4.100

The IP of the interface port on the ASA is 192.168.4.1

The IPs of the DNS servers on the computer are 8.8.8.8 and 8.8.4.4

The attempts to hit the DNS servers on port 53 can be seen in the log but no reply can be seen coming back.

dyehouse1 Thu, 11/17/2011 - 02:59

As for the logging in the ASDM I cannot see any connections from 192.168.4.100 being 'built', 'teardown' or even failing.  It's almost as if it never gets as far as being in the log at all.

mayrojas Thu, 11/17/2011 - 15:52

Hi,

Only if it is possible, can you downgrade to a version that is not 8.4? Also, can you download the captures from the ASA on pcap format?

Mike

dyehouse1 Mon, 11/21/2011 - 09:36

I have downgraded to 8.3.2 and still no joy.  I can put Wireshark on the laptop and capture packets leaving for the firewall if you think it will help; the light on the firewall is flashing when I attempt to open a website so data is hitting it, and as the laptop is the only thing plugged in I would say it's leaving to the correct place.

Any ideas before I start looking for a different unit?

Posted November 11, 2011 at 9:50 AM
Tags: asa_8.x, asa, ssm, asa_5510, 4ge