11-11-2011 09:50 AM - edited 03-11-2019 02:49 PM
ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future. So we upgraded the firmware and now are at an impasse.
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server. Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail, but this has thrown me. To be honest it's a case of if it ain't broke don't fix it, so I need some expert help in resolving the problem.
11-11-2011 10:13 AM
Hey,
Can you paste your packet tracer output? And also, would you please put a capture of ASP drops, send some traffic and then send the output of the show cap?
capture asp type asp-drop all
Send some traffic and then do a show cap asp
Mike
11-14-2011 12:54 AM
Sorry for the delay, weekends and firewalls don't mix
The packet trace output is as follows:
packet-tracer input dmz2 tcp 192.168.4.100 80 212.58.244.68 80
(192.168.4.100 being my test laptop and 212..... being www.bbc.co.uk)
Result of the command: "packet-tracer input dmz2 tcp 192.168.4.100 80 212.58.244.68 80 detailed"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad802ac0, priority=0, domain=permit, deny=true
hits=5983, user_data=0x0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dmz2, output_ifc=any
Result:
input-interface: dmz2
input-status: up
input-line-status: up
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop
Capture to follow....thanks for assisting.
11-14-2011 01:36 AM
Here is the capture, lots of DNS to Google public servers 8.8.8.8 and 8.8.4.4 which are the settings on the laptop:
210: 09:23:12.233584 192.168.4.100.58858 > 8.8.8.8.53: udp 32
215: 09:23:13.220981 192.168.4.100.58858 > 8.8.4.4.53: udp 32
223: 09:23:14.221012 192.168.4.100.58858 > 8.8.8.8.53: udp 32
228: 09:23:16.221134 192.168.4.100.58858 > 8.8.8.8.53: udp 32
229: 09:23:16.221271 192.168.4.100.58858 > 8.8.4.4.53: udp 32
230: 09:23:16.274598 192.168.4.100.55913 > 8.8.8.8.53: udp 29
232: 09:23:17.268052 192.168.4.100.55913 > 8.8.4.4.53: udp 29
235: 09:23:17.770513 192.168.4.100.55829 > 8.8.8.8.53: udp 29
236: 09:23:18.268022 192.168.4.100.55913 > 8.8.8.8.53: udp 29
240: 09:23:18.768179 192.168.4.100.55829 > 8.8.4.4.53: udp 29
247: 09:23:19.768041 192.168.4.100.55829 > 8.8.8.8.53: udp 29
252: 09:23:20.221210 192.168.4.100.58858 > 8.8.8.8.53: udp 32
253: 09:23:20.221363 192.168.4.100.58858 > 8.8.4.4.53: udp 32
255: 09:23:20.268113 192.168.4.100.55913 > 8.8.8.8.53: udp 29
256: 09:23:20.268266 192.168.4.100.55913 > 8.8.4.4.53: udp 29
259: 09:23:20.910963 192.168.4.100.50101 > 8.8.8.8.53: udp 31
265: 09:23:21.768148 192.168.4.100.55829 > 8.8.8.8.53: udp 29
266: 09:23:21.768301 192.168.4.100.55829 > 8.8.4.4.53: udp 29
267: 09:23:21.908735 192.168.4.100.50101 > 8.8.4.4.53: udp 31
273: 09:23:22.835146 192.168.4.100.59271 > 8.8.8.8.53: udp 31
274: 09:23:22.908827 192.168.4.100.50101 > 8.8.8.8.53: udp 31
276: 09:23:23.830660 192.168.4.100.59271 > 8.8.4.4.53: udp 31
277: 09:23:24.268327 192.168.4.100.55913 > 8.8.8.8.53: udp 29
278: 09:23:24.268495 192.168.4.100.55913 > 8.8.4.4.53: udp 29
281: 09:23:24.830721 192.168.4.100.59271 > 8.8.8.8.53: udp 31
282: 09:23:24.908796 192.168.4.100.50101 > 8.8.8.8.53: udp 31
283: 09:23:24.908888 192.168.4.100.50101 > 8.8.4.4.53: udp 31
287: 09:23:25.768316 192.168.4.100.55829 > 8.8.8.8.53: udp 29
288: 09:23:25.768408 192.168.4.100.55829 > 8.8.4.4.53: udp 29
290: 09:23:26.830782 192.168.4.100.59271 > 8.8.8.8.53: udp 31
291: 09:23:26.830920 192.168.4.100.59271 > 8.8.4.4.53: udp 31
292: 09:23:27.222980 192.168.4.100.137 > 192.168.4.255.137: udp 50
294: 09:23:27.328291 192.168.4.100.56653 > 8.8.8.8.53: udp 31
296: 09:23:27.971339 192.168.4.100.137 > 192.168.4.255.137: udp 50
310: 09:23:28.315215 192.168.4.100.56653 > 8.8.4.4.53: udp 31
313: 09:23:28.721382 192.168.4.100.137 > 192.168.4.255.137: udp 50
314: 09:23:28.908888 192.168.4.100.50101 > 8.8.8.8.53: udp 31
315: 09:23:28.908995 192.168.4.100.50101 > 8.8.4.4.53: udp 31
318: 09:23:29.315291 192.168.4.100.56653 > 8.8.8.8.53: udp 31
322: 09:23:30.830889 192.168.4.100.59271 > 8.8.8.8.53: udp 31
323: 09:23:30.831026 192.168.4.100.59271 > 8.8.4.4.53: udp 31
325: 09:23:31.269914 192.168.4.100.137 > 192.168.4.255.137: udp 50
327: 09:23:31.315337 192.168.4.100.56653 > 8.8.8.8.53: udp 31
328: 09:23:31.315489 192.168.4.100.56653 > 8.8.4.4.53: udp 31
330: 09:23:32.018752 192.168.4.100.137 > 192.168.4.255.137: udp 50
335: 09:23:32.768438 192.168.4.100.137 > 192.168.4.255.137: udp 50
336: 09:23:32.770117 192.168.4.100.137 > 192.168.4.255.137: udp 50
340: 09:23:33.518482 192.168.4.100.137 > 192.168.4.255.137: udp 50
343: 09:23:34.268479 192.168.4.100.137 > 192.168.4.255.137: udp 50
348: 09:23:35.315291 192.168.4.100.56653 > 8.8.8.8.53: udp 31
349: 09:23:35.315398 192.168.4.100.56653 > 8.8.4.4.53: udp 31
353: 09:23:35.909910 192.168.4.100.137 > 192.168.4.255.137: udp 50
357: 09:23:36.659160 192.168.4.100.137 > 192.168.4.255.137: udp 50
360: 09:23:37.409204 192.168.4.100.137 > 192.168.4.255.137: udp 50
362: 09:23:37.832812 192.168.4.100.137 > 192.168.4.255.137: udp 50
364: 09:23:38.581085 192.168.4.100.137 > 192.168.4.255.137: udp 50
366: 09:23:39.331129 192.168.4.100.137 > 192.168.4.255.137: udp 50
374: 09:23:42.317091 192.168.4.100.137 > 192.168.4.255.137: udp 50
376: 09:23:43.065624 192.168.4.100.137 > 192.168.4.255.137: udp 50
379: 09:23:43.815631 192.168.4.100.137 > 192.168.4.255.137: udp 50
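An added example, not part of the thread: a small Python helper that parses lines in the format of the ASP drop capture above and of the packet-tracer output earlier in the thread, summarising which destinations are being dropped and pulling out the drop reason. The sample input is constructed in the same format, not the poster's actual output.

```python
import re
from collections import Counter

# Constructed sample in the format of ASA "show cap asp" output, modelled on the thread.
SAMPLE_CAPTURE = """\
210: 09:23:12.233584 192.168.4.100.58858 > 8.8.8.8.53: udp 32
215: 09:23:13.220981 192.168.4.100.58858 > 8.8.4.4.53: udp 32
230: 09:23:16.274598 192.168.4.100.55913 > 8.8.8.8.53: udp 29
292: 09:23:27.222980 192.168.4.100.137 > 192.168.4.255.137: udp 50
"""

# Constructed sample of packet-tracer output, trimmed to the fields we care about.
SAMPLE_TRACER = """\
Type: ACCESS-LIST
Result: DROP
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop
"""

# One capture line: "<seq>: <time> <src>.<sport> > <dst>.<dport>: <proto> <len>"
CAP_RE = re.compile(
    r"^(?P<seq>\d+): (?P<time>[\d:.]+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)

def parse_capture(text):
    """Turn 'show cap' lines into dicts; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = CAP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("seq", "sport", "dport", "len"):
                d[k] = int(d[k])
            flows.append(d)
    return flows

def summarize_drops(flows):
    """Count dropped packets per (dst, dport, proto), most frequent first."""
    counts = Counter((f["dst"], f["dport"], f["proto"]) for f in flows)
    return sorted(counts.items(), key=lambda kv: -kv[1])

def tracer_verdict(text):
    """Pull the phase type, action and drop reason out of packet-tracer output."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key in ("Type", "Action", "Drop-reason"):
            fields[key] = val.strip()
    return fields
```

Running it on a full capture makes it obvious when every packet from one interface is dropped regardless of destination, which points at the interface (here the SSM port) rather than at a specific rule.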
11-14-2011 01:47 AM
Packet trace for the DNS lookup:
Result of the command: "packet-tracer input dmz2 udp 192.168.4.100 53 8.8.8.8 53 detailed"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad802ac0, priority=0, domain=permit, deny=true
hits=6523, user_data=0x0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dmz2, output_ifc=any
Result:
input-interface: dmz2
input-status: up
input-line-status: up
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop
11-14-2011 03:12 AM
This might be an ACL configuration issue.
Check this link
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s2_711.html
HTH.
11-14-2011 05:21 AM
The interface is configured as follows:
interface GigabitEthernet1/0
nameif dmz2
security-level 60
ip address 192.168.4.1 255.255.255.0
ospf cost 10
It is attempting to get external access (security level 0). Currently there is no ACE/ACL configured on this interface and the ASDM says that there is only the 'implicit rule: Permit all traffic to less secure networks'.
NAT is set as follows:
object network obj-192.168.4.0
nat (dmz2,external) dynamic 2XX.1XX.1XX.4X
This is configured the same as the other ports already in the ASA; this is just a 4GE-SSM port. I have tried all the ports and they all behave the same.
By default is there an implicit deny on SSM ports?
11-14-2011 11:20 AM
Hey,
Do you have any kind of ethertype ACLs? Is the firewall in transparent or Router mode?
Mike
11-14-2011 11:58 AM
The firewall is in router mode, there are no ACLs on this interface at all. I have set up NAT (dmz2,external) and that's about it. The existing 4 ports, configured in a similar manner, worked with just NAT out of the box; the 4 ports on the 4GE-SSM do not.
Where can I look up ethertype ACLs? Do they appear in the same place as normal ACLs? If they do, then I have none; I only have the 'implicit: access to less secure' message.
I have configured them as standard ports not using any VLAN functionality. It's a little odd really, do you think I have a duff unit? I can see the traffic light flickering when I attempt a connection and the links go up/down as I disconnect. The only other odd thing I have noticed is when I do a tracer using the ASDM the external link is marked as ? rather than up or down.
I am struggling here ....HELP!
11-14-2011 12:05 PM
Can you do a show interface and check what is the status of them on the CLI? Also, would you be able to do a show run access-group and see if any ACL is applied?
If you move it to an ASA port rather than an SSM one, does it work?
Mike
11-14-2011 12:09 PM
I can do anything you like with it in the morning as it's driving me nuts!
Would a full config help (with the IPs removed and what not)?
I have moved it to the ASA port and all works fine....it's really weird, there isn't a license requirement for the SSM?
11-14-2011 12:12 PM
Nope, it may be a faulty SSM module :S
I would definitely like to see the show module 1 detail and show interfaces to see what is the status of the SSM. Where are you located?
Mike
11-14-2011 12:17 PM
I am in the UK, I can post up any CLI responses tomorrow.
Just:
show interface
and
show module 1 detail
????
11-14-2011 12:21 PM
Yup that will be it for now. You can try tomorrow to swap out and then put the module back in... that often helps.
Mike.
11-14-2011 12:23 PM
OK, will post back the results tomorrow....Battlefield 3 time now
Thx for the help!