4GE SSM - FP L2 rule drop

ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.

Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future.  So we upgraded the firmware and now are at an impasse.

We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server.  Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.

I have some experience in setting up basic port forwarding and NAT for internet access, webservers, mail, but this has thrown me.  To be honest it's a case of "if it ain't broke don't fix it", so I need some expert help in resolving the problem.

28 Replies

Maykol Rojas
Cisco Employee

Hey,

Can you paste your packet tracer output? And also, would you please set up a capture of ASP drops, send some traffic and then post the output of the show cap?

capture asp type asp-drop all

Send some traffic and then do a show cap asp

Mike

Mike

Sorry for the delay, weekends and firewalls don't mix

The packet trace output is as follows:

packet-tracer input dmz2 tcp 192.168.4.100 80 212.58.244.68 80

(192.168.4.100 being my test laptop and 212..... being www.bbc.co.uk)

Result of the command: "packet-tracer input dmz2 tcp 192.168.4.100 80 212.58.244.68 80 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad802ac0, priority=0, domain=permit, deny=true
hits=5983, user_data=0x0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dmz2, output_ifc=any

Result:
input-interface: dmz2
input-status: up
input-line-status: up
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop

Capture to follow... thanks for assisting.

Here is the capture, lots of DNS to Google public servers 8.8.8.8 and 8.8.4.4 which are the settings on the laptop:

210: 09:23:12.233584 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
215: 09:23:13.220981 192.168.4.100.58858 > 8.8.4.4.53:  udp 32
223: 09:23:14.221012 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
228: 09:23:16.221134 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
229: 09:23:16.221271 192.168.4.100.58858 > 8.8.4.4.53:  udp 32
230: 09:23:16.274598 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
232: 09:23:17.268052 192.168.4.100.55913 > 8.8.4.4.53:  udp 29
235: 09:23:17.770513 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
236: 09:23:18.268022 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
240: 09:23:18.768179 192.168.4.100.55829 > 8.8.4.4.53:  udp 29
247: 09:23:19.768041 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
252: 09:23:20.221210 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
253: 09:23:20.221363 192.168.4.100.58858 > 8.8.4.4.53:  udp 32
255: 09:23:20.268113 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
256: 09:23:20.268266 192.168.4.100.55913 > 8.8.4.4.53:  udp 29
259: 09:23:20.910963 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
265: 09:23:21.768148 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
266: 09:23:21.768301 192.168.4.100.55829 > 8.8.4.4.53:  udp 29
267: 09:23:21.908735 192.168.4.100.50101 > 8.8.4.4.53:  udp 31
273: 09:23:22.835146 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
274: 09:23:22.908827 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
276: 09:23:23.830660 192.168.4.100.59271 > 8.8.4.4.53:  udp 31
277: 09:23:24.268327 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
278: 09:23:24.268495 192.168.4.100.55913 > 8.8.4.4.53:  udp 29
281: 09:23:24.830721 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
282: 09:23:24.908796 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
283: 09:23:24.908888 192.168.4.100.50101 > 8.8.4.4.53:  udp 31
287: 09:23:25.768316 192.168.4.100.55829 > 8.8.8.8.53:  udp 29
288: 09:23:25.768408 192.168.4.100.55829 > 8.8.4.4.53:  udp 29
290: 09:23:26.830782 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
291: 09:23:26.830920 192.168.4.100.59271 > 8.8.4.4.53:  udp 31
292: 09:23:27.222980 192.168.4.100.137 > 192.168.4.255.137:  udp 50
294: 09:23:27.328291 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
296: 09:23:27.971339 192.168.4.100.137 > 192.168.4.255.137:  udp 50
310: 09:23:28.315215 192.168.4.100.56653 > 8.8.4.4.53:  udp 31
313: 09:23:28.721382 192.168.4.100.137 > 192.168.4.255.137:  udp 50
314: 09:23:28.908888 192.168.4.100.50101 > 8.8.8.8.53:  udp 31
315: 09:23:28.908995 192.168.4.100.50101 > 8.8.4.4.53:  udp 31
318: 09:23:29.315291 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
322: 09:23:30.830889 192.168.4.100.59271 > 8.8.8.8.53:  udp 31
323: 09:23:30.831026 192.168.4.100.59271 > 8.8.4.4.53:  udp 31
325: 09:23:31.269914 192.168.4.100.137 > 192.168.4.255.137:  udp 50
327: 09:23:31.315337 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
328: 09:23:31.315489 192.168.4.100.56653 > 8.8.4.4.53:  udp 31
330: 09:23:32.018752 192.168.4.100.137 > 192.168.4.255.137:  udp 50
335: 09:23:32.768438 192.168.4.100.137 > 192.168.4.255.137:  udp 50
336: 09:23:32.770117 192.168.4.100.137 > 192.168.4.255.137:  udp 50
340: 09:23:33.518482 192.168.4.100.137 > 192.168.4.255.137:  udp 50
343: 09:23:34.268479 192.168.4.100.137 > 192.168.4.255.137:  udp 50
348: 09:23:35.315291 192.168.4.100.56653 > 8.8.8.8.53:  udp 31
349: 09:23:35.315398 192.168.4.100.56653 > 8.8.4.4.53:  udp 31
353: 09:23:35.909910 192.168.4.100.137 > 192.168.4.255.137:  udp 50
357: 09:23:36.659160 192.168.4.100.137 > 192.168.4.255.137:  udp 50
360: 09:23:37.409204 192.168.4.100.137 > 192.168.4.255.137:  udp 50
362: 09:23:37.832812 192.168.4.100.137 > 192.168.4.255.137:  udp 50
364: 09:23:38.581085 192.168.4.100.137 > 192.168.4.255.137:  udp 50
366: 09:23:39.331129 192.168.4.100.137 > 192.168.4.255.137:  udp 50
374: 09:23:42.317091 192.168.4.100.137 > 192.168.4.255.137:  udp 50
376: 09:23:43.065624 192.168.4.100.137 > 192.168.4.255.137:  udp 50
379: 09:23:43.815631 192.168.4.100.137 > 192.168.4.255.137:  udp 50

Packet trace for the DNS lookup:

Result of the command: "packet-tracer input dmz2 udp 192.168.4.100 53 8.8.8.8 53 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad802ac0, priority=0, domain=permit, deny=true
hits=6523, user_data=0x0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=dmz2, output_ifc=any

Result:
input-interface: dmz2
input-status: up
input-line-status: up
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop
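Both traces above stop at Phase 1 with the implicit ACCESS-LIST deny, which means the packet never reached NAT or routing, and the capture shows nothing but outbound DNS and NetBIOS broadcasts being dropped. The following is an added example (not from this thread or from Cisco) that parses `show cap asp` lines in the format shown above and `packet-tracer` output, summarises dropped flows per destination, and flags the "dropped at the implicit rule before NAT" pattern. The sample text is constructed in the shape of the thread's output; function names are the example's own.

```python
"""Parse ASA `show capture asp` lines and `packet-tracer` output to
summarise why flows are dropped.  Added example; sample data below is
constructed in the shape of the thread's output."""
import re
from collections import Counter

# Constructed capture lines (format of `capture asp type asp-drop all` output).
SAMPLE_CAPTURE = """\
210: 09:23:12.233584 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
215: 09:23:13.220981 192.168.4.100.58858 > 8.8.4.4.53:  udp 32
223: 09:23:14.221012 192.168.4.100.58858 > 8.8.8.8.53:  udp 32
230: 09:23:16.274598 192.168.4.100.55913 > 8.8.8.8.53:  udp 29
232: 09:23:17.268052 192.168.4.100.55913 > 8.8.4.4.53:  udp 29
292: 09:23:27.222980 192.168.4.100.137 > 192.168.4.255.137:  udp 50
"""

# Constructed packet-tracer output in the shape of the thread's trace.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad802ac0, priority=0, domain=permit, deny=true
hits=5983, user_data=0x0, cs_id=0x0, l3_type=0x0
input_ifc=dmz2, output_ifc=any

Result:
input-interface: dmz2
input-status: up
input-line-status: up
Action: drop
Drop-reason: (l2_acl) FP L2 rule drop
"""

# Matches the "<seq>: <time> <src>.<sport> > <dst>.<dport>:  <proto> <len>" form.
CAPTURE_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<time>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)"
)

def parse_capture(text):
    """Return one dict per capture line in the udp/<length> form; other lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line.strip())
        if m:
            f = m.groupdict()
            for k in ("seq", "sport", "dport", "length"):
                f[k] = int(f[k])
            flows.append(f)
    return flows

def dropped_by_destination(flows):
    """Count dropped packets per (dst, dport, proto): shows what the interface fails to pass."""
    return Counter((f["dst"], f["dport"], f["proto"]) for f in flows)

def parse_packet_tracer(text):
    """Split packet-tracer output into phases plus the final Result block.
    'Key: value' lines become dict entries; bare rule-dump lines go into 'detail'."""
    phases, final, target = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            target = {"phase": int(line.split(":", 1)[1]), "detail": []}
            phases.append(target)
            continue
        if line == "Result:":          # start of the final summary block
            target = final
            continue
        if target is None:             # banner lines before the first phase
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            target[key.strip().lower().replace("-", "_").replace(" ", "_")] = value.strip()
        elif not sep:
            target.setdefault("detail", []).append(line)
    return {"phases": phases, "final": final}

def rule_fields(phase):
    """Extract name=value pairs (id, domain, deny, hits, ...) from a phase's rule dump."""
    return dict(re.findall(r"(\w+)=([^,\s]+)", " ".join(phase.get("detail", []))))

def implicit_deny(trace):
    """True when the very first phase is the implicit ACCESS-LIST deny and the
    packet is dropped: NAT and routing were never evaluated, so look at the
    interface/ACL side rather than the NAT rules."""
    if not trace["phases"]:
        return False
    first = trace["phases"][0]
    return (first.get("type") == "ACCESS-LIST" and first.get("result") == "DROP"
            and "Implicit Rule" in first["detail"]
            and trace["final"].get("action") == "drop")

if __name__ == "__main__":
    for key, n in dropped_by_destination(parse_capture(SAMPLE_CAPTURE)).most_common():
        print(f"{key[0]}:{key[1]}/{key[2]}  dropped={n}")
    trace = parse_packet_tracer(SAMPLE_TRACE)
    print("implicit deny before NAT:", implicit_deny(trace), rule_fields(trace["phases"][0]))
```

Run against a real `show cap asp` dump, the per-destination counts tell you quickly whether everything from the interface is being dropped (as here) or only certain flows; the rising `hits` counter in the rule dump is the same signal seen on the device side.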

This might be an ACL configuration issue.

Check this link

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/s2_711.html

HTH.

The interface is configured as follows:

interface GigabitEthernet1/0
 nameif dmz2
 security-level 60
 ip address 192.168.4.1 255.255.255.0
 ospf cost 10

It is attempting to get external access (security level 0).  Currently there is no ACE/ACL configured on this interface and the ASDM says that there is only the 'implicit rule: Permit all traffic to less secure networks'.

NAT is set as follows:

object network obj-192.168.4.0
 nat (dmz2,external) dynamic 2XX.1XX.1XX.4X

This is configured the same as the other ports already in the ASA; this is just a 4GE-SSM port. I have tried all the ports and they all behave the same.

By default is there an implicit deny on SSM ports?

Hey,

Do you have any kind of ethertype ACLs? Is the firewall in transparent or Router mode?

Mike

Mike

The firewall is in router mode; there are no ACLs on this interface at all.  I have set up NAT (dmz2,external) and that's about it.  The existing 4 ports, configured in a similar manner, worked with just NAT out of the box; the 4 ports on the 4GE-SSM do not.

Where can I look up ethertype ACLs?  Do they appear in the same place as normal ACLs?  If they do then I have none; I only have the 'implicit: access to less secure' message.

I have configured them as standard ports not using any VLAN functionality.  It's a little odd really, do you think I have a duff unit?  I can see the traffic light flickering when I attempt a connection and the links go up/down as I disconnect.  The only other odd thing I have noticed is when I do a tracer using the ASDM the external link is marked as ? rather than up or down.

I am struggling here ....HELP!

Can you do a show interface and check what their status is on the CLI? Also, would you be able to do a show run access-group and see if any ACL is applied?

If you move it to an ASA port rather than an SSM one, does it work?

Mike

Mike

I can do anything you like with it in the morning as it's driving me nuts!

Would a full config help (with the IPs removed and what not)?

I have moved it to the ASA port and all works fine... it's really weird, there isn't a license requirement for the SSM?

Nope, it may be a faulty SSM module :S

I would definitely like to see the show module 1 detail and show interfaces to see what the status of the SSM is. Where are you located?

Mike

Mike

I am in the UK, I can post up any CLI responses tomorrow.

Just:

show interface

and

show module 1 detail

????

Yup that will be it for now. You can try tomorrow to swap out and then put the module back in... that often helps.

Mike.

Mike

OK, will post back the results tomorrow... Battlefield 3 time now

Thx for the help!
