cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
860
Views
0
Helpful
2
Replies

ASA blocks RPC TCP port 135 for intra-interface communication

Justin Westover
Level 1
Level 1

I understand the fix to this problem with the "same-security-traffic permit intra-interface" command but I'm curious if anyone knows the reason behind by RPC on tcp/135 would need to consult the ASA for a host on the same subnet? The ASA is the gateway for hosts on this subnet but a host should not have to consult the ASA unless it is attempting to communicate with another node on a different subnet. I also understand that the ASA would receive the flooding of a broadcast when the host doesn't know the MAC of a host on the same subnet. But in this case, the ASA is denying traffic from host 172.18.3.212:49450 on interface inside4 to host 172.18.3.211:135 on interface inside4. Proxy arp is also disabled on the ASA. Thoughts on why this would occur?

2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

It sounds like some oddness at the host level. Have you done an analysis (arp cache review, etc.) or packet capture on either of the endpoints to see why they might be sending packets to one another via the ASA?

Even if the ASA were - against all expectation - in the path it should allow the traffic given the "same-security-traffic permit intra-interface" command. The only simple reason (assuming there are no access-lists at play) I can think it would block it is due to an inspection service-policy. 

Yeah I could turn the same-security-traffic permit intra-interface command on and I'm sure it would work. I'm just curious why I would run into this problem in the first place. In this case the two servers are MS SQL servers and they are testing failover. I could run some captures on the servers to see what they are doing specifically I was just curious if anyone else has run into this issue...

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: