ASA 5510 - UDP packets bouncing to the wrong interface

Hello folks,

Looking for some help on a problem we are having on a Cisco 5510 running 8.0(5) that we have on a remote site. We have three interfaces configured on the device: Inside as 172.19.19.*, Outside as 172.16.34.* and the voice interface 10.253.253.*. The voice interface is there for our IPT solution. Under normal usage there is UDP traffic coming from the inside interface and being routed to the voice interface as per the RIP routing table, which we know is correct. However, if the voice interface goes down we start to see the firewall routing UDP packets out the Outside interface. Once the voice interface comes back up the traffic continues to be pushed out the Outside interface, and so the IPT equipment never recovers as the traffic is being pushed out the wrong interface. The sh conn output shows that the UDP traffic is indeed being directed out the outside interface. Issuing the clear conn command gets everything working again as it should but is not ideal.

What am I missing so that the UDP stream never jumps to the outside interface for traffic destined for the Voice interface?

21 REPLIES

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Hi,

It sounds like there's a route to the Voice device via both the voice and the outside interfaces on the ASA?

It uses the voice first because the route is better, but if something happens it switches to use the outside....

Then when the voice recovers (since there's no tracking mechanism configured), the ASA continues to use the outside until you manually tell it to switch back to the voice interface...

This is what it seems... so... question...

Is the voice device directly connected or is there a route to reach it? And if so... is there also a route via the outside interface?

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Federico,

We have RIP routing on the voice interface that gives that interface a route back to the core IPT equipment. We can see this in the routing table on the Voice interface. The outside interface just has the one static route configured on it and that is a 0.0.0.0 0.0.0.0 172.16.34.* back to the core firewall. When the voice interface comes back we do see NTP traffic being passed to the voice interface but the UDP stays going through the outside.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

You're right...

But... if those UDP packets are going through the outside interface, it is because they built a conn to the outside (meaning they went through a NAT rule permitting the traffic and a route).

If you send a PING packet when this happens... the PING packet continues to use the voice interface and never uses the outside, correct?

If you can post the relevant part of the configuration that might help.

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

You are spot on.

When the interface comes back then I can indeed ping out that voice interface successfully even though the UDP packets are still heading out the wrong one. What config would you like a copy of? Our rule base is massive so posting the whole config is a bit much.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Just before getting the config could you check something else...

If those UDP packets are indeed sent to the outside it's because there's an XLATE or they went through a NAT rule (and if they did, they also match a valid route).

The output of the "sh conn" that shows the UDP packets sent to the outside... please check the destination IP.

We need to check which route those packets are matching and which NAT rule they are using to create that connection.

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Here is the output from the sh conn:

fw-cnes-harbourview# sh conn

342 in use, 1019 most used

UDP outside 10.10.0.2:5060 inside 10.10.19.2:5060, idle 0:00:00, bytes 789807, flags T

UDP outside 187.187.5.50:161 inside 172.20.177.26:1099, idle 0:03:47, bytes 5334, flags -

fw-cnes-harbourview#

As you can see, the traffic from 10.10.19.2, which is the IPT hardware, is trying to get to 10.10.0.2, which is in the HQ and which it should be going through the voice interface for.
Here is the NAT rule:
fw-cnes-harbourview# sh nat
NAT policies on Interface inside:
  match ip inside any outside any
    NAT exempt
    translate_hits = 16972, untranslate_hits = 8422
  match ip inside any inside any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any voice any
    NAT exempt
    translate_hits = 12506, untranslate_hits = 16
fw-cnes-harbourview# sh run | grep nat
description UDP Ports Sourse 50000 to 50999, Destination Ports 52000 to 52999
access-list CSM_nat0_inside extended permit ip any any
nat (inside) 0 access-list CSM_nat0_inside

Re: ASA 5510 - UDP packets bouncing to the wrong interface

UDP outside 10.10.0.2:5060 inside 10.10.19.2:5060, idle 0:00:00, bytes 789807, flags T

SIP connection from inside to outside...

Can you post the ''sh route | i 10.10.0.2''

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

First, thanks for all your help with this.  When I do a sh route | i 10.0.0.2 it gives me no output at all, just back to the command prompt.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

My mistake.  Here is the output:

fw-cnes-harbourview# sh route | i 10.10.0.2

fw-cnes-harbourview# sh route | i 10.10.0.2

fw-cnes-harbourview# sh route i 10.10.0.2

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 172.16.34.1 to network 0.0.0.0

S    10.20.19.0 255.255.255.0 [1/0] via 10.255.19.254, inside

S    10.10.19.0 255.255.255.0 [1/0] via 10.255.19.254, inside

C    10.255.19.252 255.255.255.252 is directly connected, inside

S    10.255.19.0 255.255.255.128 [1/0] via 10.255.3.254, inside

fw-cnes-harbourview#

Re: ASA 5510 - UDP packets bouncing to the wrong interface

No problem.... let's hope I can help you with this one :-)

Is the routing table too long?

I just want to check which route the ASA is using to reach 10.0.0.2

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

fw-cnes-harbourview# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 172.16.34.1 to network 0.0.0.0

R    187.187.0.0 255.255.0.0 [120/1] via 172.16.34.1, 0:00:16, outside

C    172.16.34.0 255.255.254.0 is directly connected, outside

S    172.20.176.0 255.255.240.0 [1/0] via 10.255.19.254, inside

R    10.11.1.0 255.255.255.0 [120/1] via 10.253.253.7, 0:00:05, voice

R    10.10.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

R    10.10.1.0 255.255.255.0 [120/1] via 10.253.253.7, 0:00:05, voice

R    10.11.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

R    10.10.2.0 255.255.255.0 [120/1] via 10.253.253.5, 0:00:05, voice

R    10.255.11.252 255.255.255.252 [120/1] via 10.253.253.49, 0:00:04, voice

R    10.11.3.0 255.255.255.0 [120/1] via 10.253.253.4, 0:00:20, voice

R    10.11.2.0 255.255.255.0 [120/1] via 10.253.253.5, 0:00:05, voice

R    10.10.3.0 255.255.255.0 [120/1] via 10.253.253.4, 0:00:20, voice

R    10.12.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

R    10.255.1.252 255.255.255.252 [120/1] via 10.253.253.7, 0:00:05, voice

R    10.255.3.252 255.255.255.252 [120/1] via 10.253.253.4, 0:00:20, voice

C    10.253.253.0 255.255.255.0 is directly connected, voice

R    10.255.2.252 255.255.255.252 [120/1] via 10.253.253.5, 0:00:05, voice

R    10.10.11.0 255.255.255.0 [120/1] via 10.253.253.49, 0:00:04, voice

R    10.255.0.248 255.255.255.248 [120/1] via 10.253.253.1, 0:00:16, voice

S    10.20.19.0 255.255.255.0 [1/0] via 10.255.19.254, inside

S    10.10.19.0 255.255.255.0 [1/0] via 10.255.19.254, inside

R    10.20.11.0 255.255.255.0 [120/1] via 10.253.253.49, 0:00:04, voice

C    10.255.19.252 255.255.255.252 is directly connected, inside

R    10.20.2.0 255.255.255.0 [120/1] via 10.253.253.5, 0:00:05, voice

R    10.22.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

R    10.20.3.0 255.255.255.0 [120/1] via 10.253.253.4, 0:00:20, voice

R    10.20.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

R    10.20.1.0 255.255.255.0 [120/1] via 10.253.253.7, 0:00:05, voice

R    10.21.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

R    10.20.60.0 255.255.255.0 [120/1] via 10.253.253.43, 0:00:09, voice

R    10.255.60.252 255.255.255.252 [120/1] via 10.253.253.43, 0:00:09, voice

R    10.20.92.0 255.255.255.0 [120/1] via 10.253.253.6, 0:00:19, voice

R    10.10.66.0 255.255.255.0 [120/1] via 10.253.253.47, 0:00:23, voice

R    10.255.78.248 255.255.255.248 [120/1] via 10.253.253.48, 0:00:14, voice

R    10.20.91.0 255.255.255.0 [120/1] via 10.253.253.74, 0:00:11, voice

R    10.255.75.248 255.255.255.248 [120/1] via 10.253.253.65, 0:00:18, voice

R    10.20.88.0 255.255.255.0 [120/1] via 10.253.253.45, 0:00:06, voice

R    10.10.75.0 255.255.255.0 [120/1] via 10.253.253.65, 0:00:18, voice

R    10.255.66.252 255.255.255.252 [120/1] via 10.253.253.47, 0:00:23, voice

R    10.10.78.0 255.255.255.0 [120/1] via 10.253.253.48, 0:00:14, voice

R    10.20.78.0 255.255.255.0 [120/1] via 10.253.253.48, 0:00:14, voice

R    10.255.88.252 255.255.255.252 [120/1] via 10.253.253.45, 0:00:06, voice

R    10.255.91.252 255.255.255.252 [120/1] via 10.253.253.74, 0:00:11, voice

R    10.255.92.252 255.255.255.252 [120/1] via 10.253.253.6, 0:00:19, voice

R    10.20.75.0 255.255.255.0 [120/1] via 10.253.253.65, 0:00:18, voice

R    10.10.88.0 255.255.255.0 [120/1] via 10.253.253.45, 0:00:06, voice

R    10.20.66.0 255.255.255.0 [120/1] via 10.253.253.47, 0:00:23, voice

R    10.10.97.0 255.255.255.0 [120/1] via 10.253.253.46, 0:00:03, voice

R    10.255.97.252 255.255.255.252 [120/1] via 10.253.253.46, 0:00:03, voice

R    10.20.97.0 255.255.255.0 [120/1] via 10.253.253.46, 0:00:03, voice

R    10.255.97.0 255.255.255.128 [120/1] via 10.253.253.46, 0:00:03, voice

R    10.255.92.0 255.255.255.128 [120/1] via 10.253.253.6, 0:00:19, voice

R    10.255.88.0 255.255.255.128 [120/1] via 10.253.253.45, 0:00:06, voice

R    10.255.66.0 255.255.255.128 [120/1] via 10.253.253.47, 0:00:23, voice

R    10.255.78.0 255.255.255.128 [120/1] via 10.253.253.48, 0:00:14, voice

R    10.255.75.0 255.255.255.128 [120/1] via 10.253.253.65, 0:00:18, voice

R    10.255.60.0 255.255.255.128 [120/1] via 10.253.253.43, 0:00:09, voice

S    10.255.19.0 255.255.255.128 [1/0] via 10.255.3.254, inside

R    10.255.1.0 255.255.255.128 [120/1] via 10.253.253.7, 0:00:05, voice

R    10.255.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

R    10.255.3.0 255.255.255.128 [120/1] via 10.253.253.4, 0:00:20, voice

R    10.255.2.0 255.255.255.128 [120/1] via 10.253.253.5, 0:00:05, voice

R    10.255.11.0 255.255.255.128 [120/1] via 10.253.253.49, 0:00:04, voice

S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.34.1, outside

fw-cnes-harbourview#

Re: ASA 5510 - UDP packets bouncing to the wrong interface

I don't see a RIP route that points to 10.0.0.2 via the voice interface.

According to the routing table it should use the default gateway and it will make sense to use the outside interface then...

You say that 10.0.0.2 is the HW on the voice interface (but that's not what it seems from the output of the routing table).

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Federico,

The output from the sh conn showed the address it is trying to get to as 10.10.0.2 and not 10.0.0.2.  This route should be covered by:

R    10.10.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice

Re: ASA 5510 - UDP packets bouncing to the wrong interface

You're right sorry :-)

Try this:

packet-tracer input inside udp 10.10.19.2 1024 10.10.0.2 5060 det

And post the output please.

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

fw-cnes-harbourview# packet-tracer input inside udp 10.10.19.2 1024 10.10.0.2 $

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6786bb0, priority=1, domain=permit, deny=false

        hits=792305, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group CSM_FW_ACL_inside in interface inside

access-list CSM_FW_ACL_inside extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6a839c0, priority=12, domain=permit, deny=false

        hits=13753, user_data=0xd6a83980, cs_id=0x0, flags=0x0, protocol=0

        src ip=10.0.0.0, mask=255.0.0.0, port=0

        dst ip=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6788d50, priority=0, domain=permit-ip-option, deny=true

        hits=34924, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: INSPECT

Subtype: inspect-sip

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect sip

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd72770e0, priority=70, domain=inspect-sip, deny=false

        hits=14, user_data=0xd7274d08, cs_id=0x0, use_real_addr, flags=0x0, protocol=17

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=5060, dscp=0x0

Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside any outside any

    NAT exempt

    translate_hits = 18073, untranslate_hits = 8690

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6ac3dd0, priority=6, domain=nat-exempt, deny=false

        hits=18087, user_data=0xd6ac3d30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xd67472a0, priority=0, domain=permit-ip-option, deny=true

        hits=21921, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 40151, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_punt

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_punt

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Phase: 10

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 172.16.34.1 using egress ifc outside

adjacency Active

next-hop mac address 0002.b3cd.9874 hits 304

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

fw-cnes-harbourview#

Re: ASA 5510 - UDP packets bouncing to the wrong interface

It's clearly using the GW of the ASA via the outside interface.

The question is:

Why is it choosing this route when it has the RIP route?

Can you add a static route and run the test again?

route voice 10.10.0.2 255.255.255.255 10.253.253.1

Federico.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Hi Guys,

This is a very interesting discussion going on, so I wanted to join in as well. I did some research and found out that there was a bug in the code, CSCso42904, which has been fixed in the release that you are running. So now, as it appears, the traffic shifts back for ping etc., but the flow is never cleared for the UDP voice traffic, which is also subjected to the inspection engine.

So, if Federico can answer (since he is far more experienced than me): could there be any reason for the flow not being dropped for inspected traffic?

Manish

Cisco Employee

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Wow! You guys have done an amazing job in this thread. Please read this defect, CSCsy19222. This is still not resolved yet.

Symptom:
If a routing table entry is removed from the ASA's routing table and there are no routes out an interface to reach a destination, connections built through the firewall with that foreign destination will be deleted by the ASA, so that they can be built again using a different interface with routing entries for the destination present. However, if more-specific routes are added back to the table, the connections will not be updated to use the new, more specific routes, and will continue to use the less-optimal interface.

For example, consider that the firewall has two interfaces that face the internet, "outside" and "backup". These two routes exist in the ASA's configuration:

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route backup 0.0.0.0 0.0.0.0 10.0.0.1 254

If both the outside and backup interfaces are "up", then connections built outbound through the firewall will use the outside interface, as it has the preferred metric of 1. If the outside interface is shutdown (or the cable unplugged) connections using the outside interface would be torn down, and re-built using the backup interface, as the backup interface is the only interface with a route to the destination.

The problem appears if the outside interface is brought back up; the connections will continue to exist on the ASA and traverse the backup interface, and NOT be deleted and recreated on the outside interface with the more-preferred metric,  because the backup default route still exists in the backup interface's routing table. This might cause problems for long-lived connections, such as external SIP registrations or other UDP connections.

Conditions:
This issue can be encountered when the ASA has two egress interfaces that have routes to a destination subnet, and the preferred route to the destination is removed for some time, then re-added. This can occur due to route SLA tracking, network topology changes, and routing changes due to routing protocol re-convergence.
  
Workaround:
none

-KS


Re: ASA 5510 - UDP packets bouncing to the wrong interface

Federico,

That's me back at work, so I will give this a try with the static route.  I think the posts after yours about the known bug are very interesting, as that looks like exactly what is happening, as the routing for both TCP and UDP works perfectly before the Voice interface connection is lost.

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Everyone,

Is there a way to stop the traffic trying to exit using the other interface at all? So that, in the event of the voice interface not getting RIP updates and being down, the TCP/UDP traffic does not try to get out using the outside interface through the static route of 0.0.0.0 0.0.0.0 on that interface.

Cisco Employee

Re: ASA 5510 - UDP packets bouncing to the wrong interface

Until the defect gets resolved, the only way now is to "clear local x.x.x.x" for the IP address in question.

-KS
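
To find which hosts the workaround above needs to be applied to, the connection table can be compared against what the current routing table would select for each endpoint. The script below is an added example, not code from any poster or from Cisco; its sample lines are excerpts of the output posted in this thread, and the function names are illustrative.

```python
import ipaddress
import re

# Excerpts of the "sh conn" and "sh route" output posted in this thread.
SH_CONN = """\
UDP outside 187.187.1.15:500 inside 172.20.177.3:500, idle 0:07:00, bytes 70776, flags -
TCP outside 187.187.1.48:445 inside 172.20.177.24:1529, idle 0:00:22, bytes 16102571, flags UIO
UDP outside 10.10.0.2:5060 inside 10.10.19.2:5060, idle 0:00:00, bytes 789807, flags T
"""
SH_ROUTE = """\
Gateway of last resort is 172.16.34.1 to network 0.0.0.0
R    187.187.0.0 255.255.0.0 [120/1] via 172.16.34.1, 0:00:16, outside
C    172.16.34.0 255.255.254.0 is directly connected, outside
S    172.20.176.0 255.255.240.0 [1/0] via 10.255.19.254, inside
R    10.10.0.0 255.255.255.0 [120/1] via 10.253.253.1, 0:00:16, voice
S    10.10.19.0 255.255.255.0 [1/0] via 10.255.19.254, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.34.1, outside
"""

CONN_RE = re.compile(
    r"^(TCP|UDP|ICMP)\s+(\S+)\s+([\d.]+):(\d+)\s+(\S+)\s+([\d.]+):(\d+)")
ROUTE_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s.*,\s*(\S+)\s*$")

def parse_routes(text):
    """Return (network, interface) pairs; legend and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes

def egress_interface(routes, addr):
    """Longest-prefix match: the interface the routing table selects for addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, ifc) for net, ifc in routes if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def stale_connections(conn_text, route_text):
    """List endpoints whose connection interface differs from the routed one."""
    routes = parse_routes(route_text)
    stale = []
    for line in conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        # Each entry names two endpoints, each as "<interface> <ip>:<port>".
        for ifc, addr, port in (m.group(2, 3, 4), m.group(5, 6, 7)):
            wanted = egress_interface(routes, addr)
            if wanted and wanted != ifc:
                stale.append({"proto": m.group(1), "address": addr,
                              "port": int(port), "conn_ifc": ifc,
                              "route_ifc": wanted})
    return stale

if __name__ == "__main__":
    for c in stale_connections(SH_CONN, SH_ROUTE):
        print(f"{c['proto']} {c['address']}:{c['port']} is on {c['conn_ifc']}, "
              f"routing table says {c['route_ifc']}")
```

On the excerpts above it reports only the SIP flow to 10.10.0.2, which the connection table holds on outside while the RIP route points to voice.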
