Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1713
Views
0
Helpful
0
Replies

ASA 8.2(1) sends TTL exceeded to VPN client when sending to UDP/33435

4bbeck
Level 1
Level 1

‎12-07-2009 08:33 AM - edited ‎03-11-2019 09:46 AM

Hi All!

I've got an ASA running 8.2(1) supporting 30-40 Avaya VPNremote phones.  These phones emulate Cisco VPN client.

They connect without event, and can place/receive calls with no problem - most of the time.

Periodically they will reboot without apparant cause.

A capture on the ASA reveals that the ASA sends an ICMP TTL-exceeded to the phone in response to certain packets sent by the phone. 

ie. phone is at 192.168.78.133, Avaya system is on the inside at 192.168.201.X.  ASA Inside interface is 172.25.2.1.

See below - phone sends packet to Avaya on UDP/33435, then ASA decides to send a TTL-exceeded back to the phone (192.168.78.133).

I saw this problem prior to disabling inspect h323.

Any ideas?  I do see that UDP/33435 is the default port that UNIX traceroute will send to.

Here's my inspect config:

policy-map global_policy
class inspection_default
  inspect ftp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp error
  inspect mgcp
  inspect pptp
  inspect ctiqbe
  inspect snmp
  inspect icmp
  inspect ils
  inspect dns
!

Here's the capture:

335: 10:18:40.032346 192.168.78.133.5749 > 192.168.201.15.1720: . ack 4194325055 win 8140 <nop,nop,timestamp 118171 32938776>
336: 10:18:40.033628 192.168.201.15.1720 > 192.168.78.133.5749: P 4194325055:4194325381(326) ack 2907638830 win 8192 <nop,nop,timestamp 32938776 118171>
337: 10:18:40.151695 192.168.78.133.5749 > 192.168.201.15.1720: . ack 4194325381 win 7870 <nop,nop,timestamp 118171 32938776>
338: 10:18:47.290497 192.168.78.133.3587 > 192.168.201.32.2497:  udp 92
339: 10:18:50.070156 192.168.78.133.3587 > 192.168.201.32.2497:  udp 92
340: 10:18:50.221042 192.168.78.133.56176 > 192.168.201.32.33435:  udp 8
341: 10:18:50.221424 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
342: 10:18:50.337003 192.168.78.133.56176 > 192.168.201.32.33436:  udp 8
343: 10:18:50.337171 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
344: 10:18:50.452475 192.168.78.133.56176 > 192.168.201.32.33437:  udp 8
345: 10:18:50.452765 172.25.2.1 > 192.168.78.133: icmp: time exceeded in-transit
346: 10:18:50.568345 192.168.78.133.56176 > 192.168.201.32.33438:  udp 8
347: 10:18:50.573243 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33438 unreachable
348: 10:18:50.688700 192.168.78.133.56176 > 192.168.201.32.33439:  udp 8
349: 10:18:50.692362 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33439 unreachable
350: 10:18:50.807850 192.168.78.133.56176 > 192.168.201.32.33440:  udp 8
351: 10:18:50.811267 192.168.201.32 > 192.168.78.133: icmp: 192.168.201.32 udp port 33440 unreachable
352: 10:18:56.959270 192.168.78.133.3587 > 192.168.201.32.2497:  udp 92
353: 10:18:59.717827 192.168.78.133.5749 > 192.168.201.15.1720: . ack 4194325381 win 8192
354: 10:18:59.718743 192.168.201.15.1720 > 192.168.78.133.5749: . ack 2907638830 win 8192 <nop,nop,timestamp 32938815 118171>
355: 10:19:03.768408 192.168.78.133.3587 > 192.168.201.32.2497:  udp 92
356: 10:19:03.946377 192.168.201.15.1720 > 192.168.78.133.5749: P 4194325381:4194325438(57) ack 2907638830 win 8192 <nop,nop,timestamp 32938824 118171>

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card