DCE/RPC through ASA5510+ issues

Hi Everybody,

We are working on an automation system from Honeywell; there is a server called eSERVER, and this one should take information from another server on the control side.

The issue is: when all the devices are within the same LAN the system works perfectly, but when I put the eSERVER behind an ASA something happens and the system does not work properly.

I opened all the ports described in the Honeywell deployment guide, but it did not work. Then I opened all IP traffic through the ASA and made a packet capture to identify any issue with the communication.

I found a lot of packets with this description:

source          destination     protocol   Info
172.17.20.14    192.168.1.1     DCERPC     Request: call_id: 524 opnum: 8 ctx_id: 0
192.168.1.1     172.17.20.14    DCERPC     Response: call_id: 524 ctx_id: 0

I don't know much about the RPC protocol, and I tried to configure packet inspection with port 135/TCP, but it did not work.

Could you please shed some light on this issue? I need to know if the problem is with the ASA or with the servers and protocols when the devices are in different IP segments.

BTW, I'm attaching the packet captures that I made on the ASA in case you want to check them.

Thanks and Regards

Jose

1 REPLY

Hi Jose,

I would recommend opening a TAC case to have this investigated further. The ASA has limited support for certain DCERPC calls, so it's possible that Honeywell's implementation uses UUIDs that are not supported by the inspection engine. If you have opened all ports through the ACL, you should disable the DCERPC inspection to prevent any interoperability issues.

If you leave the inspection enabled and decide to open a TAC case, you'll need to get the following:

1. Captures on the inside and outside interfaces of the ASA

2. Syslogs from the ASA during a failed connection

3. Output of the following ASA debugs:

   debug dcerpc error
   debug dcerpc event
   debug dcerpc packet

-Mike

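The two paths Mike describes (remove the DCERPC inspection when the ACL already permits everything, or keep it and collect evidence for TAC), written out as an added ASA configuration walk-through. This is an added example, not configuration from the original thread or from Cisco/Honeywell documentation. The interface names "inside" and "outside", the class/policy names dcerpc_class, dcerpc_map and global_policy, the assumption that 172.17.20.14 sits behind "inside" and 192.168.1.1 on "outside", and the TFTP server 192.0.2.10 are all placeholders for illustration; configuration-mode and exec-mode commands are mixed in the order you would type them.

```cisco
! Added example (not from the original thread). Names, interface sides and
! the TFTP server address are assumptions; adapt them to your ASA.

! --- What an explicit DCERPC inspection bound to TCP/135 looks like ---
! Inspection is not on by default; when enabled, the ASA watches the
! endpoint mapper on TCP/135 and opens pinholes for the dynamic ports it
! negotiates. Calls using UUIDs the engine does not know can be dropped.
policy-map type inspect dcerpc dcerpc_map
 timeout pinhole 0:10:00
!
class-map dcerpc_class
 match port tcp eq 135
!
policy-map global_policy
 class dcerpc_class
  inspect dcerpc dcerpc_map
!
! Confirm where the inspection is applied and whether it sees traffic.
show service-policy inspect dcerpc

! --- Path A: ACL already permits all ports, so remove the inspection ---
policy-map global_policy
 class dcerpc_class
  no inspect dcerpc

! --- Path B: keep the inspection and gather what TAC asks for ---
! 1. Captures on both interfaces, filtered to the two hosts from the post
!    (assumption: 172.17.20.14 behind "inside", 192.168.1.1 on "outside").
capture capin interface inside match ip host 172.17.20.14 host 192.168.1.1
capture capout interface outside match ip host 172.17.20.14 host 192.168.1.1
!
! 2. Syslogs: buffer at debugging level so inspection drops are recorded.
logging enable
logging buffered debugging
!
! 3. DCERPC inspection-engine debugs; enable them, reproduce the failure
!    once, then turn them off (they are verbose on a busy box).
debug dcerpc error
debug dcerpc event
debug dcerpc packet
!
! After reproducing the failure, collect the evidence and clean up.
show logging | include 172.17.20.14
show capture capin
show capture capout
copy /pcap capture:capin tftp://192.0.2.10/capin.pcap
copy /pcap capture:capout tftp://192.0.2.10/capout.pcap
undebug all
no capture capin
no capture capout
```

Comparing capin and capout for the same call_id shows whether the ASA forwarded, modified or dropped a given DCERPC request; a request that appears on the inside capture but never on the outside capture, with a matching syslog at the same second, points at the inspection engine rather than at the servers.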