Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

DPD packets not traversing through Pix & ASA Firewalls

We appear to be having issues with DPD packets being dropped by our firewalls.

The set up is as follows:

VPN3005-----pix(6.3)-----ASA(7.0)---Internet----VPN CLients

The concentrator is running 4.7.2.B and the clients is running v4.8.01.0300.

The VPN is created OK and works fine if traffic is being sent in either direction. The clients all sit behind DSL routers and if the DSL routers lose connection to the Internet for a few seconds the VPN drops and won't re-establish.

Doing packet captures on the Pix and the ASA shows that the DPD packets from the concentrator get to the Pix and the DPD packets from the client get to the outside of the ASA.

Since the DPD packets are on tcp port 10000 they should be allowed through on the same rules that allow the VPN. I can't see anything in the inspection rules that should stop this from occurring.

The ASA is a recent addition to the network but prior to that the same issue occurred where the Concentrator sent the packets as far as the Pix inside interface and the Client sent them as far as the outside interface.

There is no NAT happening on either firewall, the concentrator and client are all on routable IP addresses.

Any ideas what may cause this?

Community Member

Re: DPD packets not traversing through Pix & ASA Firewalls

Forgot to add that the ASA is in Transparent mode and only acts as a diode for incoming traffic.

CreatePlease to create content