Cisco Support Community

Drop Packet Issue - ASA 5520 7.2

I have a Cisco ASA 5520 with a DMZ and an inside interface. The security policy is set up to permit IP ANY from a host on the DMZ to a host on the inside. The host on the DMZ is initiating communication on UDP port 2114, which is a challenge-response authentication. The ASA does not log it in any of the syslogs or the log buffer, even under debugging, and it drops it. With a CLI capture I see the packet on the DMZ interface, but it never goes out the internal interface. NAT is correctly set up and verified.

If I do a packet trace (CLI or ASDM) from one host to the other on UDP port 2114, it only shows FLOW-LOOKUP and says it is using an existing FLOW with ID (number). It then gives an end result with ? marks for the exit interface. If I change this to another port it works fine and properly shows the access list and route lookup. It can obviously route.

I have an open TAC case, but I'm wondering if anyone else has ever seen this issue. A reboot of the ASA didn't help; it simply changed the FLOW-LOOKUP number.
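The symptom described above (packet-tracer stopping at FLOW-LOOKUP with "using existing flow" and no exit interface) means the test packet matched an entry already in the ASA connection table, so the access-list, route-lookup and NAT phases are never evaluated and the result reflects whatever that existing entry holds. The following is an added troubleshooting sequence for ASA 7.2, not part of the original post or of any Cisco document; the host addresses (10.1.1.10 on the DMZ, 192.168.1.20 on the inside), the interface names "dmz" and "inside", and the use of 2114 as the source port are assumptions for illustration only.

```cisco
! Assumed addressing (not from the post): DMZ host 10.1.1.10, inside host
! 192.168.1.20, interfaces named "dmz" and "inside". Source port 2114 is also
! an assumption; use the real ephemeral port if the client picks one.

! 1. Reproduce the trace. "Found flow with id N, using existing flow" in the
!    FLOW-LOOKUP phase means the packet matched an entry already in the
!    connection table, so the ACL and route phases are skipped.
packet-tracer input dmz udp 10.1.1.10 2114 192.168.1.20 2114

! 2. Inspect the connection entry the trace is matching and the per-host state.
show conn protocol udp port 2114
show local-host 10.1.1.10 detail

! 3. Confirm the data plane is discarding the packet and get the drop reason.
!    Drops in the accelerated security path do not always produce a syslog,
!    but an asp-drop capture records every discarded packet with its reason.
show asp drop
capture aspdrop type asp-drop all
! ... send traffic from the DMZ host, then:
show capture aspdrop | include 2114

! 4. Remove the stale entry so the next packet builds a fresh flow through
!    access-list, route and NAT lookup instead of reusing the old one.
clear local-host 10.1.1.10

! 5. Re-run the trace; a healthy result lists ACCESS-LIST, ROUTE-LOOKUP, NAT
!    and FLOW-CREATION phases and shows a populated output interface.
packet-tracer input dmz udp 10.1.1.10 2114 192.168.1.20 2114

! Cleanup
no capture aspdrop
```

If the drop reason in step 3 names a specific condition, compare it against the `show asp drop` counters before and after sending traffic; a counter that increments with each attempt points directly at the phase discarding the packet, which is the detail a TAC engineer will ask for.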




Re: Drop Packet Issue - ASA 5520 7.2

To my knowledge, the most common of these are TCP and UDP ports, which are used to exchange data between computers on the Internet. Port 2114 uses the tcp/udp protocol for service type newheights.