Today I am going to ask for urgent help. The issue started as one thing and ended up as another. I have updated a firewall image from 8.2 to 8.4.5, and after that the traffic (HTTP, FTP, POP3) was not passing through CSC for the clients behind the ASA. So we were asked by Cisco TAC to upgrade the CSC from version 6.3 to 6.6 (reimage, with the 6.6 hotfix). But it didn't solve the problem. Later on we removed from the global policy the rule to pass traffic through CSC, and unfortunately the problem wasn't solved; additionally, we are not able to connect with ASDM, but SSH was working to connect to the ASA.
What I have found so far is that there are a lot of TCP dup packet drops. I have done packet captures in both directions (in and out) and see that very few packets come in, with no payload. Anyway, I have attached those files.
One important thing to tell: I have already shut down the CSC module, and now the traffic goes client->proxy->ASA->router->internet. I have looked at the packets on the router and there is no issue on the internet or the router, because there is no packet drop on ICMP and there is no special rule on the router except NAT.
Thanks for your answer. I downgraded the ASA to 8.2 and it didn't solve the issue. Later on I found that the switch between the router and the firewall causes that issue. After removing the switch everything works fine again, except the traffic is passing through the CSC module. We will do that test next week, because it is a remote location where the problem appears and the people don't want any further tests until this week.