I have a questiong regarding how ASA handles udp flow...
I have 2 applications that are communicating via udp. These 2 applications are between 2 ASA firewalls. These 2 ASA's are connected with DLL link as a primary line and VPN IPSec over the internet as a backup.I have tracking of routes set up so if the primary DLL link fails then the traffic is rerouted to the backup VPN IpSec over the internet.
The question is, what will happen with udp flow if main DLL link fails, will current flow be terminated and reestablished over the backup line and vice versa when the mail DLL will come back again?
Reason why I''m asking this is because we had this problem once ,udp flow between these 2 aplications was not rerouted to the backup line...
The behavior seems to be normal if you were using NAT for communicating with the end hosts. When the firewall fails over to the secondary ISP, the NAT address it uses will also change. This changes the source address of the packet. So, the application might reject newer packets as the source is different and terminate the connection.
On the other hand, if you are not using NAT (nat excemption or identiry NAT), then the failover should be transparent. Only thing to check in that scenario would be the delay in failing over. If you have configured the probe interval to about 30 seconds on the firewall, the firewall will not detect the failure of the primary link until that time. So, you might want to tune that value to your needs.
Hm, I didn't know this. No,with TCP everything is ok, the problem is only with UDP pakcet flow's. Actually, on one side is PIX 515E with 8.0.(4) and on the other side I just upgraded my ASA to 8.0.(5). Any suggestions ?
If you can get that person it would be very helpful.
Regarding 8.0(5) version, I've updated before couple of days and I havent tryed yet, because this is very important production application,first I wish to gather as much as information as possible so you are helping me allot. Let say it is corrected in 8.0(5) , but what will I do with my other PIX 515E with 8.0(4) beeng the latest version?
In 8.0.5 we introduce a code change per bug CSCso42904. Basically, when the route changes from one interface to another, we detect this change and drop the flow/conn. As a result, new packets force a new conn to be created following the new routing information. So... In thoery... 8.0.5 should take of this issue. Now you bring up a good point: What about PIX? Well, unfortunately we do not have anything we can do for the PIX platform at this point. THe product as yuou know has reach End of Life and there will be no new code builds beyond 8.0.4.x.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...