Zone Based Firewall dropping SYN from inside to DMVPN? (config attached)
I'm having a problem with ZBFW appearing to cause retransmits when connecting from an inside host to a host on the remote side of the DMVPN. ICMP appears to work fine, but RDP ends up with two sessions: one established and one half-open. When the half-open session times out, the connection dies.
What's interesting is that when initiating a connection from a DMVPN host to an internal host, the connection gets established and I can stay connected all day with no problem. The router in question is a 7206VXR running 15.1(4)M7, and it serves as an internet edge router. All routes are present (EIGRP over DMVPN) and internet access is fine.
If I move the tunnel interfaces into the LAN security zone, no problem. Traffic flows from inside to outside. It's just when I have them in a separate zone that things get strange. I'm posting a sanitized config in case there's some glaring issue I've missed.
Output from 'sh policy-map type inspect zone-pair LAN-to-DMVPN sessions' when initiating an RDP session:
Re: Zone Based Firewall dropping SYN from inside to DMVPN? (config attached)
I tested with the change to the ACL, but no luck. There isn't a problem from the DMVPN-to-LAN side - this works as expected, and the ACL shows hits either way it's configured.
The problem persists with LAN-to-DMVPN - one established and one half-open, and the connection dies when the half-open resets due to not receiving ACK SYN (but the established connection obviously completed 3-way handshake) - it's like something in the firewall config is causing the initial SYN to be retransmitted.
I've also tried with 15.2(4)M5 with no luck. Any other ideas?
Re: Zone Based Firewall dropping SYN from inside to DMVPN? (config attached)
Still no dice. Didn't think it would affect the return traffic, but gave it a shot anyway. It's just baffling that ZBF is working as expected from DMVPN to LAN but the LAN to DMVPN traffic gets screwy. It's not just on RDP sessions, either - any interactive session I attempt to open dies out. I'm starting to wonder if it's got to do with NAT - that's the only difference in ingress traffic from the LAN side. I can probably simplify it by replacing the route-map with an ACL - there were initially two ISPs terminating on the router, so the route-map was larger to identify different traffic sources.
In the meantime - anything else you can think of? Anyone?
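The symptom described in this thread (one established and one half-open ZBFW session for the same client and RDP server, with the connection dying when the half-open entry times out) is easy to miss by eye in a long `show policy-map type inspect zone-pair ... sessions` listing. The following script is an added example, not something posted in the thread or part of Cisco IOS: it parses a constructed sample of that output and reports every initiator/responder pair that appears under both "Established Sessions" and "Half-open Sessions". The addresses, ports, session IDs and the exact line layout are assumptions modelled on typical IOS output; adjust the regex if your release formats the session lines differently.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the output of
# 'show policy-map type inspect zone-pair LAN-to-DMVPN sessions'.
# Addresses, ports, session IDs and the layout are made up for this
# example; real output differs between IOS releases.
SAMPLE_OUTPUT = """\
 Zone-pair: LAN-to-DMVPN
  Service-policy inspect : LAN-to-DMVPN-policy
    Class-map: LAN-to-DMVPN-class (match-any)
      Match: protocol tcp
      Inspect
        Established Sessions
         Session 2E5A9C8 (10.1.1.10:49215)=>(10.2.2.20:3389) tcp SIS_OPEN
          Created 00:00:10, Last heard 00:00:05
          Bytes sent (initiator:responder) [1234:5678]
        Half-open Sessions
         Session 2E5AA10 (10.1.1.10:49216)=>(10.2.2.20:3389) tcp SIS_OPENING
          Created 00:00:02, Last heard 00:00:02
          Bytes sent (initiator:responder) [0:0]
         Session 2E5AB44 (10.1.1.11:51002)=>(10.2.2.30:22) tcp SIS_OPENING
          Created 00:00:01, Last heard 00:00:01
          Bytes sent (initiator:responder) [0:0]
"""

# One session line: "Session <id> (src:port)=>(dst:port) <proto> <state>"
SESSION_RE = re.compile(
    r"Session\s+(?P<sid>\S+)\s+"
    r"\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)=>"
    r"\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>\S+)"
)


def parse_sessions(text):
    """Return one dict per session line, tagged with the section
    ('established' or 'half-open') it was listed under."""
    sessions = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Established Sessions":
            section = "established"
            continue
        if stripped == "Half-open Sessions":
            section = "half-open"
            continue
        m = SESSION_RE.search(line)
        if m and section:
            s = m.groupdict()
            s["section"] = section
            s["src_port"] = int(s["src_port"])
            s["dst_port"] = int(s["dst_port"])
            sessions.append(s)
    return sessions


def find_duplicate_connects(sessions):
    """Group sessions by (initiator, responder, responder port, protocol),
    ignoring the ephemeral source port, and return the flows that have
    both an established and a half-open entry: the pattern the thread
    describes, where a completed handshake coexists with a second,
    separately tracked SYN to the same server."""
    by_flow = defaultdict(set)
    for s in sessions:
        key = (s["src_ip"], s["dst_ip"], s["dst_port"], s["proto"])
        by_flow[key].add(s["section"])
    return sorted(k for k, secs in by_flow.items()
                  if {"established", "half-open"} <= secs)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    print(f"{len(parsed)} sessions parsed")
    for src, dst, port, proto in find_duplicate_connects(parsed):
        print(f"established + half-open to the same server: "
              f"{src} -> {dst}:{port}/{proto}")
```

Feed it the real command output (for example, redirected from a terminal session) instead of `SAMPLE_OUTPUT`; a flow reported here while the client only opened one RDP window confirms that the firewall is seeing, and tracking, a retransmitted or duplicated SYN rather than the application opening two connections.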