Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Packets being stripped by asa5500???

I have posted this problem in the AAA forum as originally I though this must be a triple A issue.

I am trying to replicate two ACS servers across an ASA5500. If I take the ASA out of the configuration, the two ACS servers will replicate with no problem. Once the ASA is back in, replication fails.

Comparing the sniffer traces of the working or not working topology, I can see that after the usual TCP handshaking, A packet is sent from ASA1 to ASA2 with 20 bytes of data. ASA 2 sends an akc for this packet and a next sequence value. In the version that won’t work, the ASA1 only receives the ack, NOT the next sequence value.

Could it be that the ASA is somehow stripping the next sequence bit of the packet?

ACS1-----------20byte data----Ack 233 ----- > ACS2

ACS1 < -------Ack 233 next seq 244 -------- ACS2

ACS1 -------- works okay


ACS1-----------20byte data----Ack 233 ----- > ACS2

ACS1 < -------Ack 233 ------------------------ ACS2

ACS1 < -------Ack 233 ------------------------ ACS2

ACS1 < -------Ack 233 ------------------------ ACS2

--------------times out--------------------------------

The ASA is configured with the Interfaces set at security level 50 and

No rules enabled.

Any suggestions gratefully received.



Re: Packets being stripped by asa5500???

according to the post, acs1 initiated the replication with ack 233. acs2 received the packet, sent an ack, and waiting for the next packet. now, for some unknown reason, the acs1 seems not receiving the response from acs2.

you mentioned that the interfaces security level are set to 50. just wondering if you mean the one connected to the acs servers. if so, verify whether the command "same-security-traffic permit inter-interface" is enabled.

Community Member

Re: Packets being stripped by asa5500???

Thanks Jackko,

Yup the interfaces are set to same security permit…. They are both subinterfaces and are both set to 50

I have now put a sniffer on the other side of this setup (ACS2 side) and see just 3 packets. A syn from ACS1, a syn ack from ACS2 and an Ack from ACS1.

To me this seems as if the packets I was getting on my sniffer when it was on the ACS1 side, are being produced by the ASA!!!!! Why would an ASA spoof packets?

This doesn’t make any sense to me at all. I have raised it on the “ask the experts forum but no reply as yet.

--------------------------------sniffer on ACS1 side-----------------

ACS1 ---sniffer—ASA -----ACS2

ACS1 initiates replication and full handshake takes place, followed by several TCP packets either way. ACS1 gets an Ack from (supposedly) ACS2 but no “next sequence” packet. The process now hangs as ACS1 is waiting for the next sequence it should send.

--------------------------------sniffer on ACS2 side-----------------

ACS2 ---sniffer—ASA -----ACS1

Now it gets weird….I again initiate a replication from ACS1 and see a SYN from ACS1, this is SYN ACKed by ACS2 and an ACK comes back from ACS2.

That is it….nothing else. Where are the packets that I see on the other side coming from?

CreatePlease to create content