Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
280
Views
0
Helpful
2
Replies

Packets being stripped by asa5500???

timdeadman
Level 1
Level 1

‎01-23-2006 05:41 AM - edited ‎03-09-2019 01:42 PM

I have posted this problem in the AAA forum as originally I though this must be a triple A issue.

I am trying to replicate two ACS servers across an ASA5500. If I take the ASA out of the configuration, the two ACS servers will replicate with no problem. Once the ASA is back in, replication fails.

Comparing the sniffer traces of the working or not working topology, I can see that after the usual TCP handshaking, A packet is sent from ASA1 to ASA2 with 20 bytes of data. ASA 2 sends an akc for this packet and a next sequence value. In the version that won’t work, the ASA1 only receives the ack, NOT the next sequence value.

Could it be that the ASA is somehow stripping the next sequence bit of the packet?

ACS1-----------20byte data----Ack 233 ----- > ACS2

ACS1 < -------Ack 233 next seq 244 -------- ACS2

ACS1 -------- works okay

-----------------------------------------------------------------

ACS1-----------20byte data----Ack 233 ----- > ACS2

ACS1 < -------Ack 233 ------------------------ ACS2

ACS1 < -------Ack 233 ------------------------ ACS2

ACS1 < -------Ack 233 ------------------------ ACS2

--------------times out--------------------------------

The ASA is configured with the Interfaces set at security level 50 and

No rules enabled.

Any suggestions gratefully received.

Tim

Labels:
0 Helpful
2 Replies 2

jackko
Level 7
Level 7

‎01-23-2006 04:05 PM

according to the post, acs1 initiated the replication with ack 233. acs2 received the packet, sent an ack, and waiting for the next packet. now, for some unknown reason, the acs1 seems not receiving the response from acs2.

you mentioned that the interfaces security level are set to 50. just wondering if you mean the one connected to the acs servers. if so, verify whether the command "same-security-traffic permit inter-interface" is enabled.

0 Helpful

timdeadman
Level 1
Level 1
In response to jackko

‎01-24-2006 01:36 AM

Thanks Jackko,

Yup the interfaces are set to same security permit…. They are both subinterfaces and are both set to 50

I have now put a sniffer on the other side of this setup (ACS2 side) and see just 3 packets. A syn from ACS1, a syn ack from ACS2 and an Ack from ACS1.

To me this seems as if the packets I was getting on my sniffer when it was on the ACS1 side, are being produced by the ASA!!!!! Why would an ASA spoof packets?

This doesn’t make any sense to me at all. I have raised it on the “ask the experts forum but no reply as yet.

--------------------------------sniffer on ACS1 side-----------------

ACS1 ---sniffer—ASA -----ACS2

ACS1 initiates replication and full handshake takes place, followed by several TCP packets either way. ACS1 gets an Ack from (supposedly) ACS2 but no “next sequence” packet. The process now hangs as ACS1 is waiting for the next sequence it should send.

--------------------------------sniffer on ACS2 side-----------------

ACS2 ---sniffer—ASA -----ACS1

Now it gets weird….I again initiate a replication from ACS1 and see a SYN from ACS1, this is SYN ACKed by ACS2 and an ACK comes back from ACS2.

That is it….nothing else. Where are the packets that I see on the other side coming from?

0 Helpful
Customers Also Viewed These Support Documents