ASA UDP flows to remote ezVPN hardware client created while tunnel was down lack IPSEC after it came up
I'm running remote access VPN using a Cisco ASA 5520 in HQ and several remote x8xx ISRs as ezVPN hardware clients in NEM mode with reverse route injection on the ASA. There is a monitoring system in HQ and it sends SNMP requests to the remote devices every 5 seconds. The UDP timeout is globally set to 1 minute in the ASA, so UDP connections never time out and there is no problem. So when a UDP connection (flow) is created in the ASA while the IPSEC tunnel is UP we get:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 437398285, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
and it is OK.
But if the connection (flow) is created while IPSEC was DOWN, and then IPSEC comes UP, we get:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 437401391, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
We see that the connection lacks snp_fp_encrypt and snp_fp_ipsec_tunnel_flow, and the traffic is not being encrypted and decrypted.
The ASA says the connection exists and no packets are rejected, but as we can see the flow goes to the wrong place.
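The practical risk in the post is that a stale flow keeps carrying SNMP in cleartext while every counter says the connection is healthy. The following is an added example (not code from the post or from Cisco) that audits ASA packet-tracer output for exactly that condition: it pulls the forward and reverse module lists out of the FLOW-LOOKUP phase and flags a flow whose forward path lacks snp_fp_encrypt or whose reverse path lacks snp_fp_ipsec_tunnel_flow. The two sample outputs are constructed, modelled on the excerpts above; the assumption that module names all start with snp_fp_ or snp_ifc_ and that the reverse list ends at the next "Phase:" line are mine.

```python
"""Flag ASA flows that are not going through the IPsec path.

Added example, not from the original post. Parses the FLOW-LOOKUP phase of
ASA ``packet-tracer`` output and reports flows missing the crypto modules.
"""
import re

# Modules a flow must carry to be encrypted on the way out and decrypted on
# the way back, as seen in the healthy excerpt in the post.
REQUIRED = {
    "forward": {"snp_fp_encrypt"},
    "reverse": {"snp_fp_ipsec_tunnel_flow"},
}

# Assumption: every fast-path module name starts with snp_fp_ or snp_ifc_.
MODULE_RE = re.compile(r"\bsnp_(?:fp|ifc)_\w+")
FLOW_ID_RE = re.compile(r"Found flow with id (\d+)")
FWD_MARKER = "Module information for forward flow"
REV_MARKER = "Module information for reverse flow"


def parse_flow_modules(output):
    """Return the forward and reverse module lists of a FLOW-LOOKUP phase.

    Works on normal multi-line output and on output collapsed onto one line.
    """
    f = output.find(FWD_MARKER)
    r = output.find(REV_MARKER)
    if f < 0 or r < f:
        return {"forward": [], "reverse": []}
    forward = MODULE_RE.findall(output[f + len(FWD_MARKER):r])
    tail = output[r + len(REV_MARKER):]
    # Assumption: the reverse list ends where the next tracer phase begins.
    nxt = tail.find("Phase:")
    if nxt >= 0:
        tail = tail[:nxt]
    return {"forward": forward, "reverse": MODULE_RE.findall(tail)}


def audit_flow(output):
    """Report whether an existing flow will be encrypted and decrypted."""
    m = FLOW_ID_RE.search(output)
    modules = parse_flow_modules(output)
    missing = []
    for direction in ("forward", "reverse"):
        for mod in sorted(REQUIRED[direction] - set(modules[direction])):
            missing.append(f"{direction}:{mod}")
    return {
        "flow_id": m.group(1) if m else None,
        "encrypted": not missing,
        "missing": missing,
    }


# Constructed sample: flow created while the tunnel was up (healthy).
GOOD_OUTPUT = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Additional Information:
Found flow with id 437398285, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
"""

# Constructed sample: flow created while the tunnel was down (stale).
STALE_OUTPUT = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Additional Information:
Found flow with id 437401391, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
"""

if __name__ == "__main__":
    for label, out in (("tunnel up", GOOD_OUTPUT), ("tunnel was down", STALE_OUTPUT)):
        print(label, audit_flow(out))
```

Run it against the saved output of a packet-tracer run per monitored peer; any flow reported with `"encrypted": False` is one the ASA will keep forwarding in cleartext until that connection is torn down and rebuilt (for example with the ASA `clear conn` command for that peer, which I assume here as the usual way to force a fresh flow lookup).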