Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Firewall Behind ASA trying to establish a VPN - Not Working - Packets Altered

                   We are running into a really strange issue.  We have a Phoenix Contact MGuard firewall behind a Cisco ASA and it's trying to establish a VPN to another Phoenix MGuard halfway across the world and it's failing.  The logs on the MGuards say that the packet is being altered by a device and being discarded.  The odd thing is when I route the traffic via some Juniper Firewalls that we have, the same thing is not occuring, no alteration, everything is ok.  It seems to be based on the message that a checksum is being edited so the packet makes it to the other end but, the ASA is for some reason altering the packet.  I'm not even sure where to start on this one as the traffic is passing...  Right now, I'll keep it through the Juniper, just looking for some ideas...  The MGuard has a static NAT on the ASA...

5 REPLIES
New Member

Firewall Behind ASA trying to establish a VPN - Not Working - Pa

I took some packet captures before and after the ASA and it would appear that the ASA is altering the responder cookie in the initial ISAKMP packet...  Very very odd...

New Member

Firewall Behind ASA trying to establish a VPN - Not Working - Pa

I believe we are looking at some sort of odd bug. Have a TAC case open with Cisco...  Nadda...  It's definitly the ASA however, have rerouted the VPN through a Juniper Firewall and Fortinet, no issues, works without issue every time.  I'll keep this updated...

Firewall Behind ASA trying to establish a VPN - Not Working - Pa

Hello Richard,

Weird behavior, please keep us posted.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Bronze

Firewall Behind ASA trying to establish a VPN - Not Working - Pa

What code version?

What kind of inspection is configured?

New Member

Firewall Behind ASA trying to establish a VPN - Not Working - Pa

The firewall is running 8.2.5

I turned off the UDP IPSec helper and that helped improve issues, It's not about 7 minutes to a reconnection rather than 10 but, its still altering the reciever ID. Dosn't make any sense.  I'm not getting anything back from my TAC case either.  Not too worried as I'm more than willing to route around to my Juniper Firewalls but, it's very odd that this behavior is occuring with just the ASA's...  I'd like to figure it out.

policy-map global-default
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect icmp error
class class_netbios
  inspect netbios
policy-map global_default
class class-default
  set connection advanced-options mss-map
  set connection decrement-ttl
!

737
Views
0
Helpful
5
Replies
CreatePlease to create content