Cisco Bug: CSCuj51637 - ASA: Non-TCP management-access traffic fails over VPN w/ recursive route

Last Modified

Feb 22, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.0(2)

Description (partial)

Symptom:
Topology:

(inside)ASA1(outside)===VPN===(outside)ASA2(inside)---remote_subnets

When a host on a remote subnet tries to reach ASA1's management-access interface, or ASA1 sources traffic from its management-access interface toward a remote subnet, non-TCP traffic may be silently dropped by ASA1 if the route ASA1 matches for the remote subnet is recursive, i.e. the route's next hop is not in the directly connected subnet of the interface on which the VPN tunnel terminates.

For example:

ASA1 outside subnet = 10.83.83.0/24
ASA2 outside subnet = 10.84.84.0/24
Remote subnet = 192.168.1.0/24

If ASA1's route for 192.168.1.0/24 has a next hop of 10.84.84.1 (an address on ASA2's outside subnet rather than on ASA1's own directly connected outside subnet, 10.83.83.0/24), this issue will be seen.
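The following is an added example, not part of the Cisco bug text, that shows how to find the triggering condition in a configuration: a static route whose next hop does not lie inside the connected subnet of the interface the route points out of. It parses the standard ASA `ip address` and `route <nameif> <dest> <mask> <next-hop>` lines from a constructed sample config (the addresses mirror the topology above; the interface names and the inside/default routes are assumptions for illustration), and it is general: it flags any such route, not only the one covering the VPN remote subnet, so the operator still has to decide which flagged routes carry management-access traffic over a tunnel.

```python
"""Flag ASA static routes whose next hop is off the egress interface's subnet.

Constructed example; the config below is not from the bug page. Only the
'ip address A.B.C.D MASK', 'nameif' and 'route IF DEST MASK NEXTHOP' forms
are parsed, which is enough to spot the recursive-route condition.
"""
import ipaddress
import re

# Constructed sample running-config excerpt (assumed interface names).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 10.83.83.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
route outside 192.168.1.0 255.255.255.0 10.84.84.1
route outside 0.0.0.0 0.0.0.0 10.83.83.1
route inside 10.20.0.0 255.255.0.0 10.10.10.254
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} built from each 'interface' stanza.

    'nameif' and 'ip address' may appear in either order inside a stanza,
    so both are collected until the next 'interface' line closes it.
    """
    ifaces = {}
    name = addr = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name and addr:
                ifaces[name] = addr
            name = addr = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
    if name and addr:
        ifaces[name] = addr
    return ifaces


def parse_routes(config):
    """Return [(nameif, IPv4Network, IPv4Address)] for each static route."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            ifname, dest, mask, nexthop = m.groups()
            routes.append((ifname,
                           ipaddress.IPv4Network(f"{dest}/{mask}"),
                           ipaddress.IPv4Address(nexthop)))
    return routes


def find_recursive_routes(config):
    """Return [(nameif, dest, next_hop)] for routes whose next hop is not
    inside the connected subnet of the interface they point out of.

    A route pointing at an unknown interface is flagged too, since its
    next hop cannot be on a connected subnet the config describes.
    """
    ifaces = parse_interfaces(config)
    flagged = []
    for ifname, dest, nexthop in parse_routes(config):
        iface = ifaces.get(ifname)
        if iface is None or nexthop not in iface.network:
            flagged.append((ifname, str(dest), str(nexthop)))
    return flagged


if __name__ == "__main__":
    for ifname, dest, nexthop in find_recursive_routes(SAMPLE_CONFIG):
        print(f"recursive route: {dest} via {nexthop} out of '{ifname}'")
```

On the sample config only the route for 192.168.1.0/24 is reported, because its next hop 10.84.84.1 is not in the outside interface's 10.83.83.0/24; the default route via 10.83.83.1 and the inside route via 10.10.10.254 both have next hops on their egress subnets and pass.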

The following traffic is affected:

-Ping from remote subnet to ASA
-UDP syslogs from ASA to remote subnet
-NTP from ASA to remote subnet
-SNMP polls from remote subnet to ASA

The following traffic is not affected:

-SSH from remote subnet to ASA
-Telnet from remote subnet to ASA
-ASDM from remote subnet to ASA
-TCP syslogs from ASA to remote subnet

Conditions:
This issue affects ASAs running 8.4(3) or higher (including 9.x versions).