Cisco Bug: CSCuj51637 - ASA: Non-TCP management-access traffic fails over VPN w/ recursive route
Feb 22, 2018
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom:

Topology:

(inside)ASA1(outside)===VPN===(outside)ASA2(inside)---remote_subnets

When a remote subnet tries to access ASA1's management-access interface, or the ASA sources traffic from the management-access interface toward a remote subnet, non-TCP traffic may be silently dropped by ASA1 if the route it matches for the remote subnet is recursive (i.e. the next hop is not in the directly connected subnet of the interface where the VPN tunnel terminates).

For example:
- ASA1 outside subnet = 10.83.83.0/24
- ASA2 outside subnet = 10.84.84.0/24
- Remote subnet = 192.168.1.0/24

If ASA1's route for 192.168.1.0/24 has a next hop of 10.84.84.1, this issue will be seen.

The following traffic is affected:
- Ping from remote subnet to ASA
- UDP syslogs from ASA to remote subnet
- NTP from ASA to remote subnet
- SNMP polls from remote subnet to ASA

The following traffic is not affected:
- SSH from remote subnet to ASA
- Telnet from remote subnet to ASA
- ASDM from remote subnet to ASA
- TCP syslogs from ASA to remote subnet

Conditions: This issue affects ASAs running 8.4(3) or higher (including 9.x versions).
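The two conditions in the symptom text (the remote subnet's route is recursive, and the traffic is not TCP) can be checked against a routing table before relying on management-access traffic over the tunnel. The script below is an added example written for this page, not Cisco code and not something the ASA exposes; it models ASA1's routes with the example subnets quoted above, while the interface names, the inside subnet, the default route and the remaining entries are constructed assumptions. It performs a longest-prefix lookup for a remote host, tests whether the matching route's next hop lies outside the egress interface's connected subnet, and reports which management-access flows (ICMP, UDP syslog, NTP, SNMP) would be at risk.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (not taken from the bug page): ASA1's interface
# subnets and a small static routing table built around the example
# addresses quoted in the symptom text. Interface names, the inside subnet,
# and all routes other than 192.168.1.0/24 are assumptions.
INTERFACES = {
    "outside": ip_network("10.83.83.0/24"),
    "inside": ip_network("10.10.10.0/24"),
}

# (destination prefix, next hop, egress interface)
ROUTES = [
    ("0.0.0.0/0", "10.83.83.1", "outside"),        # default route, next hop on-link
    ("192.168.1.0/24", "10.84.84.1", "outside"),   # next hop is ASA2's outside address: recursive
    ("192.168.2.0/24", "10.83.83.254", "outside"), # next hop on the outside subnet: direct
    ("172.16.0.0/16", "10.10.10.1", "inside"),     # internal route, not carried over the VPN
]


def is_recursive(next_hop, egress_interface, interfaces=INTERFACES):
    """A route is recursive when its next hop does not lie in the directly
    connected subnet of the interface the route exits through."""
    return ip_address(next_hop) not in interfaces[egress_interface]


def lookup_route(destination, routes=ROUTES):
    """Longest-prefix match: return the (prefix, next_hop, interface) tuple
    for the most specific route covering `destination`, or None."""
    addr = ip_address(destination)
    best = None
    best_len = -1
    for prefix, next_hop, iface in routes:
        net = ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best = (prefix, next_hop, iface)
            best_len = net.prefixlen
    return best


def find_recursive_routes(routes=ROUTES, interfaces=INTERFACES):
    """List the destination prefixes whose routes are recursive; these are the
    remote subnets for which non-TCP management-access traffic is at risk."""
    return [prefix for prefix, next_hop, iface in routes
            if is_recursive(next_hop, iface, interfaces)]


def is_affected_flow(remote_host, protocol, routes=ROUTES, interfaces=INTERFACES):
    """Apply the bug's two conditions to one management-access flow: the
    remote host's matching route must be recursive and the protocol must not
    be TCP (ping, UDP syslog, NTP and SNMP are affected; SSH, Telnet, ASDM and
    TCP syslog are not)."""
    route = lookup_route(remote_host, routes)
    if route is None:
        return False  # no route at all is a different failure, not this bug
    _, next_hop, iface = route
    return protocol.lower() != "tcp" and is_recursive(next_hop, iface, interfaces)


if __name__ == "__main__":
    print("Recursive routes:", find_recursive_routes())
    for host, proto in [("192.168.1.50", "icmp"), ("192.168.1.50", "tcp"), ("192.168.2.5", "udp")]:
        state = "AFFECTED" if is_affected_flow(host, proto) else "ok"
        print(f"{proto.upper()} to/from {host}: {state}")
```

Running it flags only 192.168.1.0/24 as recursive, so ICMP and UDP flows to that subnet are reported as affected while TCP flows to the same hosts and any flows to 192.168.2.0/24 are not, matching the affected/not-affected lists in the symptom text. The same check can be fed with prefixes and next hops copied from a real routing table to find which remote sites would silently lose syslog, NTP or SNMP from the management-access interface.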