Guest

Preview Tool

Cisco Bug: CSCuw36853 - ASA: ICMP error loop on cluster CCL with Interface PAT

Last Modified

Feb 27, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.4(1.3) 9.5(1)

Description (partial)

Symptom:
Elevated CPU may be observed on 2 or more units of an ASA cluster. Packet captures on the cluster control link will show ICMP error packets looping continuously between the units displaying high CPU conditions.

Conditions:
1. ASA in Layer-2 cluster mode.
2. PAT configured.
3. ICMP error packet is received on a unit where that unit is the directory for embedded payload flow.
4. Embedded payload of the ICMP error packet matches an existing xlate entry but doesn't match any connections. The owner of the PAT address of the xlate is a different unit than the one where the packet is received.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.