Cisco Bug: CSCuw55535 - Port-security on switch is causing ASA module to set DNL/DIL bit

Last Modified

Jun 06, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.4

Description (partial)

Symptom:
Unable to reach destination when packets are routed via ASA.

When the ASA module does the routing and sends the packet back to the supervisor, the CPU places the packet back into the original VLAN. For example:
1. A packet enters port Gi2/1/1 in VLAN 33, which has port-security configured.
2. The packet is forwarded to the ASA module inside the Cat6k switch.
3. The ASA module routes the packet to VLAN 38 and sends it back to the Sup2T.
4. The Sup2T does not have the destination MAC in its MAC address table; instead of flooding the packet in VLAN 38, it sends the packet to the supervisor CPU.
5. The CPU receives the packet from VLAN 38, decrements the TTL, overwrites the L2 information and places it back into VLAN 33. The destination MAC is again the ASA MAC in VLAN 33. This creates a loop that continues until the TTL of that packet expires. (NetDR example below)


F340.07.02-6500-1# debug netdr capture destination-ip-address 2.2.2.2
F340.07.02-6500-1# show netdr captured-packets 

------- dump of incoming inband packet -------
l2idb Te1/2/3, l3idb NULL, routine inband_process_rx_packet, timestamp 14:14:17.967
dbus info: src_vlan 0x26(38), src_indx 0x42(66), len 0x76(118)
  bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x5FA9(24489), CoS 0
  cap1 0, cap2 0
  580200C0 00260000 00420000 76000000 0001046C 0E000004 00000010 5FA9683F 
destmac 00.18.BA.88.5F.C1, srcmac E8.B7.48.29.34.2C, ethertype 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 100, identifier 3727
  df 0, mf 0, fo 0, ttl 255, src 1.1.1.1, dst 2.2.2.2
    icmp type 8, code 0

------- dump of outgoing inband packet -------
l2idb NULL, l3idb Vl32, routine etsec_tx_pak, timestamp 14:14:17.967
dbus info: src_vlan 0x20(32), src_indx 0x380(896), len 0x82(130)
  bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x0(0), CoS 0
  cap1 0, cap2 0
  00020000 0020A800 03800000 82000000 00000000 00000000 00000000 00000000 
destmac E8.B7.48.29.34.2C, srcmac 00.17.0F.9D.2C.00, shim ethertype CCF0
earl 8 shim header IS present:
  version 0, control 0(0x0), lif 16391(0x4007), mark_enable 0,
  feature_index 0, group_id 0(0x0), acos 0(0x0),
  ttl 15, dti 0, dti_value 540704(0x84020)
  000800E0 0003C008 4020
ethertype 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 100, identifier 3727
  df 0, mf 0, fo 0, ttl 254, src 1.1.1.1, dst 2.2.2.2
    icmp type 8, code 0

Conditions:
For this bug to trigger, port-security needs to be configured on the interface via which packets enter the switch. Port-security on outgoing interfaces doesn't change much here.
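A small parser for the NetDR output above that flags the punt loop the symptom describes, as an added example that is not part of the Cisco bug record. The sample text is constructed from the two dumps shown here (trimmed to the fields parsed) plus one repeated punt of the same datagram with the TTL one lower, which is what the loop produces; the field regexes are assumptions based only on the output format shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the two inband dumps from the bug's NetDR output (trimmed to the
# fields parsed here) plus a second punt of the same datagram, TTL one lower, as the loop produces.
SAMPLE = """\
------- dump of incoming inband packet -------
dbus info: src_vlan 0x26(38), src_indx 0x42(66), len 0x76(118)
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 100, identifier 3727
  df 0, mf 0, fo 0, ttl 255, src 1.1.1.1, dst 2.2.2.2
------- dump of outgoing inband packet -------
dbus info: src_vlan 0x20(32), src_indx 0x380(896), len 0x82(130)
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 100, identifier 3727
  df 0, mf 0, fo 0, ttl 254, src 1.1.1.1, dst 2.2.2.2
------- dump of incoming inband packet -------
dbus info: src_vlan 0x26(38), src_indx 0x42(66), len 0x76(118)
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 100, identifier 3727
  df 0, mf 0, fo 0, ttl 254, src 1.1.1.1, dst 2.2.2.2
"""

DUMP_RE = re.compile(r"^------- dump of (incoming|outgoing) inband packet -------$", re.M)
VLAN_RE = re.compile(r"src_vlan 0x[0-9A-Fa-f]+\((\d+)\)")
IP_RE = re.compile(r"identifier (\d+)\s+df \d+, mf \d+, fo \d+, ttl (\d+), src (\S+), dst (\S+)")

def parse_netdr(text):
    """Return one dict per inband dump: direction, src_vlan, IP id, TTL, src, dst."""
    parts = DUMP_RE.split(text)      # [preamble, dir1, body1, dir2, body2, ...]
    records = []
    for direction, body in zip(parts[1::2], parts[2::2]):
        vlan = VLAN_RE.search(body)
        ip = IP_RE.search(body)      # anchored on "identifier", so the shim "ttl 15" never matches
        if not (vlan and ip):
            continue                 # non-IP or truncated dump: skip it
        records.append({"dir": direction, "vlan": int(vlan.group(1)), "id": int(ip.group(1)),
                        "ttl": int(ip.group(2)), "src": ip.group(3), "dst": ip.group(4)})
    return records

def find_punt_loops(records, min_punts=2):
    """Flag datagrams (src, dst, IP id) punted to the CPU repeatedly with a decreasing TTL."""
    punts = defaultdict(list)
    for r in records:
        if r["dir"] == "incoming":   # only CPU-bound punts count as loop iterations
            punts[(r["src"], r["dst"], r["id"])].append((r["vlan"], r["ttl"]))
    loops = {}
    for key, seen in punts.items():
        ttls = [t for _, t in seen]
        if len(seen) >= min_punts and all(a > b for a, b in zip(ttls, ttls[1:])):
            loops[key] = seen
    return loops
```

On a healthy path each datagram is punted at most once, so an empty result from find_punt_loops on a longer capture is the expected outcome.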