Cisco Bug: CSCvi96442 - Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master

Last Modified

Jun 13, 2018

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 9.6(4.5)
  • 9.8(2.26)

Description (partial)

Symptom:
When the incoming UDP/500 (IKE) and/or IPsec packets of a site-to-site VPN are hashed to a slave member, the slave drops them instead of redirecting them to the master (site-to-site VPN is a centralized feature, so only the master terminates the tunnel). The drop reason is:

Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool)



FW-01:*********************************************************

6 packets captured

   1: 14:48:30.808490       802.1Q vlan#900 P0 64.X.Y.133.500 > 64.X.Y.132.500:  udp 585 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule 
Additional Information:
MAC Access list
              
Phase: 3      
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 64.X.Y.132 using egress ifc  identity

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate   <<<<


The S2S VPN works correctly when the UDP/500 and IPsec packets are received by the master.

Conditions:
Spanned EtherChannel cluster terminating a site-to-site VPN.
Cluster running a release at or below 9.6(4.5) or 9.8(2.26).
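The following check is an added example and not part of the Cisco bug text. It confirms from the master's console whether the IKE and ESP packets of a given peer are being hashed to a slave unit and dropped with this reason. The interface name Outside is taken from the trace above; <peer-ip> and <local-ip> are placeholders for the real tunnel endpoints (the bug text anonymizes them as 64.X.Y.133 and 64.X.Y.132); the capture names S2S, S2S-ESP and DROP are assumptions.

```console
! Added example, not from the bug text. Run on the cluster master.
! <peer-ip> = remote IKE peer, <local-ip> = this cluster's VPN address.

! 1. Identify the master. S2S VPN is centralized, so the tunnel must terminate there.
show cluster info

! 2. Capture IKE (UDP/500) and ESP from the peer on every unit, with trace so
!    the packet-tracer phases are recorded for each captured packet.
cluster exec capture S2S interface Outside match udp host <peer-ip> host <local-ip> eq 500 trace
cluster exec capture S2S-ESP interface Outside match esp host <peer-ip> host <local-ip> trace

! 3. See which unit actually received the packets. Packets that appear only in a
!    slave's capture, never in the master's, show the hashing described above.
cluster exec show capture S2S
cluster exec show capture S2S-ESP

! 4. Read the trace of the first packet on each unit. On an affected release the
!    slave's trace ends with
!    "Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate"
!    while the master's trace shows the packet being handled.
cluster exec show capture S2S packet-number 1 trace

! 5. Corroborate with the ASP drop counter for this reason and, if needed, an
!    asp-drop capture limited to it. If this bug is the cause, the count rises on
!    the slave that received the packets and stays flat on the master.
cluster exec show asp drop frame nat-no-xlate-to-pat-pool
cluster exec capture DROP type asp-drop nat-no-xlate-to-pat-pool
cluster exec show capture DROP

! 6. Remove the captures when done.
cluster exec no capture S2S
cluster exec no capture S2S-ESP
cluster exec no capture DROP
```

The ESP capture is included because IKE alone may succeed if the IKE packet happens to hash to the master while the data-plane ESP packets hash elsewhere; checking both flows tells you whether the tunnel or only its traffic is affected.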