Cisco Bug: CSCvs24254 - L2 cluster unit rejoin/leave causes FTD/LINA to send a TCP RESET.

Last Modified

Apr 14, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

101.5(1.37) 9.12(2.212)

Description (partial)

4-unit FTD cluster.
  Client (north 210.x.x.x) >>>>> Capture point ——> (123) L3 switch >>>>> (124) ASR9K edge >>>> L2 FIREWALL CLUSTER >>>>>> (125) ASR9K Core >>>>> (126) ASR9K DC ————> (127) L3 SWITCH >>>>>>>> SERVER (110.X.X.X) (128)
Above is a rough topology; the FWs are in L2 transparent mode.
The client is Avalanche on the ecom-north interface and the server is Avalanche on the other side, on ecom-south.
Whenever a unit leaves the cluster due to an interface failure or chassis shutdown, we see a few TCP resets out of 500 or 1000 connections.
We captured the reason below:
Nov 22 2019 14:12:50: %FTD-6-302014: Teardown TCP connection 4603106 for ecom-north: to ecom-south: duration 0:02:43 bytes 38774 TCP Reset-O from ecom-north
But this packet shows a TTL of 253 and is sent to the client. All other packets show 123, which means the packet originated from the server and passed through those hops; that is why you see 128, 127, 126 etc. in brackets in the topology above.
Also, this packet doesn't show up in the capture on the ECOM-SOUTH interface, only on ECOM-NORTH. This indicates that it originated either from the FTD or from the ASR9K Core, but the customer is adamant it cannot be the ASR9K Core.
The trace has a limitation and does not work on these packets. Traffic is high, and by the time we receive the captures the buffers are already heavily loaded.
The log above is seen when the RST packet with TTL 253 is received by the client: the client then sends an RST/ACK of its own, which we see on ecom-north as well as ecom-south.

firepower# cluster exec show capture ecom-north | inc R

500: 15:06:02.996240 802.1Q vlan#126 P0 > R 2042236519:2042236519(0) ack 2301831690 win 32768

69: 15:05:43.936886 802.1Q vlan#126 P0 > R 2301833070:2301833070(0) ack 2042236519 win 32768 >>>>> RESET WITH TTL 255, screenshot attached.
74: 15:05:44.285187 802.1Q vlan#126 P0 > R 2078313984:2078313984(0) ack 1856952795 win 32768
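The TTL reasoning in the description (server packets arrive at the capture point with TTL 123, while the stray RST arrives with TTL 253) can be automated over a parsed capture. The following Python is an added example and is not code from the bug record or from Cisco: it learns a per-direction baseline TTL from the non-RST packets of each flow, flags RST packets whose TTL deviates from that baseline, estimates each packet's hop distance from the capture point using the nearest common initial TTL (64, 128 or 255), and parses the %FTD-6-302014 teardown message to extract the connection id and the Reset-I/Reset-O side. The packet records, the 210.0.0.10 / 110.0.0.10 addresses and the function names are constructed for the example; the syslog line is the one quoted in the description.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Initial TTL values commonly used by hosts and network devices (assumption:
# the origin used one of these).  Hop distance from the capture point is the
# smallest of these that is >= the observed TTL, minus the observed TTL.
INITIAL_TTLS = (64, 128, 255)


@dataclass
class Packet:
    ts: str      # capture timestamp
    src: str     # source IP as seen at the capture point
    dst: str     # destination IP
    flags: str   # tcpdump-style TCP flags, e.g. "S.", ".", "P.", "R", "R."
    ttl: int     # IP TTL as seen at the capture point


def estimate_hops(ttl: int) -> Optional[int]:
    """Estimate how many routers the packet crossed before the capture point."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None  # TTL above 255 cannot occur in a valid IPv4 packet


def find_anomalous_resets(packets, tolerance: int = 0):
    """Return RST packets whose TTL does not match the baseline TTL learned from
    the non-RST packets flowing in the same direction (src -> dst).  A mismatch
    means the RST was emitted somewhere other than the flow's real endpoint."""
    baseline = {}
    for p in packets:
        if "R" not in p.flags:
            baseline.setdefault((p.src, p.dst), p.ttl)  # first normal packet wins
    findings = []
    for p in packets:
        if "R" not in p.flags:
            continue
        expected = baseline.get((p.src, p.dst))
        if expected is None or abs(p.ttl - expected) <= tolerance:
            continue
        findings.append({
            "ts": p.ts,
            "src": p.src,
            "dst": p.dst,
            "observed_ttl": p.ttl,
            "expected_ttl": expected,
            "rst_hops_from_capture": estimate_hops(p.ttl),
            "endpoint_hops_from_capture": estimate_hops(expected),
        })
    return findings


# ASA/FTD 302014 teardown message; the host part after each interface name may
# be empty, as in the redacted line from the bug description.
TEARDOWN_RE = re.compile(
    r"%FTD-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<in_if>[^:]*):(?P<in_host>\S*) to (?P<out_if>[^:]*):(?P<out_host>\S*) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_teardown(line: str):
    """Parse a 302014 teardown line; report which side sent the reset, if any."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    reason = m.group("reason")
    side = re.match(r"TCP Reset-(?P<side>[IO])", reason)
    return {
        "conn": int(m.group("conn")),
        "in_if": m.group("in_if"),
        "out_if": m.group("out_if"),
        "duration": m.group("duration"),
        "bytes": int(m.group("bytes")),
        "reason": reason,
        "reset_from": {"I": "inside", "O": "outside"}[side.group("side")] if side else None,
    }


# Constructed sample capture mirroring the description: server traffic reaches
# the capture point with TTL 123, then an RST "from the server" shows TTL 253.
SAMPLE_PACKETS = [
    Packet("15:05:40.000100", "110.0.0.10", "210.0.0.10", "S.", 123),
    Packet("15:05:40.000200", "210.0.0.10", "110.0.0.10", ".", 62),
    Packet("15:05:41.120000", "110.0.0.10", "210.0.0.10", "P.", 123),
    Packet("15:05:43.936886", "110.0.0.10", "210.0.0.10", "R", 253),
    Packet("15:05:44.000000", "210.0.0.10", "110.0.0.10", "R.", 62),
]

# Syslog line quoted in the bug description.
SAMPLE_SYSLOG = ("Nov 22 2019 14:12:50: %FTD-6-302014: Teardown TCP connection 4603106 "
                 "for ecom-north: to ecom-south: duration 0:02:43 bytes 38774 "
                 "TCP Reset-O from ecom-north")

if __name__ == "__main__":
    for f in find_anomalous_resets(SAMPLE_PACKETS):
        print(f)
    print(parse_teardown(SAMPLE_SYSLOG))
```

On the sample capture the only finding is the TTL-253 reset: its estimated distance from the capture point is 2 hops (255 - 253), whereas the server's real packets are 5 hops away (128 - 123), which matches the 128..123 numbering in the topology. The client's own RST/ACK keeps its normal TTL and is not flagged, so the two resets in the log can be told apart.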

4-unit FTD 9300 cluster: when a unit rejoins or leaves the cluster, a TCP reset is seen coming from the FW.