Cisco Bug: CSCvv49092 - DOC: Packet tracer may not correctly trace the lifespan of a packet in datapath

Last Modified

Sep 23, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(3) 9.12(4) 9.14(1) 9.8(4)

Description (partial)

Symptom:
There are certain cases when the trace of the lifespan of an injected (virtual) packet in a datapath does not match the actual behavior of the datapath when processing a physical packet.

Consider the following scenario:

For host 198.51.100.1 there are 2 NAT definitions: 1 dynamic NAT in the manual NAT section and 1 object NAT in the auto NAT section:

# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic host-198.51.100.1 host-192.0.2.200
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.200/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static host-198.51.100.1 host-192.0.2.100
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.100/32

ICMP error inspection is enabled:

# show run policy-map   | i icmp
  inspect icmp
  inspect icmp error
Assume that a host located on the outside network tries to access the host 192.0.2.200 using its mapped IP address 192.0.2.100 and port 443, which is not bound to any service. In this case, the host's operating system typically returns an ICMP Type 3 Code 3 (Port Unreachable) message to the source host.

ASA1# show capture  capi

2 packets captured

   1: 15:59:55.431175       192.0.2.1.50927 > 198.51.100.1.1234:  udp 1
   2: 15:59:55.431404       198.51.100.1 > 192.0.2.1 icmp: 198.51.100.1 udp port 1234 unreachable <----- ICMP Type 3 Code 3 
2 packets shown
KSEC-ASA5585-60-1# show capture  capo

2 packets captured

   1: 15:59:55.431023       802.1Q vlan#203 P0 192.0.2.1.50927 > 192.0.2.100.1234:  udp 1
   2: 15:59:55.431511       802.1Q vlan#203 P0 192.0.2.100 > 192.0.2.1 icmp: 192.0.2.100 udp port 1234 unreachable <----- ICMP Type 3 Code 3 with translated IP addresses according to the object NAT in the auto NAT section.
2 packets shown

Trace of the forward flow 192.0.2.1.50927 > 198.51.100.1.1234 (only NAT phase is shown):

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network host-198.51.100.1
 nat (inside,outside) static host-192.0.2.100
Additional Information:
NAT divert to egress interface inside
Untranslate 192.0.2.100/1234 to 198.51.100.1/1234

Trace of the reverse flow 198.51.100.1 > 192.0.2.1 icmp: 198.51.100.1 udp port 1234 unreachable (only NAT phase is shown):

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic host-198.51.100.1 host-192.0.2.200
Additional Information:

As seen above, the packet-tracer reports the dynamic (manual NAT, Section 1) entry as the matching NAT rule for the reverse flow, whereas the captures show that the IP addresses of the actual ICMP packet were translated according to the object NAT rule in the auto NAT section (Section 2).
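As an added example (not code from the bug report or from Cisco's tooling), the following script cross-checks a packet-tracer NAT phase against what a capture actually shows: it parses the `show nat detail` rules, takes the outer source address of the ICMP error seen on the outside capture to determine which rule really rewrote the packet, and flags the tracer when its Config line names a different mapped address. The sample strings are constructed from the outputs quoted above.

```python
import re

# Constructed from the `show nat detail` output quoted in the bug report
SHOW_NAT_DETAIL = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic host-198.51.100.1 host-192.0.2.200
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.200/32
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static host-198.51.100.1 host-192.0.2.100
    Source - Origin: 198.51.100.1/32, Translated: 192.0.2.100/32
"""
# Constructed: the ICMP Port Unreachable as seen on the outside capture (capo)
CAPO_ICMP_LINE = "2: 15:59:55.431511 802.1Q vlan#203 P0 192.0.2.100 > 192.0.2.1 icmp: 192.0.2.100 udp port 1234 unreachable"
# Constructed: the Config line of the packet-tracer NAT phase for the reverse flow
TRACER_NAT_CONFIG = "nat (inside,outside) source dynamic host-198.51.100.1 host-192.0.2.200"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_nat_rules(text):
    """Parse `show nat detail` into dicts with section, type, origin and translated IP."""
    rules, section, kind = [], None, None
    for line in text.splitlines():
        m = re.match(r"(?:Manual|Auto) NAT Policies \(Section (\d)\)", line)
        if m:
            section = int(m.group(1))
        m = re.search(r"source (dynamic|static) ", line)
        if m:
            kind = m.group(1)
        m = re.search(r"Origin: " + IP + r"/\d+, Translated: " + IP + r"/\d+", line)
        if m:
            rules.append({"section": section, "type": kind, "origin": m.group(1), "translated": m.group(2)})
    return rules

def icmp_error_outer_src(capture_line):
    """Outer source IP of an ICMP error in capture output, i.e. the address after NAT."""
    m = re.search(IP + r" > " + IP + r" icmp:", capture_line)
    return m.group(1) if m else None

def tracer_translated_ip(config_line):
    """Mapped IP named by a packet-tracer NAT phase Config line (manual or object NAT form)."""
    hosts = re.findall(r"host-" + IP, config_line)
    return hosts[-1] if hosts else None  # the mapped object is listed last in both forms

def tracer_matches_capture(rules, config_line, capture_line):
    """Return (ok, rule actually applied on the wire, mapped IP claimed by the tracer)."""
    seen_ip = icmp_error_outer_src(capture_line)
    applied = next((r for r in rules if r["translated"] == seen_ip), None)
    claimed = tracer_translated_ip(config_line)
    return (applied is not None and applied["translated"] == claimed), applied, claimed

if __name__ == "__main__":
    print(tracer_matches_capture(parse_nat_rules(SHOW_NAT_DETAIL), TRACER_NAT_CONFIG, CAPO_ICMP_LINE))
```

For the page's scenario the check returns False with the Section 2 static rule as the one actually applied, which is the mismatch the bug describes; feeding it the object NAT Config line instead returns True.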

Conditions:
There are no specific conditions as the behavior of the packet-tracer depends on the software version, configuration, and type of injected virtual packets.

The conditions for the case described in the Symptoms section are:

- There are at least 2 NAT statements for the same host.

- Forward and reverse flows of a connection have different protocols. For example, forward flow is UDP or TCP, reverse flow is ICMP.

- ICMP error inspection is enabled.