Issue
Traffic is sent out from the ASA unencrypted.
Cause
This can be caused by a duplicate (stale) ASP crypto table entry, which prevents the ASA from encrypting any traffic destined for the remote host. Two commands show this behaviour:
fw-asa(config)# show ipsec stat | grep Missing SA failures
fw-asa(config)# show asp table classify crypto
Below is an example of the output of 'show asp table classify crypto'. Note the two entries with identical src/dst selectors and the same cs_id: the second one (id=0xd1592dd0) has hits=0 and is the stale duplicate.
fw-asa(config)# show asp table classify crypto
Interface outside:
!
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
Note: Details of this bug can also be viewed within CSCsd48512 (Duplicate ASP crypto table entry causes firewall to not encrypt traffic).
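To spot this condition on a firewall with many tunnels, the following script (an added example, not from the original post or from Cisco) parses saved 'show asp table classify crypto' output and flags encrypt-domain entries that share an interface, direction and src/dst selector; within each duplicate group the zero-hit entry is reported as the likely stale one. The sample output embedded in the script is constructed from the two entries shown above, and the regular expressions assume the field layout seen in that output.

```python
import re
from collections import defaultdict

# Constructed sample input (editor's example, reproduced from the two
# 'outside' encrypt-domain entries shown in the post, not a live capture).
SAMPLE_OUTPUT = """\
Interface outside:
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
        hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
"""

# Field layout assumed from the output above.
IFACE_RE = re.compile(r"^Interface (\S+):$")
ENTRY_RE = re.compile(
    r"^(?P<dir>in|out)\s+id=(?P<id>0x[0-9a-f]+),\s*priority=(?P<prio>\d+),"
    r"\s*domain=(?P<domain>[\w-]+),\s*deny=(?P<deny>true|false)"
)
HITS_RE = re.compile(r"hits=(?P<hits>\d+),.*?cs_id=(?P<cs_id>0x[0-9a-f]+)")
SEL_RE = re.compile(
    r"^(?P<which>src|dst) ip=(?P<ip>[\d.]+),\s*mask=(?P<mask>[\d.]+),\s*port=(?P<port>\d+)"
)


def parse_asp_crypto(text):
    """Return one dict per 'in'/'out' entry, tagged with the interface it belongs to."""
    entries = []
    iface = None
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            cur = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = {
                "interface": iface,
                "direction": m["dir"],
                "id": m["id"],
                "priority": int(m["prio"]),
                "domain": m["domain"],
                "deny": m["deny"] == "true",
            }
            entries.append(cur)
            continue
        if cur is None:
            continue  # header or separator text outside any entry
        m = HITS_RE.search(line)
        if m:
            cur["hits"] = int(m["hits"])
            cur["cs_id"] = m["cs_id"]
            continue
        m = SEL_RE.match(line)
        if m:
            cur[m["which"]] = (m["ip"], m["mask"], int(m["port"]))
    return entries


def find_duplicates(entries):
    """Group encrypt-domain entries by (interface, direction, src, dst) and
    return only the groups holding more than one entry."""
    groups = defaultdict(list)
    for e in entries:
        if e["domain"] != "encrypt" or "src" not in e or "dst" not in e:
            continue
        groups[(e["interface"], e["direction"], e["src"], e["dst"])].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def stale_entries(duplicates):
    """Within each duplicate group, report the zero-hit entries as stale when
    another entry in the same group is still taking hits."""
    stale = []
    for group in duplicates.values():
        if any(e.get("hits", 0) > 0 for e in group):
            stale.extend(e for e in group if e.get("hits", 0) == 0)
    return stale


if __name__ == "__main__":
    dups = find_duplicates(parse_asp_crypto(SAMPLE_OUTPUT))
    for (iface, direction, src, dst), group in dups.items():
        ids = ", ".join(e["id"] for e in group)
        print(f"{iface} {direction} {src[0]}/{src[1]} -> {dst[0]}/{dst[1]}: "
              f"{len(group)} entries ({ids})")
    for e in stale_entries(dups):
        print(f"  stale: id={e['id']} hits={e['hits']} cs_id={e['cs_id']}")
```

Run it against output captured from the real device (for example, piped from a terminal log) rather than the embedded sample; a group with two ids and one zero-hit member is the signature described above, and 'show ipsec stat | grep Missing SA failures' climbing at the same time confirms the diagnosis.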
Solution
There are 2 solutions to this issue:
- Reboot the firewall, which rebuilds the ASP table and clears the stale entry.
- Upgrade the firewall to a release containing the fix: 7.0(4.13), 7.2(0.46), 7.1(2.1), 7.0(5), 7.2(1) or 8.0(0.1).