Cisco ASA 5525-X Adaptive Security Appliance - No Payload Encryption Troubleshooting Guide

UDP Traffic through ASA Fails after Primary ISP Link Comes Back Online in a Dual ISP Setup
Document ID: 113592
Contributed by Sundar Sreenivasan, Cisco TAC Engineer.
Jul 05, 2012
Contents
Introduction
Before You Begin
    Requirements
    Components Used
    Conventions
Problem
    Solution
Related Information
Introduction
If an Adaptive Security Appliance (ASA) has two possible egress interfaces for a destination subnet and the
preferred route to that destination is removed from the routing table for some time, User Datagram Protocol
(UDP) connections can fail when the preferred route is re-added to the routing table. TCP connections might
also be affected, but because TCP detects packet loss, the endpoints tear those connections down automatically
and rebuild them over the better route once the routing table changes; UDP has no such mechanism, so the
existing UDP connections keep failing.
This problem can also be seen when a routing protocol is in use and a topology change triggers a change in the
routing table on the ASA.
Before You Begin
Requirements
In order to encounter this problem, the ASA's routing table must change. This is common with dual ISP links
deployed redundantly, or when the ASA learns routes via an IGP (OSPF, EIGRP, RIP).
The issue occurs when the primary ISP link comes back online, or when the IGP reconverges, so that the less
preferred route the ASA was using is replaced by the preferred, lower-metric route. Long-lived connections,
such as UDP SIP registrations, GRE, and similar traffic, then fail once the primary or preferred route is
re-installed into the ASA's routing table.
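The following is an added illustration, not code from this document or from Cisco: a small Python model of what the Introduction and Requirements sections describe. It assumes (as a modelling simplification, not a statement about ASA internals) that each connection-table entry remembers the egress interface chosen when it was built, and that a route lookup prefers the longest prefix and then the lowest metric. The interface names, addresses and the two default routes are constructed sample data. Running the dual-ISP scenario shows why a UDP SIP registration built while the backup route was active is left pointing at the wrong interface after the primary route returns, while a TCP flow recovers once its endpoints rebuild it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int           # lower wins among routes of equal prefix length


@dataclass
class Conn:
    proto: str
    src: str
    dst: str
    egress: str           # interface selected when the connection was built


class RoutingModel:
    """Toy model of a routing table plus a connection table whose entries keep
    the egress interface chosen at build time (a modelling assumption that
    mirrors the behaviour the document describes; this is not ASA code)."""

    def __init__(self):
        self.routes = []
        self.conns = []

    def add_route(self, prefix, interface, metric):
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, metric))

    def withdraw_routes(self, interface):
        # e.g. a tracked static route removed when an ISP link goes down
        self.routes = [r for r in self.routes if r.interface != interface]

    def egress_for(self, dst):
        """Longest-prefix match, then lowest metric; None if unroutable."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r.prefix]
        if not matches:
            return None
        best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))
        return best.interface

    def open_conn(self, proto, src, dst):
        egress = self.egress_for(dst)
        if egress is None:
            raise ValueError(f"no route to {dst}")
        conn = Conn(proto, src, dst, egress)
        self.conns.append(conn)
        return conn

    def stale_conns(self):
        """Connections whose stored egress no longer matches the current route."""
        return [c for c in self.conns if self.egress_for(c.dst) != c.egress]

    def endpoint_rebuild(self, conn):
        """What TCP endpoints do on their own after detecting loss: tear the
        connection down and re-open it over whatever route is current now."""
        self.conns.remove(conn)
        return self.open_conn(conn.proto, conn.src, conn.dst)


def dual_isp_scenario():
    m = RoutingModel()
    # constructed sample topology: two default routes, backup has the higher metric
    m.add_route("0.0.0.0/0", "outside-primary", 1)
    m.add_route("0.0.0.0/0", "outside-backup", 254)

    m.withdraw_routes("outside-primary")                    # primary ISP link goes down
    sip = m.open_conn("udp", "10.1.1.20", "203.0.113.10")   # constructed SIP registration
    web = m.open_conn("tcp", "10.1.1.30", "198.51.100.5")   # constructed TCP session

    m.add_route("0.0.0.0/0", "outside-primary", 1)          # primary link comes back online
    stale_before = [c.proto for c in m.stale_conns()]       # both flows now mismatch

    web = m.endpoint_rebuild(web)                           # TCP endpoints recover by themselves
    stale_after = [c.proto for c in m.stale_conns()]        # only the UDP flow is left behind

    return {
        "sip_egress": sip.egress,                  # still outside-backup
        "current_egress": m.egress_for(sip.dst),   # routing table now says outside-primary
        "stale_before": stale_before,
        "stale_after": stale_after,
        "web_egress": web.egress,
    }


if __name__ == "__main__":
    print(dual_isp_scenario())
```

The `stale_conns` check is the part worth keeping in mind operationally: after any routing change, the connections to look at first are the long-lived UDP ones whose egress interface no longer agrees with the current route, since nothing on the endpoints will tear them down for you.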
Components Used
The information in this document is based on these hardware and software versions:
• Any Cisco ASA 5500 Series Adaptive Security Appliance
• ASA versions 8.2(5), 8.3(2)12, 8.4(1)1, 8.5(1) and later