...
Packets that traverse cascading contexts in the Adaptive Security Appliance (ASA) software are dropped in the gateway context because of an incorrect MAC address rewrite. In the following example there are two contexts, c1 and c2, each with an inside and an outside interface. Context c2 is the gateway context: the IP address of its inside interface is the default route for context c1.

Network------inside [context c1] outside ----inside [context c2] outside------Network

asa/c1# show ip
System IP Addresses:
Interface    Name     IP address     Subnet mask     Method
Ethernet1/2  inside   192.0.2.55     255.255.255.0   CONFIG
Ethernet1/3  outside  203.0.113.55   255.255.255.0   CONFIG
..
asa/c1# show route
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1   <---- INSIDE IP in context c2

asa/c2# show ip
System IP Addresses:
Interface    Name     IP address      Subnet mask     Method
Ethernet1/3  inside   203.0.113.254   255.255.255.0   CONFIG
Ethernet1/4  outside  198.51.100.55   255.255.255.0   CONFIG
...
asa/c2# show route
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1

In this case the ICMP traffic was generated through the ASA. When the packets of the return flow are received on the outside interface of the gateway context c2, they are dropped and syslog message 106014 is generated:

Nov 19 2022 21:24:43: %ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.100/0 gaddr 192.0.2.100/21 laddr 192.0.2.100/21 type 8 code 0
Nov 19 2022 21:24:43: %ASA-3-106014: Deny inbound icmp src inside:198.51.100.100 dst inside:192.0.2.100 (type 0, code 0)

The trace of the packet (some parts are skipped for brevity):

asa/c2(config)# show cap capo packet-number 2 trace
10 packets captured
   2: 21:24:43.047315 198.51.100.100 > 192.0.2.100 icmp: echo reply
...
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 2440 ns
Config:
Additional Information:
Found flow with id 207, using existing flow
...
Phase: 6
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 4880 ns
Config:
Additional Information:
Found next-hop 203.0.113.55 using egress ifc inside

Phase: 7
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 2765 ns
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Time Taken: 37413 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055884b1e2a9e flow (NA)/NA

Although the packet is dropped in the Accelerated Security Path (ASP), it is visible in the inside interface capture, but with incorrect MAC addresses:

asa/c2(config)# show cap capi detail packet-number 1
10 packets captured
   1: 21:24:43.046796 a21f.0000.000a a21f.0000.0016 0x0800 Length: 98   <------- ICMP ECHO: SMAC=c1 outside MAC, DMAC=c2 inside MAC
      192.0.2.100 > 198.51.100.100 icmp: echo request (DF) (ttl 64, id 47065)
1 packet shown

asa/c2(config)# show cap capi detail packet-number 2
10 packets captured
   2: 21:24:43.047360 0050.569d.e750 a21f.0000.0014 0x0800 Length: 98   <------- ICMP REPLY: SMAC=server MAC, DMAC=c2 outside MAC. This is incorrect; it should be SMAC=c2 inside MAC, DMAC=c1 outside MAC
      198.51.100.100 > 192.0.2.100 icmp: echo reply (ttl 64, id 12451)
1 packet shown
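To make the symptom above checkable from collected output rather than by eye, here is an added Python example (not part of the bug description, not Cisco code) that parses the frame header lines of a "show cap capi detail" capture and the ASA syslog lines, then flags (a) frames on the c2 inside capture whose source/destination MAC pair is not one of the two legitimate directions of the c1-outside to c2-inside link, and (b) 106014 denies whose src and dst interface carry the same name, which is the pattern the description shows for the dropped return flow. The MAC values and log lines are copied from the description above; the mapping of MACs to context interfaces is an assumption taken from the annotations in the capture output, and on a real device it should be read from "show interface" in each context.

```python
import re

# Constructed sample input for this added example: the two frames from the
# "show cap capi detail" output and the two syslog lines quoted in the bug
# description. Values are copied from the page, not taken from a live device.
CAPTURE_LINES = [
    "1: 21:24:43.046796 a21f.0000.000a a21f.0000.0016 0x0800 Length: 98",
    "2: 21:24:43.047360 0050.569d.e750 a21f.0000.0014 0x0800 Length: 98",
]
SYSLOG_LINES = [
    "Nov 19 2022 21:24:43: %ASA-6-302020: Built outbound ICMP connection for "
    "faddr 198.51.100.100/0 gaddr 192.0.2.100/21 laddr 192.0.2.100/21 type 8 code 0",
    "Nov 19 2022 21:24:43: %ASA-3-106014: Deny inbound icmp src inside:198.51.100.100 "
    "dst inside:192.0.2.100 (type 0, code 0)",
]

# Interface MACs as annotated in the bug description (assumed mapping; on a
# real device take them from "show interface" in each context).
C1_OUTSIDE_MAC = "a21f.0000.000a"
C2_INSIDE_MAC = "a21f.0000.0016"

# On the c2 inside capture the only legitimate (SMAC, DMAC) pairs are the two
# directions of the c1-outside <-> c2-inside link.
EXPECTED_PAIRS = {
    (C1_OUTSIDE_MAC, C2_INSIDE_MAC),  # packets from c1 towards c2
    (C2_INSIDE_MAC, C1_OUTSIDE_MAC),  # return packets c2 forwards back to c1
}

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
CAPTURE_RE = re.compile(rf"^\s*(\d+):\s+\S+\s+({MAC})\s+({MAC})\s+0x([0-9a-f]{{4}})")
DENY_RE = re.compile(r"%ASA-\d-106014: Deny inbound (\w+) src (\w+):(\S+) dst (\w+):(\S+)")


def parse_capture(lines):
    """Parse 'show cap ... detail' frame header lines into dicts."""
    frames = []
    for line in lines:
        m = CAPTURE_RE.match(line)
        if m:
            frames.append({
                "num": int(m.group(1)),
                "smac": m.group(2),
                "dmac": m.group(3),
                "ethertype": m.group(4),
            })
    return frames


def find_bad_mac_rewrites(frames, expected_pairs=EXPECTED_PAIRS):
    """Return frames whose (SMAC, DMAC) is not an expected pair for the
    captured interface, i.e. frames the gateway context rewrote incorrectly."""
    return [f for f in frames if (f["smac"], f["dmac"]) not in expected_pairs]


def find_same_interface_denies(lines):
    """Return 106014 denies whose src and dst interface names are identical,
    the pattern the bug description shows for the dropped return flow."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and m.group(2) == m.group(4):
            hits.append({
                "proto": m.group(1),
                "src_ifc": m.group(2), "src": m.group(3),
                "dst_ifc": m.group(4), "dst": m.group(5),
            })
    return hits


if __name__ == "__main__":
    for f in find_bad_mac_rewrites(parse_capture(CAPTURE_LINES)):
        print(f"frame {f['num']}: unexpected MAC pair {f['smac']} -> {f['dmac']}")
    for d in find_same_interface_denies(SYSLOG_LINES):
        print(f"106014 {d['proto']} {d['src_ifc']}:{d['src']} -> {d['dst_ifc']}:{d['dst']}")
```

Run against the sample input, the script reports only frame 2 (the echo reply carrying the server MAC and the c2 outside MAC) and the single 106014 deny with inside as both src and dst interface. Feeding it the capture and syslog output of an upgraded unit gives a quick yes/no on whether this defect is in play before opening a case.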
All conditions must match:
1. ASA in multi-context mode with cascading contexts in routed mode.
2. Software upgrade to version 9.18.x or later.
None.
Symptoms of this defect are not observed in versions 9.17.x or earlier.