FTD/ASA dropping GRE traffic from WSA with a NAT failure

After applying an ASP drop capture on the FTD/ASA, we confirmed the following drops of WSA traffic:

ftd# show cap ASP | i x.x.x.x
1: 17:49:15.395441 x.x.x.x > y.y.y.y: gre: gre-proto-0x883E Drop-reason: (nat-xlate-failed) NAT failed, Drop-location: frame 0x00005634e47db0d5 flow (NA)/NA
3: 17:49:15.496220 x.x.x.x > y.y.y.y: gre: gre-proto-0x883E Drop-reason: (nat-xlate-failed) NAT failed, Drop-location: frame 0x00005634e47db0d5 flow (NA)/NA
7: 17:49:16.127617 x.x.x.x > y.y.y.y: gre: gre-proto-0x883E Drop-reason: (nat-xlate-failed) NAT failed, Drop-location: frame 0x00005634e47db0d5 flow (NA)/NA

After applying a capture with trace on the inside interface of the ASA/FTD, we confirmed the following drop:

ftd# show cap capin
259 packets captured
1: 18:21:21.484151 y.y.y.y > x.x.x.x: gre: gre-proto-0x883E
2: 18:21:21.484212 x.x.x.x > y.y.y.y: gre: gre-proto-0x883E

ftd# show cap capin trace packet-number 2 detail
528 packets captured
2: 18:21:21.484212 cc7f.7651.da1f f80f.6fa7.89ee 0x0800 Length: 94
x.x.x.x > y.y.y.y: gre: gre-proto-0x883E (ttl 29, id 59236)

Phase: 4
Type: WCCP-REDIRECT
Subtype:
Result: ALLOW
Elapsed time: 3191 ns
Config:
Additional Information:

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 3191 ns
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 3191 ns
Config:
object network IPv4-Private-10.0.0.0-8
 nat (inside,outside) dynamic interface
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 3191 ns
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 3191 ns
Config:
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Time Taken: 26150 ns
Drop-reason: (nat-xlate-failed) NAT failed, Drop-location: frame 0x00005634e47db0d5 flow (NA)/NA

Where x.x.x.x is the IP address of the WSA and y.y.y.y is the IP address of the outside interface of the FTD, which is taken as the Router ID for the WCCP service.
FTD v7.2.4 configured with WCCP, and the WSA with a bypass filter for the affected traffic in place.
1. Remove the affected flows from the WSA bypass filter list.

OR

2. Configure a no-NAT (identity twice NAT) rule in the FTD/ASA matching the affected GRE flows, as follows:

nat (inside,outside) source static x.x.x.x x.x.x.x destination static y.y.y.y y.y.y.y no-proxy-arp route-lookup

NOTE: x.x.x.x corresponds to the IP address of the WSA/WCCP appliance and y.y.y.y corresponds to the IP address of the WCCP router ID (which is the highest IP address configured in the FTD/ASA; this is typically the public IP address assigned to the outside interface of the firewall).

OR

3. Remove the WCCP configuration from the FTD/ASA as follows:

a) For ASA setups, negate the wccp service ID command applied to the inside ASA interface:

no wccp interface inside x redirect in

b) For FTD setups, modify the FlexConfig object used to apply the WCCP configuration to the FTD and negate only the wccp service ID command applied to the FTD inside interface, as shown in the example below.

NOTE 1: Be sure the FlexConfig object deployment is changed from 'every time' to 'once'; this is required to avoid failures of subsequent policy deployments to the FTD in question.

NOTE 2: Negate only the WCCP service ID command applied to the inside FTD interface; otherwise the policy deployment to the FTD could fail, because the deployment would attempt to remove some objects before the WCCP ACLs in question.

Example:

- Original WCCP configuration in place:

wccp x redirect-list wccp-traffic group-list wccp-server password *****
wccp interface inside x redirect in

- WCCP FlexConfig change suggested for disabling WCCP:

wccp x redirect-list wccp-traffic group-list wccp-server password *****
no wccp interface inside x redirect in

- After successful FlexConfig deployment to the FTD:

wccp x redirect-list wccp-traffic group-list wccp-server password *****

NOTE 3: The option 3 workaround disables the WCCP service in the FTD/ASA.
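The following script is an added example, not part of the Cisco note above: it parses 'show cap ASP' style output for GRE packets dropped with the nat-xlate-failed reason (the symptom described in the problem section) and then checks whether the running configuration already carries the identity twice-NAT rule from option 2 for each affected WSA-to-router-ID pair, printing the missing rule where it does not. The capture lines, the IP addresses and the configuration snippet are constructed for the example; the rule matcher looks for raw IP addresses exactly as the note writes them, whereas a real ASA/FTD twice-NAT rule references network objects, so in practice the object names would need to be resolved first.

```python
"""Check ASP GRE NAT drops against an ASA/FTD config for a matching identity NAT rule.

Added example; sample capture lines and config are constructed, not from a real device.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed 'show cap ASP' output: two GRE drops from the WSA (10.1.1.50) toward the
# WCCP router ID (203.0.113.10) plus one unrelated ACL drop to show filtering.
SAMPLE_ASP_CAPTURE = """\
1: 17:49:15.395441 10.1.1.50 > 203.0.113.10: gre: gre-proto-0x883E Drop-reason: (nat-xlate-failed) NAT failed, Drop-location: frame 0x00005634e47db0d5 flow (NA)/NA
2: 17:49:15.401002 10.1.1.20.51000 > 198.51.100.5.443: Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005634e47db0d5 flow (NA)/NA
3: 17:49:15.496220 10.1.1.50 > 203.0.113.10: gre: gre-proto-0x883E Drop-reason: (nat-xlate-failed) NAT failed, Drop-location: frame 0x00005634e47db0d5 flow (NA)/NA
"""

# Constructed config fragment: dynamic PAT for the private range and WCCP, but no
# identity NAT for the WSA-to-router-ID GRE flow (service ID 90 is a placeholder).
SAMPLE_CONFIG = """\
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
wccp 90 redirect-list wccp-traffic group-list wccp-server
wccp interface inside 90 redirect in
"""


@dataclass(frozen=True)
class AspDrop:
    packet_no: int
    src: str
    dst: str
    is_gre: bool
    reason: str


# One ASP capture line: "<n>: <time> <src>[.port] > <dst>[.port]: [gre: gre-proto-0x...] ... Drop-reason: (<reason>)"
ASP_LINE = re.compile(
    r"^(?P<no>\d+):\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s*"
    r"(?P<proto>gre: gre-proto-0x[0-9A-Fa-f]+)?.*?"
    r"Drop-reason:\s+\((?P<reason>[a-z0-9-]+)\)"
)


def parse_asp_drops(text: str) -> List[AspDrop]:
    """Parse every recognisable drop line; lines that do not match are ignored."""
    drops = []
    for line in text.splitlines():
        m = ASP_LINE.match(line.strip())
        if m:
            drops.append(AspDrop(int(m["no"]), m["src"], m["dst"],
                                 m["proto"] is not None, m["reason"]))
    return drops


def gre_nat_failures(drops: List[AspDrop]) -> List[Tuple[str, str]]:
    """Unique (src, dst) pairs of GRE packets dropped because NAT could not build an xlate."""
    return sorted({(d.src, d.dst) for d in drops
                   if d.is_gre and d.reason == "nat-xlate-failed"})


def identity_nat_rule(wsa_ip: str, router_id: str) -> str:
    """The no-NAT rule from option 2 of the note, for one WSA / router-ID pair."""
    return (f"nat (inside,outside) source static {wsa_ip} {wsa_ip} "
            f"destination static {router_id} {router_id} no-proxy-arp route-lookup")


def has_identity_nat(config_text: str, wsa_ip: str, router_id: str) -> bool:
    """True when the config already has a twice-NAT identity rule for this pair."""
    pattern = re.compile(
        rf"^\s*nat \(inside,outside\) source static {re.escape(wsa_ip)} {re.escape(wsa_ip)} "
        rf"destination static {re.escape(router_id)} {re.escape(router_id)}\b")
    return any(pattern.match(line) for line in config_text.splitlines())


def missing_rules(config_text: str, drops: List[AspDrop]) -> List[str]:
    """Identity NAT rules that the drops call for but the config does not contain."""
    return [identity_nat_rule(src, dst)
            for src, dst in gre_nat_failures(drops)
            if not has_identity_nat(config_text, src, dst)]


if __name__ == "__main__":
    drops = parse_asp_drops(SAMPLE_ASP_CAPTURE)
    print(f"{len(drops)} drops parsed, GRE NAT failures: {gre_nat_failures(drops)}")
    for rule in missing_rules(SAMPLE_CONFIG, drops):
        print("missing:", rule)
```

Running the script against the constructed data reports one GRE NAT failure pair and prints the identity NAT line from option 2 for it; once that line is present in the configuration text, the report is empty.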