Symptom
- Firewall is directing traffic to the inside interface despite the intended outside route.
- This anomaly is causing communication issues.
- Only DCE/RPC and FTP traffic is affected.
Evaluating the pcap, we see:
* The sequence of packets demonstrates that the initial packet follows the correct path but gets dropped because it's not a SYN packet.
* Subsequently, a reset packet from the outside terminates the prior communication.
* However, the subsequent SYN packet (sent to restart the connection) shows a suboptimal lookup: it was sent to the inside instead of the outside, contradicting the output interface listed in the FMC.
* Despite the correct source and destination MAC addresses in the third packet, the fourth packet, with identical flags and ports, has reversed MAC addresses, confirming the firewall is routing the traffic through the inside interface.
Conditions
- Firewall is directing traffic to the inside interface despite the intended outside route.
- Communication issues.
- DCE/RPC traffic
- FTD 7.2.4
Workaround
Workaround 1:
- Remove the destination network from the route pointing to the same interface where the traffic originated.
For example, if the destination host is 10.30.0.12, located behind the outside interface, instead of having the following route, which includes it:
route INSIDE 10.16.0.0 255.240.0.0 172.16.253.1 1
You would instead configure the following routes, which exclude it, so that the traffic is routed toward the proper interface:
route INSIDE 10.16.0.0 255.248.0.0 172.16.253.1 1
route INSIDE 10.24.0.0 255.252.0.0 172.16.253.1 1
route INSIDE 10.28.0.0 255.254.0.0 172.16.253.1 1
route INSIDE 10.31.0.0 255.255.0.0 172.16.253.1 1
This way, traffic will be routed toward the outside using the proper route:
route OUTSIDE 10.30.0.0 255.255.255.0 172.16.1.1 1
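As an added illustration (not part of the original bug note), this Python script derives the replacement route set from the page's values and checks that, once the range is carved out, the destination host no longer matches any INSIDE route. The 10.30.0.0/16 carve-out is inferred from the four replacement routes above, and the route-matching helper is an assumption that models plain longest-prefix lookup, not FTD's internal behaviour.

```python
import ipaddress

# Values taken from the page; the /16 carve-out is an assumption inferred from
# the four replacement routes in workaround 1.
INSIDE_SUMMARY = ipaddress.ip_network("10.16.0.0/12")  # route INSIDE 10.16.0.0 255.240.0.0
OUTSIDE_ROUTE = ipaddress.ip_network("10.30.0.0/24")   # route OUTSIDE 10.30.0.0 255.255.255.0
CARVE_OUT = ipaddress.ip_network("10.30.0.0/16")       # range removed from the INSIDE route
DEST_HOST = ipaddress.ip_address("10.30.0.12")         # host behind the outside interface


def split_route(summary, carve_out):
    """Minimal set of prefixes covering `summary` minus `carve_out`,
    largest block first. This is what workaround 1 does by hand."""
    return sorted(summary.address_exclude(carve_out),
                  key=lambda n: (n.prefixlen, n.network_address))


def asa_route_lines(interface, networks, next_hop, metric=1):
    """Render networks as ASA/FTD 'route' commands with dotted-decimal masks."""
    return [f"route {interface} {n.network_address} {n.netmask} {next_hop} {metric}"
            for n in networks]


def matching_routes(dest, routes):
    """Routes whose prefix contains `dest`, most specific first (longest-prefix match).
    `routes` is a list of (interface, network) tuples."""
    hits = [(iface, net) for iface, net in routes if dest in net]
    return sorted(hits, key=lambda r: r[1].prefixlen, reverse=True)


def before_and_after():
    """Route candidates for DEST_HOST with the original summary route and with
    the split routes: after the split, no INSIDE route matches the host at all."""
    original = [("INSIDE", INSIDE_SUMMARY), ("OUTSIDE", OUTSIDE_ROUTE)]
    split = [("INSIDE", n) for n in split_route(INSIDE_SUMMARY, CARVE_OUT)]
    split.append(("OUTSIDE", OUTSIDE_ROUTE))
    return matching_routes(DEST_HOST, original), matching_routes(DEST_HOST, split)


if __name__ == "__main__":
    for line in asa_route_lines("INSIDE", split_route(INSIDE_SUMMARY, CARVE_OUT), "172.16.253.1"):
        print(line)
    before, after = before_and_after()
    print("before:", [f"{i} {n}" for i, n in before])  # OUTSIDE wins, but INSIDE also matches
    print("after: ", [f"{i} {n}" for i, n in after])   # only OUTSIDE matches
```

The "before" list shows why the overlap matters: a lookup that falls back to the less specific INSIDE entry still finds a match, whereas after the split the only candidate is the OUTSIDE route.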
Workaround 2:
Remove the "route-lookup" configuration from the associated NAT statement.