
OPERATIONAL DEFECT DATABASE
Symptom:
After a software upgrade on an Adaptive Security Appliance (ASA), SSH and SNMP connections to the non-admin contexts fail. Interface packet captures show only packets in the ingress direction, with no response from the firewall:

  # show capture
  capture CAPI type raw-data trace interface inside [Capturing - 540 bytes]
    match tcp any any
    match udp any any
  capture NLPCAP type raw-data interface nlp_int_tap [Capturing - 1508 bytes]

  # show cap CAPI
  7 packets captured
  1: 17:55:43.202199 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
  2: 17:55:44.232135 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
  3: 17:55:46.248125 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
  4: 17:55:50.344159 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240 <mss 1460,sackOK,timestamp 1888533499 0,nop,wscal

Data interface packet capture traces show that the packets are allowed and sent out via the internal egress interface nlp_int_tap:

  # show cap CAPI trace
  4 packets captured
  1: 17:55:43.202199 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240

  Phase: 1
  Type: CAPTURE
  Subtype:
  Result: ALLOW
  Elapsed time: 12544 ns
  Config:
  Additional Information:
  MAC Access list

  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Elapsed time: 12544 ns
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list

  Phase: 3
  Type: UN-NAT
  Subtype: static
  Result: ALLOW
  Elapsed time: 19456 ns
  Config:
  nat (nlp_int_tap,inside) source static nlp_server__ssh_0.0.0.0_intf131075 interface destination static 2_0.0.0.0_4 2_0.0.0.0_4
  Additional Information:
  NAT divert to egress interface nlp_int_tap
  Untranslate 192.0.2.2/22 to 169.254.2.3/4122

  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Elapsed time: 6348 ns
  Config:
  Implicit Rule
  Additional Information:

  Phase: 5
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Elapsed time: 6348 ns
  Config:
  Additional Information:

  Phase: 6
  Type: NAT
  Subtype:
  Result: ALLOW
  Elapsed time: 6348 ns
  Config:
  nat (nlp_int_tap,inside) source static nlp_server__ssh_0.0.0.0_intf131075 interface destination static 2_0.0.0.0_4 2_0.0.0.0_4
  Additional Information:
  Static translate 192.0.2.1/45918 to 192.0.2.1/45918

  Phase: 7
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Elapsed time: 6348 ns
  Config:
  Additional Information:

  Phase: 8
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Elapsed time: 6348 ns
  Config:
  Additional Information:

  Phase: 9
  Type: NAT
  Subtype: rpf-check
  Result: ALLOW
  Elapsed time: 47616 ns
  Config:
  nat (nlp_int_tap,inside) source static nlp_server__ssh_0.0.0.0_intf131075 interface destination static 2_0.0.0.0_4 2_0.0.0.0_4
  Additional Information:

  Phase: 10
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Elapsed time: 24064 ns
  Config:
  Additional Information:

  Phase: 11
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Elapsed time: 25088 ns
  Config:
  Additional Information:
  New flow created with id 37, packet dispatched to next module

  Phase: 12
  Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
  Subtype: Resolve Preferred Egress interface
  Result: ALLOW
  Elapsed time: 23040 ns
  Config:
  Additional Information:
  Found next-hop 169.254.2.3 using egress ifc nlp_int_tap

  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: nlp_int_tap
  output-status: up
  output-line-status: up
  Action: allow
  Time Taken: 196092 ns

The nlp_int_tap interface packet capture shows ARP requests for the internal IP address, but no ARP replies:

  # show cap NLPCAP
  12 packets captured
  1: 17:55:43.202534 arp who-has 169.254.2.3 tell 169.254.2.1
  2: 17:55:43.202610 arp who-has 169.254.2.3 tell 169.254.2.1
  3: 17:55:44.511143 arp who-has 169.254.2.3 tell 169.254.2.1
  4: 17:55:44.511204 arp who-has 169.254.2.3 tell 169.254.2.1
  5: 17:55:45.511127 arp who-has 169.254.2.3 tell 169.254.2.1
Conditions:
First seen after a software upgrade from ASA version 9.14.4.x in multi-context mode, with an active SSH or SNMP configuration in non-admin contexts. Other software versions may also be affected. This issue does not apply to the FPR4100 running 9.18.x.
Workaround:
SSH only: if the admin context is reachable, connect to it and change to the user contexts from there.
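The diagnosis in this record rests on two observations from the captures: the data-interface capture holds client packets with nothing coming back from the firewall, and the nlp_int_tap capture holds ARP requests for the internal address with no reply. The following script is an added example, not part of this record or of any Cisco tooling; it parses "show cap" output in the line format shown above and reports exactly those two patterns. The sample lines are constructed: the SSH and ARP lines mirror the ones above, while the HTTPS flow, the SNMP datagram and the answered ARP request for 169.254.2.9 are made up so the healthy case is visible too.

```python
import re
from collections import Counter

# Constructed "show cap CAPI" lines (SSH SYNs with no reply, one healthy HTTPS
# handshake, one SNMP datagram with no reply). Not a real device capture.
CAPI_LINES = """\
7 packets captured
1: 17:55:43.202199 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
2: 17:55:44.232135 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
3: 17:55:46.248125 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240
4: 17:55:50.344159 192.0.2.1.45918 > 192.0.2.2.22: S 2476878983:2476878983(0) win 64240 <mss 1460,sackOK>
5: 17:56:01.000000 192.0.2.9.40000 > 192.0.2.2.443: S 100:100(0) win 64240
6: 17:56:01.000500 192.0.2.2.443 > 192.0.2.9.40000: S 500:500(0) ack 101 win 29200
7: 17:56:02.000000 198.51.100.7.51000 > 192.0.2.2.161: udp 45
""".splitlines()

# Constructed "show cap NLPCAP" lines: three unanswered requests for 169.254.2.3
# and one answered request for a made-up neighbour 169.254.2.9.
NLPCAP_LINES = """\
5 packets captured
1: 17:55:43.202534 arp who-has 169.254.2.3 tell 169.254.2.1
2: 17:55:43.202610 arp who-has 169.254.2.3 tell 169.254.2.1
3: 17:55:44.511143 arp who-has 169.254.2.3 tell 169.254.2.1
4: 17:55:45.000000 arp who-has 169.254.2.9 tell 169.254.2.1
5: 17:55:45.000300 arp reply 169.254.2.9 is-at 0:0:5e:0:53:9
""".splitlines()

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<n>: <time> <src>.<sport> > <dst>.<dport>: <rest>"; non-IP lines (ARP, headers) do not match.
PKT_RE = re.compile(
    rf"^\s*\d+:\s+\S+\s+(?P<src>{IP})\.(?P<sport>\d+)\s+>\s+"
    rf"(?P<dst>{IP})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
ARP_REQ_RE = re.compile(rf"arp who-has (?P<target>{IP}) tell (?P<sender>{IP})")
ARP_REP_RE = re.compile(rf"arp reply (?P<target>{IP}) is-at")


def parse_capture(lines):
    """Return (proto, src, sport, dst, dport) for every IP packet line."""
    pkts = []
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue
        proto = "udp" if m.group("rest").startswith("udp") else "tcp"
        pkts.append((proto, m.group("src"), int(m.group("sport")),
                     m.group("dst"), int(m.group("dport"))))
    return pkts


def one_way_flows(lines):
    """Flows (proto, client, cport, server, sport) with client packets but no
    packet in the reverse direction: the 'ingress only, no response' pattern."""
    counts = {}  # initiator 5-tuple -> [forward packets, reverse packets]
    for proto, src, sport, dst, dport in parse_capture(lines):
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if rev in counts:
            counts[rev][1] += 1          # reply to a flow we already saw
        else:
            counts.setdefault(fwd, [0, 0])[0] += 1
    return [k for k, (f, r) in counts.items() if f > 0 and r == 0]


def unanswered_arp(lines):
    """{target_ip: request_count} for addresses asked for via ARP but never answered."""
    requests = Counter()
    answered = set()
    for line in lines:
        m = ARP_REQ_RE.search(line)
        if m:
            requests[m.group("target")] += 1
            continue
        m = ARP_REP_RE.search(line)
        if m:
            answered.add(m.group("target"))
    return {ip: n for ip, n in requests.items() if ip not in answered}


def diagnose(capi_lines, nlpcap_lines):
    """Combine both checks into human-readable findings."""
    findings = []
    for proto, c, cp, s, sp in one_way_flows(capi_lines):
        findings.append(f"no reply from {s}:{sp}/{proto} to {c}:{cp} (ingress-only flow)")
    for ip, n in unanswered_arp(nlpcap_lines).items():
        findings.append(f"{n} ARP request(s) for {ip} with no reply on the internal tap")
    return findings


if __name__ == "__main__":
    for f in diagnose(CAPI_LINES, NLPCAP_LINES):
        print(f)
```

Run against real output, paste the two "show cap" listings into the two lists (or read them from files); an ingress-only flow toward the firewall's own address combined with unanswered ARP for the 169.254.x.x next hop on nlp_int_tap is the signature this record describes, as opposed to a flow that is simply being dropped by policy, which would show a DROP result in the trace rather than an ALLOW with no reply.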