LinuxQuestions.org
LinuxQuestions.org > Blogs > Musings on technology, philosophy, and life in the corporate world


Hi. I'm a Unix Administrator, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: Unix.

Another funny network "problem"

Posted 04-23-2016 at 02:33 PM by rocket357

I work on the network devices support team at AWS. We provide troubleshooting support for various network-related devices, such as Cisco ISR/ASR/ASA, Juniper SSG/ISG, Fortigate, etc. Most of the troubleshooting revolves around AWS Direct Connect and IPsec.

We have a few network labs at AWS that contain many of the devices we support; however, I've always been more of a "hands-on" kind of guy, so I recently purchased a Cisco ISR and a Cisco ASA (2801 and 5505, respectively). In total, I spent under $200 (eBay!).

I've always liked Cisco ISRs. The 2801 is an older system, but it has more than reasonable performance for home IPSec/BGP connections. It's a great little box. The ASA, however...

I've never been fond of ASAs. I don't know why. Perhaps it is because the IPSec engine is strictly policy based (whereas the ISR allows either policy or route based). Perhaps it is the additional "helpful" security checks the ASA performs in the background? I don't know. I've always been a bit skeptical of ASAs.

So here I am with my first real hands-on experience with an ASA. Sure, I've set them up in the labs at work, but they've always had the "base" configuration in place already (interfaces, routes, etc.). To really understand a system, I've found it best to just dive in and configure it (note: this implies you are in a lab setting and not "learning" a production firewall as you roll it out into production... my ISR and ASA are both behind an OpenBSD firewall, simply because I know OpenBSD pf/relayd/etc. much better than IOS).

So, first things first, my home network is heavily vlan'd. I updated the 3560 to put two ports in test vlans and started modifying the ASA. After a bit, I was ready to test. I pinged the ASA from my workstation. Success, and the latency is incredibly low. I ping the workstation from the ASA. No bueno.

Hrmmm. That's...odd.

I checked the Windows firewall on my workstation (this is my "hypervisor" machine that runs VirtualBox, GNS3, a few Android emulators, etc... and I use it for games). There is an ICMP allow any rule in place. Hrmmm.

I check routes on the ASA. Since my workstation's vlan is configured on the inside interface of the ASA, I shouldn't need a route. I add one anyway; no joy. I perform a packet capture while pinging. The Windows machine happily pings the ASA (as confirmed by Wireshark). It even receives the pings from the ASA and responds! What the @#$#% is this silly ASA doing?!?

I read up on packet captures on ASAs (something I've not needed before) and set up a pcap. While it's running, I ping from the Windows machine.

The ASA sees no traffic, and yet, the Windows machine is getting responses.

Remember when I said the latency was really low? I got distracted by the ping failures on the ASA, so I didn't really put much thought into it. Turns out, the latency was *too* low. Something was responding, but it wasn't the ASA.

As it turns out, I'd configured a GNS3 "cloud" device on the Windows machine some months ago. I happened to have set that up with the next available IP on the vlan. When I set up the ASA, I happened to configure the "next available" IP on the vlan, which was also configured on the GNS3 cloud device. I could "ping the ASA" because the GNS3 device would respond to Windows, but I couldn't ping the Windows box from the ASA because the Windows machine would route responses to the GNS3 cloud device.
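The quickest way to spot this kind of duplicate address is to watch ARP on the vlan: if more than one MAC answers for the same IP, two hosts own it. The script below is an added example, not from the original post; it parses tcpdump-style ARP reply lines (a constructed sample, with documentation-range addresses and made-up MACs standing in for the ASA and the GNS3 cloud adapter) and reports every IP claimed by two or more MACs.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style ARP output (not a capture from the post).
# Two different MACs reply for 192.0.2.20: one stands in for the ASA inside
# interface, the other for a GNS3 "cloud" adapter assigned the same address.
SAMPLE_ARP_LOG = """\
12:00:01.000001 ARP, Request who-has 192.0.2.20 tell 192.0.2.50, length 46
12:00:01.000120 ARP, Reply 192.0.2.20 is-at 02:00:00:aa:bb:01, length 28
12:00:01.000950 ARP, Reply 192.0.2.20 is-at 02:00:00:cc:dd:02, length 28
12:00:02.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 46
12:00:02.000300 ARP, Reply 192.0.2.1 is-at 02:00:00:ee:ff:03, length 28
"""

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def arp_replies(log_text):
    """Yield (ip, mac) pairs for every ARP reply line in a tcpdump text capture."""
    for line in log_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def find_duplicate_ips(log_text):
    """Return {ip: sorted MACs} for each IP that more than one MAC answers for."""
    claims = defaultdict(set)
    for ip, mac in arp_replies(log_text):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(SAMPLE_ARP_LOG).items():
        print(f"{ip} is claimed by {len(macs)} hosts: {', '.join(macs)}")
```

On a real segment, feed it the output of `tcpdump -n -i <iface> arp` collected while pinging the suspect address; a single IP showing up with two MACs is the duplicate.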

Sigh...one of these days I'll quit wasting my time on silly problems like this =)
Posted in Uncategorized