Topic: IP header verification
igor123
Member
Member # 30071
posted May 18, 2012 02:35 AM
Hi all. This is not a lab issue but something from a real environment.
I have an ASA 5520 with 8.2(5) code that is the internet firewall. Behind this ASA there is a Checkpoint firewall terminating IPSec VPNs. It seems that this Checkpoint is sending out packets with an invalid IP header checksum. These packets are dropped on my ASA. I can't find a fix for this odd Checkpoint behavior, so my question is: can I somehow (policy-map) instruct the ASA to ignore a bad IP checksum/header in specific traffic?
I know there is the TCP State Bypass feature since 8.2, but my traffic is ESP. I disabled basic threat detection, but no joy.
I am going to open a TAC case with Checkpoint, but I don't expect much from them. So I am looking for a quick and dirty fix on the ASA.
Here is a capture made on the ASA:
afw01# show capture invalid-ip-header detail
32 packets captured
1: 10:36:10.199620 110: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 76 (ttl 255, id 59734, bad cksum a393!)
2: 10:36:12.761069 110: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 76 (ttl 255, id 59737, bad cksum a390!) Drop-reason: (invalid-ip-header) Invalid IP header
3: 10:36:18.768026 0x0800 110: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 76 (ttl 255, id 59742, bad cksum a38b!) Drop-reason: (invalid-ip-header) Invalid IP header
4: 10:37:19.487737 0x0800 158: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 124 [tos 0xc0] (ttl 255, id 59776, bad cksum a279!) Drop-reason: (invalid-ip-header) Invalid IP header
5: 10:37:24.123910 0x0800 158: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 124 [tos 0xc0] (ttl 255, id 59777, bad cksum a278!) Drop-reason: (invalid-ip-header) Invalid IP header
6: 10:37:29.131157 0x0800 158: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 124 [tos 0xc0] (ttl 255, id 59778, bad cksum a277!)
7: 10:37:34.128441 0x0800 158: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 124 [tos 0xc0] (ttl 255, id 59779, bad cksum a276!) Drop-reason: (invalid-ip-header) Invalid IP header
8: 10:40:51.494115 0x0800 150: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 116 [tos 0xc0] (ttl 255, id 59798, bad cksum a26b!)
9: 10:40:54.497303 0x0800 150: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 116 [tos 0xc0] (ttl 255, id 59799, bad cksum a26a!)
10: 10:41:00.494527 0x0800 142: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 108 [tos 0xc0] (ttl 255, id 59800, bad cksum a271!)
11: 10:41:23.096750 0x0800 150: 10.xx.xx.244 > xx.35.xx.94: ip-proto-50, length 116 [tos 0xc0] (ttl 255, id 59801, bad cksum a268!) Drop-reason: (invalid-ip-header) Invalid IP header
Posts: 23 | From: Slovakia | Registered: Aug 2010
faizanbaiguet
Jr Member
Member # 32387
posted May 18, 2012 04:57 AM
It can be due to a bad cable. Have you noticed CRCs between the ASA and the Checkpoint? Do check the L2 properties of the interface at both ends.
Posts: 11 | From: Pakistan | Registered: May 2012
igor123
Member
Member # 30071
posted May 18, 2012 06:15 AM
I don't think this is the case. This bad checksum only appears when I configure link selection on the Checkpoint. This is because I need to terminate IPSec VPNs on 2 different interfaces.
Anyway, it seems that this check cannot be turned off on the ASA. Or?
Posts: 23 | From: Slovakia | Registered: Aug 2010
theevilmuffin
I need a life
Member # 23191
posted May 21, 2012 06:05 AM
Have you checked for bugs on the ASA? Could be a bug. I would grab one of the offending packets and check that the checksum is incorrect (Wireshark should help you here).
Cheers
Posts: 1065 | From: UK | Registered: Sep 2007
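One way to do the check suggested above offline, added here as an example that is not code from the thread: it recomputes the RFC 1071 IPv4 header checksum of a raw packet and reports a mismatch the way the ASA's invalid-ip-header drop does. The addresses are constructed placeholders; the protocol (50, ESP), length, id, TTL and the bad value a393 are taken from the capture in the first post.

```python
import socket
import struct
from typing import Optional

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"  # pad odd length; never needed for a real IPv4 header (IHL*4)
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def verify_ipv4_header(packet: bytes) -> dict:
    """Report what a firewall's header check sees: protocol, stored vs expected checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"valid": False, "reason": "invalid-ip-header: not IPv4"}
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return {"valid": False, "reason": "invalid-ip-header: bad IHL"}
    hdr = packet[:ihl]
    stored = struct.unpack("!H", hdr[10:12])[0]
    expected = ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])  # checksum field zeroed
    ok = stored == expected
    return {"valid": ok, "proto": hdr[9], "stored": stored, "expected": expected,
            "reason": None if ok else
            f"invalid-ip-header: bad cksum {stored:04x}, expected {expected:04x}"}

def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ident: int,
                      ttl: int = 255, tos: int = 0,
                      checksum: Optional[int] = None) -> bytes:
    """Build a 20-byte IPv4 header; the checksum is computed unless one is forced in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    if checksum is None:
        checksum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]

# Constructed samples (placeholder addresses): an ESP (proto 50) header like the
# captured ones, once with a correct checksum and once carrying the bad a393 value.
GOOD_ESP = build_ipv4_header("10.0.0.244", "192.0.2.94", 50, 76, 59734)
BAD_ESP = build_ipv4_header("10.0.0.244", "192.0.2.94", 50, 76, 59734, checksum=0xA393)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ESP), ("bad", BAD_ESP)):
        print(name, verify_ipv4_header(pkt))
```

Feed `verify_ipv4_header` the raw bytes of a frame's IP header from a capture (e.g. exported from Wireshark) to confirm independently whether the sender, not the firewall, is at fault.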
igor123
Member
Member # 30071
posted May 21, 2012 06:15 AM
I actually forgot to mention that Wireshark also says the checksum is wrong. As I wrote, it is clearly a Checkpoint bug.
Posts: 23 | From: Slovakia | Registered: Aug 2010