BugZero | Cisco BugID CSCvo88762 - FTD inline/transparent sends packets back through ...

Cisco - Defect ID: CSCvo88762

FTD inline/transparent sends packets back through the ingress interface

Cisco - Defect ID: CSCvo88762

FTD inline/transparent sends packets back through the ingress interface

Last updated on 8/28/2024

Overall: 6.26.2

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 66.0

What is the BugZero Risk Score?

Vendor details

No defect details.

Overall: 6.26.2

Severity: 6.46.4

Lifecycle: 9.19.1

Popularity: 66.0

What is the BugZero Risk Score?

Vendor details

No defect details.

Symptom

Packets received by one side of an inline set are sent back out through the same interface. If an adjacent L2 device is sensitive to MAC flaps through different interfaces, such as ACI fabrics, it could trigger a MAC loop policy, generate a message like the following and shut down the interface that receives the packet. Error: epmc_loop_detect_action:1937:E] Disabling learn on vlan 10 mac 0050.56b3.d3d3 due to loop between 0x18010004 and 0x16000001 ts 01:45:55.632572 Similar behavior can be detected on Cisco Switches logs: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56b3.d3d3 in vlan 102 is flapping between port Te1/1/4 and port Te1/1/2

Conditions

FTD on transparent mode with Inline set enabled Traffic is hair-pinned of a Layer 3 device and traverses the FTD twice. If packets have no change on Source/Destination IP, Source/Destination Port, and VLAN the second time the packet hits the firewall on the other interface from the same inline set, this problem can be faced for segmented packets from the first time the packet reached the firewall being inspected by the detection engine. This scenario can occur if multiple subnets are being shared on the same VLAN such as Routers with Secondary IP working as gateways on a router-on-a-stick setup or ACI environments where multiple subnets can live on the same domain. Offloaded traffic is not affected. The problem does not occur when the interfaces are in "tap" mode. Flows from one VLAN to another aren't affected. If Syslogs are enabled on Platform settings, the following message is logged. %ASA-6-110004: Egress interface changed from Inside to Outside on tcp connection 364 for INLINE_PAIR/Outside:10.17.15.204/58081 (10.17.15.204/58081) to INLINE_PAIR/Inside:10.16.100.224/80 (10.16.100.224/80)

Workaround

Apply a pre-filter rule to fastpath this traffic on platforms supporting offloading such as FPR4100 and FPR9300 platforms. Example: Network Object: VLAN_102 10.17.15.204 10.16.100.224 Source Network: VLAN_102 Destination Network: VLAN_102 Action: Fastpath

Further Problem Description

Original Vendor Announcement

9.65Defect ID: CSCwd45843
Auth Step latency for policy evaluation due to Garbage Collection activity.
9.65Defect ID: CSCwa92734
CUBE DTMF interworking fails from rtp-nte to OOB SIP methods
9.65Defect ID: CSCwj45822
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability
9.65Defect ID: CSCvo03458
PKI "revocation check crl none" does not fallback if CRL not reachable
9.65Defect ID: CSCvq05584
Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Cisco - Defect ID: CSCvo88762

FTD inline/transparent sends packets back through the ingress interface

Cisco - Defect ID: CSCvo88762

FTD inline/transparent sends packets back through the ingress interface

Last updated on 8/28/2024

Vendor details

Vendor details

Description

Symptom

Conditions

Workaround

Further Problem Description

Links

Top Cisco defects by risk score

Ready to prevent the next vendor outage?