Issue
Traffic is sent out from the ASA unencrypted.
Cause
This can be caused by a duplicate (stale) entry in the ASP crypto table, which prevents the ASA from encrypting any traffic destined for the remote host.
Two commands show this behaviour. The output below shows the duplicate entries: both match the same source and destination networks in the encrypt domain, but they have different ids, and the stale entry has a hit count of 0:
Interface outside:
!
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
Note: Details of this bug can also be viewed in CSCsd48512 (Duplicate ASP crypto table entry causes firewall to not encrypt traffic).
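To spot this condition without reading the table by eye, the following Python script, added here as an example and not part of the article or of any Cisco tooling, parses output in the format shown above and reports entries that share interface, direction, domain, source and destination but carry different ids, then singles out the ones with hits=0 as stale candidates. The sample input is constructed to mirror the article's output (same addresses and ids) plus one extra, non-duplicate entry; it is assumed to come from the ASA's show asp table classify domain encrypt command, and a real device may print additional fields the regexes simply ignore.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the output in the article, plus one unrelated
# entry for a second tunnel so the duplicate detection has something to skip.
SAMPLE_OUTPUT = """\
Interface outside:
!
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
        hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
out id=0xd1592ee0, priority=70, domain=encrypt, deny=false
        hits=12, user_data=0x4bed200, cs_id=0xd5deba09, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=10.10.0.0, mask=255.255.0.0, port=0, dscp=0x0
"""

IFACE_RE = re.compile(r"^Interface (\S+):")
ENTRY_RE = re.compile(r"^\s*(in|out) id=(0x[0-9a-fA-F]+),.*?domain=([\w-]+)")
HITS_RE = re.compile(r"^\s*hits=(\d+)")
SRC_RE = re.compile(r"^\s*src ip=([\d.]+), mask=([\d.]+), port=(\d+)")
DST_RE = re.compile(r"^\s*dst ip=([\d.]+), mask=([\d.]+), port=(\d+)")


def parse_asp_table(text):
    """Turn ASP classify output into a list of dicts, one per entry."""
    entries = []
    iface = None
    cur = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = {"iface": iface, "dir": m.group(1), "id": m.group(2),
                   "domain": m.group(3), "hits": None, "src": None, "dst": None}
            entries.append(cur)
            continue
        if cur is None:
            continue  # header or separator lines before the first entry
        m = HITS_RE.match(line)
        if m:
            cur["hits"] = int(m.group(1))
            continue
        m = SRC_RE.match(line)
        if m:
            cur["src"] = m.groups()  # (ip, mask, port)
            continue
        m = DST_RE.match(line)
        if m:
            cur["dst"] = m.groups()
    return entries


def find_duplicates(entries, domain="encrypt"):
    """Group entries by (iface, dir, domain, src, dst); keep groups with >1 id."""
    groups = defaultdict(list)
    for e in entries:
        if e["domain"] != domain:
            continue
        key = (e["iface"], e["dir"], e["domain"], e["src"], e["dst"])
        groups[key].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def stale_candidates(dups):
    """Within duplicate groups, the entries that never matched traffic."""
    return [e for group in dups.values() for e in group if e["hits"] == 0]


if __name__ == "__main__":
    dups = find_duplicates(parse_asp_table(SAMPLE_OUTPUT))
    for key, group in dups.items():
        print("duplicate classify entries for", key)
        for e in group:
            print("   id=%s hits=%s" % (e["id"], e["hits"]))
    for e in stale_candidates(dups):
        print("stale candidate:", e["id"])
```

On a live box, paste the command output into a file and feed it to parse_asp_table; a duplicate group where one id has a large hit count and the other has zero is the signature described in the cause section, and is the cue to reboot or upgrade as the solution section advises.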
Solution
There are 2 solutions to this issue:
- Reboot the firewall.
- Upgrade the firewall to version 7.0(4.13), 7.2(0.46), 7.1(2.1), 7.0(5), 7.2(1) or 8.0(0.1).
Additional References
CSCsh48962 – Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI.
CSCso50996 – ASA dropping the packet instead of encrypting it.