Bug in Cisco ASA 8.4(4)1 found

While setting up a new office in Sao Paulo/Brazil I found a bug that should already be fixed but still exists: you cannot access the management interface (inside) of your ASA when you come in over an L2L/Remote Access VPN and your NAT statements overlap the management IP address.

It’s a split-tunneling configuration in which VPN traffic keeps its original IP address, while traffic going to the Internet is translated to the outside IP address. Have a look at Cisco bug CSCtr16184.

I used the following config, which didn’t work:

nat (inside,outside) source static inside-subs inside-subs destination static vpn-subs vpn-subs

With the NAT statements described in the workaround, it works fine:

nat (inside,outside) source static inside-subs inside-subs destination static vpn-subs vpn-subs route-lookup
nat (outside,inside) source static vpn-subs vpn-subs destination static inside-subs inside-subs route-lookup

This behavior should already be fixed in version 8.4(2.3), but in my 8.4(4)1 it still exists.

Here are the bug details from Cisco:

To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2.

Symptom:

After upgrading the ASA to 8.4.2, all management traffic to-the-box (including icmp/telnet/ssh/ASDM) from hosts over the VPN (L2L or Remote Access VPN) may fail when destined to the management-access interface IP address.

Conditions:

1. Issue is observed if ASA is on 8.4.2. Not observed on 8.4.1.
2. Users directly connected to the internal interfaces face no issues with icmp/telnet/ssh/asdm to their respective interfaces.

Workaround:

The problem can be traced to a Manual NAT statement that overlaps with the management-access interface IP address. The NAT statement must have both the source and destination fields. Adding the “route-lookup” keyword at the end of the NAT statement resolves the issue.
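To check an ASA running-config for exactly the condition Cisco describes (a manual NAT statement with both source and destination fields, overlapping the management-access interface IP, without route-lookup), here is an added audit script. It is my example, not part of the post or of any Cisco tooling; the config fragment is constructed, the object names follow the post, and the subnets, the dmz objects and the management IP are assumed.

```python
import ipaddress
import re

# Constructed ASA running-config fragment for demonstration. Object names
# follow the post; the addresses and the dmz objects are assumed.
SAMPLE_CONFIG = """\
object network inside-subs
 subnet 10.1.0.0 255.255.0.0
object network vpn-subs
 subnet 10.200.0.0 255.255.255.0
object network dmz-subs
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static inside-subs inside-subs destination static vpn-subs vpn-subs
nat (outside,inside) source static vpn-subs vpn-subs destination static inside-subs inside-subs route-lookup
nat (dmz,outside) source static dmz-subs dmz-subs destination static vpn-subs vpn-subs
nat (inside,outside) source dynamic any interface
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
# Manual (twice) NAT: "source static|dynamic REAL MAPPED [destination static MAPPED REAL] [options]"
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source (?:static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
    r"(?P<opts>.*)$"
)


def parse_objects(config):
    """Map 'object network' names to ip_network values (host entries become /32)."""
    objects = {}
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = SUBNET_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def object_contains(objects, name, addr):
    """True if the named object (or the keyword 'any') covers addr."""
    if name == "any":
        return True
    net = objects.get(name)
    return net is not None and addr in net


def find_overlapping_nat(config, mgmt_ip):
    """Return (line_number, nat_line) for every manual NAT statement that has
    both source and destination fields, references an object covering the
    management-access interface IP, and lacks the route-lookup keyword."""
    objects = parse_objects(config)
    addr = ipaddress.ip_address(mgmt_ip)
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = NAT_RE.match(line)
        if not m or m.group("dst_real") is None:
            continue  # not manual NAT, or no destination clause: the bug does not apply
        if "route-lookup" in m.group("opts").split():
            continue  # workaround already applied
        names = (m.group("src_real"), m.group("src_mapped"),
                 m.group("dst_mapped"), m.group("dst_real"))
        if any(object_contains(objects, n, addr) for n in names):
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    # Assumed management-access interface IP inside the inside-subs object.
    for lineno, line in find_overlapping_nat(SAMPLE_CONFIG, "10.1.1.1"):
        print(f"line {lineno}: missing route-lookup -> {line}")
```

Feed it the output of "show running-config object" and "show running-config nat" together with the IP of the interface configured as management-access; only statements that both overlap that address and lack route-lookup are reported, so the corrected (outside,inside) statement from the workaround passes.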

Bug in Cisco Catalyst 2960S

I found a new bug in IOS 12.2(55) on our C2960S, where we had high CPU usage and a lot of traceback syslog messages.

Here is the info from the Cisco TAC about the problem:

Symptom:
C2960S switch getting the following message:

%SUPERVISOR-4-UNEXPECTED: rfd_idx = 56B hwptr 64D75AC queue 8 
-Traceback= 12ECA7C 12EF254 12EF5DC 1382180 137C680 137C628 13821F0 1383128 137C730 184AA64 184AA3C 1848974

Conditions:
WS-C2960S running IOS earlier than 12.2(58)SE

Workaround:
Temporary workaround is reload; fix is in 12.2(58)SE.
Action Plan:
1. As a temporary workaround we can reload the switch.
2. For permanent solution please upgrade the switch to 12.2(58)SE.
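As an added example (mine, not from the post or from Cisco TAC), here is a small check that spots the %SUPERVISOR-4-UNEXPECTED messages and their tracebacks in collected syslog and decides, from the "show version" string, whether the switch is still on a release earlier than 12.2(58)SE. The message and traceback text reproduce what the post quotes; the timestamps, hostname, sequence numbers and the unrelated %SYS message are constructed.

```python
import re

# Constructed syslog sample: the %SUPERVISOR-4-UNEXPECTED and -Traceback=
# lines reproduce the message format quoted in the post; timestamps,
# hostname, sequence numbers and the other message are assumed.
SAMPLE_SYSLOG = """\
Mar 12 10:02:11 sw-sp-01 1234: *Mar 12 10:02:11.532: %SUPERVISOR-4-UNEXPECTED: rfd_idx = 56B hwptr 64D75AC queue 8
Mar 12 10:02:11 sw-sp-01 1235: -Traceback= 12ECA7C 12EF254 12EF5DC 1382180 137C680 137C628 13821F0 1383128 137C730 184AA64 184AA3C 1848974
Mar 12 10:05:40 sw-sp-01 1236: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar 12 10:07:02 sw-sp-01 1237: *Mar 12 10:07:02.118: %SUPERVISOR-4-UNEXPECTED: rfd_idx = 56B hwptr 64D75AC queue 8
Mar 12 10:07:02 sw-sp-01 1238: -Traceback= 12ECA7C 12EF254 12EF5DC 1382180 137C680 137C628 13821F0 1383128 137C730 184AA64 184AA3C 1848974
"""

UNEXPECTED_RE = re.compile(
    r"%SUPERVISOR-4-UNEXPECTED: rfd_idx = (?P<rfd_idx>\S+) hwptr (?P<hwptr>\S+) queue (?P<queue>\d+)"
)
TRACEBACK_RE = re.compile(r"-Traceback= (?P<frames>[0-9A-Fa-f ]+)$")
# "12.2(55)SE3" -> major.minor(maintenance)TRAIN rebuild
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)$")

FIXED_IN = (12, 2, 58)  # fix is in 12.2(58)SE per the TAC note


def parse_ios_version(text):
    """Parse '12.2(55)SE' style strings into (major, minor, maint, train, rebuild)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train, int(rebuild or 0))


def is_affected(version_text):
    """True when the release is earlier than 12.2(58)SE."""
    major, minor, maint, _train, _rebuild = parse_ios_version(version_text)
    return (major, minor, maint) < FIXED_IN


def find_supervisor_events(log):
    """Collect each %SUPERVISOR-4-UNEXPECTED message with the traceback that follows it."""
    events = []
    for line in log.splitlines():
        m = UNEXPECTED_RE.search(line)
        if m:
            events.append({"rfd_idx": m.group("rfd_idx"), "hwptr": m.group("hwptr"),
                           "queue": int(m.group("queue")), "traceback": []})
            continue
        m = TRACEBACK_RE.search(line)
        # attach the traceback to the most recent event that has none yet
        if m and events and not events[-1]["traceback"]:
            events[-1]["traceback"] = m.group("frames").split()
    return events


def assess(log, version_text):
    """Summarise the event count, whether the release is affected, and the TAC action plan."""
    events = find_supervisor_events(log)
    affected = is_affected(version_text)
    if events and affected:
        action = "reload as temporary workaround; upgrade to 12.2(58)SE"
    elif events:
        action = "events seen on a release that should already contain the fix"
    else:
        action = "no matching events"
    return {"events": len(events), "affected_release": affected, "action": action}


if __name__ == "__main__":
    print(assess(SAMPLE_SYSLOG, "12.2(55)SE"))
```

Run it over the syslog collected from the switch; the traceback frames are kept per event so a TAC engineer can compare them with the ones in the bug, and the version check stops you from reloading a switch that has already been upgraded past 12.2(58)SE.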