Friday, May 7, 2010

Why ACS replication fails through a firewall..

Ever tried putting a Cisco ACS server on each side of an ASA and getting them to replicate? By default it doesn't work, and it has bugged me for ages as to why. I finally found out today. It's one of those 'once it's explained it's flippin obvious' ones..

I am assuming of course that NAT and ACL entries are correct!


Why you get a problem

ACS replication uses TCP port 2000 by default. What else uses TCP 2000? SCCP (Skinny), the Cisco IP phone signalling protocol, of course! And guess what the ASA inspects by default:


policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!


How to resolve the issue

By default the ASA hands everything on TCP 2000 to the Skinny inspection engine, which sees that it is not valid SCCP and quietly drops it. You can confirm this before changing anything: 'show service-policy inspect skinny' shows the packet and drop counters for the engine, and the drop counter climbs while the two ACS servers keep retrying. You can stop this behaviour in two ways:

1) Disable the inspection completely if you're not using Cisco IPT.
2) Remove it from the default inspection class, and set up a separate class that matches only the traffic you DO want to inspect for SCCP, and inspect only that..
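Option 1 as a CLI session, with the before and after check, is an added example and not from the original post. It assumes the default policy-map and class names (global_policy and inspection_default) and that nothing on the network uses SCCP; if IP phones do pass through the ASA, use option 2 instead.

```text
! Added example (not from the original post). Assumes the default
! global_policy / inspection_default names and that no SCCP is in use.

! Before: confirm the Skinny engine is what is eating the ACS replication
! traffic. The drop counter for 'Inspect: skinny' climbs while ACS retries.
asa# show service-policy inspect skinny

! Option 1: take Skinny inspection out of the default policy entirely.
asa# configure terminal
asa(config)# policy-map global_policy
asa(config-pmap)# class inspection_default
asa(config-pmap-c)# no inspect skinny
asa(config-pmap-c)# end
asa# write memory

! After: the inspection is gone from the running policy, and the ACS
! servers should replicate on the next attempt.
asa# show running-config policy-map global_policy
asa# show service-policy inspect skinny
```

Existing replication connections that were already being dropped will time out on their own; ACS retries, so there is nothing to clear on the firewall.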


Example

Let's say two ACS servers, 1.1.1.1 and 2.2.2.2, need to replicate, and you do use SCCP elsewhere on the network:


access-list NOT-ACS extended deny tcp host 1.1.1.1 host 2.2.2.2 eq 2000
access-list NOT-ACS extended deny tcp host 2.2.2.2 host 1.1.1.1 eq 2000
access-list NOT-ACS extended permit tcp any any eq 2000
!

class-map NOT-ACS
 match access-list NOT-ACS
!

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class NOT-ACS
  inspect skinny
!

Your ACS servers will replicate, and your SCCP still gets inspected..

Two things to note about the access list. A deny entry in an ACL used by 'match access-list' means 'not in this class', so the two deny lines exclude the ACS pair from Skinny inspection while the permit line keeps everything else on TCP 2000 inspected. The ACL lists both directions because the ASA classifies a connection on its first packet, with the initiator as the source, and either server may open the replication connection depending on how replication is set up. Restricting the class to TCP 2000 (rather than 'permit ip any any') also keeps the Skinny engine away from traffic on other ports between those hosts.

Thanks to my old buddy Frank Gannon for spotting this one!

(updated to correct config error spotted by Robert)

3 comments:

Mariusz said...

With ACS 4.2 you may change the replication port to anything between 2010 and 2020.

Robert said...

Thanks for this post. It makes a lot of sense, although the example config doesn't seem to match what you said. Shouldn't the last two lines of the config read:

class NOT-ACS
inspect skinny

Sorry for being pedantic. Correct me if I'm wrong.

Dan Hughes said...

Cough Cough - you're right of course. I'll update the post..