Asynchronous routing within Active Standby ASA pair

Unanswered Question
May 8th, 2008

Hi

I have 2 pairs of ASA5520s, one pair at my Head Office and the other pair at my DR site. They are configured as Active Standby pairs at each site with a VPN tunnel between the two sites.

I have traffic that originates off one of the interfaces on the ASA but arrives back in on a different interface.

Will the ASA support this?

I have VPNs from my field sites that needed to come in and go out on the same interface, so I have configured same-security-traffic permit intra-interface for them, but my WAN has some asynchronous routing that allows traffic to come in on a different interface than it went out on.

Please Help

tj.mitchell Thu, 05/08/2008 - 19:16

The firewall will not allow this, as the state table will show the traffic on one interface and then returning on another. The firewall will deny the traffic as it won't have a SYN to match the ACK.

It sounds like you need to fix the asynchronous routing on the WAN, unless you want that behavior; if so, then I think the design should be reviewed to determine the best location for the firewall installation and configuration.
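
To make the state-table point above concrete, here is a small Python model of a stateful connection table. It is an added illustration written for this thread, not Cisco code and not a faithful model of ASA internals: the `Packet` and `StatefulFirewall` names, the interface names, the addresses and the simplified routing table are all constructed. It shows the two behaviours discussed in the thread: a reply that comes back on a different interface than the SYN left on is dropped because the stored connection does not match, and a flow that needs to enter and leave on the same interface is dropped unless the hairpin (intra-interface) permission is switched on.

```python
"""Toy stateful-firewall model (constructed illustration, not ASA code).

A connection is created only by a SYN and records the ingress interface
it arrived on and the egress interface the route table chose. Later
packets are matched against that entry and must use the same pair of
interfaces; anything else is dropped and the reason is logged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


class StatefulFirewall:
    def __init__(self, routes, intra_interface=False):
        # routes: destination host -> egress interface (constructed, simplified)
        self.routes = routes
        # intra_interface models "same-security-traffic permit intra-interface"
        self.intra_interface = intra_interface
        # (src, sport, dst, dport) -> (ingress_iface, egress_iface)
        self.conns = {}
        self.log = []

    def _drop(self, pkt, reason):
        self.log.append(f"DROP {pkt.iface} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {pkt.flags}: {reason}")
        return "drop"

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Packet in the original direction of an existing connection.
        if fwd in self.conns:
            in_if, _ = self.conns[fwd]
            if pkt.iface != in_if:
                return self._drop(pkt, f"expected on {in_if}")
            return "forward"

        # Reply direction: it must come back on the interface the SYN left on.
        if rev in self.conns:
            _, out_if = self.conns[rev]
            if pkt.iface != out_if:
                return self._drop(pkt, f"reply arrived on {pkt.iface}, connection was built out {out_if}")
            return "forward"

        # No connection yet: only a SYN may create one.
        if pkt.flags != "S":
            return self._drop(pkt, "no SYN seen for this flow")

        egress = self.routes.get(pkt.dst)
        if egress is None:
            return self._drop(pkt, "no route")
        if egress == pkt.iface and not self.intra_interface:
            return self._drop(pkt, "hairpin on same interface not permitted")

        self.conns[fwd] = (pkt.iface, egress)
        return "forward"


def asymmetric_demo():
    """SYN leaves on wan1; the SYN/ACK is tried on wan2 and then on wan1."""
    client, server = "10.1.1.5", "203.0.113.10"   # constructed addresses
    fw = StatefulFirewall(routes={server: "wan1", client: "inside"})
    packets = [
        Packet("inside", client, 40000, server, 443, "S"),
        Packet("wan2", server, 443, client, 40000, "SA"),   # asymmetric return
        Packet("wan1", server, 443, client, 40000, "SA"),   # symmetric return
        Packet("wan1", server, 443, client, 50000, "A"),    # ACK with no SYN
    ]
    return [fw.process(p) for p in packets], fw.log


def hairpin_demo(permit):
    """A field-site flow that enters and leaves on 'outside'."""
    field, rras = "198.51.100.7", "192.0.2.20"   # constructed addresses
    fw = StatefulFirewall(routes={rras: "outside"}, intra_interface=permit)
    return fw.process(Packet("outside", field, 1701, rras, 1701, "S"))


if __name__ == "__main__":
    results, log = asymmetric_demo()
    print(results)          # ['forward', 'drop', 'forward', 'drop']
    print("\n".join(log))
    print(hairpin_demo(False), hairpin_demo(True))   # drop forward
```

Run it as a script to see the decision for each packet and the logged reason for every drop. The second packet in `asymmetric_demo` is the WAN case from the question: the connection exists, but the reply shows up on the wrong interface, so the firewall treats it as not belonging to any SYN it has seen.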

graham.peck Sun, 05/18/2008 - 10:09

Thanks TJ

I have tried to get rid of as much asynchronous traffic as possible, but now have only one issue left where I have about 2000 field clients that terminate VPNs on Microsoft RRAS servers at either my head office or my disaster site. As part of redundancy I have this traffic going down my tunnel from DR should the Head Office link fail to the field. All other traffic goes through the tunnel fine, but RRAS will not terminate, giving a 792 error. It is as if the tunnel is malforming the packets, causing the RRAS server to drop them. In effect I have an IPsec tunnel in an IPsec tunnel. Can I have this, or am I going to have to redesign my WAN?
