Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
515
Views
0
Helpful
3
Replies

Asyncronous routing within Active Standby ASA pair

graham.peck
Level 1
Level 1

‎05-08-2008 02:19 PM - edited ‎03-11-2019 05:42 AM

Hi

I have 2 pairs of ASA5520's one pair at my Head Office the other pair at my DR site. they are configured as Active Standby Pairs at each site with a vpn tunnel between the two sites.

I have traffic that originates off one of the interfaces on the ASA but arrives back in on a different interface.

Will the ASA support this?

I have VPN's from my field sites that needed to come in and go out on the same interface so I have configured the same-security-traffic permit intra-interface for them but my WAN has some asyncronous routing that allows traffic to come in on a different interfacethan it went out on.

Please Help

Labels:
0 Helpful
3 Replies 3

tj.mitchell
Level 4
Level 4

‎05-08-2008 07:16 PM

The firewall will not allow this as the state table will show the traffic on one interface then returning on another. The firewall will deny the traffic as it won't have a syn to match the ack.

It sounds like you need to fix the asynchronise routing on the WAN, unless you want that behavior, if so then I think the design should be reviewed to determine the best location for the firewall installation and configuration.

0 Helpful

graham.peck
Level 1
Level 1
In response to tj.mitchell

‎05-18-2008 10:09 AM

Thanks TJ

I have tried to get rid of as much asynchronis traffic as possible but now have only one issue left where I have about 2000 field clients that terminate VPN's on Microsoft RRAS servers at either my head office or my disaster site. As part of redundancy I have this traffic going down my tunnel from DR should the Head Office link fail to the field. All other traffic goes through the tunnel fine but RRAS will not terminate giving a 792 error. It is as if the tunnel is malforming the packets causing the RRAS server to drop them. In effect I have a ipsec tunnel in a ipsec tunnel. Can I have this or am I going to have to redesign my WAN?

0 Helpful

m.sir
Level 7
Level 7

‎05-18-2008 10:45 PM

For active/active failover is there support for asymetrical routing (using asr-group)

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html#wp1102712

Iam not sure if it fits to your scenario

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card