I have a problem replicating ACS database through an FWSM blade. The primary ACS is under a Mgmt zone in the FWSM. A secondary one, located in the same zone receives replication with no problems. All others that sit outside the Mgmt zone do not receive replication. TCP 2000 required for replication is open along the path. I can see the sessions initiated on the FWSM through CSM, but these sessions expire after the replication timeout and are closed by the FWSM. No trace of connections reaching the secondary ACSes appears in the Database replication log of the receiving ACSes. Any caveats on this issue? NAT shouldn't be an issue here since no NAT is performed along the path. Any ideas?
ASA/FWSM uses TCP port 2000 to inspect the skinny protocol. This can result in
no fixup protocol skinny 2000
If it's not possible for your environment then
1. create an ACL for traffic you want to enable skinny inspection
2. create class-map to match this traffic
3. In global policy, take the skinny inspection out of the class inspection_default, and add it to the class we created in step 2.
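Added worked example (not part of the reply above): steps 1 to 3 expressed as FWSM/ASA Modular Policy Framework configuration, with the legacy one-line alternative shown first. The ACL name SKINNY-ONLY, the class-map name SKINNY-CLASS, the phone subnet 10.1.20.0/24 and the CallManager address 10.1.10.5 are assumptions for illustration, not values from the thread; substitute the real voice addressing, and make sure the ACS servers do not fall inside the range the ACL matches.

```cisco
! Option A (legacy syntax): disable Skinny inspection altogether.
! On ASA 7.x and FWSM 3.x this is converted to "no inspect skinny" under global_policy.
no fixup protocol skinny 2000

! Option B: keep Skinny inspection, but only for genuine phone-to-CallManager traffic.
! Names and addresses below are assumed examples.

! Step 1: ACL that matches only the traffic that really is SCCP.
access-list SKINNY-ONLY extended permit tcp 10.1.20.0 255.255.255.0 host 10.1.10.5 eq 2000

! Step 2: class-map that selects that traffic.
class-map SKINNY-CLASS
 match access-list SKINNY-ONLY

! Step 3: move "inspect skinny" from the default class to the new class.
! inspection_default matches "default-inspection-traffic", which includes every TCP/2000
! flow, so ACS replication on TCP/2000 was being pushed through the SCCP engine.
policy-map global_policy
 class inspection_default
  no inspect skinny
 class SKINNY-CLASS
  inspect skinny

! global_policy is already applied with "service-policy global_policy global" in the
! default configuration; it does not need to be re-applied.

! Verify: the Skinny engine should now count packets only under SKINNY-CLASS.
show service-policy inspect skinny
```

After the change, TCP/2000 between the ACS servers is handled as plain stateful TCP and is no longer subject to SCCP protocol checks; if the other ACS servers still never log an incoming replication, the next thing to check is the interface ACLs and the connection entries on the FWSM with show conn.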