VPN Traffic Issue - Different Default Gateways

Unanswered Question
Oct 27th, 2008

Hi,

I'm running 8.0.4 on two ASAs in active/passive mode with client-to-site IPSEC and SSL VPN tunneling active. This issue occurs whether I connect via IPSEC or SSL VPN.

I have a variety of machines pointing to the ASAs as their default gateway, which work fine using RDP or any other type of connection from the VPN clients. Other servers point to a Sonicwall firewall as their default gateway, which has a route to the ASAs for the network the VPN clients sit on.

The ICMP redirect seems to work correctly, as I see a route entry for the VPN client (pointing to the ASAs) in the route table of the servers that use the Sonicwalls as their default gateway.

From the VPN client, I can ping ALL servers but cannot connect via RDP or any other method to the servers using the Sonicwall. I fired up a sniffer and see an RST coming from the clients back to the server, and I'm not sure why. This is what Wireshark shows:

Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set

Any ideas as to the cause?

Thanks.

-Jamie
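The Wireshark note quoted above is a header-consistency check, not a routing message: a conforming TCP stack sends an acknowledgment number of zero whenever the ACK flag is clear, so a segment that violates that is worth a second look before chasing the route tables. The following is an added example (not code from the original post or from Wireshark): a small TCP header parser that re-implements that check over constructed segments. The ports, sequence numbers and the sample segments are made up for illustration and do not come from the poster's capture.

```python
import struct
from typing import Dict, List

# TCP flag bits from the low byte of the offset/flags word (RFC 793)
FLAG_FIN = 0x01
FLAG_SYN = 0x02
FLAG_RST = 0x04
FLAG_PSH = 0x08
FLAG_ACK = 0x10


def parse_tcp_header(segment: bytes) -> Dict[str, int]:
    """Decode the fixed 20-byte TCP header (options are ignored here)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    src, dst, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "header_len": (off_flags >> 12) * 4,  # data offset is in 32-bit words
        "flags": off_flags & 0x01FF,          # low 9 bits carry the flags
        "window": win,
    }


def check_segment(hdr: Dict[str, int]) -> List[str]:
    """Return the consistency problems a protocol analyzer would flag."""
    notes = []
    flags = hdr["flags"]
    # A compliant stack zeroes the ack field when ACK is clear; a nonzero value
    # is exactly the condition behind Wireshark's "Broken TCP" expert note.
    if hdr["ack"] != 0 and not (flags & FLAG_ACK):
        notes.append("Broken TCP: acknowledgment field is nonzero while the ACK flag is not set")
    if (flags & FLAG_SYN) and (flags & FLAG_FIN):
        notes.append("SYN and FIN set together")
    if hdr["header_len"] < 20:
        notes.append("data offset below the minimum header length")
    return notes


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192) -> bytes:
    """Build a 20-byte header with a zero checksum (enough for offline parsing)."""
    off_flags = (5 << 12) | flags  # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)


# Constructed sample segments for a client-to-RDP (3389) exchange; the sequence
# numbers are invented and do not come from the original capture.
SAMPLES = {
    "syn": build_tcp_header(49152, 3389, 1000, 0, FLAG_SYN),
    "syn_ack": build_tcp_header(3389, 49152, 5000, 1001, FLAG_SYN | FLAG_ACK),
    "rst_no_ack_flag": build_tcp_header(49152, 3389, 1001, 5001, FLAG_RST),
}


def analyze(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each sample name to its list of anomalies (empty when clean)."""
    return {name: check_segment(parse_tcp_header(seg)) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, notes in analyze(SAMPLES).items():
        print(f"{name:16s} {notes or 'ok'}")
```

Only the third constructed segment (an RST with a nonzero acknowledgment number but no ACK flag) trips the check; the SYN and SYN/ACK parse clean. In a real capture the next question is which hop emitted such a segment, since an endpoint stack normally would not.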

j.bourque Tue, 10/28/2008 - 12:27

If you move the DG of a server to the ASA, can you RDP in then? May help rule out the ASA as the problem. Sounds like the traffic is coming in the ASA and trying to go out the Sonicwall. A workaround solution may be to add a route statement to the server stating that the remote VPN client network IP scheme can be found at the ASA: cmd - route add [networkIP] mask [subnetmask] [ASAIPAddress], i.e. route add 10.1.1.0 mask 255.255.255.0 192.168.1.254 from a command prompt. If this resolved the issue then the problem is in the Sonicwall. Please rate if this helps.
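To see why the static route in the reply differs from the ICMP redirect the question describes, here is an added example (not code from the reply or from any vendor) that models the server's forwarding decision as a longest-prefix-match over its route table. The VPN pool 10.1.1.0/24 and the ASA address 192.168.1.254 are the values from the reply's `route add` line; the server LAN 192.168.1.0/24, the Sonicwall address 192.168.1.1 and the client addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ON_LINK = "on-link"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # gateway address, or ON_LINK for the directly attached subnet
    source: str     # "connected", "default", "static" or "redirect"


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching entry wins."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Gateway the host would hand a packet for dst to (None if unroutable)."""
    r = lookup(table, dst)
    return r.next_hop if r else None


def route_add(table: List[Route], network: str, mask: str, gateway: str,
              source: str = "static") -> List[Route]:
    """Model of `route add <network> mask <mask> <gateway>`; returns a new table."""
    return table + [Route(ipaddress.IPv4Network(f"{network}/{mask}"), gateway, source)]


# Constructed addresses for the server LAN side; see the lead-in for provenance.
SONICWALL = "192.168.1.1"
ASA = "192.168.1.254"

BASE_TABLE = [
    Route(ipaddress.IPv4Network("192.168.1.0/24"), ON_LINK, "connected"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), SONICWALL, "default"),
]


def with_redirect(table: List[Route], client_ip: str) -> List[Route]:
    """What an ICMP redirect leaves behind: a /32 host route for one client only."""
    return route_add(table, client_ip, "255.255.255.255", ASA, source="redirect")


def with_static_route(table: List[Route]) -> List[Route]:
    """The reply's suggestion: one route covering the whole VPN client pool."""
    return route_add(table, "10.1.1.0", "255.255.255.0", ASA)


if __name__ == "__main__":
    scenarios = [
        ("default gateway only", BASE_TABLE),
        ("after an ICMP redirect for 10.1.1.25", with_redirect(BASE_TABLE, "10.1.1.25")),
        ("after the static pool route", with_static_route(BASE_TABLE)),
    ]
    for label, tbl in scenarios:
        print(label)
        for client in ("10.1.1.25", "10.1.1.26"):
            print(f"  reply to {client} leaves via {next_hop(tbl, client)}")
```

With only the default route, every reply to a VPN client leaves through the Sonicwall while the request arrived through the ASA. A redirect repairs that for one client address at a time (10.1.1.26 still goes to the Sonicwall), whereas the /24 static route sends the whole pool back through the ASA, which is the symmetric path the reply is aiming for. On Windows, `route add` without `-p` is lost at reboot; `route -p add ...` makes the entry persistent.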
