ASA asymmetric routing, it doesn't see the SYN/ACK coming back, then resets connec..

Nov 26th, 2008

I have a topology where an ASA is the default gateway for the network.


There is a network that the ASA reaches via another router on the inside network.


Then, when a host wants to reach this network and goes to the ASA, as it is the host's default gateway, the ASA sends the traffic coming from the inside to a router that is also on the inside.


When the traffic comes back from the destination, it comes from the WAN to this router (the one the ASA sent the traffic to), and this router sends it directly to the host, not to the ASA, because this router already knows this host locally.


Then, as the ASA sees a TCP SYN going to the destination but does not see the TCP SYN/ACK coming back, it sends a TCP RST to the destination.


How can I prevent it?


I'm using version 8.x, and I already tried to disable basic threat-detection....


Thanks.

Jon Marshall Wed, 11/26/2008 - 03:23

A couple of things spring to mind:


1) Change the default gateway to be the internal router. This may or may not fit into your topology. Presumably the ASA is for Internet access? If so, you could add a default route on the internal router pointing to the ASA.


2) NAT the source IP address as it goes through the ASA to the ASA inside interface. Then the WAN router would have to send the return traffic back to the ASA.


I would choose option 1 if at all possible.


Jon

guibarati Wed, 11/26/2008 - 07:55

I ended up finding out that the one sending the reset is the originating host itself, not the ASA.


It seems the ASA is randomizing the sequence number of the packet, so when it comes back to the host without going through the ASA, the host sees a wrong sequence number and sends a reset.


I will disable packet randomization for the desired traffic and see how it goes.


Thanks,
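Added example, not from the thread: an ASA 8.x Modular Policy Framework configuration that turns off TCP initial-sequence-number randomization only for the flows whose return path bypasses the ASA, so the originating host sees the sequence numbers it expects. The addresses, ACL and policy names are constructed placeholders.

```cisco
! Added example (not from the thread). Constructed placeholders:
!   10.1.1.0/24     = inside hosts that use the ASA as default gateway
!   192.168.50.0/24 = the network reached via the internal router
!
! 1. Match only the TCP flows whose return traffic comes back around the ASA.
access-list ASYM-TCP extended permit tcp 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 2. Bind that ACL to a traffic class.
class-map ASYM-TCP-CLASS
 match access-list ASYM-TCP
!
! 3. Disable ISN randomization for this class only; all other traffic keeps it.
policy-map ASYM-TCP-POLICY
 class ASYM-TCP-CLASS
  set connection random-sequence-number disable
!
! 4. Apply the policy on the interface where the SYN from the hosts arrives.
service-policy ASYM-TCP-POLICY interface inside
!
! Verify the policy is active and that the class is matching flows:
!   show service-policy interface inside
!   show conn address 10.1.1.0 netmask 255.255.255.0
```

Keep the access-list narrow: the ASA randomizes ISNs to shield hosts whose own sequence-number generation is predictable, so only the flows that genuinely return around the ASA should lose that protection. An interface takes a single service-policy, so if "inside" already has one, add the class to that existing policy-map instead of attaching a second one.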
