Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
360
Views
4
Helpful
2
Replies

VPN traffic issues.

incognito_54
Level 1
Level 1

‎01-13-2009 12:28 PM - edited ‎03-11-2019 07:36 AM

I have an ASA and a load balancer (F5) that i'm trying to configure as follows and experiencing routing issues.

A load balancer with 4 ports.

Port 1 connected to ISP 1

Port 2 connected to ISP 2

Port 3 connected to ASA outside interface.

Port 4 currently not connected.

ASA default route is set to point to the IP address of Port 3 on the load balancer. This IP address is a private IP address.

I'm looking to use this same ASA for VPN. As such i want to activate port 4 on the load balancer. Port 4 will be in the address space of ISP 1. Port 4 from the Load balancer will connect to Interface 4 on the ASA. Interface 4 on the ASA has a public IP address in the space of ISP 1. Interface 4 on the ASA will thus be my VPN termination point.

When users connect to the VPN they connect to an IP address in the space of ISP 1. This traffic is then routed to ASA interface 4.

The problem occurs when users connect to the VPN. Their traffic gets dropped by the ASA as it cannot find a route back to them. The default route set on the ASA(A private IP address) points to port 3 of the LB, which is not where their traffic came from in the first place.

I hope this lengthy expl. makes sense.

Please help. Pulling hair out.

Thanks

.a

Labels:
0 Helpful
2 Replies 2

Fernando_Meza
Level 7
Level 7

‎01-13-2009 01:55 PM

Hi,

Unfortunately your current set up is causing asymmetric routing which the firewall will drop. This is by design. You need to either configure Public IP to the ASA's outside interface ( and reconfigure the load balancer accordingly )and terminate the VPNs there or configure the routing on the ASA so that default route is by interface 4

I hope it helps .. please rate helpful posts

incognito_54
Level 1
Level 1
In response to Fernando_Meza

‎01-14-2009 01:15 PM

Thank you much for your response. I've tried terminating IPSEC connections at the load balancer but this breaks the VPN connection as the ASA is the intended termination point.

Changing the IP address of the outside interface of the ASA would force traffic to go outbound via only one interface on the load balancer negating the use of the load balancer.

Thanks for your time.

Sky.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card