We have the following setup:
Data Center--> 2 6506 Switches (vss)--> 2 ASAs (Active/Standby) Outside--> 7206 Router connecting several E1 (G.703) sites
OSPF is running on 6506, ASA, and routers.
ASA is running 7.0 code, no NAT is configured.
One of our remote sites connected via a 2mb E1 G.703 link was being denied by the ASA, with many messages like the one below.
%asa-2-106001: Inbound tcp connection denied from "DataCenter server ip"/80 to "Remote site ip"/1535 flags syn ack on interface outside
I was also getting many messages like - UDP denied due to DNS reply. This site had been running fine for 2 months before this incident.
I was able to telnet from my PC (ASA inside segment) to the remote site router, but couldn't get any further. None of the remote site users were able to access the data center resources.
The problem was resolved when I shut down the serial interface on the 7206 router connecting to that site and no shut it again.
Now I do not suspect any syn attack since the connection was fine after the interface was reset.
Could it be asymmetric routing, although this is a point-to-point link?
Can our SP cause asymmetric routing? To be more specific, can asymmetric routing occur due to layer 2 issues? The reason behind my question is that previously we faced a link problem with the same remote site and it was SP related: they had 2 active connections to the site although we have 1 E1 circuit.
I wonder if there are any other reasons that I might have overlooked.
All help is appreciated.
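
An added example, not part of the original post: a log triage pass over 106001 denials like the one quoted above. It separates lone-SYN denials (a new connection refused by policy) from denials of segments such as SYN ACK, for which the firewall holds no connection state. The sample lines, the documentation-range addresses, the function names and the threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the message quoted in the post;
# all addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/80 to 198.51.100.20/1535 flags SYN ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/80 to 198.51.100.20/1536 flags SYN ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/443 to 198.51.100.21/2001 flags ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/40000 to 192.0.2.10/23 flags SYN on interface outside
%ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.20/23 (198.51.100.20/23) to inside:192.0.2.50/1100 (192.0.2.50/1100)
"""

DENY_RE = re.compile(
    r"%ASA-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)",
    re.IGNORECASE,
)

def classify(flags):
    """Heuristic: a lone SYN is a new connection refused by policy; anything
    else is a mid-connection segment the firewall holds no state for."""
    return "new-connection" if set(flags.upper().split()) == {"SYN"} else "no-state"

def summarize(log_text):
    """Count 106001 denials per (src, dst, interface, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            key = (m["src"], m["dst"], m["ifc"].lower(), classify(m["flags"]))
            counts[key] += 1
    return counts

def stateless_pairs(log_text, threshold=2):
    """Host pairs with repeated no-state denials: candidates for a path check
    (does the first SYN cross the same firewall interface as the reply?)."""
    return sorted(
        (src, dst, ifc, n)
        for (src, dst, ifc, cls), n in summarize(log_text).items()
        if cls == "no-state" and n >= threshold
    )

if __name__ == "__main__":
    for src, dst, ifc, n in stateless_pairs(SAMPLE_LOG):
        print(f"{n} no-state denials {src} -> {dst} on {ifc}")
```

Repeated no-state denials for one host pair point at the forwarding path or lost connection state rather than at the access policy, which is the distinction the post is trying to draw.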