ASA 5520 intra interface routing problem with FWX_E_SEQ_ACK_MISMATCH on ISA 2006

versitycontract
Level 1

Hello,

I have a weird problem with intra-interface routing on a Cisco ASA 5520. I wonder if it's even possible to solve that. Please advise...

Description:

We would like to have the ASA 5520 as default gateway and VPN end-point for subsidiaries. In the attachment is a very simple network diagram. The problem is that the ASA 5520 doesn't have a public IP, it has only a private IP and the default route is set to 10.1.1.2 (ISA Server 2006 - firewall for internet access). I have permitted "same-security-traffic permit inter-interface" but communication doesn't work. Packets for public IP addresses leave the ASA for the ISA firewall (inside to inside interface) but nothing comes back and the TCP connection is reset by the ISA server. The problem in the ISA logs is:

FWX_E_SEQ_ACK_MISMATCH - A TCP packet was rejected because it has an invalid sequence number or an invalid acknowledgement number. Error 0xc0040034. This ACK Mismatch check cannot be disabled. Inside to inside addresses are in NAT exclusion.

Data flow from subsidiaries works correctly and the internet is accessible via the ISA server (interface outside->inside->ISA server on inside), only inside-inside traffic doesn't work. Security levels are set to 0. The complete configuration is attached. VRF routing like on a Cisco router is not supported on the ASA.

Thanks a lot for advice!

3 Replies

Jennifer Halim
Cisco Employee

That will not work as it will cause TCP asymmetric routing as follows:

1) From the 10.1.1.0 subnet, the SYN packet will be routed towards the ASA, and the ASA will forward it to the ISA server (assuming you have "same-security-traffic permit intra-interface").

2) The SYN-ACK from the internet will be routed towards the ISA server, and instead of forwarding the SYN-ACK back to the ASA, because the ISA server's inside interface is in the same subnet as the 10.1.1.0 subnet, the SYN-ACK packet will be routed directly towards the 10.1.1.0 hosts.

3) The host will respond with an ACK packet towards the ASA because it's its default gateway, and the ASA will reject that because the ASA never sees the SYN-ACK packet.

The ASA never sees the complete TCP 3-way handshake, therefore the connection is dropped.

The only way for the 10.1.1.0 subnet to have connectivity to the internet is to configure its default gateway as the ISA server (10.1.1.2).

Hope it helps.

Hi, it seems logical. But we have a similar configuration in our own network; the only difference is that we don't have an ASA but a Cisco 1800. The Cisco router is the gateway for computers and has a default route to the ISA server with internet connectivity on the same interface. The Cisco 1800 is not under my administration.

I would like to have a configuration like: http://www.cisco.com/image/gif/paws/71342/intra-interface-communications-1.gif and it is possible as I can see from http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml . But I think that I am missing something..

The problem with the ISA server as default gateway is communication between subsidiaries, and more exactly direct PC-PC communication, because of ISA as gateway. With the ASA as default gateway ping is working properly, but TCP connections have the ACK problem..

Unfortunately the ASA firewall is a security device, and a stateful firewall, hence it is keeping track of the connection table, and an incomplete TCP connection is deemed to be not secure (possibly an attack), unlike a router which is a routing device, so it doesn't keep track of a connection table but just routes traffic.

Ping will definitely work, and UDP traffic will work too as they are connectionless. The only traffic that won't work is TCP traffic.
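The two explanations above (the asymmetric handshake in the first reply, and stateful firewall versus router in the second) can be replayed with a small simulation. This is an added example, not ASA or ISA code: it models a minimal connection table that only admits a TCP flow whose SYN, SYN-ACK and ACK all passed through the device, and compares it with a stateless router and with connectionless traffic. The addresses are constructed sample values.

```python
"""Model of why a stateful firewall drops an asymmetric TCP handshake."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: str = ""  # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


class StatefulFirewall:
    """Simplified ASA-style connection table: a TCP flow must complete the
    three-way handshake *through* the firewall before later packets pass."""

    def __init__(self):
        self.table = {}  # (src, dst) -> handshake state

    def forward(self, pkt):
        if pkt.proto != "tcp":
            return True  # ICMP/UDP are connectionless: nothing to verify
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":
            self.table[fwd] = "SYN_SEEN"          # step 1: SYN from the host
            return True
        if pkt.flags == "SA" and self.table.get(rev) == "SYN_SEEN":
            self.table[rev] = "SYNACK_SEEN"       # step 2: SYN-ACK returned
            return True
        if pkt.flags == "A" and self.table.get(fwd) == "SYNACK_SEEN":
            self.table[fwd] = "ESTABLISHED"       # step 3: ACK completes it
            return True
        return False  # out-of-state packet: the firewall drops it


class StatelessRouter:
    """A plain router keeps no connection table and forwards everything."""

    def forward(self, pkt):
        return True


def run_handshake(device, synack_via_device):
    """Replay the handshake; return the device's verdict on the final ACK."""
    host, server = "10.1.1.10", "203.0.113.5"  # constructed sample addresses
    device.forward(Packet("tcp", host, server, "S"))
    if synack_via_device:
        device.forward(Packet("tcp", server, host, "SA"))
    # otherwise the SYN-ACK went from the ISA straight to the host (asymmetric)
    return device.forward(Packet("tcp", host, server, "A"))
```

Running `run_handshake(StatefulFirewall(), synack_via_device=False)` reproduces the thread's symptom: the SYN leaves, the SYN-ACK bypasses the firewall, and the host's ACK is dropped; the same replay against `StatelessRouter()` is forwarded, as on the Cisco 1800.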
