01-15-2012 02:55 AM
Hello,
I have two WAE 574 devices and a CM 274 all running code level 4.3.1.6, The CM is behind a PIX firewall. There is no firewall between the branch and core WAE. The branch device is behind a NAT router. The CM and SSL ASA rea behind a PIX 515 firewall. The branch WAE is running inline mode and the core WAE is using WCCP redirection. Both the CM and SSL ASA are reverse NATted on the PIX firewall. The branch WAE has the primary interface unchecked on the CM and is using the NAT address.
I am getting asymmetric route issues. This is because for some reason the NAT address of the branch WAE sends the SYN which is responded to but the ACK is coming from the unnatted private address. When I turn off directed mode I can see optimisation start for some sessions but not for the SSL
ASA.
Example
Branch WAE Private 192.68.1.45
Branch WAE Public 206.99.88.10
CM private 192.168.20.9
CM public 240.10.10.20
PIX log
an 15 2012 11:50:58: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Although the PIX NATs the CM address, the core WAE is still still seeing it's private address.
Do you have any idea what could be causing this ?
Best regards
Stephen
Jan 15 2012 11:51:12: %PIX-5-106100: access-list DMZ_access_in denied tcp DMZ/192.168.20.9(443) -> outside/206.99.88.10(46871) hit-cnt 1 f]
Jan 15 2012 11:51:31: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:51:37: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46847 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:52:08: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/49634 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) ]
Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:WAD)
Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface e
Solved! Go to Solution.
01-16-2012 01:28 AM
Hi Stephen,
To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.
Regards
Daniel
01-16-2012 01:28 AM
Hi Stephen,
To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.
Regards
Daniel
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide