I have an ACS 4.0(1) for Windows server with an internal database failing to replicate to a second 4.0(1) server over the WAN.
The two sites are connected by a PIX VPN. The primary is running 7.0(4). The secondary is running 6.3(3). The ACS servers are on the same L3 segment as the PIX internal interfaces. We are not NATing (nonat) on the VPN between the two sites.
A sniff of the replication traffic on the primary server shows a TCP session setup on port 2000 as expected. The primary server sends two PSH packets and sees an ACK for each from the secondary. The primary sends out no more packets and five minutes later issues a RST.
A concurrent sniff on the secondary server shows the session setup (3 packets). It does not receive or reply to the two PSH packets from the primary. The only other packet it sees is the RST five minutes later.
I ran a capture on the inside interfaces of the PIXs and found that the PIX at the primary site receives the TCP PSH and shows replies. The PIX at the secondary site does not send out the TCP PSH or show replies.
I have heard that earlier versions of ACS may have had problems conducting internal replication over a VPN. I can accept that 4.0 may not be able to do this. What I am trying to find out is:
1. How can I see an ACK from the secondary ACS server to the primary's PSH when the secondary never receives the PSH? There are no proxy or caching servers in the path.
2. What is it about the TCP PSH packet that it does not make it through the tunnel when the SYN packets do?
I have attached the capture that has been run on each of the PIXs.
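The hop-by-hop comparison described in the post, as an added example that is not part of the original post: packets are matched across the four capture points to show where a segment disappears and which replies do not appear in the capture taken on the host they are addressed from. The packet tuples are constructed sample data modelled on the description above, and the function names are hypothetical.

```python
# Constructed packet summaries (not taken from the attached captures):
# (source, flags, relative seq, relative ack, payload length); relative numbers
# let the capture points be compared even if absolute sequence numbers differ.
P, S = "primary", "secondary"
HANDSHAKE = [(P, "S", 0, 0, 0), (S, "SA", 0, 1, 0), (P, "A", 1, 1, 0)]
PUSHES = [(P, "PA", 1, 1, 100), (P, "PA", 101, 1, 60)]
ACKS = [(S, "A", 1, 101, 0), (S, "A", 1, 161, 0)]
RESET = [(P, "R", 161, 1, 0)]

# Capture points in path order, primary to secondary.
PATH = ["primary_acs", "primary_pix_inside", "secondary_pix_inside", "secondary_acs"]
CAPTURES = {
    "primary_acs": HANDSHAKE + PUSHES + ACKS + RESET,
    "primary_pix_inside": HANDSHAKE + PUSHES + ACKS + RESET,
    "secondary_pix_inside": HANDSHAKE + RESET,
    "secondary_acs": HANDSHAKE + RESET,
}


def lost_in_transit(captures, path, sender):
    """Map each packet from `sender` that went missing to the hop where it vanished."""
    hops = path if sender == P else path[::-1]
    lost = {}
    for pkt in captures[hops[0]]:
        if pkt[0] != sender:
            continue
        for near, far in zip(hops, hops[1:]):
            if pkt not in captures[far]:
                lost[pkt] = (near, far)
                break
    return lost


def orphan_replies(captures, path, sender):
    """Packets addressed from `sender` that its own capture never recorded."""
    origin = path[0] if sender == P else path[-1]
    sent = set(captures[origin])
    orphans = {}
    for point in path:
        for pkt in captures[point]:
            if pkt[0] == sender and pkt not in sent:
                orphans.setdefault(pkt, []).append(point)
    return orphans


if __name__ == "__main__":
    print("lost:", lost_in_transit(CAPTURES, PATH, P))
    print("orphan replies:", orphan_replies(CAPTURES, PATH, S))
```

With real captures, the tuples would be filled from each trace's TCP summary for the port 2000 session before running the comparison.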