Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Identifying and Troubleshooting Asymmetric Routing in WAAS

 

 

Introduction

Asymmetric routing occurs when traffic does not traverse the same path in both directions of a conversation. While routing protocols ensure that loops are avoided, the symmetry of bidirectional traffic flows cannot be guaranteed when destination prefixes are reachable by multiple paths.

 

Asymmetric Routing

In Asymmetric routing, a packet traverses from a source to a destination in one path and takes a different path when it returns to the source. This is commonly seen in Layer-3 routed networks. Asymmetric routing is not a problem by itself, but will cause problems when Network Address Translation (NAT) or firewalls are used in the routed path. A branch site that has multiple WAN connections, with either a single router or multiple routers, is always prone to asymmetric routing. This can occur because the routing protocol on each end selects a different path, by load or session balancing, or even by path optimization mechanisms.

 

Identifying Asymmetric Routes

Asymmetric routing can be caused by a variety of factors, including bad network design, wrong device config, policy based routing etc. To Identify asymmetric routes follow these steps:

 

a) Check the connections on the WAE that may have Asymmetry.

 

sh stat conn | inc Asym

 

This will list Asymmetric connection. Let us say you have gone through the connection and identified 4 subnets that these connections belong to.

 

b) Check the connection in WAE for the same subnets; either same hosts or different hosts and they have been optimized. If the connections are present then the chances are that you no longer have Asymmetric issue.

 

c) If you still notice that connections are asymmetric, then do a regular traceroute and telnet hop by hop. Telnet will get redirected by TCP on the interface where WCCP is and you will see the multiple redirections which will help you resolve the issue. An easier way is to download the tool tcptraceroute to a PC on one of the boxes and run the tcptraceroute command. The output of that command will show multiple redirections.

 

Troubleshoot

Without proper design and placement of network services, asymmetric routing can create challenges in networks. For example, asymmetric routing results in suboptimal TCP performance; TCP assumes that the SYN from one end and the ACK from other end traverse the same path. Because data does not traverse the same physical path in both directions, this results in suboptimal TCP performance.

Troubleshooting Asymmetric routing simply involves changes in routing information that was responsible for this. Checking that networks/subnets are perfectly matched by subnet masks and there is no static routing causing the issue. Check and remove WCCP from one of the multiple redirections to the same WAE. However in some cases where a part of network is handled by an ISP or a vendor, it is advised to contact the repective organization and work with them to resolve the issue.

 

Verify

To verify asymmetric routing check the following.

Does a traceroute from the data center towards the remote not follow the same path as from the remote to the data center?

What are the WAAS units reporting?

What is the output of a command like 'show stat conn' show? Do you see connections in progress or partial?

 

Related Information

Cisco WAAS: Basic Troubleshooting and Gathering Information

Debugging High CPU in WAAS Deployment

Comments

Search

 

Remote Access VPN on ASA - Authentication using LDAP Server

Document

May 3, 2013 12:54 PM
2 years ago

 

 

 

Introduction

This document provides an example on how to Configure Remote Access VPN on ASA and do the Authentication using LDAP server

Prerequisites

ASA and LDAP server both should be reachable.
 

Components Used

1. ASA 8.2

2. LDAP (Microsoft)

Configuration Remote Access VPN on ASA

interface configuration:

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config)# no shutdown

Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha 
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside

Configuring an Address Pool

hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15

Adding a User

hostname(config)# username testuser password 12345678

Creating a Transform Set

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

Creating a Tunnel group

hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx

Creating a Dynamic crypto map

hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route

Creating a Crypto Map Entry to Use the Dynamic Crypto Map

hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

Configuring LDAP server on the ASA

ciscoasa(config-aaa-server-group)#aaa-server LDAP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)#ldap-base-dn dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-dn cn=admin, cn=users, dc=ftwsecurity, dc=cisco, dc=com
ciscoasa(config-aaa-server-host)#ldap-login-password **********
ciscoasa(config-aaa-server-host)#ldap-naming-attribute sAMAccountName
ciscoasa(config-aaa-server-host)#ldap-scope subtree
ciscoasa(config-aaa-server-host)#server-type microsoft
ciscoasa(config-aaa-server-host)#exit

Assigning LDAP server under tunnel group

ciscoasa(config)#tunnel-group testgroup general-attributes
ciscoasa(config-tunnel-general)#authentication-server-group LDAP

Verifcation

Test with CLI:

You can use the test command on the command line in order to test your AAA setup. A test  request is sent to the AAA server, and the result appears on the command line.

ciscoasa#test aaa-server authentication LDAP host 192.168.1.2
   username cisco password cisco123INFO: Attempting Authentication test to IP address <192.168.1.2>
   (timeout: 12 seconds)
INFO: Authentication Successful

Troubleshoot

If unsure of the current DN string to use, you can issue the dsquery command on a Windows Active Driectory server from a command prompt in  order to verify the appropriate DN String of a user object.

C:\Documents and Settings\Administrator>dsquery user -samid cisco!--- Queries Active Directory for samid id "cisco""CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com"

The debug ldap 255 command can help to troubleshoot authentication problems in this  scenario. This command enables LDAP debugging and allows you to watch  the process that the ASA uses to connect to the LDAP server.

Debug - Successful authentication

ciscoasa#debug ldap 255[7] Session Start
[7] New request Session, context 0xd4b11730, reqType = 1
[7] Fiber started
[7] Creating LDAP context with uri=ldap://192.168.1.2:389
[7] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[7] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[7] supportedLDAPVersion: value = 3
[7] supportedLDAPVersion: value = 2
[7] supportedSASLMechanisms: value = GSSAPI
[7] supportedSASLMechanisms: value = GSS-SPNEGO
[7] supportedSASLMechanisms: value = EXTERNAL
[7] supportedSASLMechanisms: value = DIGEST-MD5

!--- The ASA connects to the LDAP server for admin bind and search for cisco.
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=cisco]
        Scope   = [SUBTREE]
[7] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com][7] Talking to Active Directory server 192.168.1.2
[7] Reading password policy for cisco, dn:CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com

!--- The ASA binds to the LDAP server as cisco to test the password.
[7] Binding as user
[7] Performing Simple authentication for kate to 192.168.1.2
[7] Checking password policy for user cisco
[7] Binding as administrator
[7] Performing Simple authentication for admin to 192.168.1.2
[7] Authentication successful for kate to 192.168.1.2
[7] Retrieving user attributes from server 192.168.1.2[7] Retrieved Attributes:
[7]     objectClass: value = top
[7]     objectClass: value = person
[7]     objectClass: value = organizationalPerson
[7]     objectClass: value = user
[7]     cn: value = cisco
[7]     givenName: value = cisco
[7]     distinguishedName: value = CN=cisco,CN=Users,DC=ftwsecurity,
           DC=cisco,DC=com
[7]     instanceType: value = 4
[7]     whenCreated: value = 20070815155224.0Z
[7]     whenChanged: value = 20070815195813.0Z
[7]     displayName: value = cisco
[7]     uSNCreated: value = 16430
[7]     memberOf: value = CN=Castaways,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7]     memberOf: value = CN=Employees,CN=Users,DC=ftwsecurity,DC=cisco,DC=com
[7]     uSNChanged: value = 20500
[7]     name: value = cisco
[7]     objectGUID: value = ..z...yC.q0.....
[7]     userAccountControl: value = 66048
[7]     badPwdCount: value = 1
[7]     codePage: value = 0
[7]     countryCode: value = 0
[7]     badPasswordTime: value = 128321799570937500
[7]     lastLogoff: value = 0
[7]     lastLogon: value = 128321798130468750
[7]     pwdLastSet: value = 128316667442656250
[7]     primaryGroupID: value = 513
[7]     objectSid: value = ............Q..p..*.p?E.Z...
[7]     accountExpires: value = 9223372036854775807
[7]     logonCount: value = 0
[7]     sAMAccountName: value = cisco
[7]     sAMAccountType: value = 805306368
[7]     userPrincipalName: value = cisco@ftwsecurity.cisco.com
[7]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,
           DC=ftwsecurity,DC=cisco,DC=com
[7]     dSCorePropagationData&colon; value = 20070815195237.0Z
[7]     dSCorePropagationData&colon; value = 20070815195237.0Z
[7]     dSCorePropagationData&colon; value = 20070815195237.0Z
[7]     dSCorePropagationData&colon; value = 16010108151056.0Z
[7] Fiber exit Tx=685 bytes Rx=2690 bytes, status=1
[7] Session End

Debug - Authentication fails - Incorrect Password

ciscoasa#debug ldap 255[8] Session Start
[8] New request Session, context 0xd4b11730, reqType = 1
[8] Fiber started
[8] Creating LDAP context with uri=ldap://192.168.1.2:389
[8] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[8] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[8] supportedLDAPVersion: value = 3
[8] supportedLDAPVersion: value = 2
[8] supportedSASLMechanisms: value = GSSAPI
[8] supportedSASLMechanisms: value = GSS-SPNEGO
[8] supportedSASLMechanisms: value = EXTERNAL
[8] supportedSASLMechanisms: value = DIGEST-MD5

!--- The ASA connects to the LDAP server as admin to search for cisco.
[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=kate]
        Scope   = [SUBTREE]
[8] User DN = [CN=cisco,CN=Users,DC=ftwsecurity,DC=cisco,DC=com][8] Talking to Active Directory server 192.168.1.2
[8] Reading password policy for cisco, dn:CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com
[8] Read bad password count 1

!--- The ASA attempts to bind as cisco, but the password is incorrect.
[8] Binding as user
[8] Performing Simple authentication for kate to 192.168.1.2
[8] Simple authentication for cisco returned code (49) Invalid credentials[8] Binding as administrator
[8] Performing Simple authentication for admin to 192.168.1.2
[8] Reading bad password count for cisco, dn: CN=cisco,CN=Users,
       DC=ftwsecurity,DC=cisco,DC=com
[8] Received badPwdCount=1 for user cisco
[8] badPwdCount=1 before, badPwdCount=1 after for cisco
[8] now: Tue, 28 Aug 2007 15:33:05 GMT, lastset: Wed, 15 Aug 2007 15:52:24 GMT,
       delta=1122041, maxage=3710851 secs
[8] Invalid password for cisco
[8] Fiber exit Tx=788 bytes Rx=2904 bytes, status=-1
[8] Session End

Debug - Authentication Fail - User not found on LDAP server

ciscoasa#debug ldap 255[9] Session Start
[9] New request Session, context 0xd4b11730, reqType = 1
[9] Fiber started
[9] Creating LDAP context with uri=ldap://192.168.1.2:389
[9] Connect to LDAP server: ldap://192.168.1.2:389, status = Successful
[9] defaultNamingContext: value = DC=ftwsecurity,DC=cisco,DC=com
[9] supportedLDAPVersion: value = 3
[9] supportedLDAPVersion: value = 2
[9] supportedSASLMechanisms: value = GSSAPI
[9] supportedSASLMechanisms: value = GSS-SPNEGO
[9] supportedSASLMechanisms: value = EXTERNAL
[9] supportedSASLMechanisms: value = DIGEST-MD5

!--- The user Minakshi is not found.
[9] Binding as administrator
[9] Performing Simple authentication for admin to 192.168.1.2
[9] LDAP Search:
        Base DN = [dc=ftwsecurity, dc=cisco, dc=com]
        Filter  = [sAMAccountName=minakshi]
        Scope   = [SUBTREE]
[9] Requested attributes not found[9] Fiber exit Tx=256 bytes Rx=607 bytes, status=-1
[9] Session End

Please post comments if there are any queries and rate if useful.

 

Scenario 2:

Problem:

Is it possible to strip the suffix from a username to authenticate against an active directory in ACS 5.4? I can find this when using an external proxy service, but not for network access.

Solution:

Username suffix/prefix stripping is possible when using:
LDAP
Radius Identity server
External Proxy
With AD, the option is unavailable.
Self proxy + AD is a workaround but that has some limitations and is a complex configuration.

 

Source Discussion:

CSC Discussion:

 
 
expertadvisor20151 about 4 hours ago
 

To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.

Also, recent blog : Intelligent Traffic Director @ Cisco Live Milan

 

ITD Provides CAPEX and OPEX Savings for Customers

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.

ITD is much superior than legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.

 

7514
Views
0
Helpful
1
Comments