Cisco Support Community
Community Member

ASA 5510 Dual internet connections getting Deny Reverse Path Check

I have an ASA 5510 with 2 "outside" interfaces connected. (All addresses are fake to protect the innocent.)

One with Verizon: 63.1.1.2 /28 (main internet connection, VPN tunnels attached); the interface is named "fiber".

And one with Comcast: 50.1.1.5 /28; the interface is named "comcast".

The Comcast network has a guest wireless router attached to it for cellphones, guest laptops etc. (50.1.1.6). This keeps the BYOD off my LAN.

I had to put in static routes to all my remote offices because when I turned Comcast on initially, 1/2 of my tunnels dropped.

Now all my tunnels are stable.

I am now getting "Deny TCP reverse path check" from 50.1.1.6 (wireless router) to 63.1.1.2 on interface fiber.

If I try to add a static route for these devices, it says that a connected route exists.

Any idea how I can get this to stop? It looks like I'm being attacked, and it's filling up the ASDM logs so I can't see any real issues.

2 REPLIES
Hall of Fame Super Silver

An ASA can only have one default route. Also, it does not do policy-based routing. For that reason we can very seldom connect a given ASA to two routers and have it dynamically steer some flows to one and others to another. When we have a second ISP (and no router we control upstream), we typically use an IP SLA operation with a route that tracks the success of that operation to decide if/when to flip all traffic to the second route.

How does your guest traffic know to take the comcast route outbound?

Community Member

The Comcast network is attached as a backup route in case Verizon goes down. I'm doing SLA tracking.

The Comcast connection to the ASA is 50.1.1.5 on a /28 network (not the real address).

My guest network is a separate router attached to the same subnet as my Comcast interface.

The guest router is attached to 50.1.1.6 (outside the ASA) and uses the default router of 50.1.1.1.

The problem is, when users try to attach to OWA or CAS using the named address of my ASA, 60.1.1.2, they route out through Comcast's network and back into Verizon's; but because they are presenting themselves as 50.1.1.6, the ASA sees that as a connected subnet and gives me a reverse path verify failure.

If I traceroute from 50.1.1.6 to 60.1.1.2, it follows the proper routes. It goes all the way out Comcast's network to the backbone of Verizon, then back in.
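To make the drop mechanism concrete, here is an added Python model of the unicast reverse-path check, written for this thread and not taken from Cisco or from either poster: it does a longest-prefix lookup on the packet's source address and passes only when that route's egress interface is the interface the packet arrived on. The routing table is constructed from the fake addresses in the thread, with the fiber default route installed and the SLA-tracked Comcast backup held back, as the poster describes; the `add_static` helper models the "connected route exists" rejection quoted in the question.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    kind: str  # "connected" (interface subnet) or "static"


# Constructed routing table built from the thread's placeholder addresses.
# The two connected routes come from the interface subnets; the default
# route points out fiber while the SLA-tracked backup is not installed.
ROUTES = [
    Route(ipaddress.ip_network("63.1.1.0/28"), "fiber", "connected"),
    Route(ipaddress.ip_network("50.1.1.0/28"), "comcast", "connected"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "fiber", "static"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_check(src, ingress, routes=ROUTES):
    """Unicast RPF: the best route back to the packet's source must point
    out the interface the packet arrived on. Returns (allowed, reason)."""
    route = lookup(src, routes)
    if route is None:
        return False, f"no route back to {src}"
    if route.interface != ingress:
        return False, (f"route to {src} is {route.prefix} ({route.kind}) via "
                       f"{route.interface}, but packet arrived on {ingress}")
    return True, f"{src} is reachable via {ingress}"


def add_static(routes, prefix, interface):
    """Model the ASA's refusal quoted in the thread: a static route that
    falls inside a connected subnet is rejected ('connected route exists')."""
    net = ipaddress.ip_network(prefix)
    for r in routes:
        if r.kind == "connected" and net.subnet_of(r.prefix):
            raise ValueError(f"connected route {r.prefix} already exists on {r.interface}")
    return routes + [Route(net, interface, "static")]


if __name__ == "__main__":
    # The guest router's traffic returns via Verizon, so it arrives on fiber.
    print(rpf_check("50.1.1.6", "fiber"))
```

Because the /28 on comcast is a connected route, it always beats the default route for 50.1.1.6, so a packet from that source arriving on fiber fails the check, and a more specific static route cannot be installed to override it.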
