Cisco Support Community
Community Member

ASA asymmetric routing, it doesn't see the SYN/ACK coming back, then resets connec..

I have a topology where an ASA is the default gateway for the network.

There is a network the ASA knows via another router on the inside network.

So when a host wants to reach this network, it goes to the ASA, as it is the host's default gateway, and the ASA sends the traffic coming from inside to a router that is also on the inside.

When the traffic comes back from the destination, it arrives from the WAN at this router (the one the ASA sent the traffic to), and this router sends it directly to the host, not to the ASA, because this router already knows this host locally.

So the ASA sees a TCP SYN going to the destination but does not see the TCP SYN/ACK coming back, and it sends a TCP RST to the destination.

How can I prevent it?

I'm using version 8.X and have already tried disabling threat-detection basic....


Hall of Fame Super Blue

Re: ASA asymmetric routing, it doesn't see the SYN/ACK coming back, then

A couple of things spring to mind:

1) Change the default gateway to be the internal router. This may or may not fit into your topology. Presumably the ASA is for Internet access? If so, you could add a default route on the internal router pointing to the ASA.

2) NAT the source IP address as it goes through the ASA to the ASA inside interface. Then the WAN router would have to send the return traffic back to the ASA.

I would choose option 1 if at all possible.



Re: ASA asymmetric routing, it doesn't see the SYN/ACK coming back, then

I ended up finding out that the one sending the reset is the originating host itself, not the ASA.

It seems the ASA is randomizing the sequence number of the packet, so when the reply comes back to the host without passing through the ASA, the host sees a wrong sequence number and sends a reset.

I will disable sequence number randomization for the desired traffic and see how it goes.
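For reference, here is what "disable randomization for the desired traffic" looks like on the ASA using the Modular Policy Framework. This is an added example, not configuration from the original thread; the access-list name, class-map and policy-map names, and the 192.0.2.0/24 (hosts behind the ASA) and 198.51.100.0/24 (network reached via the internal router) addresses are assumed placeholders, and the policy is applied only to the inside interface on the assumption that this is where the asymmetric flows enter the ASA.

```cisco
! Match only the flows whose return path bypasses the ASA.
! Addresses are placeholders: 192.0.2.0/24 = inside hosts,
! 198.51.100.0/24 = the network reached via the internal router.
access-list ASYM_TRAFFIC extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0

class-map ASYM_CLASS
 match access-list ASYM_TRAFFIC

! Leave the initial sequence number untouched for these flows so the
! host accepts the SYN/ACK that arrives directly from the internal router.
! Randomization stays enabled for everything else (the default).
policy-map ASYM_POLICY
 class ASYM_CLASS
  set connection random-sequence-number disable

! Apply on the interface where the SYN enters the ASA.
service-policy ASYM_POLICY interface inside
```

Verify with `show service-policy interface inside`, which lists the class and the `random-sequence-number disable` action along with hit counts. The ACL is deliberately narrow: sequence number randomization is an anti-spoofing protection, so it should be disabled only for the specific subnets that actually have an asymmetric return path, not globally.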

