ASA Asymmetric routing

xayavongp
Level 1

I believe I am seeing an asymmetric routing issue but not so sure. ASA version 9.1(1)

We have the management interface (management-only configured) connected to an upstream router.

Management default route out is towards this router ( and also its IP gateway)

We also have the inside interface (different subnet) attached to the same router running IGP (OSPF) with it.

I could not source ping (from management) to an external server (TACACS). I could see error

ASA-7-710005: TCP request discarded error between the sessions.

Source ping from "inside" works fine. When the inside was "shut" the Management started working. Has anyone run into this scenario

with the management and inside going to the same box (but on different subnets)?

I would think the management-only would be immune to this if it is asymmetric issue.

Thanks,

Pete

7 Replies

Julio Carvajal
VIP Alumni

Where does the external server sit?

Remember that you have the management-only keyword, which basically restricts the interface from any sort of routed traffic. It's only for management access.

I mean routed traffic will not go out that interface

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I understand that the management-only does not pass traffic.

The server sits at another site and the WAN is stable. Is there any debugging that might be useful?

Would there be a specific "asymmetric" error on the ASA if it sees it as such?

Well,

Exactly, it does not allow you to let traffic go through.

Well, you would check for logs that would actually deny the TCP connection with a flag of no-connection.

Now, how are you trying to source the packets from the management?

I mean

ping management x.x.x.x is not the same as ping x.x.x.x source-interface management (as on a router)

With the ping management you will be letting the ASA know it needs to send the traffic via that management interface.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The server is trying to reach the interface but the response from the ASA seems to not make it back for the full handshake.

Used ping management x.x.x.x to verify that the management interface is able to reach the TACACS server.

It was reachable when the inside interface was "shut", and TACACS started working.

Hello,

The ASA will always source the traffic from the closest interface to the server (no ip radius source or tacacs interface as the router).

If the server is not on the management interface, how are you sourcing the traffic from that interface?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I removed management-access inside and the management interface was able to communicate with the ACS.

But something else broke.

I could SSH fine to the interface, but could not ping it and received this error.

Routing failed to locate next-hop for udp and icmp for the management interface.

I added management-access management to test, and the interface was able to process ICMP traffic, but the ACS

was not reachable anymore. Why would "management-access" affect the ASA this way? The "outside" is not even

connected yet.
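The thread keeps circling around three separate things: which interface the ASA actually uses to reach the TACACS server, what `management-only` does, and what `management-access` does. The following ASA 9.1 configuration fragment and the checks after it are an added illustration, not configuration from the original poster or from the replies; the interface names, the RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the OSPF process number and the server key are all placeholders.

```cisco
! Dedicated management interface: management-only means the ASA will not
! forward through-traffic across it, but the ASA itself can still source
! and terminate sessions on it (SSH, TACACS+, ping).
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.10 255.255.255.0
 management-only
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.10 255.255.255.0
!
! Static default route for the management interface only; the inside
! interface learns its routes from the upstream router via OSPF.
route management 0.0.0.0 0.0.0.0 192.0.2.1
!
router ospf 1
 network 198.51.100.0 255.255.255.0 area 0
!
! The interface in parentheses on the host line is the one the ASA uses
! to reach the AAA server. If the server is meant to be reached via the
! management interface, it has to be named here; "(inside)" would make the
! ASA source TACACS+ from the inside address instead.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host 203.0.113.5
 key PLACEHOLDER_KEY
!
! management-access is about terminating management sessions (ICMP, SSH,
! ASDM) on the named interface's own address when traffic arrives through a
! different interface, typically over VPN; it does not change how the ASA
! sources its own TACACS+ sessions. Only one interface can be named.
management-access management
```

Useful checks while reproducing the symptom described above: `ping management 203.0.113.5` forces the probe out the management interface, whereas a bare `ping 203.0.113.5` follows the routing table, which is why the two can behave differently; `show run aaa-server` confirms which interface the TACACS server is bound to; `show route` shows whether the OSPF-learned prefix on inside overlaps the management default route for the server's address; `packet-tracer input management tcp 192.0.2.10 1025 203.0.113.5 49` walks the ASA's own decision for a TACACS+ session arriving on management; and `show logging | include 710005` isolates the "request discarded" messages from the thread so you can compare the source and destination interface the ASA reports with the one you expected.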

Hello,

Hey bud, I already asked you to explain the issue a little further; I have no idea where the ACS is connected.

You are not telling me how you are trying to connect to the ACS using the management, etc.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC