12-04-2013 11:22 AM - edited 03-11-2019 08:12 PM
I believe I am seeing an asymmetric routing issue but not so sure. ASA version 9.1(1)
We have the management interface (management-only configured) connected to an upstream router.
Management default route out is towards this router (and also its IP gateway).
We also have the inside interface (different subnet) attached to the same router running IGP (OSPF) with it.
I could not source ping (from management) to an external server (TACACS). I could see error
ASA-7-710005: TCP request discarded error between the sessions.
Source ping from "inside" works fine. When the inside was "shut" the Management started working. Has anyone run into this scenario with the management and inside going to the same box (but on different subnets)?
I would think the management-only would be immune to this if it is asymmetric issue.
Thanks,
Pete
12-04-2013 11:49 AM
Where does the external server sit?
Remember that you have the management-only keyword, which basically restricts the interface from any sort of routed traffic. It's only for management access.
I mean routed traffic will not go out that interface.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-04-2013 12:03 PM
I understand that the management-only does not pass traffic.
The server sits at another site and the WAN is stable. Is there any debugging that might be useful ?
Would there be a specific "asymmetric" error on the ASA if it sees it as such?
12-04-2013 12:07 PM
Well,
Exactly, it does not allow you to let traffic go through.
Well, you would check for logs that would actually deny the TCP connection with a flag of no-connection.
Now, how are you trying to source the packets from the management?
I mean
ping management x.x.x.x is not the same as ping x.x.x.x source-interface management (as on a router)
With the ping management you will be letting the ASA know it needs to send the traffic via that management interface.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-04-2013 01:11 PM
The server is trying to reach the interface but the response from the ASA seems to not make it back for the full handshake.
Used ping management x.x.x.x to verify that the management interface is able to reach the TACACS server.
It was reachable when the inside interface was "shut"...and TACACS started working.
12-04-2013 01:45 PM
Hello,
The ASA will always source the traffic from the closest interface to the server (no ip radius source or tacacs interface as the router).
If the server is not on the Management interface, how are you sourcing the traffic from that interface?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-09-2013 01:47 PM
I removed management-access inside and the management interface was able to communicate with the ACS.
But something else broke.
I could ssh fine to the interface, but could not ping it and received this error.
Routing failed to locate next-hop for udp and icmp for the management interface.
I added management-access management to test and the interface was able to process ICMP traffic, but the ACS was not reachable anymore. Why would "management-access" affect the ASA this way? The "outside" is not even connected yet.
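The two symptoms in this thread (TCP requests discarded towards the management interface and "routing failed to locate next-hop" for the replies) are easier to correlate when pulled out of the syslog feed together. The script below is an added example, not the poster's or Cisco's code; the sample lines are constructed, the message layouts are assumed to follow the documented shape of ASA messages 710005 and 110003, and the interface names and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines (assumption: layout of ASA 710005 / 110003 / 605005 messages).
SAMPLE_LOG = """\
%ASA-7-710005: TCP request discarded from 198.51.100.10/49152 to management:192.0.2.5/22
%ASA-7-710005: TCP request discarded from 198.51.100.10/49153 to management:192.0.2.5/22
%ASA-6-110003: Routing failed to locate next hop for UDP from management:192.0.2.5/41000 to inside:198.51.100.10/49
%ASA-6-110003: Routing failed to locate next hop for ICMP from management:192.0.2.5/0 to inside:198.51.100.10/0
%ASA-6-605005: Login permitted from 198.51.100.10/50000 to management:192.0.2.5/ssh for user "pete"
"""

# Request hit the box on an interface but was dropped before a connection was built.
DISCARD_RE = re.compile(
    r"%ASA-\d-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/\d+ to (?P<ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<port>\d+)")
# Box-originated or reply traffic could not be routed out of the named source interface.
NOHOP_RE = re.compile(
    r"%ASA-\d-110003: Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<src_ifc>[\w-]+):(?P<src>[\d.]+)/\d+ to (?P<dst_ifc>[\w-]+):(?P<dst>[\d.]+)/\d+")


def summarize(log_text):
    """Count discards per (interface, peer, proto, port) and next-hop failures
    per (source interface, destination interface, proto)."""
    discards = Counter()
    no_next_hop = Counter()
    for line in log_text.splitlines():
        m = DISCARD_RE.search(line)
        if m:
            discards[(m["ifc"], m["src"], m["proto"], m["port"])] += 1
            continue
        m = NOHOP_RE.search(line)
        if m:
            no_next_hop[(m["src_ifc"], m["dst_ifc"], m["proto"])] += 1
    return discards, no_next_hop


def suspect_split_path(discards, no_next_hop):
    """Interfaces that both discard inbound requests and cannot route their own
    outbound/reply traffic: the pattern to check the routing table for first."""
    discard_ifcs = {ifc for (ifc, _, _, _) in discards}
    nohop_ifcs = {src_ifc for (src_ifc, _, _) in no_next_hop}
    return sorted(discard_ifcs & nohop_ifcs)


if __name__ == "__main__":
    d, n = summarize(SAMPLE_LOG)
    print("discards:", dict(d))
    print("no next hop:", dict(n))
    print("check routing for:", suspect_split_path(d, n))
```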
12-09-2013 04:58 PM
Hello,
Hey bud, I already asked you to explain the issue a little further; I have no idea where the ACS is connected.
You are not telling me how you are trying to connect to the ACS using the management, etc.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com