
ASA Asymmetric routing

I believe I am seeing an asymmetric routing issue but am not so sure. ASA version 9.1(1)

We have the management interface (management-only configured) connected to an upstream router.

Management default route out is towards this router (and also its IP gateway)

We also have the inside interface (different subnet) attached to the same router running IGP (OSPF) with it.

I could not source ping (from management) to an external server (TACACS). I could see error

ASA-7-710005: TCP request discarded error between the sessions.

Source ping from "inside" works fine. When the inside was "shut" the Management started working. Has anyone run into this scenario with the management and inside going to the same box (but on different subnets)?

I would think the management-only would be immune to this if it is an asymmetric issue.

Thanks,

Pete

7 REPLIES

Re: ASA Asymmetric routing

Where does the external server sit?

Remember that you have the management-only keyword, which basically restricts the interface from any sort of routed traffic. It's only for management access.

I mean routed traffic will not go out that interface.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

ASA Asymmetric routing

I understand that the management-only does not pass traffic.

The server sits at another site and the WAN is stable. Is there any debugging that might be useful?

Would there be a specific "asymmetric" error on the ASA if it sees it as such?

ASA Asymmetric routing

Well,

Exactly, it does not allow you to let traffic go through.

Well, you would check for logs that would actually deny the TCP connection with a flag of no-connection.

Now, how are you trying to source the packets from the management?

I mean

ping management x.x.x.x is not the same as ping x.x.x.x source-interface management (as on a router)

With the ping management you will be letting the ASA know it needs to send the traffic via that management interface.


Regards,

Jcarvaja


ASA Asymmetric routing

The server is trying to reach the interface but the response from the ASA seems to not make it back for the full handshake.

Used ping management x.x.x.x to verify that the management interface is able to reach the TACACS server.

It was reachable when the inside interface was "shut"...and TACACS started working.

ASA Asymmetric routing

Hello,

The ASA will always source the traffic from the closest interface to the server (no ip radius source or tacacs interface as the router).

If the server is not on the management interface, how are you sourcing the traffic from that interface?


Regards,

Jcarvaja


ASA Asymmetric routing

I removed management-access inside and the management interface was able to communicate with the ACS.

But something else broke.

I could ssh fine to the interface, but could not ping it and received this error.

Routing failed to locate next-hop for udp and icmp for the management interface.

I added management-access management to test and the interface was able to process icmp traffic but the ACS was not reachable anymore. Why would "management-access" affect the ASA this way? The "outside" is not even connected yet.

ASA Asymmetric routing

Hello,

Hey bud I already asked you to explain the issue a little further, I have no idea where the ACS is connected.

You are not telling me how you are trying to connect to the ACS using the management, etc.


Regards,

Jcarvaja
