ASA Context running in parallel with ASA-VPN

natedog
Level 1

The scenario I have is an ASA in context mode, and I am looking to terminate VPN clients on a separate ASA that has an interface on the same private subnet. I have added a route to the ASA context for the VPN pool that belongs to the VPN-ASA. I can ping the VPN clients from the ASA context, but I cannot establish any connection from the VPN client. I get the following message:

04:21:21 106001 192.168.41.215 10.50.1.1 Inbound TCP connection denied from 192.168.41.215/23 to 10.50.1.1/52412 flags SYN ACK on interface inside

Any ideas? Thanks.

4 Replies

santukumar
Level 1

You have not made clear that you are talking about multiple mode. Can you ping from outside to inside? If yes, then check your VPN config, i.e. check with these commands:

show isakmp sa

show ipsec sa

And then see whether the VPN has been created or not.

Yes, I am running one ASA in multiple context mode. The other ASA is running in parallel in single context mode. The VPN terminates fine and I can ping the IPsec clients as they connect from the ASA that's running in multiple context mode. However, if a VPN user tries to access internal resources, it's failing. This is the error I am getting, which is related to translation problems:

192.168.41.20 10.50.1.1 Inbound TCP connection denied from 192.168.41.20/23 to 10.50.1.1/2103 flags SYN ACK on interface inside

It appears the packet from the server (a SYN ACK from port 23 is certainly a server packet) to the client is getting dropped. Since you said two ASAs are sitting in parallel, can you clarify which ASA is dropping the packet? If it's the multi-context one, then it appears routing needs to be fixed such that packets destined to VPN client IPs go to the VPN-ASA. I would guess you have an L3 box on the inside segment that routes to the ASAs depending on destination. It may be that the L3 box is routing VPN client IPs to the multi-ASA instead of the VPN-ASA.

Right now I am not using any layer 3 box. I was hoping to avoid that and just have the multi-context ASA send packets over to the ASA-VPN device when they needed to route out.

I have tried utilizing the NO_NAT rules on both the VPN-ASA and the context ASA, but since the traffic is never leaving the inside interface of the context ASA, that doesn't make any sense.

Am I going to need a layer 3 box to handle this?
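The diagnosis in this thread (a server's SYN ACK reply hitting the context ASA's inside interface, for a connection whose SYN entered through the VPN-ASA) shows up in the 106001 messages quoted above. As an added example that is not from the original posts or from Cisco, this parses that message format and flags inbound SYN ACK denies on the inside interface as the asymmetric-routing pattern described here; the two sample lines are the ones from the thread, the third is constructed for contrast, and the `classify` labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Body of an ASA 106001 message as quoted in the thread; any timestamp or
# message-id prefix before "Inbound" is ignored.
LOG_RE = re.compile(
    r"Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
    r"(?: flags (?P<flags>[A-Z ]+?))? on interface (?P<iface>\S+)"
)

# Sample input: first two lines are from the thread, third is constructed.
SAMPLE_LOGS = [
    "04:21:21 106001 192.168.41.215 10.50.1.1 Inbound TCP connection denied "
    "from 192.168.41.215/23 to 10.50.1.1/52412 flags SYN ACK on interface inside",
    "192.168.41.20 10.50.1.1 Inbound TCP connection denied "
    "from 192.168.41.20/23 to 10.50.1.1/2103 flags SYN ACK on interface inside",
    "Inbound TCP connection denied from 203.0.113.5/40000 to 10.50.1.1/22 "
    "flags SYN on interface outside",  # constructed: an ordinary blocked SYN
]


@dataclass
class Deny106001:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Tuple[str, ...]
    iface: str


def parse_106001(line: str) -> Optional[Deny106001]:
    """Extract the 5-tuple, TCP flags and interface from a 106001 line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flags = tuple(m.group("flags").split()) if m.group("flags") else ()
    return Deny106001(m.group("proto"), m.group("src"), int(m.group("sport")),
                      m.group("dst"), int(m.group("dport")), flags, m.group("iface"))


def classify(d: Deny106001) -> str:
    """SYN ACK denied inbound on the inside interface is a server reply for a
    connection this ASA never saw the SYN for: the asymmetric path in the thread."""
    if "SYN" in d.flags and "ACK" in d.flags and d.iface == "inside":
        return "asymmetric-reply"
    if d.flags == ("SYN",):
        return "new-connection-blocked"
    return "other"


def suspect_servers(lines: List[str]) -> List[str]:
    """Servers whose replies to clients are being dropped (sorted, unique)."""
    parsed = [d for d in map(parse_106001, lines) if d is not None]
    return sorted({d.src for d in parsed if classify(d) == "asymmetric-reply"})
```

Running `suspect_servers(SAMPLE_LOGS)` on the thread's lines names both internal hosts (192.168.41.20 and 192.168.41.215) whose replies to the VPN client 10.50.1.1 never match a connection on the context ASA.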
