I have two locations with an ASA 5515 cluster running version 8.2 on one side and an ASA 5525 cluster running version 9.2 on the other side. Both sides are connected through a server DMZ zone. On the server I have entered a static route to one of the firewall systems. The communication seems to be fine, but after a while (10 minutes or later) the communication breaks. The Wireshark analyzer shows that at the point of the break the packet to the server system came with the source MAC address of the firewall system from the other side. I don't know how I can fix the problem.
Both firewall clusters are connected by a redundant Gbit leased line.
My problem is that the VPN router had a static route over the FW cluster at site-A; in the error situation, after ten minutes or some hours, I can see traffic from the client at the VPN site coming through the FW cluster at site-B, and the connection breaks. After a while the traffic comes over the FW cluster at site-A and the connection is all right.
In the document you can see the topology, the logs of the FW cluster and a capture of the server traffic.
Looks like this is asynchronous routing: the reverse path is not the same as the original path.
I can see HSRP is configured on the routers, so checking the routing for your server subnets 10.17.1.x on the routers might help you. The path (traceroute) the HSRP router is taking to reach the 10.17.1.x subnet is important.
Yes, of course that seems to be a problem of asynchronous routing. First I entered the explicit and supernet routes on the HSRP routers with different metrics; second, I disabled HSRP on the standby node so that only one routing instance is there. The problem is still present. I don't know what instance sends the return packets through the firewall with IP 10.200.0.224. In the next step I entered, on the 10.200.0.224 firewall, routes on the outside interface for destination 10.17.1.117 over gateway 10.200.0.222; after that the communication works without breaks, but I also can see a lot of wrong packets at both sites.
Good to hear you made some progress on this one. So from this, what I understood is that there is a routing issue on the HSRP routers (it could be having two routes for the 10.17.1.x subnet: one to the .222 ASA and a second to the .224 ASA). When you entered the route on the .224 ASA pointing back to .222, your connection is working.
So the routers could be sending some packets to the .224 ASA. With the limited information on how your routing is configured, this is what I understood.
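The symptom the original poster describes is visible in the capture: frames for the same client-to-server flow start arriving from the other firewall's MAC address. The following script, an added example that is not part of the thread, turns that observation into a check. It reads the tab-separated text that `tshark -r cap.pcap -T fields -e frame.time_relative -e eth.src -e ip.src -e ip.dst` produces and reports every point at which the gateway MAC delivering a client's traffic to the server changes. The sample capture lines are constructed, and the MAC addresses are hypothetical (the thread gives only the ASA IPs 10.200.0.222 and 10.200.0.224 and the server 10.17.1.117).

```python
"""Detect a gateway flip (asymmetric return path) in a capture taken on the
server segment.

Added example, not code from the original thread. Input format is the
tab-separated output of:
  tshark -r cap.pcap -T fields -e frame.time_relative -e eth.src -e ip.src -e ip.dst
"""

# Hypothetical gateway MACs, labelled with the ASA outside IPs from the thread.
GATEWAYS = {
    "00:aa:bb:cc:dd:22": "ASA site-A 10.200.0.222",
    "00:aa:bb:cc:dd:24": "ASA site-B 10.200.0.224",
}
SERVER = "10.17.1.117"

# Constructed sample (time, eth.src, ip.src, ip.dst). The client address
# 10.50.0.10 is assumed. Around t=600 the path moves to site-B, then back.
SAMPLE = """\
0.000\t00:aa:bb:cc:dd:22\t10.50.0.10\t10.17.1.117
0.250\t00:aa:bb:cc:dd:22\t10.50.0.10\t10.17.1.117
0.251\t00:50:56:01:02:03\t10.17.1.117\t10.50.0.10
600.10\t00:aa:bb:cc:dd:24\t10.50.0.10\t10.17.1.117
600.35\t00:aa:bb:cc:dd:24\t10.50.0.10\t10.17.1.117
3600.0\t00:aa:bb:cc:dd:22\t10.50.0.10\t10.17.1.117
"""


def parse_frames(text):
    """Parse tshark field lines into (time, src_mac, ip_src, ip_dst) tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, mac, src, dst = line.split("\t")
        frames.append((float(t), mac.lower(), src, dst))
    return frames


def gateway_changes(frames, server_ip, gateways):
    """Return (time, client_ip, old_gateway, new_gateway) for every frame that
    reaches server_ip from a different source MAC than the previous frame of
    the same client. Each entry is a point where the forward path flipped."""
    last = {}      # client ip -> last gateway MAC that delivered its traffic
    events = []
    for t, mac, src, dst in sorted(frames, key=lambda f: f[0]):
        if dst != server_ip:
            continue   # only traffic delivered to the server matters here
        prev = last.get(src)
        if prev is not None and prev != mac:
            events.append((t, src, gateways.get(prev, prev), gateways.get(mac, mac)))
        last[src] = mac
    return events


def frames_per_gateway(frames, server_ip):
    """Count frames delivered to server_ip per source MAC; with symmetric
    routing only one gateway MAC should appear."""
    counts = {}
    for _, mac, _, dst in frames:
        if dst == server_ip:
            counts[mac] = counts.get(mac, 0) + 1
    return counts


if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    for t, client, old, new in gateway_changes(frames, SERVER, GATEWAYS):
        print(f"t={t:>9.3f}s {client} -> {SERVER}: path moved from [{old}] to [{new}]")
    for mac, n in frames_per_gateway(frames, SERVER).items():
        print(f"{GATEWAYS.get(mac, mac)}: {n} frames")
```

Run it against a real export and correlate the reported timestamps with the ASA logs; a flip that lines up with the connection breaking confirms that the return traffic is leaving through the other cluster, which drops it because it never saw the original SYN.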