Cisco Support Community

Asynchronous routing within Active Standby ASA pair


I have 2 pairs of ASA5520s, one pair at my Head Office and the other pair at my DR site. They are configured as Active Standby Pairs at each site with a VPN tunnel between the two sites.

I have traffic that originates off one of the interfaces on the ASA but arrives back in on a different interface.

Will the ASA support this?

I have VPNs from my field sites that needed to come in and go out on the same interface, so I have configured the same-security-traffic permit intra-interface for them, but my WAN has some asynchronous routing that allows traffic to come in on a different interface than it went out on.

Please Help


Re: Asynchronous routing within Active Standby ASA pair

The firewall will not allow this as the state table will show the traffic on one interface then returning on another. The firewall will deny the traffic as it won't have a syn to match the ack.

It sounds like you need to fix the asynchronous routing on the WAN, unless you want that behavior; if so, then I think the design should be reviewed to determine the best location for the firewall installation and configuration.
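
The state-table behaviour described in the reply above, as an added example that is not part of the original post: a simplified Python model of a stateful firewall's connection lookup (not ASA code). The interface names, addresses and class are constructed for illustration, and the model assumes policy permits every new SYN.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK

class StatefulFirewall:
    """Toy connection table keyed on (ingress interface, addresses, ports)."""

    def __init__(self, routes):
        self.routes = routes   # destination IP -> egress interface
        self.conns = set()     # packets the firewall expects to see

    def process(self, p):
        key = (p.in_if, p.src, p.sport, p.dst, p.dport)
        if key in self.conns:
            return "permit (existing connection)"
        if p.flags == "S":
            # A SYN builds state for both directions. The return direction
            # is pinned to the interface the SYN was routed out of.
            out_if = self.routes[p.dst]
            self.conns.add(key)
            self.conns.add((out_if, p.dst, p.dport, p.src, p.sport))
            return "permit (new connection)"
        # Non-SYN packet with no matching state: nothing to match it against.
        return "drop (no connection)"

def demo():
    # Constructed sample traffic: the client's SYN leaves via wan1.
    fw = StatefulFirewall({"10.2.0.5": "wan1"})
    syn = Packet("inside", "10.1.0.10", 40000, "10.2.0.5", 443, "S")
    reply_same = Packet("wan1", "10.2.0.5", 443, "10.1.0.10", 40000, "SA")
    reply_other = Packet("wan2", "10.2.0.5", 443, "10.1.0.10", 40000, "SA")
    return [fw.process(syn), fw.process(reply_same), fw.process(reply_other)]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the asymmetric case: the same SYN-ACK arriving on wan2 finds no state on that interface and is dropped.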


Re: Asynchronous routing within Active Standby ASA pair

Thanks TJ

I have tried to get rid of as much asynchronous traffic as possible but now have only one issue left, where I have about 2000 field clients that terminate VPNs on Microsoft RRAS servers at either my head office or my disaster site. As part of redundancy I have this traffic going down my tunnel from DR should the Head Office link fail to the field. All other traffic goes through the tunnel fine but RRAS will not terminate, giving a 792 error. It is as if the tunnel is malforming the packets, causing the RRAS server to drop them. In effect I have an IPsec tunnel in an IPsec tunnel. Can I have this or am I going to have to redesign my WAN?


Re: Asynchronous routing within Active Standby ASA pair

For active/active failover is there support for asymmetrical routing (using asr-group)

I am not sure if it fits your scenario.