I have posted this problem in the AAA forum as originally I thought this must be a triple-A issue.
I am trying to replicate two ACS servers across an ASA5500. If I take the ASA out of the configuration, the two ACS servers will replicate with no problem. Once the ASA is back in, replication fails.
Comparing the sniffer traces of the working and non-working topologies, I can see that after the usual TCP handshaking, a packet is sent from ASA1 to ASA2 with 20 bytes of data. ASA2 sends an ack for this packet and a next sequence value. In the version that won't work, ASA1 only receives the ack, NOT the next sequence value.
Could it be that the ASA is somehow stripping the next sequence bit of the packet?
According to the post, ACS1 initiated the replication with ack 233. ACS2 received the packet, sent an ack, and is waiting for the next packet. Now, for some unknown reason, ACS1 seems not to be receiving the response from ACS2.
You mentioned that the interface security levels are set to 50. Just wondering if you mean the ones connected to the ACS servers. If so, verify whether the command "same-security-traffic permit inter-interface" is enabled.
Yup, the interfaces are set to same-security permit. They are both subinterfaces and are both set to 50.
I have now put a sniffer on the other side of this setup (ACS2 side) and see just 3 packets: a SYN from ACS1, a SYN-ACK from ACS2 and an ACK from ACS1.
To me this seems as if the packets I was getting on my sniffer when it was on the ACS1 side are being produced by the ASA! Why would an ASA spoof packets?
This doesn't make any sense to me at all. I have raised it on the Ask the Experts forum but no reply as yet.
--------------------------------sniffer on ACS1 side-----------------
ACS1 --- sniffer --- ASA --- ACS2
ACS1 initiates replication and a full handshake takes place, followed by several TCP packets either way. ACS1 gets an ACK from (supposedly) ACS2 but no next sequence packet. The process now hangs as ACS1 is waiting for the next sequence it should send.
--------------------------------sniffer on ACS2 side-----------------
ACS2 --- sniffer --- ASA --- ACS1
Now it gets weird. I again initiate a replication from ACS1 and see a SYN from ACS1; this is SYN-ACKed by ACS2 and an ACK comes back from ACS2.
That is it. Nothing else. Where are the packets that I see on the other side coming from?
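The comparison the poster did by eye (one capture on each side of the ASA, then looking for the segments that exist on only one side) can be done mechanically. The Python below is an added example, not code from the thread or from Cisco. It matches segments from the two captures on relative sequence and acknowledgement numbers rather than absolute ones, because a stateful firewall that rewrites initial sequence numbers (the ASA does this by default) would otherwise make every post-handshake segment look different on the two sides, and it reports which segments appear on only one side. The addresses, the two captures and the ISN rewrite in the far-side capture are constructed to mirror the descriptions in the post; they are not the poster's traces.

```python
"""Diff two TCP captures taken on opposite sides of a firewall.

Added example. Captures are constructed to mirror the thread: the near
(ACS1-side) capture shows the handshake, a 20-byte data segment and an ACK;
the far (ACS2-side) capture shows only the three-way handshake. The far-side
capture uses a different initial sequence number for ACS1, as a firewall
that randomises ISNs would produce, to show why matching must be relative.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses, not from the original post.
ACS1 = "10.1.1.10"
ACS2 = "10.2.2.20"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str    # TCP flags in the usual letter form: "S", "SA", "A", "PA", ...
    seq: int      # absolute sequence number as seen on the wire
    ack: int      # absolute acknowledgement number (meaningful only if "A" in flags)
    length: int   # TCP payload length in bytes


# (src, dst, flags, relative seq, relative ack or None, payload length)
Key = Tuple[str, str, str, int, Optional[int], int]


def initial_seqs(capture: List[Segment]) -> Dict[Tuple[str, str], int]:
    """Initial sequence number per direction, taken from the SYN / SYN-ACK.

    If a direction has no SYN in the capture (capture started mid-stream),
    the first sequence number seen in that direction is used as the base.
    """
    isn: Dict[Tuple[str, str], int] = {}
    for s in capture:
        d = (s.src, s.dst)
        if "S" in s.flags:
            isn[d] = s.seq          # a SYN always wins
        elif d not in isn:
            isn[d] = s.seq          # fallback base for SYN-less directions
    return isn


def normalize(capture: List[Segment]) -> List[Key]:
    """Rewrite each segment as a key that is independent of absolute ISNs."""
    isn = initial_seqs(capture)
    keys: List[Key] = []
    for s in capture:
        rel_seq = s.seq - isn[(s.src, s.dst)]
        reverse = (s.dst, s.src)
        rel_ack = s.ack - isn[reverse] if "A" in s.flags and reverse in isn else None
        keys.append((s.src, s.dst, s.flags, rel_seq, rel_ack, s.length))
    return keys


def compare(near: List[Segment], far: List[Segment]) -> Tuple[List[Key], List[Key]]:
    """Return (segments seen only near, segments seen only far), in capture order.

    Membership is by key, so a retransmission collapses onto its original.
    """
    near_keys, far_keys = normalize(near), normalize(far)
    only_near = [k for k in near_keys if k not in far_keys]
    only_far = [k for k in far_keys if k not in near_keys]
    return only_near, only_far


def describe(k: Key) -> str:
    src, dst, flags, rel_seq, rel_ack, length = k
    ack_text = "" if rel_ack is None else f" ack={rel_ack}"
    return f"{src} -> {dst} [{flags}] seq={rel_seq}{ack_text} len={length}"


# Constructed near-side capture (sniffer between ACS1 and the ASA).
ACS1_SIDE = [
    Segment(ACS1, ACS2, "S", 1000, 0, 0),
    Segment(ACS2, ACS1, "SA", 5000, 1001, 0),
    Segment(ACS1, ACS2, "A", 1001, 5001, 0),
    Segment(ACS1, ACS2, "PA", 1001, 5001, 20),   # the 20-byte data segment
    Segment(ACS2, ACS1, "A", 5001, 1021, 0),     # the ack the poster saw
]

# Constructed far-side capture (sniffer between the ASA and ACS2).
# ACS1's ISN appears rewritten (777000 instead of 1000); only the handshake is present.
ACS2_SIDE = [
    Segment(ACS1, ACS2, "S", 777000, 0, 0),
    Segment(ACS2, ACS1, "SA", 5000, 777001, 0),
    Segment(ACS1, ACS2, "A", 777001, 5001, 0),
]


if __name__ == "__main__":
    only_near, only_far = compare(ACS1_SIDE, ACS2_SIDE)
    print("Seen on the ACS1 side only:")
    for k in only_near:
        print("  " + describe(k))
    print("Seen on the ACS2 side only:")
    for k in only_far:
        print("  " + describe(k))
```

Run against real traces, the segments listed under "near only" are the ones the firewall either dropped or produced itself; either way they never reached the far side, which is what distinguishes the two explanations from a single-sided capture. The handshake segments match across sides despite the rewritten ISN because the keys are relative, so a mismatch in the output is a real difference and not a sequence-number artefact.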
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...