
Asymmetric Routing on ASA5500

davmitchell
Level 1

I am bringing up a new 5520 and have run into a problem with asymmetric routing. Without going into a ton of detail, let's say we are using 10.0.1.0/24 for our address pool for remote VPN clients. One of them wants to connect to 10.0.2.2. That results in this connection state as shown by 'show connection all detail':

TCP outside:10.0.1.1/59200 outside:10.0.2.2/80 flags SaAB

Due to our routing configuration, the response traffic is going to come in to the "inside" interface of the ASA and as a result it gets dropped:

%ASA-6-106015: Deny TCP (no connection) from 10.0.2.2/80 to 10.0.1.1/59200 flags SYN ACK on interface inside

Is there any way to relax this check somehow? This setup worked fine on our older VPN3000 concentrators.
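As an added illustration (not part of the post or of any Cisco tooling), the script below correlates the two artifacts quoted above: it parses 'show conn' entries and %ASA-6-106015 deny lines, and flags a deny whose reversed 5-tuple matches a live connection that was built on a different interface, which is the signature of return traffic arriving on the wrong side. The sample lines are constructed, and the script assumes the initiator is listed first in each conn entry, as in the quoted output.

```python
import re

# Constructed sample input mirroring the formats quoted in the post.
CONN_TABLE = """\
TCP outside:10.0.1.1/59200 outside:10.0.2.2/80 flags SaAB
TCP inside:10.0.3.5/40000 outside:198.51.100.7/443 flags UIO
"""
SYSLOG = """\
%ASA-6-106015: Deny TCP (no connection) from 10.0.2.2/80 to 10.0.1.1/59200 flags SYN ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/443 to 10.0.3.5/40001 flags SYN ACK on interface outside
"""

# Assumption: initiator endpoint first, responder second (matches the quoted 'show conn' line).
CONN_RE = re.compile(r"^(?P<proto>\w+) (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
                     r"(?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)")
DENY_RE = re.compile(r"%ASA-6-106015: Deny (?P<proto>\w+) \(no connection\) from "
                     r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
                     r"flags (?P<flags>[\w ]+?) on interface (?P<iface>[\w-]+)")

def parse_conns(text):
    """Map (proto, init ip, init port, resp ip, resp port) -> (init iface, resp iface)."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            key = (m["proto"].upper(), m["ip_a"], m["port_a"], m["ip_b"], m["port_b"])
            conns[key] = (m["if_a"], m["if_b"])
    return conns

def find_asymmetric(conn_text, syslog_text):
    """Return deny events that are return traffic for a known conn, seen on the wrong interface."""
    conns = parse_conns(conn_text)
    hits = []
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        # Return traffic: the syslog source is the conn responder, the destination the initiator.
        key = (m["proto"].upper(), m["dst"], m["dport"], m["src"], m["sport"])
        if key in conns and conns[key][1] != m["iface"]:
            hits.append({"conn": key, "expected_if": conns[key][1],
                         "seen_if": m["iface"], "flags": m["flags"]})
    return hits

if __name__ == "__main__":
    for hit in find_asymmetric(CONN_TABLE, SYSLOG):
        print(hit)
```

The second deny line is deliberately unrelated (different port) and is not flagged, so only genuine wrong-interface replies surface.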

1 Reply

wong34539
Level 6

Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option.

When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the security appliance that receives the packet does not have any connection information for the packet, the packet is dropped. This most commonly occurs when the two security appliances in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.
