I am bringing up a new 5520 and have run into a problem with asymmetric routing. Without going into a ton of detail, let's say we are using 10.0.1.0/24 for our address pool for remote VPN clients. One of them wants to connect to 10.0.2.2. That results in this connection state, as shown by 'show connection all detail':
TCP outside:10.0.1.1/59200 outside:10.0.2.2/80 flags SaAB
Due to our routing configuration, the response traffic is going to come in to the "inside" interface of the ASA and as a result it gets dropped:
%ASA-6-106015: Deny TCP (no connection) from 10.0.2.2/80 to 10.0.1.1/59200 flags SYN ACK on interface inside
Is there any way to relax this check somehow? This setup worked fine on our older VPN3000 concentrators.
Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option.
When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the security appliance that receives the packet does not have any connection information for the packet, the packet is dropped. This most commonly occurs when the two security appliances in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.
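As an added illustration of the asr-group setup described above (this is not configuration from the thread or from Cisco's documentation, and the context names, interface numbers and addresses are hypothetical): an Active/Active pair runs in multiple context mode, each context is joined to a failover group, and the interfaces that may see each other's return traffic get the same asr-group number in each context. Stateful failover must be configured, because a packet that matches a connection on the peer is redirected to the peer across the failover link.

```cisco
! --- System execution space on the primary unit (hypothetical names).
! --- Active/Active failover requires multiple context mode.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
! The same link also carries state; asr-group redirection depends on it.
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Two failover groups, so each unit is normally active for one context.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
! ctxA faces ISP-A and is active on the primary unit.
context ctxA
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/2.100
  config-url disk0:/ctxA.cfg
  join-failover-group 1
! ctxB faces ISP-B and is active on the secondary unit.
context ctxB
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2.200
  config-url disk0:/ctxB.cfg
  join-failover-group 2
failover

! --- Inside context ctxA: the interface that may receive ctxB's return traffic.
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
  asr-group 1

! --- Inside context ctxB: same asr-group number (valid values are 1 to 32).
interface GigabitEthernet0/1
  nameif outside
  security-level 0
  ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
  asr-group 1
```

With this in place, a SYN/ACK that arrives on ctxB's outside interface with no matching connection is checked against the connections of the other interfaces in asr-group 1, including ctxA's outside interface on the peer, and is redirected there instead of being dropped with the "Deny TCP (no connection)" message. Confirm with 'show failover' that each failover group is active on the unit you expect, and with 'show conn' that the connection exists in the context where the flow originated.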
Log in to the FXOS Chassis Manager.
Point your browser at https://hostname/ and log in using your username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...