Cisco Support Community

Asymmetric Routing on ASA5500

I am bringing up a new 5520 and have run into a problem with asymmetric routing. Without going into a ton of detail, let's say we are using for our address pool for remote VPN clients. One of them wants to connect to That results in this connection state as shown by 'show connection all detail':

TCP outside: outside: flags SaAB

Due to our routing configuration, the response traffic is going to come in to the "inside" interface of the ASA and as a result it gets dropped:

%ASA-6-106015: Deny TCP (no connection) from to flags SYN ACK on interface inside

Is there any way to relax this check somehow? This setup worked fine on our older VPN3000 concentrators.


Re: Asymmetric Routing on ASA5500

Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option.

When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the security appliance that receives the packet does not have any connection information for the packet, the packet is dropped. This most commonly occurs when the two security appliances in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.
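The asr-group setup the reply describes, as an added example (not from this thread or from Cisco): it assumes an Active/Active pair in multiple-context mode, with context names, interface names and addresses used here as placeholders.

```cisco
! Added example, not from this thread. Assumes Active/Active failover in
! multiple-context mode; context names, interface names and addresses are
! placeholders. Putting the outside interface of each context in the same
! asr-group lets a unit that receives a return packet for a connection owned
! by its peer hand it to the peer instead of dropping it with "no connection".
!
! --- context ctxA (active in failover group 1 on unit A) ---
changeto context ctxA
configure terminal
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 asr-group 1
!
! --- context ctxB (active in failover group 2 on unit B) ---
changeto context ctxB
configure terminal
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 asr-group 1
!
! Check: the per-interface "Asymmetrical Routing Statistics" (received,
! transmitted, dropped) are shown by:
! show interface detail
```

The asr-group number only needs to match across the interfaces that may see each other's return traffic; the inside interfaces are left out unless they can also receive replies for the peer's connections.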
