https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421577#M307748 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The ASA will always source the traffic from the closest interface to the server (no ip radius source or tacacs interface as the router).</P><P></P><P>If the server is not on the Managment interface how are you sourcing the traffic from that interface?</P><P></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Wed, 04 Dec 2013 21:45:53 GMT Julio Carvajal 2013-12-04T21:45:53Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421572#M307730 <P>I believe I am seeing an asymmetric routing issue but not so sure. <STRONG>ASA version 9.1(1)</STRONG></P><P></P><P>We have the management interface (<STRONG>management-only</STRONG> configured) connected to an upstream router. </P><P>Management default route out is towards this router ( and also its IP gateway)</P><P></P><P>We also have the inside interface (different subnet) attached to the same router running IGP (OSPF) with it.</P><P></P><P>I could not source ping (from management) to an external server (TACACS). I could see error</P><P><STRONG>ASA-7-710005: TCP request discarded error</STRONG> between the sessions.</P><P></P><P>Source ping from "inside" works fine. When the inside was "shut" the Management started working. Has anyone run into this scenario</P><P>with the <STRONG>managment </STRONG>and <STRONG>inside </STRONG>going to the same box (but on different subnets) ? </P><P>I would think the management-only would be immune to this if it is asymmetric issue.</P><P></P><P>Thanks,</P><P>Pete</P> Tue, 12 Mar 2019 03:12:54 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421572#M307730 xayavongp 2019-03-12T03:12:54Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421573#M307731 <HTML><HEAD></HEAD><BODY><P>Where does the external server sits?</P><P></P><P>Remember that you have the management-only keyword with basically restrict the interface with any sort of routed traffic. it's only for management access.</P><P></P><P>I mean routed traffic will not go out that interface</P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com" rel="nofollow">http://laguiadelnetworking.com</A></P></BODY></HTML> Wed, 04 Dec 2013 19:49:38 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421573#M307731 Julio Carvajal 2013-12-04T19:49:38Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421574#M307735 <HTML><HEAD></HEAD><BODY><P>I understand that the managment-only does not pass traffic.</P><P>The server sits at another site and the WAN is stable. Is there any debugging that might be useful ?</P><P>Would there be a specific "asymmetric" error on the ASA if it sees it as such?</P></BODY></HTML> Wed, 04 Dec 2013 20:03:27 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421574#M307735 xayavongp 2013-12-04T20:03:27Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421575#M307737 <HTML><HEAD></HEAD><BODY><P>Well,</P><P></P><P>Exactly does not allow you to let traffic go through.</P><P></P><P>Well you woud check for logs that would actually deny the tcp connection with a flag of no-connection.</P><P></P><P>Now, how are you trying to source the packets from the management</P><P></P><P>I mean </P><P>ping management x.x.x.x is not the same as ping x.x.x.x source-interface management (as on a router)</P><P></P><P>With the ping management you will be letting the ASA know it needs to send the traffic via that management interface.</P><P></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Wed, 04 Dec 2013 20:07:07 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421575#M307737 Julio Carvajal 2013-12-04T20:07:07Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421576#M307742 <HTML><HEAD></HEAD><BODY><P>The server is trying to reach the interface but the response from the ASA seems to not make it back for the full handshake.</P><P>Used<STRONG> ping management x.x.x.x </STRONG>to verify that the management interface is able to reach the TACACS server.</P><P></P><P>It was reachable when the <STRONG>inside </STRONG>interface was "<STRONG>shut</STRONG>"...and TACACS started working.</P></BODY></HTML> Wed, 04 Dec 2013 21:11:13 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421576#M307742 xayavongp 2013-12-04T21:11:13Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421577#M307748 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The ASA will always source the traffic from the closest interface to the server (no ip radius source or tacacs interface as the router).</P><P></P><P>If the server is not on the Managment interface how are you sourcing the traffic from that interface?</P><P></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Wed, 04 Dec 2013 21:45:53 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421577#M307748 Julio Carvajal 2013-12-04T21:45:53Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421578#M307756 <HTML><HEAD></HEAD><BODY><P>I removed <STRONG>management-access inside</STRONG> and the management interface was able to communicate with the ACS.</P><P></P><P>But something else broke. </P><P>I could ssh fine to the interface, but could not ping it and received this error.</P><P><TT>Routing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; failed to locate next-hop</TT> for udp and icmp for the management interface.</P><P></P><P>I added <STRONG>management-access management </STRONG>to test and the interface was able to process icmp traffic but the ACS</P><P>was not reachable anymore. Why would "management-access" effect the ASA this way? The "outside" is not even</P><P>connected yet.</P></BODY></HTML> Mon, 09 Dec 2013 21:47:59 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421578#M307756 xayavongp 2013-12-09T21:47:59Z https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421579#M307763 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Hey bud I already asked you to explain the issue a little further, I have no idea where the ACS is connected.</P><P></P><P>You are not telling me how you are trying to connect to the ACS using the management, etc.</P><P></P><P></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Tue, 10 Dec 2013 00:58:28 GMT https://community.cisco.com/t5/network-security/asa-asymmetric-routing/m-p/2421579#M307763 Julio Carvajal 2013-12-10T00:58:28Z