ASA - Traffic keeps bouncing?

Eric Snijders
Level 1

Hi all,
I think I have a very simple case. Consider the following topology:

[topology diagram: AnyConnect VPN client, internet-facing firewall, second firewall]

Yesterday I did a ping sweep with nmap from our AnyConnect VPN. Our internet-facing firewall (where AnyConnect VPN is running) was logically reporting a TCP SYN attack and a lot of "Duplicate TCP SYN". This is behaviour I expect. BUT... for some reason, traffic to non-existing hosts keeps bouncing between the 2 firewalls. Even when I disconnect my AnyConnect VPN, the traffic keeps bouncing between the 2 firewalls. This is because the internet-facing firewall is forwarding this traffic due to a /23 route in this case, and the second firewall doesn't have a route, so it's hitting the 0-route back to the internet-facing route.

Now I was wondering: why isn't the TTL decreased for these packets? The packets just infinitely keep bouncing. Shunning the source on both firewalls resolves this, but I don't think that should be the right way.

How can I fix this? We need the /23 route because we subnet it further, but not every host/subnet within this range is being used.

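The bounce described in the post, as an added simulation that is not part of the original thread: two small longest-prefix-match tables reproduce the /23-versus-default loop, show why a device that forwards without decrementing TTL never ends it (an ASA does not decrement TTL unless `set connection decrement-ttl` is configured), and show how a discard route for the unused part of the /23 on the inner firewall stops the packet there. Prefixes, device names and the hop cap are assumptions for illustration.

```python
import ipaddress

# Constructed model of the topology in the post: an internet-facing firewall
# ("outer") with a /23 route towards a second firewall ("inner"), which only
# has routes for the subnets actually in use plus a default route back out.
# Prefixes and device names are assumptions, not taken from the thread.
OUTER, INNER = "outer", "inner"

# Each table is a list of (prefix, next_hop). A next hop that is not a device
# name is a terminal outcome ("delivered", "internet", "discard").
LEAKY = {
    OUTER: [("10.10.0.0/23", INNER), ("0.0.0.0/0", "internet")],
    INNER: [("10.10.0.0/24", "delivered"), ("0.0.0.0/0", OUTER)],
}
# Same topology with a discard route covering the whole /23 on the inner
# firewall: unused addresses hit it instead of the default route back out,
# while the more specific /24 still wins for addresses that are in use.
WITH_DISCARD = {
    OUTER: LEAKY[OUTER],
    INNER: [("10.10.0.0/24", "delivered"),
            ("10.10.0.0/23", "discard"),
            ("0.0.0.0/0", OUTER)],
}

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]

def forward(tables, dst, ttl=64, decrement_ttl=True, max_hops=1000):
    """Trace a packet entering at the outer firewall; returns (outcome, hops).
    With decrement_ttl=False the devices forward without touching TTL, so a
    route loop never terminates (capped at max_hops and reported as "loop")."""
    device, hops = OUTER, 0
    while hops < max_hops:
        hops += 1
        if decrement_ttl:
            ttl -= 1
            if ttl <= 0:
                return ("ttl-expired", hops)
        next_hop = lookup(tables[device], dst)
        if next_hop not in tables:
            return (next_hop, hops)
        device = next_hop
    return ("loop", hops)
```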