10-10-2014 12:51 PM - edited 03-11-2019 09:54 PM
I have an ASA 5510 with 2 "outside" interfaces connected. (All addresses are fake to protect the innocent.)
One with Verizon: 63.1.1.2/28 (main internet connection, VPN tunnels attached); the interface is named "fiber".
And one with Comcast: 50.1.1.5/28; the interface is named "comcast".
The Comcast network has a guest wireless router attached to it for cellphones, guest laptops, etc. (50.1.1.6). This keeps the BYOD off my LAN.
I had to put in static routes to all my remote offices because when I turned Comcast on initially, 1/2 of my tunnels dropped.
Now all my tunnels are stable.
I am now getting "Deny TCP reverse path check" from 50.1.1.6 (wireless router) to 63.1.1.2 on interface fiber.
If I try to add a static route for these devices, it says that a connected route exists.
Any idea how I can get this to stop? It looks like I'm being attacked, and it's filling up the ASDM logs so I can't see any real issues.
10-10-2014 09:29 PM
An ASA can only have one default route. Also, it does not do policy-based routing. For that reason we can very seldom connect a given ASA to two routers and have it dynamically steer some flows to one and others to another. When we have a second ISP (and no router we control upstream), we typically use an IP SLA operation with a route that tracks the success of that operation to decide if/when to flip all traffic to the second route.
How does your guest traffic know to take the comcast route outbound?
10-13-2014 07:08 AM
The Comcast network is attached as a backup route in case Verizon goes down. I'm doing SLA tracking.
The Comcast connection to the ASA is 50.1.1.5 on a /28 network (not the real address).
My guest network is a separate router attached to the same subnet as my Comcast interface.
The guest router is attached to 50.1.1.6 (outside the ASA) and uses the default router of 50.1.1.1.
The problem is, when users try to attach to OWA or CAS using the named address to my ASA of 60.1.1.2, they route out through Comcast's network and back into Verizon's; but because they are presenting themselves as 50.1.1.6, the ASA sees that as a connected subnet and gives me a reverse path verification failure.
If I traceroute from 50.1.1.6 to 60.1.1.2, it follows the proper routes. It goes all the way out Comcast's network to the backbone of Verizon, then back in.
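An added illustration (not from either poster) of why the ASA logs that denial: a small Python model of the unicast reverse-path check run against the routing table this thread describes. It assumes connected routes carry administrative distance 0, the primary default route 1 and the tracked backup default 254, and that a static route is refused whenever its destination lies inside a connected subnet; the addresses and interface names are the stand-in values from the posts.

```python
import ipaddress

# Routing table as described in the thread (constructed sample):
# (network, egress interface, administrative distance)
ROUTES = [
    ("63.1.1.0/28", "fiber", 0),     # connected: Verizon /28
    ("50.1.1.0/28", "comcast", 0),   # connected: Comcast /28, guest router at .6
    ("0.0.0.0/0", "fiber", 1),       # primary default route via Verizon
    ("0.0.0.0/0", "comcast", 254),   # tracked backup default via Comcast (assumed AD)
]


def best_route(routes, ip):
    """Return the egress interface for ip: longest prefix wins, then lowest AD."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(net), iface, ad)
               for net, iface, ad in routes if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    _, iface, _ = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return iface


def rpf_check(routes, ingress_iface, src_ip):
    """Model of 'ip verify reverse-path': the packet passes only if the route
    back to its source leaves through the interface it arrived on."""
    return best_route(routes, src_ip) == ingress_iface


def static_route_conflict(routes, network):
    """Return the connected network that would make the ASA reject a static
    route for `network` ('connected route exists'), or None if it is allowed."""
    wanted = ipaddress.ip_network(network)
    for net, _, ad in routes:
        if ad == 0 and wanted.subnet_of(ipaddress.ip_network(net)):
            return net
    return None


if __name__ == "__main__":
    # Guest router traffic goes out Comcast, across Verizon's backbone and back
    # in on "fiber", but the ASA's route to 50.1.1.6 is the connected Comcast /28.
    print("50.1.1.6 arriving on fiber passes RPF:", rpf_check(ROUTES, "fiber", "50.1.1.6"))
    print("50.1.1.6 arriving on comcast passes RPF:", rpf_check(ROUTES, "comcast", "50.1.1.6"))
    # Any other Internet source arriving on fiber is fine: default route points there.
    print("198.51.100.7 arriving on fiber passes RPF:", rpf_check(ROUTES, "fiber", "198.51.100.7"))
    # Why the poster cannot work around it with a static route for the guest router:
    print("static 50.1.1.6/32 conflicts with:", static_route_conflict(ROUTES, "50.1.1.6/32"))
```

The model shows that the only interface the ASA will ever accept 50.1.1.6 on is "comcast", because the connected route is the longest match and no static route can displace it.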