ASA AnyConnect VPN DNS issue - clears with reboot

Glenn R
Level 1

ASA 5515 With FirePower

ASA Ver: 9.6(4)

Licence: Security Plus

Anyconnect Ver: 4.4.03034


Issue:

The ASA is used for AnyConnect remote access. This works fine for around 3-4 days and then the clients cannot resolve DNS. The AnyConnect client is still connected (VPN is up), so all looks normal.

Rebooting the ASA clears the issue for another 3-4 days until it returns. We have upgraded both the ASA and the AnyConnect version (we're on our 3rd version), but the issue persists.


When the issue occurs the following can be observed (192.168.xx.xx is our DNS/WINS server):


Error

5              Feb 09 2018         10:11:48               305013  192.168.1.35     137         192.168.xx.xx     137         Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE-BT-194Subnet:192.168.71.35/137(LOCAL\user.name) dst INSIDE+GUESTWiFi:192.168.1.178/137 denied due to NAT reverse path failure


I've tried clear conn and clear xlate, but the error remains; up to this point only a reboot sorts the problem (I have a limited amount of time to fault-find before I have to get the service back up).


After Reboot

6              Feb 09 2018         12:23:24               302015  192.168.1.10     137         192.168.xx.xx     137         Built inbound UDP connection 170962 for OUTSIDE-19xSubnet:192.168.1.10/137 (192.168.71.1/137)(LOCAL\user.name) to INSIDE+GUESTWiFi:192.168.2.178/137 (192.168.2.178/137) (user.name)


This suggests a NAT error, but that is not what is being seen here. Any help appreciated.
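An added example, not part of the post: a small Python parser for log lines in the nine-column ASDM log-viewer layout shown above that pulls out the %ASA-5-305013 NAT reverse path failures and counts them per VPN user and destination, so the pattern described here (VPN up, repeated denials toward the DNS/WINS server) can be spotted from the logs before users report it. It assumes tab-separated columns; the addresses, user names and message counts in the sample are constructed.

```python
import re
from collections import Counter

ASYMMETRIC_NAT_ID = "305013"   # %ASA-5-305013: asymmetric NAT / reverse path failure

# Pulls interface, address, port and the "(LOCAL\user)" tag out of the 305013 text.
FLOW_RE = re.compile(
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+)\((?P<user>[^)]*)\)"
    r" dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_line(line):
    """Split one ASDM-layout line into its nine columns; None if malformed."""
    cols = line.rstrip("\n").split("\t", 8)
    if len(cols) != 9:
        return None
    keys = ("sev", "date", "time", "msg_id", "src", "sport", "dst", "dport", "text")
    rec = dict(zip(keys, cols))
    m = FLOW_RE.search(rec["text"])
    if rec["msg_id"] == ASYMMETRIC_NAT_ID and m:
        rec.update(m.groupdict())  # adds src_if, dst_if and the VPN user name
    return rec

def reverse_path_failures(lines):
    """Only the 305013 records, each with interfaces and user parsed out."""
    recs = (parse_line(l) for l in lines if l.strip())
    return [r for r in recs if r and r["msg_id"] == ASYMMETRIC_NAT_ID and "user" in r]

def failures_by_user(lines, threshold=2):
    """Count 305013 denials per (user, dst interface, dst ip, dst port) and keep
    those at or above the threshold: the same user repeatedly denied toward the
    DNS/WINS server is the 'VPN up but no name resolution' pattern."""
    counts = Counter((r["user"], r["dst_if"], r["dst"], r["dport"])
                     for r in reverse_path_failures(lines))
    return {k: n for k, n in counts.items() if n >= threshold}

# Constructed sample in the post's column layout (tab-separated assumed).
SAMPLE_LOG = (
    "5\tFeb 09 2018\t10:11:48\t305013\t192.0.2.35\t137\t10.0.0.53\t137\tAsymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE-BT-194Subnet:192.0.2.35/137(LOCAL\\alice) dst INSIDE+GUESTWiFi:10.0.0.53/137 denied due to NAT reverse path failure\n"
    "5\tFeb 09 2018\t10:11:49\t305013\t192.0.2.35\t137\t10.0.0.53\t137\tAsymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE-BT-194Subnet:192.0.2.35/137(LOCAL\\alice) dst INSIDE+GUESTWiFi:10.0.0.53/137 denied due to NAT reverse path failure\n"
    "5\tFeb 09 2018\t10:12:02\t305013\t192.0.2.36\t53\t10.0.0.53\t53\tAsymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE-BT-194Subnet:192.0.2.36/53(LOCAL\\bob) dst INSIDE+GUESTWiFi:10.0.0.53/53 denied due to NAT reverse path failure\n"
    "6\tFeb 09 2018\t12:23:24\t302015\t192.0.2.10\t137\t10.0.0.53\t137\tBuilt inbound UDP connection 170962 for OUTSIDE-BT-194Subnet:192.0.2.10/137 (192.0.2.10/137)(LOCAL\\carol) to INSIDE+GUESTWiFi:10.0.0.53/137 (10.0.0.53/137) (carol)\n"
)

if __name__ == "__main__":
    for key, n in failures_by_user(SAMPLE_LOG.splitlines()).items():
        print(f"{n}x NAT reverse path failure: {key}")
```

Run against an exported ASDM log instead of SAMPLE_LOG to see which users and which destination the denials cluster on, which is the first thing to compare against the NAT exemption for the VPN pool.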
