ASA 5515 With FirePower
ASA Ver: 9.6(4)
Licence: Security Plus
Anyconnect Ver: 4.4.03034
Issue:
The ASA is used for Anyconnect remote access. This works fine for around 3-4 days and then the clients cannot resolve DNS. The Anyconnect client is still connected (VPN is up) so all looks normal.
Rebooting the ASA clears the issue for another 3-4 days until it returns. We have upgraded both the ASA and the anyconnect version (we’re on our 3rd version) but the issue persists.
When the issue occurs the following can be observed (192.168.xx.xx is our DNS/WINS):
Error
5 Feb 09 2018 10:11:48 305013 192.168.1.35 137 192.168.xx.xx 137 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE-BT-194Subnet:192.168.71.35/137(LOCAL\user.name) dst INSIDE+GUESTWiFi:192.168.1.178/137 denied due to NAT reverse path failure
I’ve tried clear conn & clear xlate but the error remains; up to this point only a reboot sorts the problem (I have a limited amount of time to fault-find before I have to get the service back up).
After Reboot
6 Feb 09 2018 12:23:24 302015 192.168.1.10 137 192.168.xx.xx 137 Built inbound UDP connection 170962 for OUTSIDE-19xSubnet:192.168.1.10/137 (192.168.71.1/137)(LOCAL\user.name) to INSIDE+GUESTWiFi:192.168.2.178/137 (192.168.2.178/137) (user.name)
This suggests a NAT error but that is not what is being seen here. Any help appreciated.
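One way to catch the onset of these 305013 messages from the syslog feed rather than waiting for users to report DNS failures, added here as an example (not code from the original post or from Cisco): a small parser for ASA log lines in the column layout shown above, which pulls out the message ID and the source/destination interface names and counts NAT reverse-path failures per interface pair. The layout (severity, date, time, message ID, then the message text) is assumed from the lines in the post, and the sample lines are constructed to mirror them.

```python
import re
from collections import Counter

# Line layout as exported in the post: "<sev> <Mon> <dd> <yyyy> <hh:mm:ss> <msgid> <text>"
# (assumed from the post; other exports prefix "%ASA-<sev>-<msgid>:" instead).
HEADER = re.compile(
    r"^(?P<sev>\d)\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msgid>\d{6})\s+(?P<rest>.*)$"
)
# 305013 writes "src <ifc>:<ip>/<port> ... dst <ifc>:<ip>/<port>";
# 302015 writes "for <ifc>:<ip>/<port> ... to <ifc>:<ip>/<port>". Interface names may contain '+' and '-'.
FLOW = re.compile(
    r"\b(?:src|for) (?P<src_ifc>[\w+\-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r".*?\b(?:dst|to) (?P<dst_ifc>[\w+\-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
NAT_REVERSE_PATH_FAILURE = "305013"  # "denied due to NAT reverse path failure"

def parse_line(line):
    """Return a dict of header fields plus flow fields (when present), or None if not an ASA line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    flow = FLOW.search(rec["rest"])
    if flow:
        rec.update(flow.groupdict())
    rec["nat_rpf_failure"] = rec["msgid"] == NAT_REVERSE_PATH_FAILURE
    return rec

def rpf_failures_by_interface_pair(lines):
    """Count 305013 events per (source interface, destination interface) pair."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["nat_rpf_failure"] and "src_ifc" in rec:
            counts[(rec["src_ifc"], rec["dst_ifc"])] += 1
    return counts

def first_rpf_failure(lines):
    """Timestamp of the first 305013 seen, useful for dating the onset of the fault."""
    for rec in map(parse_line, lines):
        if rec and rec["nat_rpf_failure"]:
            return f'{rec["mon"]} {rec["day"]} {rec["year"]} {rec["time"]}'
    return None

# Constructed sample lines modelled on those in the post (not real captured data).
SAMPLE_LOG = [
    "5 Feb 09 2018 10:11:48 305013 192.168.71.35 137 192.168.1.178 137 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE-BT-194Subnet:192.168.71.35/137(LOCAL\\user.name) dst INSIDE+GUESTWiFi:192.168.1.178/137 denied due to NAT reverse path failure",
    "5 Feb 09 2018 10:11:52 305013 192.168.71.36 53 192.168.1.178 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE-BT-194Subnet:192.168.71.36/53(LOCAL\\other.user) dst INSIDE+GUESTWiFi:192.168.1.178/53 denied due to NAT reverse path failure",
    "6 Feb 09 2018 12:23:24 302015 192.168.1.10 137 192.168.2.178 137 Built inbound UDP connection 170962 for OUTSIDE-19xSubnet:192.168.1.10/137 (192.168.71.1/137)(LOCAL\\user.name) to INSIDE+GUESTWiFi:192.168.2.178/137 (192.168.2.178/137) (user.name)",
]

if __name__ == "__main__":
    print(first_rpf_failure(SAMPLE_LOG), dict(rpf_failures_by_interface_pair(SAMPLE_LOG)))
```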