ASA asymmetric routing problem

zoran.suica
Level 1

Hello,

my problem is as follows. I have configured an ASA 5550 in transparent mode with two security contexts (admin and another one named "host").

I have configured 8 bridge groups in context "host" (running 8.4). Each bridge group has two interfaces, inside and outside, and its own subnet.

Now my problem is asymmetric routing. When a packet (SYN) enters one of my outside interfaces and goes out on the inside interface in the same bridge group, because of asymmetric routing behind my inside interfaces it is possible that the reply packet (SYN ACK) enters the inside interface of another bridge group. So the firewall drops this packet. Now, my question is how can I resolve this problem?

I've tried configuring asr-group but it doesn't work. I have an active/standby failover configuration and I see that asr-group is usually configured with active-active failover. But is it possible to configure it in active/standby?

Thanks

5 Replies

aswami300
Level 1

Hi Anubhav,

thank you for your answer, but unfortunately my company's security policy asks for a stateful firewall and TCP state bypass disables stateful firewalling.

Zoran

Hi Zoran,

If TCP state bypass is not an option, then we can troubleshoot the asr-group configuration.

Can you please check if you have correctly identified the ingress and egress interfaces and applied asr-group to the correct interface?

--

Anubhav Swami

Hi,

here is part of my configuration for two bridge groups. I did this for a test and it doesn't work.

This is all in one context and I tried telnet from my PC. SYN enters VLAN 325 and goes out on 225, and then SYN ACK enters VLAN 126 but the ASA drops it.

interface BVI2
 ip address 192.168.225.50 255.255.255.0 standby 192.168.225.51
!
interface BVI3
 ip address 192.168.126.50 255.255.255.0 standby 192.168.126.51
!
interface GigabitEthernet0/0.225
 nameif VLAN225
 bridge-group 2
 security-level 100
 asr-group 1
!
interface GigabitEthernet0/0.325
 nameif VLAN325
 bridge-group 2
 security-level 0
 asr-group 1
!
interface GigabitEthernet0/2.126
 nameif VLAN126
 bridge-group 3
 security-level 100
 asr-group 1
!
interface GigabitEthernet0/2.127
 nameif VLAN127
 bridge-group 3
 security-level 0
 asr-group 1
!

Hi Zoran,

I was checking some configuration examples and here are the prerequisites for asr-group:

You must have the following configured for asymmetric routing support to function properly:

Active/Active Failover

Stateful Failover—Passes state information for sessions on interfaces in the active failover group to the standby failover group.

replication http—HTTP session state information is not passed to the standby failover group, and therefore is not present on the standby interface. For the ASA to be able to re-route asymmetrically routed HTTP packets, you need to replicate the HTTP state information.

After carefully reviewing your initial post I found that you are running Active/Standby failover. I am afraid asr-group is not supported with active/standby.

You have the following options:

1. Configure active/active failover and then configure asr-group.

2. Correct asymmetric routing.

3. Enable selective tcp-state bypass if your company policy permits it.

For details refer to the following link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html#wp1110881

--

Anubhav Swami
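To make the conclusion of this thread concrete, here is a simplified model of ASA stateful inspection, added as an illustration (it is not ASA code and not from either poster): it replays the posted flow (SYN in on VLAN325, SYN ACK back in on VLAN126) and shows the drop under Active/Standby and the asr-group match under Active/Active. The interface names and bridge/asr groups come from the posted configuration; the client 10.0.0.5 and server 192.168.225.10 addresses are constructed, and the asr-group lookup is collapsed to a single-unit check.

```python
# Simplified model of ASA stateful inspection (added example, not ASA code): shows why the
# SYN ACK in this thread is dropped and why asr-group only helps with Active/Active failover.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool      # True for the initial SYN, False for the SYN ACK
    ingress: str   # nameif of the interface the packet arrives on

class TransparentAsa:
    def __init__(self, interfaces, failover):
        # interfaces: nameif -> (bridge-group, asr-group); failover: "active/standby" | "active/active"
        self.interfaces = interfaces
        self.failover = failover
        self.conns = {}  # (src, dst, sport, dport) -> interface the SYN arrived on

    def process(self, pkt):
        bg, asr = self.interfaces[pkt.ingress]
        if pkt.syn:
            # New connection: state is tied to the ingress interface and its bridge group
            self.conns[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = pkt.ingress
            return "allow"
        owner = self.conns.get((pkt.dst, pkt.src, pkt.dport, pkt.sport))  # reversed 5-tuple
        if owner is None:
            return "drop: no connection"
        owner_bg, owner_asr = self.interfaces[owner]
        if owner_bg == bg:
            return "allow"
        # Connection lives in another bridge group: the asr-group lookup is only
        # performed with Active/Active failover, otherwise the packet is dropped.
        if self.failover == "active/active" and asr is not None and asr == owner_asr:
            return f"allow: matched via asr-group {asr}"
        return f"drop: connection belongs to bridge-group {owner_bg}"

# Interfaces from the configuration posted in this thread
INTERFACES = {"VLAN225": (2, 1), "VLAN325": (2, 1), "VLAN126": (3, 1), "VLAN127": (3, 1)}

def telnet_test(failover):
    """Replay the thread's flow: SYN in on VLAN325, SYN ACK back in on VLAN126.
    Client 10.0.0.5 and server 192.168.225.10 are constructed addresses."""
    asa = TransparentAsa(INTERFACES, failover)
    syn = Packet("10.0.0.5", "192.168.225.10", 40000, 23, True, "VLAN325")
    syn_ack = Packet("192.168.225.10", "10.0.0.5", 23, 40000, False, "VLAN126")
    return asa.process(syn), asa.process(syn_ack)
```

Running telnet_test("active/standby") reproduces the drop the poster saw, while telnet_test("active/active") returns the asr-group match; this is why option 1 or 2 above is required when TCP state bypass is ruled out.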
