10-19-2011 06:44 AM - edited 03-11-2019 02:39 PM
Hello,
my problem is as follows. I have configured an ASA 5550 in transparent mode with two security contexts (admin and another one named "host").
I have configured 8 bridge groups in context "host" (running 8.4). Each bridge group has two interfaces, inside and outside, and its own subnet.
Now my problem is asymmetric routing. When a packet (SYN) enters one of my outside interfaces and goes out on the inside interface in the same bridge group,
because of asymmetric routing behind my inside interfaces, it is possible that the reply packet (SYN ACK) enters an inside interface in another bridge
group. So the firewall drops this packet. Now, my question is how can I resolve this problem?
I've tried configuring asr-group but it doesn't work. I have an active/standby failover configuration and I see that asr-group is usually configured
with active/active failover. But is it possible to configure it in active/standby?
Thanks
10-19-2011 06:55 AM
Hi Zoran,
Try the TCP state bypass feature
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
--
Anubhav Swami (Anna)
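The feature suggested above, configured selectively through the Modular Policy Framework so that only the asymmetric flows lose stateful tracking and everything else stays inspected. This is an added example, not configuration from the thread or from the linked Cisco document; it reuses the VLAN names and the 192.168.225.0/24 subnet from the configuration posted later in the thread, and the client prefix 10.10.10.0/24 and the telnet port are assumptions.

```cisco
! Added example (not from the thread): selective TCP state bypass on ASA 8.4.
! Assumed: clients in 10.10.10.0/24 reach servers in 192.168.225.0/24 behind
! VLAN225 (bridge group 2); the servers' SYN/ACK comes back through VLAN126
! (bridge group 3). Only this telnet traffic is exempted from the TCP state
! machine; all other connections remain fully stateful.
access-list TCP_BYPASS extended permit tcp 10.10.10.0 255.255.255.0 192.168.225.0 255.255.255.0 eq telnet
access-list TCP_BYPASS extended permit tcp 192.168.225.0 255.255.255.0 eq telnet 10.10.10.0 255.255.255.0
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! The policy must see the first packet of the flow in EACH direction:
! on VLAN325 the SYN creates the forward connection in bypass mode (so the
! client's later ACK is not dropped for an unseen SYN/ACK), and on VLAN126
! the SYN/ACK creates its own bypass connection instead of being dropped.
service-policy TCP_BYPASS_POLICY interface VLAN325
service-policy TCP_BYPASS_POLICY interface VLAN126
```

To confirm the policy is doing what you expect, `show service-policy interface VLAN126` should list the class with hit counts, and `show conn` should show the flag `b` on the telnet connections (TCP state bypass). Before the change, the dropped SYN/ACK shows up as syslog 106015 ("Deny TCP (no connection)") and increments the `tcp-not-syn` ("First TCP packet not SYN") counter in `show asp drop`; after it, that counter should stop growing for these flows. Keep the access list as narrow as possible: a bypassed connection skips TCP normalization, sequence number checks and application inspection, so the exemption is exactly the stateful coverage you give up.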
10-19-2011 06:59 AM
Hi Anubhav,
thank you for your answer, but unfortunately my company's security policy asks for a stateful firewall, and TCP state bypass disables the stateful firewall.
Zoran
10-19-2011 07:15 AM
Hi Zoran,
If TCP state bypass is not an option, then we can troubleshoot the asr-group configuration.
Can you please check whether you have correctly identified the ingress and egress interfaces and applied asr-group to the correct interface?
--
Anubhav Swami
10-19-2011 07:22 AM
Hi,
here is part of my configuration for two bridge groups. I did this as a test and it doesn't work.
This is all in one context and I tried telnet from my PC. The SYN enters VLAN 325 and goes out on
VLAN 225, and then the SYN ACK enters VLAN 126 but the ASA drops it.
interface BVI2
ip address 192.168.225.50 255.255.255.0 standby 192.168.225.51
!
interface BVI3
ip address 192.168.126.50 255.255.255.0 standby 192.168.126.51
!
interface GigabitEthernet0/0.225
nameif VLAN225
bridge-group 2
security-level 100
asr-group 1
!
interface GigabitEthernet0/0.325
nameif VLAN325
bridge-group 2
security-level 0
asr-group 1
!
interface GigabitEthernet0/2.126
nameif VLAN126
bridge-group 3
security-level 100
asr-group 1
!
interface GigabitEthernet0/2.127
nameif VLAN127
bridge-group 3
security-level 0
asr-group 1
!
10-19-2011 07:37 AM
Hi Zoran,
I was checking some configuration examples and here are some prerequisites for asr-group:
You must have the following configured for asymmetric routing support to function properly:
•Active/Active Failover
•Stateful Failover—Passes state information for sessions on interfaces in the active failover group to the standby failover group.
•replication http—HTTP session state information is not passed to the standby failover group, and therefore is not present on the standby interface. For the ASA to be able to re-route asymmetrically routed HTTP packets, you need to replicate the HTTP state information.
After carefully reviewing your initial post I found that you are running Active/Standby failover. I am afraid asr-group is not supported with active/standby.
You have following options:
1. Configure active/active failover and then configure asr-group.
2. Correct asymmetric routing.
3. Enable selective TCP state bypass if your company policy permits it.
For details, refer to the following link:
--
Anubhav Swami
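Option 1 from the post above, written out as configuration: the Active/Active pieces that the three listed prerequisites correspond to, for ASA 8.4 in multiple-context mode. This is an added example, not configuration from the thread or from Cisco's documentation. The failover-link interface and addresses, the context file name, and the choice of failover group are assumptions; the sub-interface names, bridge groups and asr-group assignments are the ones from Zoran's posted configuration.

```cisco
! Added example (not from the thread): Active/Active failover with the
! asr-group prerequisites for ASA 8.4, multiple-context mode.
! Assumed: GigabitEthernet0/3 is free to carry the failover and state links,
! 10.0.0.0/30 is unused, and the "host" context lives in disk0:/host.cfg.
!
! ---- system execution space, primary unit ----
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
!
! Two failover groups are what makes this Active/Active (prerequisite 1).
! "failover link" above is the stateful failover link (prerequisite 2).
! "replication http" is configured per failover group here (prerequisite 3);
! in Active/Standby the equivalent is the global "failover replication http".
failover group 1
 primary
 preempt
 replication http
failover group 2
 secondary
 preempt
 replication http
!
context host
 allocate-interface GigabitEthernet0/0.225
 allocate-interface GigabitEthernet0/0.325
 allocate-interface GigabitEthernet0/2.126
 allocate-interface GigabitEthernet0/2.127
 config-url disk0:/host.cfg
 join-failover-group 1
!
failover
!
! ---- inside context "host" ----
! Unchanged from the posted configuration: every interface that can receive
! either direction of the flow carries the same asr-group number.
interface GigabitEthernet0/0.325
 nameif VLAN325
 bridge-group 2
 security-level 0
 asr-group 1
!
interface GigabitEthernet0/2.126
 nameif VLAN126
 bridge-group 3
 security-level 100
 asr-group 1
```

The secondary unit needs the same failover commands with `failover lan unit secondary`; the rest of the system configuration is replicated once `failover` is enabled on both. `show failover` should then list both groups with their active unit, and repeating the telnet test should leave the `tcp-not-syn` counter in `show asp drop` unchanged while `show conn` shows the connection in one place. As with the posted test, both interfaces that can see the asymmetric flow must be in the same asr-group; putting only the ingress interface in it does nothing.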