I understand the Management interface in the ASA does not allow the traffic to pass through it. But got this error
"%ASA-4-418001: Through-the-device packet to/from management-only network is denied: tcp src outside:x.x.x.x dst mgmt: y.y.y.y."
Why would the "outside" interface try to process traffic through the management-only interface? I assume it would process through the inside.
This error is causing some outside traffic to not process through the inside correctly (ASA ver 9.1).
Once M0/0 was "shut" to test, traffic flow fine. Where should I look to possibly identify the issue ?
ip addresss x.x.x.x x.x.x.x
route management 0 0 N.N.N.N 1
I am not aware of any other special "route" configurations on the ASA for default route other than the "tunneled" route meant for VPN traffic. Then again I am not sure if there has been some changes for example related to the ASA5500-X Series since its management interface was forced to "management-only" unlike the original ASA5500 Series which let you remove it.
So I am wondering why you have a default route towards the management interface? Maybe this part of the problem. One reason might also be NAT configuration that doesnt specify the actual interface where the internal hosts are located at but in that case there should not be a problem unless there was a problem with the routing.
Maybe you could provide us with the "packet-tracer" output of the above connection logged if its targeted to a public IP address in a Static NAT / Static PAT configuration?
packet-tracer input outside tcp
Maybe I am not understanding the intended use of the managment interface. I have read the various forums concerning it but don't seem to grasp it.
The default route for the managment interface is intended to allow reachability of systems not within the same vlan or network as the management interface. So basically relying on the upstream router. Does the management need to be truly OOB ? And systems needing access to it should be on the same VLAN /network ? I just don't see any concise documentaion on what it can or can not do.
The default route is probably messing with it as you suggested. A " show route inside" and " show route management" has the same default route address. I was expecting to see two different default route address based on source interface specified.
We are not running any NAT/PAT configuration.
Packet-tracer reveals a Phase 4 drop as a result of implicit deny. I assume this is expected as a result of the interface
being management-only. I expected to get the error "%ASA-4-418001, but saw that it was effecting our traffic after further testing.
I don't really use the Management interface much on the ASA units. In the past with the original ASA5500 Series I tended to use it as the Failover link which in the new series I guess is not possible anymore.
I would like to see the "packet-tracer" output to determine what is actually happening. If that doesnt help would really need to see some configurations to determine the cause of the problem. To my understanding you have a connection that should be forwarded to "inside" but is getting passed to the "mgmt" at the moment. So there either has to be some NAT or routing that is causing the problem.
I agree that the routing in place is causing some of the issues. Trying to get the mgmt interface to work is too much of a headache, especially without a true OOB set-up. I can't play around with the connected routers because of impact...I have decided to not use the management interface. Thanks for your input though.