Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
683
Views
0
Helpful
2
Replies

Asymetric routing issue

infosys02
Level 1
Level 1

‎09-26-2017 06:28 AM - edited ‎02-21-2020 06:22 AM

Hi,

 

I am in the process of replacing an old router/firewall with a Cisco 5506-X firewall. (I'm aware that the 5506 is not a router, I'm working with what I am given..) - note that the layout is the same as with our old firewall/router and that I'm trying to avoid any changes or having to deal with MPLS / Phone service provider for multiple reasons.

 

The network I am dealing with is pretty poorly laid out; There's a half-managed phone system with a dedicated MPLS network for voice traffic - The MPLS router is the default gateway for VoIP equipement (Phones, Media gateways and what-not).

 

We have L2L VPNs between this location and other locations.

 

On the MPLS router, there is a static route that forwards all traffic from the voice vlan vlan100 to an interface "vlan10" of our ASA

 

I can ping the devices in the voice vlans but the TCP connections fail.

I made a service policy rule to bypass TCP state although now I end up with the following error;

 

- Routing failed to locate next hop for TCP from outside: x.x.x.x/x to vlan10:192.168.0.20/x

- Teardown TCP state-bypass connection XXXX from outside:x.x.x.x to vlan10 - 192.168.0.17 No valid adjacency

 

The ASA tries to establish the TCP connections through the vlan10 interface even though the IP address is directly connected to the vlan100 interface.

 

It makes sense because that's where the traffic is coming from but is there a way to force the traffic to vlan100 to exit through the vlan100 interface?

 

I'm not familiar enough with the ASAs to figure this one out and I'm not even sure it's possible to fix that without changing the routes on the voice MPLS router so that packets from vlan100 is routed through our vlan100 interface.

 

Here's a very high level picture of what the traffic looks like with different IPs;

 

 

Graph.PNG

 

Any help would be greatly appreciated!

Thanks

Labels:
0 Helpful
2 Replies 2

infosys02
Level 1
Level 1

‎09-26-2017 12:28 PM

Just noticed I could route everything through my vlan 10 and just remove the vlan 100 -.- 

 

I don't know how to delete a thread but in any case, I resolved my own "problem".

0 Helpful

Jesper Erbs2
Level 1
Level 1
In response to infosys02

‎09-30-2017 07:22 AM

Great you found a solution!
My guess would be, that you had a NAT issue if you should come across issues like it again.
The NAT in the ASA can overrule the routing table.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card