Pity the ASA log doesn't say why it failed anti-spoofing, just that it did and what interface it came in on. How hard could it be for the log to say it failed because it was expecting it on interface A, but it came in on interface B!!!
If you are troubleshooting someone else's network and you don't know where a subnet sits, it's not the easiest thing to do.
Sadly again, the ASA doesn't allow you to do a show route x.x.x.x without specifying an interface. So all I did was check the route against the interface it came in on, and the route was a match. What I didn't know was that there was a more specific route on a different interface.
Should have been simple to spot? Well, the log only gives the host that fails (not the network, which is understandable), but if you do a sh route on an ASA and all the networks have been given names, you can't match it!
What should have been a simple troubleshooting exercise was made difficult by the ASA coding, in my opinion.
In short, the answer was asymmetric routing, as another interface had a more specific route.
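The check the post describes can be reproduced offline. This is an added example, not part of the original post and not Cisco code: it models a strict reverse-path check as a longest-prefix match over a constructed route table (prefixes and interface names are assumptions) and reports the interface the source was expected on.

```python
import ipaddress

# Constructed routing table (not from the post): (prefix, interface).
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("10.20.30.0/24", "dmz"),  # more specific route on a different interface
]

def best_route(src, routes=ROUTES):
    """Return (network, interface) of the longest-prefix match for src, or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def rpf_check(src, ingress, routes=ROUTES):
    """Strict reverse-path check: pass only if the best route to src uses ingress."""
    best = best_route(src, routes)
    if best is None:
        return False, f"{src} on {ingress}: no route to source"
    net, ifc = best
    if ifc == ingress:
        return True, f"{src} on {ingress}: ok via {net}"
    # A less specific route on the ingress interface is the trap from the post:
    # it "matches" when checked alone, but it is not the best route.
    addr = ipaddress.ip_address(src)
    shadowed = [ipaddress.ip_network(p) for p, i in routes
                if i == ingress and addr in ipaddress.ip_network(p)]
    hint = ""
    if shadowed:
        widest = max(shadowed, key=lambda n: n.prefixlen)
        hint = f"; {ingress} only has less specific {widest}"
    return False, f"{src} on {ingress}: expected on {ifc} via {net}{hint}"

if __name__ == "__main__":
    for src, ifc in [("10.20.30.40", "inside"), ("10.1.1.1", "inside")]:
        print(rpf_check(src, ifc)[1])
```

Feeding it the routes from a real device (with names resolved back to prefixes) and the host from the log line gives the "expected on interface A, came in on interface B" answer directly.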