Hosting a web service with Dual ISP connections on ASA

magurwara
Level 1

I am getting deny reverse path check errors when trying to host a TCP service on the firewall that has two ISP links.

Trying to host the service on ISP-2 IP range while the default route on the firewall is through ISP-1.

Using a route-map to route the traffic out through ISP-2 works fine, which I thought would be enough for hosting the service as well, since the incoming requests should be coming in via ISP-2's link. However, the incoming request to the hosted service fails due to the reverse path check failure.


Is there a workaround? Further configurations? Or is there no way to make this work without disabling reverse path check?


Thanks

3 Replies

The command 'no ip verify reverse-path interface IF-NAME' disables uRPF.

Thanks Mohammed but disabling reverse path check is what I don't want to do. 

However, I am wondering whether it is serving a purpose in this scenario.

Hi All,

I found a possible solution to this problem without disabling the uRPF check. However, it cannot be used in our case (see below). Still sharing, as it may be useful for anyone having a similar problem.


The solution could be to configure a Traffic Zone, say 'Internet', and put both ISP interfaces into this zone. It will then allow traffic to enter or leave from any interface within the zone.


From ASDM GUI:

"You can assign multiple interfaces to a traffic zone, which lets traffic from an existing flow exit or enter the ASA on any interface within the zone."


However, the documentation warns that:

"Do not configure other services (such as VPN or Botnet Traffic Filter) for interfaces in a traffic zone; they may not function or scale as expected."


This in my case leaves the solution useless, as we do host VPNs on the interfaces I was planning to put in this zone. I guess with further configuration, a new interface could be configured in this zone and all non-VPN services could be made part of it, as all Access Rules, NAT, Service Rules (other than QoS traffic policing), and Routing are supported with zones.


Any thoughts from any one?
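For readers following the thread, the configuration below is an added example that puts the pieces discussed above together: both ISP uplinks in the traffic zone 'Internet', uRPF left enabled on every interface, the default route via ISP-1, a static NAT publishing an inside host on an ISP-2 address, and the route-map (policy-based routing) the original post uses to send the server's replies out via ISP-2. It is not taken from the thread or from Cisco documentation. The interface names, the IP addresses (RFC 5737 documentation ranges), the inside server 10.0.0.10 and the TCP/443 service are all assumptions, and the fragment omits the dynamic NAT and rules a real deployment needs for ordinary outbound traffic.

```text
! Added example configuration (not from the original thread).
! Interface names, addresses and the inside server are assumptions.
!
! --- Traffic zone containing both ISP interfaces ---
zone Internet
!
interface GigabitEthernet0/0
 nameif ISP-1
 security-level 0
 zone-member Internet
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ISP-2
 security-level 0
 zone-member Internet
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 policy-route route-map PBR-ISP2
!
! --- uRPF stays enabled everywhere; nothing is turned off ---
ip verify reverse-path interface ISP-1
ip verify reverse-path interface ISP-2
ip verify reverse-path interface inside
!
! --- Default route via ISP-1, ISP-2 default kept only as a backup ---
route ISP-1 0.0.0.0 0.0.0.0 203.0.113.1 1
route ISP-2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Hosted service: inside 10.0.0.10 published as 198.51.100.10 (ISP-2 range) ---
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,ISP-2) static 198.51.100.10
!
! Same inbound rule on both zone members, since a flow may use either interface
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface ISP-1
access-group OUTSIDE-IN in interface ISP-2
!
! --- Policy routing: the server's replies leave via ISP-2's next hop ---
access-list PBR-WEB extended permit tcp host 10.0.0.10 eq 443 any
route-map PBR-ISP2 permit 10
 match ip address PBR-WEB
 set ip next-hop 198.51.100.1
```

Traffic zones need ASA 9.3(2) or later and the `policy-route` interface command needs 9.4(1) or later. To check the result rather than assume it, confirm membership with `show zone Internet`, then clear the drop counters with `clear asp drop`, open a connection to 198.51.100.10 from outside, and look at `show asp drop frame rpf-violated`: if the zone behaves as the ASDM text quoted above describes, that counter should no longer increment for the hosted service while uRPF remains active on each interface. Per the documentation warning also quoted above, the interfaces placed in the zone should not carry VPN termination.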
