Hi,
we are running two ASA5550 as fail-over.
Everything works fine. But there is still a little "bug".
[...]
same-security-traffic permit intra-interface
[...]
is enabled.
Now, let's open an PostgreSQL-Connection from 10.10.1.22 to 10.10.1.8 (same subnet, same interface "IT").
First try (using psql for a connection), I get
[...]
11:27:56|106015|10.10.1.22|51019|10.10.1.8|5432|Deny TCP (no connection) from 10.10.1.22/51019 to 10.10.1.8/5432 flags RST on interface IT
11:27:56|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800318 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O
11:27:56|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800318 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)
11:27:53|302014|10.10.1.22|51019|10.10.1.8|5432|Teardown TCP connection 290800140 for IT:10.10.1.22/51019 to IT:10.10.1.8/5432 duration 0:00:00 bytes 0 TCP Reset-O
11:27:53|302013|10.10.1.22|51019|10.10.1.8|5432|Built inbound TCP connection 290800140 for IT:10.10.1.22/51019 (10.10.1.22/51019) to IT:10.10.1.8/5432 (10.10.1.8/5432)
[...]
in the ASA log.
psql now runs into a time out.
Starting the second try, the ASA doesn't report any packets and the connection is established.