Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1256
Views
0
Helpful
3
Replies

No link between devices on the inside interface

Go to solution
Hamood Rehman
Level 1
Level 1

‎09-07-2012 10:06 AM - edited ‎03-11-2019 04:51 PM

Hello Support Community,

We are in the process of setting up a DR site. DR site has network up and running and can talk to internet and the corporate site. Corporate site however can not talk to the DR site because the ASA at the DR site drops the TCP ACK SYN because the SYN from Corp does not go through the DR ASA. DR ASA sees the ACK SYN because it is the default gateway of DR servers. Please see the simplified diagram.

Any suggestions? Thanks.

Labels:
Preview file
35 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎09-07-2012 10:45 AM

Hello Hamood,

This is the expected behavior of a security firewall as he is seeing an asymetric flow ( Routing issue)

The work around is the TCP state bypass policy,

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Rate all the answers, for the community that is as important as a thanks

Regards,

Juliio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful

Go to solution
edatwyler
Level 1
Level 1

‎09-07-2012 12:51 PM

My preferred method would be to bring the routing at the DR site down to the switch if that point to point link is your preferred  connection.  Or, you could figure out a way to send Corp-To-DR traffic over your VPN tunnel.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎09-07-2012 10:45 AM

Hello Hamood,

This is the expected behavior of a security firewall as he is seeing an asymetric flow ( Routing issue)

The work around is the TCP state bypass policy,

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Rate all the answers, for the community that is as important as a thanks

Regards,

Juliio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
edatwyler
Level 1
Level 1

‎09-07-2012 12:51 PM

My preferred method would be to bring the routing at the DR site down to the switch if that point to point link is your preferred  connection.  Or, you could figure out a way to send Corp-To-DR traffic over your VPN tunnel.

0 Helpful

Go to solution
Hamood Rehman
Level 1
Level 1
In response to edatwyler

‎09-11-2012 08:40 AM

Thanks,

We decided to replace the 2960 at DR with a 3750 and change the DG on DR servers to the 3750. But that means travelling to DR site (5 Hours!), so in the meantime I will configure TCP Bypass and see how it goes.

We plan on configuring the VPN later as a back up.

Thanks again for suggestions, good info.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card