02-11-2011 12:04 AM - edited 03-11-2019 12:49 PM
Hi,
I have set up VSS with FWSM, which makes up our collapsed core/distribution layer. The FWSM consists of two contexts, namely internal and external.
The set up is working fine with some issues to particular segments in the internal context. The internal context consists of 2 interfaces, namely "users" and "management". Users are able to ping and telnet to some of the servers but not to all. The log in FWSM shows the reverse traffic from some of the management servers is getting blocked. I have configured access any any on all interfaces. The FWSM is in active/standby failover mode. What would be the problem?
Regards,
Sreekanth V.S
02-11-2011 02:03 AM
Kindly find the log from FWSM
FWSM/internalfw(config)# show logging | in 10.203.96.11
%FWSM-6-106015: Deny TCP (no connection) from 10.203.96.11/23 to 10.203.65.28/52685 flags SYN ACK on interface management
The connection was initiated from 10.203.65.28/52685 towards the server 10.203.96.11 for telnet access.
02-12-2011 09:25 AM
Hi,
The problem is related to asymmetric routing. If you see, the SYN-ACK packet is coming from the management interface; should it be coming from there?
Cheers
Mike
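As an added illustration (not part of the thread), the following Python script parses %FWSM-6-106015 lines in the format shown above and counts, per server and interface, the SYN ACK packets the firewall dropped for lack of a connection; a run of such drops for one server is the symptom Mike describes, since a reply arriving with no matching connection means the client's SYN never built state on this unit. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Syslog 106015 as quoted in the thread: "Deny TCP (no connection)" plus the
# TCP flags and the interface on which the unmatched packet arrived.
LOG_RE = re.compile(
    r"%FWSM-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"flags (?P<flags>[A-Z ]+) on interface (?P<iface>\S+)"
)

def parse_106015(line):
    """Return the fields of a 106015 line as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()
    return rec

def stray_synacks(lines):
    """Count SYN ACK packets dropped with no connection, keyed by (server, port, interface).

    The server is the source of a SYN ACK, so the key uses src_ip/src_port. Repeated
    hits for one server mean its replies reach this unit without a matching connection:
    the SYN took another path (asymmetric routing) or built state on the peer unit.
    """
    counts = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec is None or set(rec["flags"]) != {"SYN", "ACK"}:
            continue  # not a 106015 line, or not a stray reply (e.g. RST ACK)
        counts[(rec["src_ip"], int(rec["src_port"]), rec["iface"])] += 1
    return counts

# Constructed sample lines in the format seen in the thread (not real captures).
SAMPLE_LOG = [
    "%FWSM-6-106015: Deny TCP (no connection) from 10.203.96.11/23 to 10.203.65.28/52685 flags SYN ACK on interface management",
    "%FWSM-6-106015: Deny TCP (no connection) from 10.203.96.11/23 to 10.203.65.30/41002 flags SYN ACK on interface management",
    "%FWSM-6-106015: Deny TCP (no connection) from 10.203.96.11/23 to 10.203.65.28/52685 flags RST ACK on interface management",
    "%FWSM-6-302013: Built inbound TCP connection 12 for users:10.203.65.28/52686 (10.203.65.28/52686) to management:10.203.96.12/23 (10.203.96.12/23)",
]

if __name__ == "__main__":
    for (server, port, iface), n in stray_synacks(SAMPLE_LOG).most_common():
        print(f"{server}:{port} -> {n} stray SYN ACK(s) on interface '{iface}' with no connection")
```

Servers that show up here while their subnet neighbours (the .12 in the thread) do not are the ones whose return path, NAT/xlate entry, or failover state to check.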
02-12-2011 11:50 AM
Hi Mike,
Thank you for the reply. The traffic is going from the "user" interface to the "management" interface, where both interfaces have been defined in the same internal context. The return traffic is hitting the management interface, where it is getting dropped (please note the FWSM is configured for failover). Is it because the traffic coming back is hitting the management interface on the standby FWSM rather than the active? How can asymmetric routing be solved?
10.203.65.28---->(internal)
e.g. the connection to 10.203.96.11 is showing this problem, but not to 10.203.96.12, which is in the same subnet.
Regards,
Sree
02-13-2011 05:22 AM
When it comes to the firewall, many asymmetrical routing issues are actually NATing issues (static or dynamic). This is so because the firewall does a NAT lookup for packet forwarding before a route lookup in the route table. If no NAT entry exists (XLATE table), the firewall looks at static routes, and then the routing table.
It's advisable to carefully inspect any static xlate entries as well as dynamic ones to see if one is misconfigured, thus looking for a packet on an interface other than the one it should arrive on.
02-15-2011 01:13 AM
Hi Aman,
We are using identity NAT. Kindly find the NAT configuration below.
access-list management_access_in extended permit ip any any
access-list management_access_out extended permit ip any any
access-list management_nat0_outbound extended permit ip any any
access-list management_nat0_inbound extended permit ip any any
nat (management) 0 access-list management_nat0_outbound
nat (management) 0 access-list management_nat0_inbound outside
Regards,
Sreekanth
02-15-2011 04:07 AM
When the problem occurs, capture the output of the detailed xlate table at that time and shoot that over please.