Asymmetric routing between ASA & N9k

Hi folks, 

please see the attached diagram. 
I have very weird problem. Namely : 
Ping between host A and B is successful. However, RDP doesn't work.
On ASDM (where the gateway for host A is configured) I see:

2) DENY TCP (no connection) from... to....

1) Teardown TCP connection from... to.......... TCP RESET-O

Why does ICMP go back and forth successfully, but TCP/3389 can't be established?

From other hosts (same subnet as host B or any other) I can RDP to it, but not from host A.
I can ping host A from N9k-1, but not from N9k-2.

Thanks in advance!




Reza Sharifi
Hall of Fame

Hi,

Are the 2 switches below the 9ks FEXs?

If yes, why isn't the uplink to the firewalls from the 9ks (vPC 30 and 35)?

So, HSRP is configured on the 9ks? If so, is the link to the firewalls layer-2 or layer-3?

Can you clarify?

HTH

 

Hi Reza, 

yes, those two switches are FEXes. 
The reason the firewalls are connected to FEXes is that the firewalls have 1 Gbps links only, and it would have been necessary to purchase additional pluggable ports to connect them to the N9ks directly. So we just connected them to FEXes.
Cisco allows connecting ASAs like that as long as they don't run any dynamic routing protocols. This has been checked :)
HSRP is configured on the N9ks, yes.
I didn't want to clutter the diagram, but there are L3 links between the N9ks and the ASAs.
So when pinging from host A to host B the packet goes:
1) Default gateway (ASA 172.20.10.1). It has a static route to subnet 172.20.11.0/25 pointing to the L3 interface on the N9k.
2) From the N9k it goes to host B (as a directly connected subnet).

Hi,

Thanks for the clarification. In your first post you noted:

I can ping host A from N9k-1, but not from the N9k-2

Is vlan 10 configured on the vPC peer link?

The traffic should go from N9K-2 to N9K-1 over the vPC peer link and down to host A.

What is the result of trace route from N9K-2 to host A?

HTH

 

 

Reza, 

yeah, sure, the VLAN is configured. It is just a trunk with all VLANs.
I'm not sure the traffic should go from N9k-2 to N9k-1. It can go directly to host A.
The ESX is dual-homed.
Host A is unreachable from N9k-2. So traceroute gives me "stars".
I've just checked once again, and now I can't ping host A from N9k-1 or from N9k-2.
One series of pings from N9k-2 to host B succeeded, but after that the pings fail.
I'm wondering what the reason for such unstable behaviour could be.

Can you post the 9ks config?

Also, can you post the output of "sh hsrp brief" from both 9ks?

One more thing: does it behave the same way when you disconnect the FEX ports to the firewalls?

Please find attached run configs and "sh hsrp br" results. 
Also see "sh int counter errors".
Especially Po30 & Po35, which are the port-channels for the ASA firewalls.
I can't disconnect the FEX ports to the firewalls, because this is the way I reach the devices :P

The issue has been resolved. It was all because of this interface:

interface Vlan1015
  no shutdown
  no ip redirects
  ip address 172.20.10.30/27
  no ipv6 redirects

Packets from host B (172.20.11.4) are supposed to go to its gateway on the N9k (172.20.11.1), then to the ASA firewall (via the 10.130.130.5 interface), after which the ASA should forward those packets to subnet 172.20.10.0/27 as directly connected.
So when host A (172.20.10.10) replies, its packets don't go to the ASA but are routed locally (the N9k thinks this subnet is directly connected because of interface Vlan1015). I removed that interface and everything started to work lovely.
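Added here as an illustration (not part of the thread): a small Python model of the topology described in the resolution above. It replays the RDP handshake and a ping from host A to host B, once with the stray Vlan1015 SVI on the N9k and once without it, to show why ICMP survived the asymmetric path while TCP hit "Deny TCP (no connection)" on the ASA. The host, ASA and N9k addresses are the ones quoted in the thread; the N9k's route back toward the ASA, the 10.130.130.6 address for the N9k end of the L3 link, and the assumption that the ASA was not inspecting ICMP are mine, not from the posts.

```python
import ipaddress
from dataclasses import dataclass

# Addresses quoted in the thread; N9K_L3 is an assumed address for the N9k end
# of the ASA <-> N9k L3 link (the thread only gives the ASA's 10.130.130.5).
HOST_A, HOST_B = "172.20.10.10", "172.20.11.4"
ASA_L3, N9K_L3 = "10.130.130.5", "10.130.130.6"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "icmp" or "tcp"
    flags: str = ""  # "SYN", "SYN-ACK" or "ACK" for tcp


class Router:
    """Longest-prefix-match forwarder; next hop "connected" = deliver directly."""
    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(n), nh) for n, nh in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r[0].prefixlen)[1]


class StatefulFirewall:
    """Minimal ASA-like TCP tracking: the SYN creates a connection, which becomes
    established only if the SYN-ACK also transits the firewall. ICMP is assumed
    not inspected (no `inspect icmp`), so echo replies need no matching state."""
    def __init__(self):
        self.conns = {}  # frozenset({src, dst}) -> state

    def inspect(self, pkt):
        if pkt.proto != "tcp":
            return "PERMIT"
        key = frozenset({pkt.src, pkt.dst})
        state = self.conns.get(key)
        if pkt.flags == "SYN" and state is None:
            self.conns[key] = "SYN_SEEN"
            return "PERMIT (new conn)"
        if pkt.flags == "SYN-ACK" and state == "SYN_SEEN":
            self.conns[key] = "ESTABLISHED"
            return "PERMIT"
        if pkt.flags == "ACK" and state == "ESTABLISHED":
            return "PERMIT"
        # Out-of-state segment: the ASA logs "Deny TCP (no connection)" and drops
        # the half-open entry, matching what the OP saw in ASDM.
        self.conns.pop(key, None)
        return "DENY (no connection)"


ASA = Router("ASA", [("172.20.10.0/27", "connected"), ("10.130.130.4/30", "connected"),
                     ("172.20.11.0/25", N9K_L3)])  # static route from the thread

def build_n9k(with_vlan1015_svi):
    routes = [("172.20.11.0/25", "connected"), ("10.130.130.4/30", "connected"),
              ("0.0.0.0/0", ASA_L3)]  # assumed: the N9k's route back toward the ASA
    if with_vlan1015_svi:
        # "interface Vlan1015 / ip address 172.20.10.30/27" makes host A's subnet
        # look directly connected, so the N9k ARPs for host A instead of routing
        # the packet back through the ASA.
        routes.append(("172.20.10.0/27", "connected"))
    return Router("N9k", routes)

def forward(pkt, fw, n9k):
    """Walk a packet from its sender's default gateway (host A -> ASA, host B ->
    N9k SVI). Returns (hops, ASA verdict, or None if the ASA never saw it)."""
    device, hops, verdict = (ASA if pkt.src == HOST_A else n9k), [], None
    while True:
        hops.append(device.name)
        if device is ASA:
            verdict = fw.inspect(pkt)
            if verdict.startswith("DENY"):
                return hops, verdict
        nh = device.lookup(pkt.dst)
        if nh == "connected":
            hops.append(pkt.dst)
            return hops, verdict
        device = ASA if nh == ASA_L3 else n9k

def rdp_handshake(with_vlan1015_svi):
    """Replay A->B SYN, B->A SYN-ACK, A->B ACK; returns (flags, path, verdict)."""
    fw, n9k = StatefulFirewall(), build_n9k(with_vlan1015_svi)
    steps = [("SYN", HOST_A, HOST_B), ("SYN-ACK", HOST_B, HOST_A), ("ACK", HOST_A, HOST_B)]
    out = []
    for flags, src, dst in steps:
        hops, verdict = forward(Packet(src, dst, "tcp", flags), fw, n9k)
        out.append((flags, "->".join(hops), verdict))
    return out

def ping(with_vlan1015_svi):
    """True if A's echo request reaches B and B's reply reaches A."""
    fw, n9k = StatefulFirewall(), build_n9k(with_vlan1015_svi)
    req, _ = forward(Packet(HOST_A, HOST_B, "icmp"), fw, n9k)
    rep, _ = forward(Packet(HOST_B, HOST_A, "icmp"), fw, n9k)
    return req[-1] == HOST_B and rep[-1] == HOST_A
```

With the SVI present, `rdp_handshake(True)` shows the SYN-ACK taking the path `N9k->172.20.10.10` without ever touching the ASA, so the following ACK arrives at a firewall that still holds a half-open entry and is denied; `ping(True)` is still True because the echo reply needs no state on the ASA. With the SVI removed, every segment transits the ASA in both directions and the handshake completes. The general lesson is the one the thread arrives at: a stateful firewall only works when both directions of a flow pass through it, so any device on the return path that has a more specific (here, connected) route to the client subnet silently breaks TCP while leaving ping intact.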
