Hi all,
Currently we have the following situation:
An active/standby setup with 2x 5508 ASA firewalls.
The outside IP is 159.100.72.x/28
The inside IP is 150.20.x.y/16
In the routing tables there are entries for access to the 10.1.x.y/16 subnet. It is forwarded towards our core switch along the inside interface.
There is a VPN IP pool in which people are getting a 10.1.253.x IP.
Also, ACL entries are there to allow 10.1.x.y/16 IP & ICMP traffic to any.
In addition, an entry also exists in the same access list for 150.20.x.y/16 IP traffic to any.
Currently we have AnyConnect set up and it is working fine, except for one subnet.
We can connect and ping from subnets like 10.1.6.x, 10.1.7.x, 10.1.100.x etc.
When we ping and set up RDP to servers in those subnets, we are successful.
However, when we try to set up an RDP connection to servers in the 10.1.1.x subnet it fails.
When we do a tcping on port 389 it also fails. However, doing a normal ping succeeds.
In addition, when we do a packet trace on port 389, it doesn't return any errors for the 10.1.1.x subnet.
We thought at first that it was perhaps a bug in the firmware. However, we updated the ASA to the latest firmware available and it still doesn't work.
As far as the core switch goes, there isn't any access list blocking traffic. We have some old Cisco ASA firewalls in place, and there the setup is working fine. TCP 389 is allowed there. However, when we change the gateway for the specific VLAN to point towards the new firewall it only seems to fail on the 10.1.1.x subnet and not for any other subnet.