I have an issue with the WS-SVC-FWM-1 module - in active/active failover it doesn't perform ICMP connection state replication with asr-groups configured on the respective interfaces. Although other connections are working just fine (asymmetric routing is verified with 'show ip cef' on the MSFC), it seems that only newer ASAs are doing ICMP replication in failover, but I couldn't find any documentation describing replication behavior for the FWSM. Can anyone clearly describe the FWSM's behavior for this?
Hi! I have an issue while connecting from a Hardware VPN Client sitting behind NAT - it only receives the 1st of the 3 routes configured in the split-tunnel ACL on the Easy VPN Server:

EZ_CLNT#sho cry sess
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: <VPN-SRV-IP> port 4500
  IKE SA: local 192.168.5.2/4500 remote 192.168.35.2/4500 Active
  IKE SA: local 192.168.5.2/4500 remote 192.168.35.2/4500 Inactive
  IPSEC FLOW: permit ip 172.16.3.0/255.255.255.0 172.16.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.35.2 port 500
  IPSEC FLOW: permit ip 172.16.3.0/255.255.255.0 172.16.5.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.16.3.0/255.255.255.0 172.16.6.0/255.255.255.0
        Active SAs: 0, origin: crypto map

I've tried to connect from a Client with a Public IP - it works ok, all 3 routes are correctly installed. Why is this happening?