I have a simple scenario; an ASA just for inbound AnyConnect clients. I have 2 ISPs connected to the ASA and wish to use both simultaneously for inbound connections by simply configuring the DNS name (ISP IP address on ASA) to one or the other on the AnyConnect client.
I am using static routes, so I only have a static route of: route ISP1 0.0.0.0 0.0.0.0 184.108.40.206
Trying to connect remotely, I get the error on the ASA (220.127.116.11 being my client PC):
route failed to locate next hop for TCP from identity: 18.104.22.168 to ISP2 22.214.171.124
Adding a 2nd default route to ISP2 with metric 2, as someone suggested, makes no difference.
I fully understand why it happens, but I'm not sure how to configure it. I assume a connection coming in on one interface would go back out the same interface due to some session table, regardless of the static route. But then, how does that interface find its default gateway?
We generally cannot accommodate that feature on an ASA - at least not with both ISPs active. We can do active/standby with an IP SLA operation that monitors the health of one and then flips the default route to the other when the first one (or, more accurately, reachability of some address beyond it) goes away.
In the absence of a more specific route back to the originating client, return traffic leaving the ASA will only take the default gateway with the lowest metric - even if there are separate gateways for each interface.
The stateful aspect of the firewall only applies to the TCP connections or UDP flows coming through it - not the ingress interface of the traffic.