12-11-2012 12:34 PM
Trying to keep what seems like a convoluted problem fairly simple.
For this particular problem, I have 4 interfaces on the ASA 5510 (untrust, trust, prod, dmz), 3 subnets and a single VPN network.
VPN network = 10.1.55.0
trust interface = 192.168.1.0
prod interface = 192.168.5.0
dmz interface = 192.168.6.0
VPN network is connected to ASA via S2S tunnel using 'HWVPN' tunnel group. There is an F5 BigIP Load balancer with interfaces on the 192.168.1.0, 192.168.5.0 and 192.168.6.0 networks. Virtual Servers for the F5 are on the 192.168.6.0 network.
I can ping from 10.1.55.210 (my computer) to 192.168.6.189 (F5 Load Balancer Virtual Server) just fine.
ping 192.168.6.189
Pinging 192.168.6.189 with 32 bytes of data:
Reply from 192.168.6.189: bytes=32 time=47ms TTL=255
Reply from 192.168.6.189: bytes=32 time=45ms TTL=255
Reply from 192.168.6.189: bytes=32 time=41ms TTL=255
Reply from 192.168.6.189: bytes=32 time=44ms TTL=255
Ping statistics for 192.168.6.189:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 41ms, Maximum = 47ms, Average = 44ms
I can hit the web interface (https://192.168.6.183) for the F5 via 10.1.55.210 just fine, login, etc. When I attempt to hit any of the F5 Virtual Servers/Proxies on the 192.168.6.0 network from the 10.1.55.0 network (over the VPN tunnel), I get these errors:
6 | Dec 11 2012 | 14:10:56 | 302013 | 10.1.55.210 | 51484 | 192.168.6.189 | 80 | Built inbound TCP connection 293269657 for untrust:10.1.55.210/51484 (10.1.55.210/51484) to dmz:192.168.6.189/80 (192.168.6.189/80) |
6 | Dec 11 2012 | 14:10:56 | 106015 | 192.168.5.14 | 80 | 10.1.55.210 | 51484 | Deny TCP (no connection) from 192.168.5.14/80 to 10.1.55.210/51484 flags SYN ACK on interface prod |
So the TCP handshake is failing. Some more information: the F5 Virtual Server at 192.168.6.189 is currently associated with a load balancing pool with 1 member (192.168.5.14). So 10.1.55.210 (untrust interface) tries to make a TCP connection to 192.168.6.189 (dmz interface), which load balances that request over to 192.168.5.14 (prod interface), which then attempts to reply on its interface (prod) back to 10.1.55.210, and fails, because no connection is made through that interface. Here is the routing information for that server (192.168.5.14):
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.5.183 192.168.5.14 266
10.1.0.0 255.255.0.0 192.168.5.1 192.168.5.14 11
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.5.1 192.168.5.14 11
192.168.2.0 255.255.255.0 192.168.5.1 192.168.5.14 11
192.168.5.0 255.255.255.0 On-link 192.168.5.14 266
192.168.5.14 255.255.255.255 On-link 192.168.5.14 266
192.168.5.255 255.255.255.255 On-link 192.168.5.14 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.5.14 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.5.14 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.5.183 Default
===========================================================================
Typical traffic to this server (192.168.5.14) works fine (RDP, CIFS, etc.), but internal traffic routed to 192.168.6.0 and then load balanced back to 192.168.1.0 or 192.168.5.0 does not get back correctly. The 192.168.5.183 gateway in the routing table is the F5 load balancer.
We also have external IPs associated (NAT'd) for each F5 proxy/virtual server on the 192.168.6.0 network. If an internal (VPN or otherwise) computer hits the external IP, which load balances to the 192.168.1.0 or 192.168.5.0 networks, it goes back out and back in just fine. However, we want to point internal DNS at the 192.168.6.0 network, and have that route to/from the VPN networks (10.1.0.0) without having to use the external IP.
Here is our ASA config, less the user entries, and with public IPs "whited" out:
Result of the command: "sh run"
: Saved
:
ASA Version 8.4(3)
!
hostname fire2
domain-name XXXXXXXXXXXXX
enable password EKulpKJap2J/lkIx encrypted
passwd jI7uBnbk1SCnR6Lm encrypted
names
name 216.82.225.202 Bandwidth.com_2
name 216.82.224.202 Bandwidth.com_1
name 4.79.212.236 Bandwidth.com_0
name 169.254.255.2 AWS1 description IP ADdress for AWS Tunnel 1
name 169.254.255.6 AWS2
dns-guard
!
interface Ethernet0/0
description Internet
nameif untrust
security-level 0
ip address XX.XXX.XX.XX 255.255.255.240 standby XX.XXX.XX.XX
!
interface Ethernet0/1
description Subnet for Production Application Server Broadcast Containment
nameif prod
security-level 99
ip address 192.168.5.1 255.255.255.0 standby 192.168.5.2
!
interface Ethernet0/2
description DMZ for F5 Load Balancer Cluster
nameif dmz
security-level 98
ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
description Corporate Data Center Subnet
nameif trust
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name XXXXXXXXXXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-10.1.55.0
subnet 10.1.55.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-10.1.70.0
subnet 10.1.70.0 255.255.255.0
object network obj-10.1.69.0
subnet 10.1.69.0 255.255.255.0
object network obj-192.168.5.10
host 192.168.5.10
object network obj-192.168.5.12
host 192.168.5.12
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.6.181
host 192.168.6.181
object network obj-192.168.6.182
host 192.168.6.182
object network obj-192.168.6.183
host 192.168.6.183
object network obj-192.168.6.184
host 192.168.6.184
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network obj-10.1.51.0
subnet 10.1.51.0 255.255.255.0
object network obj-192.168.1.11
host 192.168.1.11
object network obj-192.168.1.9
host 192.168.1.9
object network obj-192.168.1.8
host 192.168.1.8
object network obj-192.168.1.40
host 192.168.1.40
object network obj-192.168.1.41
host 192.168.1.41
object network obj-192.168.1.90
host 192.168.1.90
object network obj-192.168.1.83
host 192.168.1.83
object network obj-192.168.1.14
host 192.168.1.14
object network obj-192.168.1.178
host 192.168.1.178
object network obj-192.168.1.17
host 192.168.1.17
object network obj-192.168.1.70
host 192.168.1.70
object network obj-192.168.1.71
host 192.168.1.71
object network obj-192.168.1.161
host 192.168.1.161
object network obj-192.168.1.110
host 192.168.1.110
object network obj-192.168.1.189
host 192.168.1.189
object network obj-192.168.1.140
host 192.168.1.140
object network obj-192.168.1.30
host 192.168.1.30
object network obj-192.168.1.31
host 192.168.1.31
object network obj-192.168.1.151
host 192.168.1.151
object network obj-192.168.1.92
host 192.168.1.92
object network obj-192.168.1.95
host 192.168.1.95
object network obj-192.168.1.60
host 192.168.1.60
object network obj-192.168.1.15
host 192.168.1.15
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.6.185
host 192.168.6.185
object network obj-192.168.6.186
host 192.168.6.186
object network obj-192.168.6.187
host 192.168.6.187
object network obj-76.173.218.138
host 76.173.218.138
object network obj-131.179.210.51
host 131.179.210.51
object network obj-131.179.96.240
host 131.179.96.240
object network obj-103.28.248.0
subnet 103.28.248.0 255.255.252.0
object network obj-122.248.247.129
host 122.248.247.129
object network obj-146.185.22.162
host 146.185.22.162
object network obj-149.126.72.0
subnet 149.126.72.0 255.255.248.0
object network obj-159.253.143.23
host 159.253.143.23
object network obj-173.203.97.38
host 173.203.97.38
object network obj-174.37.187.198
host 174.37.187.198
object network obj-174.37.194.147
host 174.37.194.147
object network obj-176.32.89.123
host 176.32.89.123
object network obj-178.238.138.226
host 178.238.138.226
object network obj-178.238.138.227
host 178.238.138.227
object network obj-184.173.146.49
host 184.173.146.49
object network obj-184.73.240.163
host 184.73.240.163
object network obj-194.90.228.56
subnet 194.90.228.56 255.255.255.248
object network obj-199.59.160.137
host 199.59.160.137
object network obj-199.59.160.140
host 199.59.160.140
object network obj-199.83.128.0
subnet 199.83.128.0 255.255.248.0
object network obj-204.188.219.130
host 204.188.219.130
object network obj-207.210.68.26
host 207.210.68.26
object network obj-213.229.77.79
host 213.229.77.79
object network obj-216.12.199.130
host 216.12.199.130
object network obj-46.19.140.58
host 46.19.140.58
object network obj-46.51.174.78
host 46.51.174.78
object network obj-50.22.48.231
host 50.22.48.231
object network obj-50.23.225.32
host 50.23.225.32
object network obj-50.7.161.114
host 50.7.161.114
object network obj-50.7.161.138
host 50.7.161.138
object network obj-67.212.80.68
host 67.212.80.68
object network obj-67.228.61.200
host 67.228.61.200
object network obj-67.228.61.202
host 67.228.61.202
object network obj-79.125.118.62
host 79.125.118.62
object network obj-93.174.93.108
host 93.174.93.108
object network obj-93.174.96.108
host 93.174.96.108
object network 10.1.0.0
subnet 10.1.0.0 255.255.0.0
description Powis Network
object-group service Media tcp-udp
port-object range 10000 20000
object-group network Bandwidth.com
network-object Bandwidth.com_0 255.255.255.255
network-object Bandwidth.com_1 255.255.255.255
network-object Bandwidth.com_2 255.255.255.255
object-group service UDPMedia udp
port-object range 10000 30000
object-group network Postini
description Postini Mail Servers
network-object 64.18.0.0 255.255.240.0
object-group network DM_INLINE_NETWORK_1
network-object object obj-131.179.96.240
network-object object obj-76.173.218.138
object-group network DM_INLINE_NETWORK_2
network-object object Insperity1
network-object object Insperity2
network-object object Insperity3
network-object object Insperity4
network-object object HRSmart4
object-group network DM_INLINE_NETWORK_3
network-object object Insperity1
network-object object Insperity2
network-object object Insperity3
network-object object Insperity4
object-group network DM_INLINE_NETWORK_4
network-object object Insperity1
network-object object Insperity2
network-object object Insperity3
network-object object Insperity4
object-group network BlockDos
network-object object obj-103.28.248.0
network-object object obj-122.248.247.129
network-object object obj-146.185.22.162
network-object object obj-149.126.72.0
network-object object obj-159.253.143.23
network-object object obj-173.203.97.38
network-object object obj-174.37.187.198
network-object object obj-174.37.194.147
network-object object obj-176.32.89.123
network-object object obj-178.238.138.226
network-object object obj-178.238.138.227
network-object object obj-184.173.146.49
network-object object obj-184.73.240.163
network-object object obj-194.90.228.56
network-object object obj-199.59.160.137
network-object object obj-199.59.160.140
network-object object obj-199.83.128.0
network-object object obj-204.188.219.130
network-object object obj-207.210.68.26
network-object object obj-213.229.77.79
network-object object obj-216.12.199.130
network-object object obj-46.19.140.58
network-object object obj-46.51.174.78
network-object object obj-50.22.48.231
network-object object obj-50.23.225.32
network-object object obj-50.7.161.114
network-object object obj-50.7.161.138
network-object object obj-67.212.80.68
network-object object obj-67.228.61.200
network-object object obj-67.228.61.202
network-object object obj-79.125.118.62
network-object object obj-93.174.93.108
network-object object obj-93.174.96.108
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp destination eq ftp
object-group network DM_INLINE_NETWORK_5
network-object 10.1.170.0 255.255.255.0
network-object 10.1.70.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.70.0 255.255.255.0
access-list untrust_cryptomap_dyn_20 extended deny udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HWVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list HWVPN_splitTunnelAcl remark HW Corp LAN
access-list HWVPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list HWVPN_splitTunnelAcl remark HW Corp LAN
access-list HWVPN_splitTunnelAcl standard permit 192.168.6.0 255.255.255.0
access-list RemoteDev_splitTunnelACL remark Gatlin Access
access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.15
access-list RemoteDev_splitTunnelACL remark Wesson Access
access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.11
access-list RemoteDev_splitTunnelACL remark Ruger Access
access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.8
access-list RemoteDev_splitTunnelACL standard permit host 192.168.1.71
access-list untrust_cryptomap extended permit ip 192.168.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_5
access-list HomePez standard permit host 192.168.1.60
access-list HomePez standard permit host 192.168.1.15
access-list untrust_cryptomap_dyn_60 extended permit ip any 192.168.2.0 255.255.255.0
access-list trust_access_in extended permit ip any any
access-list untrust_cryptomap_dyn_30 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list untrust_cryptomap_680_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.69.0 255.255.255.0
access-list trust_nat_0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list officeTOpeak10 extended permit ip 192.168.42.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list officeTOpeak10 extended permit ip any any
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.69.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.70.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.71.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.72.0 255.255.255.0
access-list office_lan_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 10.1.73.0 255.255.255.0
access-list untrust_cryptomap_260_2 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0
access-list xx extended permit ip 192.168.1.0 255.255.255.0 10.2.72.0 255.255.255.0
access-list untrust_cryptomap_360_1 extended permit ip 192.168.0.0 255.255.0.0 10.1.71.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list tst remark Full Ruger Access
access-list tst remark Full Ruger Access
access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.0 eq domain
access-list RemoteDevAccess remark All DNS Server Access
access-list RemoteDevAccess extended permit udp 192.168.2.0 255.255.255.0 host 192.168.1.0 eq domain
access-list RemoteDevAccess extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.91
access-list RemoteDevAccess remark Access to Oracle Dev
access-list RemoteDevAccess remark CVS Access
access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.15 eq 2401
access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.91 eq sqlnet inactive
access-list RemoteDevAccess remark SSH Access
access-list RemoteDevAccess extended permit tcp any host 192.168.1.15 eq ssh
access-list RemoteDevAccess remark All DNS Server Access
access-list RemoteDevAccess remark Access to Oracle Dev
access-list RemoteDevAccess remark CVS Access
access-list RemoteDevAccess extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.11
access-list RemoteDevAccess extended permit tcp any host 192.168.1.11 eq ssh
access-list RemoteDevAccess extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.11 eq 8081
access-list qa_access_in extended permit ip any any
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.55.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.70.0 255.255.255.0
access-list prod_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.1.69.0 255.255.255.0
access-list untrust_cryptomap_700 extended permit ip 192.168.0.0 255.255.0.0 10.1.51.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 9090
access-list untrust_access_in extended permit tcp object-group Postini host 192.168.1.8 eq smtp log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq ldap log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq www log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq https log
access-list untrust_access_in extended permit tcp any host 192.168.1.8 eq imap4 log
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.14 eq domain
access-list untrust_access_in extended permit udp any host 192.168.1.14 eq domain inactive
access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.17 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.15 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.161 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.151 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.9 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 8888
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 3306
access-list untrust_access_in extended permit tcp any host 192.168.1.40 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.41 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.90 eq www
access-list untrust_access_in extended permit icmp any any inactive
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq 9090
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.83 eq 9000
access-list untrust_access_in extended permit ip any interface trust
access-list untrust_access_in extended permit udp any host 192.168.1.11 eq domain inactive
access-list untrust_access_in extended permit tcp any host 192.168.1.11 eq domain
access-list untrust_access_in extended permit tcp any host 192.168.1.110 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.70 eq 5721
access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq 3389 inactive
access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.71 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.31 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.31 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.140 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ftp
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.40 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.41 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.90 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.178 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.17 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.70 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.71 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.110 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.189 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.140 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.30 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.92 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.95 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.10 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.1.60 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.5.12 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.181 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.182 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.183 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 host 192.168.6.184 eq ssh
access-list untrust_access_in extended permit tcp host 65.102.78.242 XX.XXX.XX.0 255.255.255.0 eq ssh
access-list untrust_access_in extended permit tcp any host 192.168.1.178 eq ssh
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq https
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 1935
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ftp
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq ssh
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8085
access-list untrust_access_in extended permit tcp any host 192.168.1.189 eq 8060
access-list untrust_access_in extended deny ip 210.163.43.0 255.255.255.0 any log warnings
access-list untrust_access_in extended permit tcp object-group BlockDos host 192.168.1.60 eq https
access-list untrust_access_in extended permit tcp object-group BlockDos host 192.168.1.60 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.30 eq www
access-list untrust_access_in extended permit tcp any host 192.168.1.95 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.1.92 eq 8080
access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq https
access-list untrust_access_in extended permit tcp any host 192.168.5.12 eq www
access-list untrust_access_in extended permit tcp any host 192.168.5.10 eq www
access-list untrust_access_in extended permit tcp any host 192.168.6.181 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.182 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.183 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.184 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.185 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.185 eq www
access-list untrust_access_in extended permit tcp any host 192.168.6.186 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.186 eq www
access-list untrust_access_in extended permit tcp any host 192.168.6.187 eq https
access-list untrust_access_in extended permit tcp any host 192.168.6.187 eq www
access-list untrust_access_in remark David Jurgens access to ssh on gatlin
access-list untrust_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 192.168.1.15 eq ssh
access-list untrust_access_in remark HRSmart Access to SFTP on bmusjaxweb01
access-list untrust_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host 192.168.1.31 eq ssh
access-list untrust_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 host 192.168.1.31
access-list untrust_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 192.168.1.31 range 62000 64000
access-list untrust_access_in extended permit tcp any host 192.168.6.184 eq www
access-list capin extended permit tcp host 192.168.1.1 eq https host 10.1.55.150
access-list capin extended permit tcp host 10.1.55.150 host 192.168.1.1 eq https
access-list dmz_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.1.55.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging trap warnings
logging asdm informational
logging facility 16
logging host trust 192.168.1.16 format emblem
logging debug-trace
logging permit-hostdown
mtu untrust 1500
mtu prod 1500
mtu dmz 1500
mtu trust 1500
ip local pool HW-VPN-Pool 192.168.2.100-192.168.2.200 mask 255.255.255.0
ip audit name CompHosti info action alarm
ip audit name CompHost attack action alarm
ip audit interface trust CompHosti
ip audit interface trust CompHost
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
failover
failover lan unit primary
failover lan interface failoverlink Ethernet0/3
failover replication http
failover link failoverlink Ethernet0/3
failover interface ip failoverlink 192.168.2.1 255.255.255.0 standby 192.168.2.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,untrust) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,prod) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
nat (prod,dmz) source static obj-192.168.5.0 obj-192.168.5.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
nat (trust,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.51.0 obj-10.1.51.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp
nat (trust,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp
nat (trust,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 route-lookup
nat (dmz,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.55.0 obj-10.1.55.0 no-proxy-arp route-lookup
nat (dmz,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.69.0 obj-10.1.69.0 no-proxy-arp route-lookup
nat (dmz,untrust) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.1.70.0 obj-10.1.70.0 no-proxy-arp route-lookup
!
object network obj-192.168.5.0
nat (prod,untrust) dynamic interface
object network obj-192.168.5.10
nat (prod,untrust) static XX.XXX.XX.XX
object network obj-192.168.5.12
nat (prod,untrust) static XX.XXX.XX.XX
object network obj_any
nat (prod,untrust) dynamic obj-0.0.0.0
object network obj_any-01
nat (prod,dmz) dynamic obj-0.0.0.0
object network obj-192.168.6.181
nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.182
nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.183
nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.184
nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.0
nat (dmz,untrust) dynamic interface
object network obj_any-02
nat (dmz,untrust) dynamic obj-0.0.0.0
object network obj-192.168.1.0
nat (trust,untrust) dynamic interface
object network obj-192.168.1.11
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.9
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.8
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.40
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.41
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.90
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.83
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.14
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.178
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.17
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.70
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.71
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.161
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.110
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.189
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.140
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.30
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.31
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.151
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.60
nat (trust,untrust) static XX.XXX.XX.XX
object network obj-192.168.1.15
nat (trust,untrust) static XX.XXX.XX.XX
object network obj_any-03
nat (trust,untrust) dynamic obj-0.0.0.0
object network obj_any-04
nat (trust,prod) dynamic obj-0.0.0.0
object network obj_any-05
nat (trust,dmz) dynamic obj-0.0.0.0
object network obj-192.168.6.185
nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.186
nat (dmz,untrust) static XX.XXX.XX.XX
object network obj-192.168.6.187
nat (dmz,untrust) static XX.XXX.XX.XX
access-group untrust_access_in in interface untrust
access-group qa_access_in in interface prod
access-group dmz_access_in in interface dmz
access-group trust_access_in in interface trust
route untrust 0.0.0.0 0.0.0.0 XX.XXX.XX.XX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 10.1.69.0 255.255.255.0 untrust
http 74.167.160.132 255.255.255.255 untrust
http 192.168.1.0 255.255.255.0 trust
http 10.1.55.0 255.255.255.0 untrust
http 192.168.2.0 255.255.255.0 untrust
http 10.1.55.0 255.255.255.0 trust
snmp-server host trust 192.168.1.13 community *****
snmp-server host trust 192.168.1.14 community *****
snmp-server host trust 192.168.1.200 community ***** version 2c
snmp-server host trust 192.168.1.70 community *****
snmp-server location Peak10 A-4
snmp-server contact support@XXXXXXXXXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map untrust_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map untrust_dyn_map 80 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 1 match address untrust_cryptomap
crypto map untrust_map 1 set peer 69.180.83.93
crypto map untrust_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map untrust_map 600 match address untrust_cryptomap_600
crypto map untrust_map 600 set peer 70.91.144.153
crypto map untrust_map 600 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 680 match address untrust_cryptomap_680_1
crypto map untrust_map 680 set peer 76.106.137.57
crypto map untrust_map 680 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 700 match address untrust_cryptomap_700
crypto map untrust_map 700 set peer 174.65.109.36
crypto map untrust_map 700 set ikev1 transform-set ESP-3DES-SHA
crypto map untrust_map 65535 ipsec-isakmp dynamic untrust_dyn_map
crypto map untrust_map interface untrust
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable untrust
crypto ikev1 enable untrust
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 80
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet 192.168.1.0 255.255.255.0 trust
telnet 192.168.2.0 255.255.255.0 trust
telnet timeout 60
ssh 196.40.16.128 255.255.255.224 untrust
ssh 201.194.184.0 255.255.255.224 untrust
ssh 0.0.0.0 0.0.0.0 untrust
ssh 192.168.1.0 255.255.255.0 trust
ssh 192.168.2.0 255.255.255.0 trust
ssh 0.0.0.0 0.0.0.0 trust
ssh timeout 60
console timeout 0
management-access trust
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd dns 192.168.1.8 192.168.1.71
dhcpd wins 192.168.1.8
dhcpd domain artisit.com
!
dhcpd address 192.168.1.201-192.168.1.220 trust
dhcpd enable trust
!
priority-queue untrust
queue-limit 488
tx-ring-limit 8
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
internal-password enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
group-policy PSSGROUP internal
group-policy PSSGROUP attributes
split-tunnel-policy tunnelall
split-tunnel-all-dns enable
group-policy GroupPolicy_69.180.83.93 internal
group-policy GroupPolicy_69.180.83.93 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy RemoteDevGroup internal
group-policy RemoteDevGroup attributes
wins-server none
dns-server value 192.168.1.8 192.168.1.71
vpn-filter value RemoteDevAccess
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteDevAccess
default-domain value XXXXXXXXXX
group-policy HWVPN internal
group-policy HWVPN attributes
wins-server none
dns-server value 192.168.1.8 192.168.1.71
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value HWVPN_splitTunnelAcl
default-domain value XXXXXXXXXX
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LOCAL
default-group-policy RemoteDevGroup
authorization-required
username-from-certificate use-entire-name
tunnel-group HWVPN type remote-access
tunnel-group HWVPN general-attributes
address-pool HW-VPN-Pool
default-group-policy HWVPN
tunnel-group HWVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 69.180.83.93 type ipsec-l2l
tunnel-group 69.180.83.93 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group RemoveDevGroup type remote-access
tunnel-group RemoveDevGroup general-attributes
address-pool HW-VPN-Pool
default-group-policy RemoteDevGroup
tunnel-group RemoveDevGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 76.106.137.57 type ipsec-l2l
tunnel-group 76.106.137.57 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 174.65.109.36 type ipsec-l2l
tunnel-group 174.65.109.36 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 70.91.144.153 type ipsec-l2l
tunnel-group 70.91.144.153 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map Voice
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns migrated_dns_map_1
inspect pptp
inspect icmp
inspect ip-options
policy-map Voicepolicy
class Voice
priority
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ed6537d0d73c127c1f28a3d7b069710b
: end
05-16-2013 03:50 AM
I know I'm a little late and you've probably fixed the issue, but ...
Is the connection going through the load balancer or terminating on a virtual server on the load balancer?
If it is terminating on the load balancer via a virtual server, the F5 is the cause; apply a profile to disable slow start and Nagle and see if that fixes things for you.
Something like:
profile tcp tcp-wan-optimized {
   defaults from tcp
   selective acks enable
   slow start disable
   nagle disable
   proxy buffer low 131072
   proxy buffer high 131072
   send buffer 65535
   recv window 65535
}
Easily done via the GUI.
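One way to answer the first question from the ASA side, as an added example that is neither poster's code: correlate the firewall's 302013 (connection built) and 106015 (deny, no connection) syslog messages per client socket, so a SYN ACK that comes back on a different interface, from a pool member instead of the virtual server, stands out as a reply that bypassed the virtual server's return path. The log lines below are constructed to match this thread's interface names and subnets; the `%ASA-6-<id>` prefix is the firewall's default syslog format.

```python
import re
from collections import namedtuple

# Constructed ASA syslog sample (not taken from the thread): a client on the
# 10.1.55.0 VPN network opens a connection to a virtual server on dmz, and the
# SYN ACK shows up from a pool member on prod instead of from the VS on dmz.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for untrust:10.1.55.210/51484 (10.1.55.210/51484) to dmz:192.168.6.185/80 (192.168.6.185/80)
%ASA-6-106015: Deny TCP (no connection) from 192.168.5.12/80 to 10.1.55.210/51484 flags SYN ACK  on interface prod
%ASA-6-302013: Built inbound TCP connection 1002 for untrust:10.1.55.210/51490 (10.1.55.210/51490) to dmz:192.168.6.183/443 (192.168.6.183/443)
%ASA-6-106015: Deny TCP (no connection) from 192.168.6.183/443 to 10.1.55.210/51490 flags FIN ACK  on interface dmz
%ASA-6-106015: Deny TCP (no connection) from 192.168.6.185/80 to 10.1.55.99/40000 flags SYN ACK  on interface dmz
"""

# 302013: "... for <in_if>:<initiator>/<port> (...) to <out_if>:<responder>/<port> (...)"
BUILT = re.compile(r"%ASA-\d-302013: Built (?:inbound|outbound) TCP connection (\d+) "
                   r"for ([\w-]+):([\d.]+)/(\d+) \([\d.]+/\d+\) to ([\w-]+):([\d.]+)/(\d+)")
# 106015: "Deny TCP (no connection) from <src>/<port> to <dst>/<port> flags <F> on interface <if>"
DENY = re.compile(r"%ASA-\d-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) "
                  r"to ([\d.]+)/(\d+) flags ([A-Z ]+?)\s+on interface ([\w-]+)")

Finding = namedtuple("Finding", "conn_id client expected_if expected_server seen_if seen_server")

def find_asymmetric_replies(log_text):
    """Correlate each dropped SYN ACK with the client-side connection it answers;
    a reply on a different interface (or from a different address) than the one the
    connection was built toward means the server bypassed the path the SYN took."""
    open_conns = {}  # (initiator ip, port) -> (conn_id, in_if, out_if, responder ip, port)
    findings = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conn_id, in_if, c_ip, c_port, out_if, s_ip, s_port = m.groups()
            open_conns[(c_ip, c_port)] = (conn_id, in_if, out_if, s_ip, s_port)
            continue
        m = DENY.search(line)
        if not m:
            continue
        src_ip, src_port, dst_ip, dst_port, flags, iface = m.groups()
        if {"SYN", "ACK"} - set(flags.split()):
            continue  # not a handshake reply (e.g. a late FIN ACK after teardown)
        conn = open_conns.get((dst_ip, dst_port))
        if conn is None:
            continue  # no client-side connection seen for this socket: unrelated drop
        conn_id, _in_if, out_if, s_ip, _s_port = conn
        if iface != out_if or src_ip != s_ip:
            findings.append(Finding(conn_id, f"{dst_ip}/{dst_port}", out_if, s_ip, iface, src_ip))
    return findings
```

On the sample, only connection 1001 is reported: it was built toward dmz:192.168.6.185 but its SYN ACK arrived on prod from 192.168.5.12, while the late FIN ACK and the SYN ACK with no matching connection are ignored.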