Saturday, September 25, 2021

Interesting ASA VTI Behavior

So I have a 5506 running 9.12 with a route-based VTI set up to an Azure Virtual Gateway. BGP is set up on the ASA and is peering with Azure. I see my routes and things seem alright.

My problem is from the ASA side: let’s say I send some ICMP traffic to the Virtual Gateway peer IP, I seem to have some weird route switching going on mid-ping. I can reliably reproduce a 5-packet burst, then a drop. Using the ASA to ping, my first 10-repeat burst is fine; the next one right after it clearly states no route to the subnet. Then I try to ping again and it’s good. The tunnel is up the entire time.

From the Azure VM I can reach on-premises with no issue. On-premises is where this issue originated, so with the ASA being the default gateway I’m assuming the issue lies in there somewhere.

I have a static route for my Azure subnets on a /16 rather than individual /24s, pointing to an IP on the VTI subnet.

Inside is 10.1.0.0/16, Azure is 10.0.0.0/16, so there’s no overlap. I’m not sure what I’m missing with this behavior, as it seems pretty unusual. If anyone has anything in mind to check, I’m all ears. Thanks for your time!
