Saturday, April 27, 2019

ASA asymmetry problem

Hi all,

I've encountered an interesting issue during setting up a new site today, maybe someone can point me to some solution.

Topology is like this: https://pastebin.com/iPM89YNS

Problem:

There is an ASA that peers with the core switch (SW1) and also has an interface in a VLAN where unknown* devices are. If I try to ping from this subnet using the core switch as the def. gw., the pings fail.

My initial idea was that the issue is caused by the fact that the ASA has an interface in the source subnet but the packet is coming in on a different interface, so I checked packet tracer: https://pastebin.com/XGs7htKV

There is also a debug icmp output that says my packet is translated in both directions, but packets don't get back to the test device. Based on this, I've shut the questionable interface on the ASA and as expected, it started working. I also changed the def. gw. to the ASA, again, it started working.

Setup:

There are more subnets and devices in the topology but I don't think they are relevant for now. The ASA acts as the default gw. for the core; they are peering through a subnet, running EIGRP. The ASA is natting out the local subnets to its external interface; there is a "permit ip any" access-list applied to the interfaces to avoid filtering problems, as well as "icmp permit any...". Other subnets which are not present directly on the ASA are working fine.

*Background:

If anyone is wondering why that client-facing interface exists when the ASA is not their default gateway: an old office was moved, this interface was present there and was migrated to the new setup. There are devices in this subnet which are not managed by us (possibly not managed by anyone) and we are not even sure what those are, so changing anything on them is practically impossible.

Possible solutions:

1. One workaround that comes to my mind is moving the IP from the ASA to the core and shutting that interface, therefore forcing every device on that subnet to use the core to go anywhere, independently of their individual def. gw. setting. Not sure what issues this would cause, can't think of any right now.

2. Reconfigure devices on the subnet to use the ASA as def. gw. This is not really possible as we don't have access, also this would possibly introduce other routing issues.

3. ??

Question:

Does anyone know what exactly causes the issue? I still think the problem is asymmetry, but packet-tracer tells me otherwise. Is there a third, easier way to solve this that I didn't think of?
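As an added illustration of the asymmetry the post suspects (this is a toy model written for this page, not ASA code, and not a claim about what the ASA actually logged): a stateful firewall records the interface pair a connection was built on, and a reply whose reverse route points at a different interface than the original ingress can be refused. The addresses, interface names and routing tables below are constructed; NAT is left out because it does not change the interface comparison. The three scenarios correspond to the post's observations: client using the core as gateway while the ASA still has a directly connected interface in the client subnet (reply dropped), the client subnet reachable only via the core as in workaround 1 (reply forwarded), and the client using the ASA directly as in workaround 2 (reply forwarded).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    reply: bool = False  # False = ICMP echo request, True = echo reply


class StatefulFirewall:
    """Toy stateful firewall (constructed model, not ASA code).

    The first packet of a flow creates a connection entry that remembers
    the ingress and egress interfaces.  A reply must arrive on the
    recorded egress interface, and the reverse route for its destination
    must point back at the recorded ingress interface.
    """

    def __init__(self, routes):
        # routes: list of (prefix, interface); longest prefix match wins
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.conns = {}  # (src, dst) -> (ingress_if, egress_if)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [(n.prefixlen, i) for n, i in self.routes if addr in n]
        return max(matches)[1] if matches else None

    def process(self, pkt, ingress):
        if not pkt.reply:
            egress = self.lookup(pkt.dst)
            if egress is None:
                return "dropped: no route"
            self.conns[(pkt.src, pkt.dst)] = (ingress, egress)
            return f"forwarded: {ingress} -> {egress}"
        conn = self.conns.get((pkt.dst, pkt.src))
        if conn is None:
            return "dropped: no matching connection"
        orig_ingress, orig_egress = conn
        if ingress != orig_egress:
            return "dropped: reply arrived on unexpected interface"
        reverse_if = self.lookup(pkt.dst)
        if reverse_if != orig_ingress:
            return (f"dropped: reverse route via {reverse_if} but connection "
                    f"was built on {orig_ingress}")
        return f"forwarded: {ingress} -> {orig_ingress}"


# Constructed addresses: a client in the "unknown devices" VLAN and an
# external ping target.
CLIENT, TARGET = "10.10.10.50", "192.0.2.10"

# Constructed routing tables.  "inside" is the peering link to the core,
# "clients" is the ASA's own interface in the client VLAN.
BASE = [("0.0.0.0/0", "outside"), ("10.0.0.0/30", "inside")]
DIRECT = BASE + [("10.10.10.0/24", "clients")]   # interface still up
VIA_CORE = BASE + [("10.10.10.0/24", "inside")]  # workaround 1: via core


def run_scenario(routes, request_ingress):
    """Send one echo request in and one echo reply back; return both verdicts."""
    fw = StatefulFirewall(routes)
    out = fw.process(Packet(CLIENT, TARGET), request_ingress)
    back = fw.process(Packet(TARGET, CLIENT, reply=True), "outside")
    return out, back


if __name__ == "__main__":
    print("core as gw, ASA interface up:   ", run_scenario(DIRECT, "inside"))
    print("core as gw, subnet via core:    ", run_scenario(VIA_CORE, "inside"))
    print("ASA as gw (request on clients): ", run_scenario(DIRECT, "clients"))
```

The model only shows why a one-direction tool such as packet-tracer can report "allow" while the return leg still fails: the request is built on the core-facing interface, but the reply is routed toward the directly connected client interface. On a real ASA the drop reason for the return packet is what to check, for example with `show asp drop`, rather than trusting this simplified check.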
