[c-nsp] [Fwd: FWSM 3.1 and Servers with redundant cards]

varaillon j.varaillon at cosmoline.com
Mon Sep 3 03:55:55 EDT 2007

Thank you for your replies!

The problem is not so much the asymmetric of the traffic but more the change
of IP addresses source in the return flow:



The ASA algorithm checks the validity of the return flow based on:
-Src IP
-Src Port
-Dest IP
-Dest Port

In my case the IP source/destination are not matching so the return flow is

To go back to the advised command:

Given that I have only one FWSM, could this "asr-group" command work for me?

Cisco says that this command:
"causes incoming packets to be re-classified with the interface of the same
asr-group if a flow with the incoming interface cannot be found."

The above sounds good, but Cisco adds:
"If re-classification finds a flow with another interface, and the
associated context is in standby state, then the packet is forwarded to the
active unit for processing."

In my case, since I have only one FWSM, the flow will never be associated
with a context in standby state, so I suspect that the re-classification
will not occur, and the packets will be dropped.

Am I right? Or do I miss something here?



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Patrick McEvilly
Sent: Saturday, September 01, 2007 4:06 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] [Fwd: FWSM 3.1 and Servers with redundant cards]

The FWSM supports asymmetric traffic using the asr-group configuration.
I believe this will do what you want it to do.

>From the docs.

In some situations, return traffic for a session may be routed through a
different interface than it
originated from. In failover configurations, return traffic for a
connection that originated on one unit may
return through the peer unit. This most commonly occurs when two
interfaces on a single FWSM, or two
FWSMs in a failover pair, are connected to different service providers
and the outbound connection does
not use a NAT address. By default, the FWSM drops the return traffic
because there is no connection
information for the traffic.
You can prevent the return traffic from being dropped using the
asr-group command on interfaces where
this is likely to occur. When an interface configured with the asr-group
command receives a packet for
which it has no session information, it checks the session information
for the other interfaces that are in
the same group.
Note In failover configurations, you must enable Stateful Failover for
session information to be passed from
the standby unit or failover group to the active unit or failover group.
If it does not find a match, the packet is dropped. If it finds a match,
then one of the following actions
. If the incoming traffic originated on a peer unit in a failover
configuration, some or all of the layer
2 header is rewritten and the packet is redirected to the other unit.
This redirection continues as long
as the session is active.
. If the incoming traffic originated on a different interface on the
same unit, some or all of the layer
2 header is rewritten and the packet is re-injected into the stream.
Note Using the asr-group command to configure asymmetric routing support
is more secure than using the
static command with the nailed option.

Enter the following commands to add an interface to an asymmetric
routing group. Stateful Failover
must be enabled for asymmetric routing support to function properly
between units in failover
hostname/ctx1(config)# interface if
hostname/ctx1(config-if)# asr-group num
Valid values for num range from 1 to 32. You need to enter the command
for each interface that will
participate in the ASR group. You can view the number of ASR packets
transmitted, received, or dropped
by an interface using the show interface detail command.
You can create up to 32 ASR groups and assign a maximum of 8 interfaces
to each group.
Note The upstream and downstream routers must use one MAC address per
VLAN and have different MAC
addresses for different VLANs to allow for the redirection of packets
from a standby unit to an active
unit in failover configurations.


For redundancy reasons, we have a server with two network cards.

Each card belongs to a subnet and each subnet to a different DMZ.

The server has two default routes with different metrics, where the prefered
default route is in the DMZ_1.

| SERVER |                                  |  FWSM  |---OUTSIDE

The problem is that when we telnet from the outside to the ip destination, the server replies using the ip source

So the FWSM blocs, as it should, the SYN/ACK from the server:

Built inbound TCP connection 146242008855220280
for OUTSIDE: (
to DMZ_2: (

Deny TCP (no connection)
from to
flags SYN ACK  on interface DMZ_1

Given that we have one FWSM (so no exchange of states), is there anyway to
overcome that issue from the FWSM?

Would it help to bring each DMZ in its own context?

Any comment will be welcomed.

Thank you.


cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

__________ NOD32 2498 (20070902) Information __________

This message was checked by NOD32 antivirus system.

More information about the cisco-nsp mailing list