Which two configurations are required on the Cisco ASAs so that the return traffic…?

Refer to the exhibit.

Which two configurations are required on the Cisco ASAs so that the return traffic from the
10.10.10.100 outside server back to the 10.20.10.100 inside client can be rerouted from the Active
Ctx B context in ASA Two to the Active Ctx A context in ASA One? (Choose two.)

A. stateful active/active failover

B. dynamic routing (EIGRP or OSPF or RIP)

C. ASR-group

D. no NAT-control

E. policy-based routing

F. TCP/UDP connections replication

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html

Configuring Support for Asymmetrically Routed Packets

When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the ASA that receives the packet does not have any connection information for the packet, the packet is dropped. This most commonly occurs when the two ASAs in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.

You can prevent the return packets from being dropped using the asr-group command on interfaces where this is likely to occur. When an interface configured with the asr-group command receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one of the following actions occurs:
• If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.
• If the incoming traffic originated on a different interface on the same unit, some or all of the layer 2 header is rewritten and the packet is reinjected into the stream.
