Refer to the attached diagram for a conceptual diagram of the network.
Sorry for the long post - trying to get as many details in as possible.
ASAs have a tunnel between them. High-speed cable network.
1841s connected in MPLS. 1.5 Mb T1s.
All Internet-destined traffic must go out the MPLS routers (to 3rd party filtering host). Only inter-branch traffic over the ASA-ASA tunnel can leave the ASAs.
ASAs have an SLA monitor on the outside, with failover to the 1841.
route outside 0.0.0.0 0.0.0.0 <isp> 1 track 1
route inside 0.0.0.0 0.0.0.0 192.168.1.1 2
The 1841s are not in my control, and only route the internal LANs.
The remote station (192.168.2.50) gateway points to the remote ASA inside (192.168.2.254).
The Terminal Server (192.168.1.10) has its gateway set to the MPLS router, with static routes to specific remote IPs pointing to the ASA1 (route 192.168.2.50 255.255.255.255 1918.104.22.168), forcing traffic to the remote host over the ASA-ASA tunnel.
The problem is when the tunnel drops (e.g., either side loses connectivity to ISP).
The SLA is working, and the route outside is removed, leaving the default route set to the MPLS router.
However, the remote client cannot make an RDP connection to the server. I can ping in both directions just fine.
I believe the problem is described here (http://www.8-p.org/wiki/doku.php?id=asahairpinning); basically, the ASA handles ICMP redirection, but non-ICMP packets are lost due to the path of the SYN packets.
That is, the remote client initiates a TCP 3389 connection to 192.168.1.10 via 192.168.2.254 (ASA2).
ASA2's SLA monitor has dropped the route outside, and sends the packet to 1841-2, over the MPLS, and pops out on 1841-1 to hit the Server.
The Server, however, has a route to 192.168.2.50 directed to ASA1, so the return packet gets sent to ASA1.
ASA1 drops the packet since it never saw the first packet from the remote host.
If I change the default gateway on Server to ASA1, then Internet traffic goes out the ASA, which violates the corporate policy.
How can I achieve failover on the ASA tunnel, and still maintain connectivity?
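The asymmetric-routing failure described above, traced hop by hop, as an added example (not part of the original post and not Cisco code). It models each device's routing table (longest prefix match, then lowest metric) and the ASAs' stateful inspection, which only forwards a TCP packet whose flow it has already seen start with a SYN. The addresses for the client, server, ASA2 inside and 1841-1 come from the post; the ASA1 inside address, the 1841-2 LAN address, the MPLS routers' internal routes, and the treatment of ICMP as stateless are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses from the post; ASA1_INSIDE and R1841_2 are assumed for this model.
CLIENT, SERVER = "192.168.2.50", "192.168.1.10"
ASA2_INSIDE, ASA1_INSIDE = "192.168.2.254", "192.168.1.254"
R1841_1, R1841_2 = "192.168.1.1", "192.168.2.1"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # True only on the first packet of a TCP flow


@dataclass(frozen=True)
class Route:
    net: ipaddress.IPv4Network
    next_hop: str         # node name, or "connected" for direct delivery on the LAN
    metric: int = 1
    needs_tunnel: bool = False   # route exists only while the ASA-ASA tunnel is up


@dataclass
class Node:
    name: str
    addrs: frozenset
    routes: list
    stateful: bool = False                 # True for the ASAs
    conns: set = field(default_factory=set)

    def next_hop(self, dst, tunnel_up):
        """Longest-prefix match, ties broken by lowest metric (like 'route ... 1' vs '... 2')."""
        ip = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if ip in r.net and (tunnel_up or not r.needs_tunnel)]
        if not cands:
            return None
        return max(cands, key=lambda r: (r.net.prefixlen, -r.metric)).next_hop

    def inspect(self, pkt):
        """Stateful check: a TCP flow is forwarded only if this ASA saw its SYN.
        ICMP is passed without a TCP-style state check (model assumption matching
        the post's observation that ping works in both directions)."""
        if not self.stateful or pkt.proto != "tcp":
            return True
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if pkt.syn:
            self.conns.add(key)
            return True
        return key in self.conns


def N(s):
    return ipaddress.ip_network(s)


def build_topology():
    nodes = [
        Node("client", frozenset({CLIENT}),
             [Route(N("192.168.2.0/24"), "connected"), Route(N("0.0.0.0/0"), "ASA2")]),
        Node("ASA2", frozenset({ASA2_INSIDE}), [
            Route(N("192.168.2.0/24"), "connected"),
            Route(N("192.168.1.0/24"), "ASA1", needs_tunnel=True),  # inter-branch traffic over the tunnel
            Route(N("0.0.0.0/0"), "1841-2", metric=2),              # 'route inside ... 2' fallback
        ], stateful=True),
        Node("1841-2", frozenset({R1841_2}),
             [Route(N("192.168.2.0/24"), "connected"), Route(N("192.168.1.0/24"), "1841-1")]),
        Node("1841-1", frozenset({R1841_1}),
             [Route(N("192.168.1.0/24"), "connected"), Route(N("192.168.2.0/24"), "1841-2")]),
        Node("server", frozenset({SERVER}), [
            Route(N("192.168.1.0/24"), "connected"),
            Route(N("192.168.2.50/32"), "ASA1"),   # static host route from the post
            Route(N("0.0.0.0/0"), "1841-1"),       # default gateway = MPLS router
        ]),
        Node("ASA1", frozenset({ASA1_INSIDE}), [
            Route(N("192.168.1.0/24"), "connected"),
            Route(N("192.168.2.0/24"), "ASA2", needs_tunnel=True),
            Route(N("0.0.0.0/0"), "1841-1", metric=2),
        ], stateful=True),
    ]
    return {n.name: n for n in nodes}


def owner(topo, addr):
    return next((n for n in topo.values() if addr in n.addrs), None)


def send(topo, pkt, tunnel_up, max_hops=10):
    """Walk the packet through the topology; return (outcome, list of node names)."""
    node, path = owner(topo, pkt.src), []
    for _ in range(max_hops):
        path.append(node.name)
        if not node.inspect(pkt):
            return "dropped:no-state", path     # ASA never saw the SYN for this flow
        if pkt.dst in node.addrs:
            return "delivered", path
        nh = node.next_hop(pkt.dst, tunnel_up)
        node = owner(topo, pkt.dst) if nh == "connected" else topo.get(nh)
        if node is None:
            return "dropped:no-route", path
    return "dropped:loop", path


def rdp_handshake(tunnel_up):
    """SYN from the remote client to TCP 3389 on the server, then the server's SYN-ACK."""
    topo = build_topology()
    syn = Packet(CLIENT, SERVER, "tcp", sport=50000, dport=3389, syn=True)
    synack = Packet(SERVER, CLIENT, "tcp", sport=3389, dport=50000)
    return {"syn": send(topo, syn, tunnel_up), "synack": send(topo, synack, tunnel_up)}


def ping(tunnel_up):
    topo = build_topology()
    return {"request": send(topo, Packet(CLIENT, SERVER, "icmp"), tunnel_up),
            "reply": send(topo, Packet(SERVER, CLIENT, "icmp"), tunnel_up)}


if __name__ == "__main__":
    for up in (True, False):
        print("tunnel up" if up else "tunnel down", rdp_handshake(up), ping(up))
```

With the tunnel up, both the SYN and the SYN-ACK traverse ASA2 and ASA1, so the state created by the SYN matches the reply. With the tunnel down, the SYN reaches the server over the MPLS path, but the server's /32 static route still sends the SYN-ACK to ASA1, which has no state for the flow and drops it, while the ICMP echo reply is simply hairpinned back out ASA1's inside interface.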