https://community.cisco.com/t5/network-security/asa-session-check-in-asymmetric-routing/m-p/3882569#M5940 Something to consider is using TCP state bypass for your specific (interesting) vpn traffic. This basically alters the way sessions are established. It is similar to how a UDP connection is treated. See: <A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415</A> Mon, 01 Jul 2019 13:24:12 GMT Mike.Cifelli 2019-07-01T13:24:12Z https://community.cisco.com/t5/network-security/asa-session-check-in-asymmetric-routing/m-p/3882461#M5938 <P>I have a question regarding ASA session check</P><P>Imagen this situation</P><P>We have an ASA which is Building two VPNs (Site-to-Site) to the Cloud and in the Routing table there is a loadbalancing to the Destination in the Cloud over the two VPN connections.(Loadbalancing)</P><P>My question is lets if the first packet TCP,Syn sent over the first VPN and the answer&nbsp; TCP-ACK came over the second VPN will the ASA Drop this packet?</P><P>&nbsp;</P><P>ofcourse considring RPF is not being violated.</P> Fri, 21 Feb 2020 17:15:46 GMT https://community.cisco.com/t5/network-security/asa-session-check-in-asymmetric-routing/m-p/3882461#M5938 amhish@netfox.de 2020-02-21T17:15:46Z https://community.cisco.com/t5/network-security/asa-session-check-in-asymmetric-routing/m-p/3882569#M5940 Something to consider is using TCP state bypass for your specific (interesting) vpn traffic. This basically alters the way sessions are established. It is similar to how a UDP connection is treated. See: <A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415</A> Mon, 01 Jul 2019 13:24:12 GMT https://community.cisco.com/t5/network-security/asa-session-check-in-asymmetric-routing/m-p/3882569#M5940 Mike.Cifelli 2019-07-01T13:24:12Z https://community.cisco.com/t5/network-security/asa-session-check-in-asymmetric-routing/m-p/3885154#M5945 <P>Thank you for your respond.</P><P>Looks like loadbalancing over tunnels will stay out of reach&nbsp; on ASA.</P><P>TCP Bypass ist not supported on Tunnel interfaces.</P><P>we will need to install a router infront of the Firewall.</P><P>&nbsp;</P> Fri, 05 Jul 2019 09:48:05 GMT https://community.cisco.com/t5/network-security/asa-session-check-in-asymmetric-routing/m-p/3885154#M5945 amhish@netfox.de 2019-07-05T09:48:05Z