How to create the VPN tunnel session when the session is logged out on the ASA?

Hyeonseung Ko
Level 1

Hello,

I want to ask some questions about the ASA.

When an ASA L2L IPsec VPN is created and the VPN tunnel session is logged out,

here are the questions.

If the communication starts with TCP packets, are some of the TCP packets dropped?

And if the packets are not dropped, then how does it communicate?

I want to know the logic of the ASA's VPN tunnel creation.

I tested it and looked at the packets in Wireshark, but no SYN TCP retransmission occurred.

If anyone knows about the ASA's logic, please tell me.

Thank you.


5 Replies

Francesco Molino
VIP Alumni
Hi

When your L2L tunnel goes down, as soon as "interesting" traffic (matching the crypto ACL) is seen by the ASA, the L2L comes back up.

If the ASA is configured in responder (answer) only mode, then the initiator has to send some traffic.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
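As an added illustration of the reply above (this is example configuration written for this page, not from the original thread or from Cisco), here is a minimal IKEv2 L2L crypto map on one ASA. The crypto ACL `L2L_TO_BRANCH` is what the reply calls the "interesting" traffic, and `set connection-type` is where the responder-only behaviour it mentions is chosen. The object and map names, the 10.1.0.0/16 and 10.2.0.0/16 subnets, the peer address 203.0.113.2 and the `<psk>` placeholder are all assumptions for the example.

```cisco
! Crypto ACL: this is the "interesting" traffic that triggers and is carried by the tunnel
access-list L2L_TO_BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! NAT exemption (ASA 8.3+ syntax) so the real source address is what the crypto ACL sees
object network HQ_LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH_LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static HQ_LAN HQ_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
!
! Phase 1 (IKEv2 policy) and phase 2 (IPsec proposal) parameters
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Crypto map entry: match the crypto ACL, name the peer, choose who may initiate
crypto map OUTSIDE_MAP 10 match address L2L_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256_SHA256
! bidirectional: either side may bring the tunnel up on matching traffic
! answer-only: this ASA only responds; the remote peer must send the first packet
crypto map OUTSIDE_MAP 10 set connection-type bidirectional
crypto map OUTSIDE_MAP interface outside
crypto ikev2 enable outside
!
! Peer authentication (<psk> is a placeholder, not a real key)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key <psk>
 ikev2 remote-authentication pre-shared-key <psk>
```

With `bidirectional`, a packet from 10.1.0.0/16 to 10.2.0.0/16 that matches `L2L_TO_BRANCH` starts the IKEv2 exchange when no SA exists for that peer. Change it to `answer-only` and this ASA never starts the exchange itself: the remote side has to send the first matching packet, which is the situation the reply describes. The crypto ACL on the peer should be the mirror image of this one, and the NAT exemption rule must sit above any dynamic NAT rule that would otherwise rewrite the source address before the crypto ACL is evaluated.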

Thank you for the reply.

Now I know that interesting traffic brings the L2L tunnel up, but I still can't understand the process.

When the traffic comes from the peer, how does the process of bringing the tunnel up work?

When you try to access a remote IP, the data plane will check different features like NAT, routing, IPsec... and based on these it knows that it needs to forward the traffic through the VPN tunnel. If the tunnel isn't up yet, it will build it, starting with phase 1 (IKEv1 and IKEv2) and then phase 2 (IPsec).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for replying, but my question is a little different.

I want to know the process of how it connects when the VPN session is logged out.

When the remote network's IP sends the TCP traffic, it would be blocked the first time and pass afterwards because the VPN session was down... but it isn't.

I found some information that the ASA processes traffic with stateful inspection and so it can remember the information about the VPN peer and the interesting traffic. Is that right?


I'm not sure I understand your question this time. If the VPN has been logged out for a few hours, there are no more sessions open and inspection isn't doing anything here.
The traffic goes through certain features, called the ASA order of operations, to find its egress interface and how to reach the destination (as described very briefly before).
Here is a Cisco Live presentation that presents ASA traffic flows:

https://clnv.s3.amazonaws.com/2018/usa/pdf/BRKSEC-3020.pdf


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
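The order-of-operations point made above can be checked on the ASA itself rather than only in Wireshark. The commands below are an added example for this page, not part of the thread: `packet-tracer` walks a synthetic packet through the same feature chain (ACL, NAT, route lookup, VPN lookup and so on) that the reply refers to and reports what each phase decided, and the remaining commands show the IKE exchange and the resulting SAs. The inside host 10.1.0.10, the remote host 10.2.0.20 and the L2L peer 203.0.113.2 are assumed addresses.

```cisco
! Walk a synthetic first TCP SYN through the ASA order of operations.
! "detailed" prints each phase (ACCESS-LIST, NAT, ROUTE-LOOKUP, VPN, ...) with its result,
! so you can see whether the packet matched a crypto ACL and which crypto map entry.
packet-tracer input inside tcp 10.1.0.10 40000 10.2.0.20 443 detailed
!
! Watch the IKEv2 negotiation live while real interesting traffic brings the tunnel up;
! correlate the timestamps with the first SYN seen in the capture.
debug crypto ikev2 protocol 5
!
! Confirm the SAs afterwards; encaps/decaps counters show the traffic actually used the tunnel.
show crypto ikev2 sa
show crypto ipsec sa peer 203.0.113.2
!
! Tunnel transitions in the syslog: 750006 = IKEv2 SA UP, 602303 = IPsec L2L SA created.
! (Requires logging buffered at a level that includes these messages.)
show logging | include 750006|602303
```

Run `packet-tracer` once with the tunnel down and once with it established and compare the VPN phase; together with the timestamps from `debug crypto ikev2 protocol` and the `show logging` output you can see exactly when the SAs came into existence relative to the first SYN in your Wireshark capture. Remember to turn the debug off with `undebug all` when finished.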