Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1684
Views
0
Helpful
2
Replies

ASA session Check in Asymmetric Routing

Go to solution
amhish@netfox.de
Level 1
Level 1

‎07-01-2019 04:28 AM - edited ‎02-21-2020 09:15 AM

I have a question regarding ASA session check

Imagen this situation

We have an ASA which is Building two VPNs (Site-to-Site) to the Cloud and in the Routing table there is a loadbalancing to the Destination in the Cloud over the two VPN connections.(Loadbalancing)

My question is lets if the first packet TCP,Syn sent over the first VPN and the answer  TCP-ACK came over the second VPN will the ASA Drop this packet?

 

ofcourse considring RPF is not being violated.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
amhish@netfox.de
Level 1
Level 1
In response to Mike.Cifelli

‎07-05-2019 02:48 AM

Thank you for your respond.

Looks like loadbalancing over tunnels will stay out of reach  on ASA.

TCP Bypass ist not supported on Tunnel interfaces.

we will need to install a router infront of the Firewall.

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎07-01-2019 06:24 AM

Something to consider is using TCP state bypass for your specific (interesting) vpn traffic. This basically alters the way sessions are established. It is similar to how a UDP connection is treated. See: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415
0 Helpful

Go to solution
amhish@netfox.de
Level 1
Level 1
In response to Mike.Cifelli

‎07-05-2019 02:48 AM

Thank you for your respond.

Looks like loadbalancing over tunnels will stay out of reach  on ASA.

TCP Bypass ist not supported on Tunnel interfaces.

we will need to install a router infront of the Firewall.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card