Asymmetric Flow on ASA5506 VTI tunnel interfaces VPN

olivier.martin
Level 1

Hi,

I've configured an ASA 5506X with 2 VTI tunnel interfaces to a cloud provider, and I'm getting asymmetric routing (which is to be expected at times). Now, the issue I would like to solve is to tell the ASA to be able to perform stateful inspection across two different VTI tunnels. I've thought that I could use this: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-connlimits.html

for example to use a policy-map to do a TCP State Bypass, but what about UDP? And what about ICMP? Moreover, this doesn't work on VTI or at least I'm not sure how to do this on VTI interfaces. I'm using 9.8.x.

Any clue?
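For reference, the policy-map approach the question refers to looks like this on an ASA. This is an added illustration, not configuration from the original post or from Cisco's documentation page; the subnets (10.10.0.0/24 on-premises, 10.20.0.0/24 at the cloud provider), the object names and the interface name "inside" are constructed placeholders. It shows TCP state bypass scoped to one matched traffic class, which is how a defender keeps the loss of TCP normalization and TCP inspection limited to the flows that actually traverse the two tunnels.

```cisco
! Constructed example: match only the traffic that crosses the two VTI tunnels.
! Both directions are listed so the class catches the flow regardless of which
! tunnel the first packet arrives on.
access-list VTI_BYPASS extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list VTI_BYPASS extended permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0

class-map VTI_BYPASS_CLASS
 match access-list VTI_BYPASS

! TCP state bypass only relaxes TCP SYN/sequence tracking for the matched class;
! flows outside the class keep full stateful inspection.
policy-map VTI_BYPASS_POLICY
 class VTI_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Applied to a named interface here ("inside" is assumed). Whether a service-policy
! attached to a tunnel interface takes effect on the VTI path itself is exactly the
! open point of the question, so this example does not claim to settle it.
service-policy VTI_BYPASS_POLICY interface inside
```

Keep the access list as narrow as the topology allows: everything matched by it loses the ASA's TCP normalizer checks, and the feature is TCP-only, so it does not change how UDP or ICMP flows are tracked.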

3 Replies

Mark Woollam
Level 1
I have the same problem.

I'm thinking IP SLA or BGP rather than static routes so only one route is in the ASA's table at a time.

Would love to enable asymmetric across two VTIs though.

What I ended up doing is advertising a higher BGP cost over one tunnel versus the other (my scenario involved BGP so that worked for me). But it's IMO not ideal...

Hi Oliver, what do you mean by higher cost? I guess you prepend the ASPATH on VTI-1 and leave the defaults on the VTI-2?
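The prepend-on-one-tunnel idea discussed in the replies, written out as an added example (not configuration posted by anyone in this thread). The AS numbers (65010 local, 65000 for the cloud provider), the tunnel peer addresses (169.254.10.1 on VTI-1, 169.254.20.1 on VTI-2) and the advertised prefix 10.10.0.0/24 are constructed placeholders. It goes slightly beyond the thread by steering both directions: AS-path prepending outbound on VTI-1 makes the provider prefer VTI-2 for return traffic, and a higher local preference on routes learned over VTI-2 makes the ASA prefer VTI-2 outbound, so only one tunnel carries a flow and the firewall sees both halves of it.

```cisco
! Constructed example: make VTI-2 the preferred path in both directions.

! Outbound on VTI-1: lengthen the AS path so the provider prefers what it hears on VTI-2.
route-map PREPEND_OUT_VTI1 permit 10
 set as-path prepend 65010 65010

! Inbound on VTI-2: raise local preference so the ASA installs the VTI-2 route.
route-map PREFER_IN_VTI2 permit 10
 set local-preference 200

router bgp 65010
 bgp log-neighbor-changes
 address-family ipv4 unicast
  network 10.10.0.0 mask 255.255.255.0
  ! VTI-1 peer (assumed address): advertised with the longer AS path
  neighbor 169.254.10.1 remote-as 65000
  neighbor 169.254.10.1 activate
  neighbor 169.254.10.1 route-map PREPEND_OUT_VTI1 out
  ! VTI-2 peer (assumed address): learned routes get the higher local preference
  neighbor 169.254.20.1 remote-as 65000
  neighbor 169.254.20.1 activate
  neighbor 169.254.20.1 route-map PREFER_IN_VTI2 in
```

After applying it, "show bgp" should list both paths for the provider's prefixes with only the VTI-2 path marked best, and "show route" should install a single next hop; if the provider ignores inbound AS-path length, the return path stays asymmetric and this approach alone will not help.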
