ASA session Check in Asymmetric Routing

I have a question regarding the ASA session check.

Imagine this situation:

We have an ASA which is building two site-to-site VPNs to the cloud, and in the routing table there is load balancing to the destination in the cloud over the two VPN connections.

My question is: let's say the first packet (TCP SYN) is sent over the first VPN and the answer (TCP ACK) comes over the second VPN. Will the ASA drop this packet?

Of course, considering RPF is not being violated.

Accepted Solution

Thank you for your response.

Looks like load balancing over tunnels will stay out of reach on ASA.

TCP Bypass is not supported on tunnel interfaces.

We will need to install a router in front of the firewall.

 


Mike.Cifelli
VIP Alumni
Something to consider is using TCP state bypass for your specific (interesting) VPN traffic. This basically alters the way sessions are established. It is similar to how a UDP connection is treated. See: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415
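
For reference, this is roughly what the TCP state bypass configuration mentioned in the reply above looks like on an ASA. It is an added example, not part of the thread or of any poster's configuration; the ACL, class-map and policy-map names, the subnets and the interface name are constructed placeholders. It does not change the limitation on tunnel interfaces reported in this thread.

```cisco
! Constructed example: names, subnets and interface are placeholders.
! Match only the TCP traffic that can take asymmetric paths
! (here: site LAN to the cloud prefix).
access-list TCP_BYPASS_ACL extended permit tcp 10.10.0.0 255.255.0.0 172.16.0.0 255.255.0.0
!
class-map TCP_BYPASS_CLASS
 description TCP flows exempt from stateful tracking
 match access-list TCP_BYPASS_ACL
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply the policy to the interface where the matched traffic enters.
service-policy TCP_BYPASS_POLICY interface inside
!
! Verify: connections using TCP state bypass show the "b" flag.
show conn
```

Flows that match the class are no longer checked against TCP connection state, so keep the ACL as narrow as the asymmetric traffic requires.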
