ASA session Check in Asymmetric Routing

I have a question regarding the ASA session check.

Imagine this situation:

We have an ASA which is building two site-to-site VPNs to the cloud, and in the routing table there is load balancing to the destination in the cloud over the two VPN connections.

My question is: let's say the first packet (TCP SYN) is sent over the first VPN and the answer (TCP ACK) comes over the second VPN. Will the ASA drop this packet?

Of course, considering RPF is not being violated.

1 ACCEPTED SOLUTION


Thank you for your response.

Looks like load balancing over tunnels will stay out of reach on ASA.

TCP bypass is not supported on tunnel interfaces.

We will need to install a router in front of the firewall.

2 REPLIES
VIP Engager

Something to consider is using TCP state bypass for your specific (interesting) VPN traffic. This basically alters the way sessions are established. It is similar to how a UDP connection is treated. See: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415
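
For reference, a sketch of the TCP state bypass configuration suggested in the reply above, scoped to a single source/destination pair. It is an added example, not part of the original posts; the networks, the object names and the interface name `inside` are assumptions, and the follow-up reply in this thread reports that the feature is not supported on tunnel interfaces.

```cisco
! Constructed example. Assumed values (not from the thread):
!   10.1.0.0/16   on-premises network
!   172.16.0.0/16 cloud network
!   inside        interface where the traffic enters the ASA
!
! Match only the flows that can return on a different path.
! Bypassed flows skip TCP state and sequence checks, so keep the ACL
! as narrow as the asymmetric traffic allows.
access-list TCP_BYPASS extended permit tcp 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
!
class-map TCP_BYPASS_CLASS
 description Flows subject to asymmetric routing
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
! Apply to the ingress interface only, not globally.
service-policy TCP_BYPASS_POLICY interface inside
!
! Verify: connections handled by state bypass show the "b" flag.
show conn
```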