Solved: ASA session Check in Asymmetric Routing

amhish@netfox.de · ‎07-01-2019

I have a question regarding ASA session check

Imagen this situation

We have an ASA which is Building two VPNs (Site-to-Site) to the Cloud and in the Routing table there is a loadbalancing to the Destination in the Cloud over the two VPN connections.(Loadbalancing)

My question is lets if the first packet TCP,Syn sent over the first VPN and the answer TCP-ACK came over the second VPN will the ASA Drop this packet?

ofcourse considring RPF is not being violated.

amhish@netfox.de · ‎07-05-2019

Thank you for your respond.

Looks like loadbalancing over tunnels will stay out of reach on ASA.

TCP Bypass ist not supported on Tunnel interfaces.

we will need to install a router infront of the Firewall.

View solution in original post

Mike.Cifelli · ‎07-01-2019

Something to consider is using TCP state bypass for your specific (interesting) vpn traffic. This basically alters the way sessions are established. It is similar to how a UDP connection is treated. See: https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html#wp1088415

amhish@netfox.de · ‎07-05-2019

Thank you for your respond.

Looks like loadbalancing over tunnels will stay out of reach on ASA.

TCP Bypass ist not supported on Tunnel interfaces.

we will need to install a router infront of the Firewall.