Cisco ASA IPsec site2site VPN tunnel for Riverbed SteelHead path selection

Network Diver

Hi,

We have a remote office with two different internet connections and a Cisco ASA firewall on each uplink. Each firewall has an IPsec site2site VPN tunnel to our datacenter. Both sites have a Riverbed SteelHead appliance for WAN optimization.

For Riverbed SteelHead autodiscovery, the TCP options 76 through 78 must be allowed on the Cisco ASA firewalls using TCP maps and policy map as follows:

tcp-map riverbed
tcp-options range 76 78 allow

policy-map global_policy
...
class class-default
set connection advanced-options riverbed

This works fine so far. However, for Riverbed path selection (a feature where one can have up to three active WAN uplinks and distribute/failover different application traffic) one must be able to transfer open TCP sessions from one VPN tunnel to another and also to permit asymmetric routing.

I thought of disabling TCP state inspection on the ASA firewall only for intranet traffic. Probably not a good idea as it adds CPU load to the firewall and makes protocol inspection impossible. I created an access-list that matches our intranet traffic going through the IPsec VPN tunnels and policy-map as follows:

access-list tcp_bypass extended permit tcp object-group Intranet1 object-group Intranet2

class-map tcp_bypass
match access-list tcp_bypass

policy-map global_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
...
class class-default
set connection advanced-options riverbed

Unfortunately a passing TCP packet seems to match only the first matching class (in this case class-default). So the class tcp_bypass is not effective. From my understanding this is also the case if I use different policies for inside/outside interfaces.

It is also not possible to add the connection advanced-options tcp-state-bypass to the same class, because the firewall then complains "ERROR: This option cannot coexist with tcp-map option!".

A method from Riverbed to get around this TCP state inspection by firewalls is to encapsulate the WAN traffic with GRE tunneling. This hides TCP state information from the firewall. This works, but in our environment it has the following drawbacks:

  • One can no longer reach the firewall on the other site through the VPN tunnel for management.
  • Remote clients connected with Cisco AnyConnect cannot reach the site on the other end of the VPN tunnel.

That's because this traffic traverses only one but not both Riverbed SteelHead appliances and only one part of the traffic is GRE encapsulated.

So how can this then be accomplished? I want to allow TCP options 76-78 and disable TCP state inspection only for intranet traffic.

Thanks in advance for any help.

Best regards,
Bernd
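
Added example (not the poster's configuration and not Cisco or Riverbed code): a small Python audit that parses ASA policy-map classes in the form shown in the post, applies the first-match rule the post describes to a flow, and flags every class that disables TCP state inspection, plus the combination the ASA rejects (a tcp-map and tcp-state-bypass in the same class). The sample config is constructed from the post's second policy-map with the "..." left out.

```python
import re

# Constructed sample: the post's second policy-map, "..." omitted.
SAMPLE_CONFIG = """\
tcp-map riverbed
 tcp-options range 76 78 allow
class-map tcp_bypass
 match access-list tcp_bypass
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
 class class-default
  set connection advanced-options riverbed
"""

def parse_policy_map(config, name):
    """Return [(class_name, [advanced-options...])] in configured order."""
    classes, in_map = [], False
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):          # top-level command starts/ends a section
            in_map = s.split()[:2] == ["policy-map", name]
        elif in_map and s.startswith("class "):
            classes.append((s.split()[1], []))
        elif in_map and s.startswith("set connection advanced-options") and classes:
            classes[-1][1].append(s.split()[-1])
    return classes

def tcp_map_names(config):
    """Names of all tcp-maps defined at top level."""
    return set(re.findall(r"^tcp-map\s+(\S+)", config, flags=re.M))

def effective_options(classes, matched):
    """First-match rule as described in the post: the first class the flow
    matches decides its advanced-options; class-default matches everything."""
    for cname, opts in classes:
        if cname in matched or cname == "class-default":
            return cname, opts
    return None, []

def audit(config, policy="global_policy"):
    """List classes without TCP state checks and classes the ASA would reject."""
    maps = tcp_map_names(config)
    report = {"bypass": [], "conflict": []}
    for cname, opts in parse_policy_map(config, policy):
        if "tcp-state-bypass" in opts:
            report["bypass"].append(cname)        # review: stateless path, audit its ACL
            if maps & set(opts):
                report["conflict"].append(cname)  # "cannot coexist with tcp-map option"
    return report
```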
