01-23-2018 12:24 PM - edited 03-12-2019 04:56 AM
All
After adding to an existing encryption domain that uses object-groups to define interesting traffic, I have added new IPs/objects to the object-group, as did the other side, without having to bounce the tunnel.
Is this behavior normal?
Does using object-groups provide some protection when adding new devices to an existing encryption domain?
01-23-2018 01:27 PM
Hello @Steve Coady,
No, actually the only way to get the SA created is sending traffic or issuing the command for the packet-tracer. Once you trigger the VPN tunnel they will check for its encryption domain and then the other side.
That's not done automatically.
HTH
Gio
01-23-2018 12:56 PM
Hello @Steve Coady,
This is the normal behavior since you are not changing the previous configuration of the object-groups, and this works because you are just adding subnets/hosts and it creates a new SA on the ASA.
But according to your second question, no, they don't offer some kind of protection for the information within.
HTH
Gio
01-23-2018 01:12 PM