Cisco ASA 5545 x 9.6 code VPN encryption domain

Steve Coady
Level 1

After adding to an existing encryption domain that uses object-groups to define interesting traffic, I have added new IPs/objects to the object-group, as did the other side, without having to bounce the tunnel.

Is this behavior normal?

Does using object-groups provide some protection when adding new devices to an existing encryption domain?

sMc

3 Replies

GioGonza
Level 4

Hello @Steve Coady,

This is the normal behavior, since you are not changing the previous configuration of the object-groups. This works because you are just adding subnets/hosts, and it creates a new SA on the ASA.

But regarding your second question: no, they don't offer any kind of protection for the information within.

 

HTH

Gio

Thank you for the response.

The new SA is created automatically? Is there some sort of communication between the encryption domains that verifies they are the same but are different than before?

sMc

Hello @Steve Coady

No, actually the only way to get the SA created is sending traffic or issuing the packet-tracer command. Once you trigger the VPN tunnel, they will check for its encryption domain and then the other side.

That's not done automatically.

 

HTH

Gio
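The point in Gio's answers, that nothing checks the two encryption domains against each other until traffic or packet-tracer triggers a new SA, can be checked offline before the next host is added. The following is an added example, not from this thread and not an ASA tool: a small Python script (hypothetical site names and addresses, constructed here) that expands each side's object-group-based crypto ACL into the proxy-ID pairs the ASA would offer, and reports entries that have no mirror on the peer.

```python
from ipaddress import ip_address, ip_network

def crypto_acl(local_group, remote_group):
    """Expand 'permit ip object-group LOCAL object-group REMOTE' into the
    (local, remote) proxy-ID pairs the ASA offers during IKE phase 2."""
    return {(ip_network(l), ip_network(r)) for l in local_group for r in remote_group}

def mirrored(pair):
    """The entry the peer must carry for this pair: source and destination swapped."""
    local, remote = pair
    return (remote, local)

def domain_mismatch(acl_a, acl_b):
    """Pairs on one side with no mirror on the peer. Such gaps stay silent until
    traffic (or packet-tracer) tries to bring up the SA for that exact pair."""
    missing_on_b = {p for p in acl_a if mirrored(p) not in acl_b}
    missing_on_a = {p for p in acl_b if mirrored(p) not in acl_a}
    return missing_on_b, missing_on_a

def selecting_pair(acl, src, dst):
    """The proxy-ID pair that selects src->dst as interesting traffic (the lookup
    an outbound packet triggers); None means the flow is not sent into the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in acl:
        if src in local and dst in remote:
            return (local, remote)
    return None

# Constructed sample: the two sites' object-groups before the change.
A_LOCAL, A_REMOTE = ["10.1.1.0/24"], ["192.168.50.0/24"]
B_LOCAL, B_REMOTE = ["192.168.50.0/24"], ["10.1.1.0/24"]

def check_after_adding(new_host="10.1.2.10/32", peer_updated=False):
    """Site A adds new_host to its local group; peer_updated says whether site B
    added the same host to its remote group. Returns the asymmetric pairs."""
    a_local = A_LOCAL + [new_host]
    b_remote = B_REMOTE + ([new_host] if peer_updated else [])
    acl_a = crypto_acl(a_local, A_REMOTE)
    acl_b = crypto_acl(B_LOCAL, b_remote)
    return domain_mismatch(acl_a, acl_b)

if __name__ == "__main__":
    print("only site A updated:", check_after_adding())
    print("both sites updated: ", check_after_adding(peer_updated=True))
```

With only site A updated, the new host's pair is selected as interesting traffic on A but has no mirror on B, which is the case that surfaces as a failed phase 2 negotiation the first time that host sends traffic.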