Such is VTI, when you configure it and a few minimal checks are fulfilled it's going to initiate IKE.
The alternative is usage of crypto maps, which (since ASA can connect to AWS) should work. Crypto maps only initiate traffic to remote peer if there is interesting traffic.
On IOS you a few knobs like idle-time on IPsec SAs which could help here.
Just thinking outside the box for a moment, if latency is not a problem why not have some central (or multiple locations) terminate the VPNs from multiple locations and then only the central locations having direct tunnels to AWS ... looks like something which could cost you a bit less.
This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".
To participate in this event, please use the button to ask your questions
Here’s your ch...
User Experience Enhancements
As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.
Early Access introduces a...
This video features a step by step walk through of configuring Cisco AnyConnect on FTD managed by FMC. Timestamps included for certificate installation, Access Control, Licensing, NAT, and Deployment failures.
I am trying to solve a CSR signing issue in a home lab.Can someone clarify this theoretical point? According to Wikipedia: "Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The...
Threat Response integrates with Cisco's Web Security Appliance (WSA) to provide visibility into web-bourne threats. By adding a Web Security or SMA Web module to Threat Response, investigators will be able to search for domains, URLs, and file hashes th...