Multi-VTI connections and TCP-State-Bypass availability
I haven't seen this posted anywhere (yet) but wanted to reach out to the community to see if anyone has seen this in their environments, or if this is something anyone has successfully implemented. Long and short, I'm trying to build two separate tunnels between the same two locations, over two different ISPs. Getting the VTIs up was easy enough, and I have BGP running over them without any real issues. Routing is fine as well. The only issue I'm having is with TCP State Bypass on the VTIs specifically. In the event of traffic ingressing / egressing a secondary VTI, or in the event of wanting to ECMP across the two VTIs, I would need to leverage TCP state bypass. Only problem is, there doesn't seem to be a way to attach a policy-map (service-policy) to a VTI. Likewise, when I attempted to perform this functionality within the global policy, the result was the same: dropped traffic due to the first packet not being a SYN, etc.
Has anyone seen this type of deployment done before, or should I just chalk this up to a platform limitation for the time being? One other thing I thought of trying was to just drop those interfaces into traffic zones, but you can't apply the command under the VTI unfortunately.
I have seen this working a couple of months back, and TCP state bypass was resolving it, given that the match policy for the class map is using VPN subnets for IN-to-OUT and another one which matches VPN traffic (ESP traffic) OUT-to-IN.
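For readers wanting to see what the subnet-based class map described in that reply looks like in ASA syntax, here is an added configuration fragment. It is not the original poster's or the reply author's config: the site subnets (10.1.0.0/16 and 10.2.0.0/16), the ACL name and the class name are placeholders, and the ESP-matching class the reply mentions is not reproduced. The ACL permits both directions so that a return flow arriving over the second VTI without a preceding SYN is not dropped by the stateful check.

```cisco
! Added example (not from the thread): TCP state bypass scoped to the
! subnets carried over the two VTIs. Subnets and names are placeholders.
!
! Match inner TCP traffic between the two sites in both directions, so an
! asymmetric path (out over VTI-1, back over VTI-2) or ECMP across both
! does not produce "first packet not a SYN" drops.
access-list VTI_BYPASS extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VTI_BYPASS extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!
class-map VTI_BYPASS_CLASS
 match access-list VTI_BYPASS
!
! Bypass applied in the global policy, since a service-policy cannot be
! attached to a VTI interface directly.
policy-map global_policy
 class VTI_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
```

Bypassed connections skip TCP normalization and the stateful SYN check, so keep the ACL limited to the site-to-site prefixes rather than `any`. After applying it, `show service-policy` shows whether the class is matching packets, and `show conn` confirms that the cross-VTI connections are being built instead of dropped.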