Hi, we have a situation where we need to run the ASA as a router. Here is the situation: we have two sites connected via a private p2p link, we also have an ASA5520 in each site, and we have an L2L IPsec tunnel over the Internet. We want to fail over to the IPsec-over-Internet pipe in case the p2p link fails. With BFD/OSPF this design works at the L3 level. But we have a problem keeping existing TCP connections when failover happens. The reason is, I believe, that when the ASA sees a new connection coming in without seeing the SYN flag in the packet, it will not create a connection entry and drops the packet unless a new connection is initiated from either side. So my question is: is there any way I can configure the ASA to behave more like an L3 device, ideally to turn off L4 checking for IPsec traffic? Or what other option do I have?
The ASA is not meant to behave as a router; however, you can add some rules to let SYN-flag packets pass through even if the session was not initiated from a known network.
ASA 8.2.X TCP State Bypass Feature Configuration Example
However, I am not sure if this will actually achieve your goal.
Keep me posted.
Please rate any post that you find helpful.
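For reference, this is a minimal TCP state bypass configuration of the kind the linked document describes. It is added here as an illustration and is not from the original post; the site subnets 10.1.0.0/16 and 10.2.0.0/16 and the default global_policy name are assumed, and the ACL is written with both directions so that a flow arriving from either site creates the connection entry.

```cisco
! Constructed example: match only the site-to-site traffic, in both
! directions, so stateful inspection stays on for everything else.
access-list tcp_bypass extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!
class-map tcp_bypass
 match access-list tcp_bypass
!
! Attach the class to the existing default global policy (name assumed).
! With tcp-state-bypass set, the ASA builds the connection entry on any
! packet of a matched flow, not only on a SYN, so an established session
! that moves from the p2p link onto the IPsec tunnel is not dropped.
policy-map global_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! The policy is already bound globally; verify the bypass flows with:
! show conn detail   (flows created by bypass are flagged in the output)
```

Because matched flows skip TCP normalization and stateful checks, keep the ACL scoped to the two site subnets rather than using `any`.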
Thank you so much for the link. It looks like this is exactly what I am looking for; I will update the thread after I try it out.
I totally agree with you that the ASA is not meant to behave as a router, but when the situation changes (in our case the p2p link was added later), we want to utilize existing equipment as much as possible instead of purchasing new equipment.
I wonder if you could mark this as an answered question for the time being.
I appreciate your time.
Please rate any post you find helpful.