VPN traffic question

Unanswered Question
May 13th, 2010

Hi all, I have a quick questions to ask that Im hoping someone will have a quick answer to..

I won't go in to the details of why this is required, but just want to know if it's possible (Im designing an optimised WAN VPN solution for a client using only ASAs).

If a TCP SYN packet goes out over 1 VPN to a remote host, and the ACK arrives back on the same interface but from a different VPN peer, will the connection be established or dropped?

Please let me know if the question still not clear.

Thanks in advance,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Thu, 05/13/2010 - 08:54

I *think* that the TCP handshake only looks at the sequence number and if that matches you should get the session established. I don't have a reference with me to verify though :-)

Panos Kampanakis Thu, 05/13/2010 - 09:02

Conn that are put in the connection table are between endpoints and port numbers and sequence numbers.

I don't think they are tied to tunnels themselves. After the SYN-ACK decryption, it should be matched against the connection table and match an existing conn.

So, I agree with Collin and believe it should work.

I hope it helps.


jacobs_son Thu, 05/13/2010 - 12:07

Hello all, thanks for the replies.

That was the general idea Jon. To give a little more info, I have 2 sets of dispersed sites in remote locations (20 sites in each country), and only 1 in each with very good connectivity. All sites must be able to talk to each other and I don't really want to have 39 L2L VPNs on each device. There is already a VPN network in place but it's a bit messy.

So the thought was to have a hub site in each location with a route to all other remote networks on each remote device via it's local hub. This would result in traffic being returned by a different route but would have the benefit of going via it's local site with very good connectivity.

The subnets are not split well so I would need 20 static routes or match statements on each device if I put a VPN to both hubs for traffic to be returned by the same route. There'd be a tunnel to each hub for redundancy of critical systems, but I wanted to avoid all the statics or acl entries.

Any thoughts appreciated. Thanks again.


Edit: Btw Jon, I had to reply here and view your reply in page source because the site doesnt seem to agree with IE8 anymore... (I can't read anyone's reply with the Hall of Fame badge)

Jon Marshall Thu, 05/13/2010 - 12:34


Firstly i'm having an issue displaying posts as well. If you go to Account -> Preferences and select Threaded view as opposed to Flat view this may help.

As for your setup, something keeps nagging me that it wont work but like Collin and PK i can't see a reason why it wouldn't. If the traffic could return by different tunnels though i think you would get caught out by the anti-replay feature of IPSEC because each tunnel would be keeping it's own sequence numbers. But if the traffic always comes via the same tunnel even if that is not the one that traffic went out on it may well work.


jacobs_son Fri, 05/14/2010 - 02:26

Thanks for the tip, doesn't seem to help much unfortunately. This morning I can't see any threads in the firewalling forum when using IE. Other browsers dont seem to have the problem at all.

Upon further investigation, it seems that the inter-site latency is not much different whether the traffic goes via the local or remote hub for any site. May I ask very briefly what your recommendation would be for the design of this network? I know you don't have all the details, but the bandwidth and hardware in place at the hub sites in sufficient for handling all of the internal traffic. The rest of the sites are mostly DSL, with a few T1s and 10Mb fibre circuits dotted around the place. There's an ASA 5510 or 20 at every site and the client don't want to purchase any more hardware..

Thanks again,


Jon Marshall Thu, 05/13/2010 - 09:25


Would the traffic flow for the entire connection always be the same ie. it goes out via tunnel1  and comes back via tunnel2 ?



This Discussion