cisco ASA VPN remote access

Answered Question
Oct 14th, 2014

Hi Guys

I have a couple of questions regarding remote access VPN and logging VPN traffic. Can someone please advise how I can capture decrypted traffic for remote access VPN clients on the firewall? Right now the firewall has an any source / any destination / any service access list associated with the tunnel group (not an interface access list) but the default group policy one. I don't know what kind of traffic is coming from the remote VPN machines, and I want to capture it, create a more specific ACL, and associate that with the tunnel group via vpn-filter so that no "any"s are allowed.

I also have load balancing configured for VPN, and I know that if I add a vpn-filter via group policy and add it to the default group it can cause downtime, but since I have VPN load balancing configured it shouldn't affect remote clients. Am I right?

Regards

F

Mohammad khan Tue, 10/14/2014 - 21:33

Also, can someone explain: in active/standby only one unit is passing traffic, so how is VPN load balancing supported, given that active/active doesn't support VPN, at least not in 8.4? Thanks.

Mohammad khan Wed, 10/15/2014 - 12:08

Hi,

Thanks for the reply, but I'm still confused about how to achieve VPN load balancing with the active/standby or active/active feature. Thanks.

Correct Answer
Karsten Iwen Wed, 10/15/2014 - 13:29
User Badges: Purple, 4500 points or more; Cisco Designated VIP, 2017 Firewalling, VPN

There is no load balancing with active/standby (standby really means "only standby"!). And there isn't even RA-VPN with active/active.

Karsten Iwen Tue, 10/14/2014 - 22:53
User Badges: Purple, 4500 points or more; Cisco Designated VIP, 2017 Firewalling, VPN

I don't think that you can capture based on the tunnel-group. You can configure your capture on the inside interface and restrict with capture ACLs what you want to see.

For VPN load balancing:

On an active/standby pair, it's not possible to load-balance traffic between the active and the standby unit. Load is only shared between the configured load-balancing members. But an active/standby pair can be used as a load-balancing member; for that member, only the active unit processes traffic. The benefit of this setup is that the client doesn't need to reconnect when the active unit fails. In normal VPN load balancing, all VPN sessions drop when the particular member fails.
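As an added example, not part of this thread and not Cisco's own documentation: the capture-then-filter approach described above, written out in ASA CLI. The remote-access pool (10.10.10.0/24), the internal server subnet (10.1.1.0/24), the DNS host (10.1.1.53), the TFTP server (192.0.2.50), and the names CAP_RAVPN, RAVPN_IN, RAVPN_FILTER, GP_RAVPN and TG_RAVPN are all assumed placeholders; substitute your own.

```text
! --- Step 1: capture the decrypted client traffic on the inside interface ---
! A capture ACL only selects which packets land in the capture buffer;
! it does not filter or drop anything. Pool 10.10.10.0/24 is assumed.
access-list CAP_RAVPN extended permit ip 10.10.10.0 255.255.255.0 any
access-list CAP_RAVPN extended permit ip any 10.10.10.0 255.255.255.0
! Remote-access traffic is seen decrypted on the inside interface.
capture RAVPN_IN interface inside access-list CAP_RAVPN buffer 2000000 circular-buffer
! Review what the clients actually talk to (protocols, hosts, ports)
show capture RAVPN_IN
show capture RAVPN_IN detail
! Optional: export as pcap for offline analysis (assumed TFTP server)
copy /pcap capture:RAVPN_IN tftp://192.0.2.50/RAVPN_IN.pcap
! Remove the capture once the baseline has been collected
no capture RAVPN_IN

! --- Step 2: replace the any/any vpn-filter with a specific one ---
! vpn-filter ACEs are written with the VPN client address as the source
! and the internal resource as the destination. The vpn-filter has an
! implicit deny; the explicit deny with "log" makes rejected flows visible.
access-list RAVPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 443
access-list RAVPN_FILTER extended permit udp 10.10.10.0 255.255.255.0 host 10.1.1.53 eq domain
access-list RAVPN_FILTER extended deny ip any any log
! Attach it through a dedicated group policy rather than editing DfltGrpPolicy,
! and point the tunnel group at that policy.
group-policy GP_RAVPN attributes
 vpn-filter value RAVPN_FILTER
tunnel-group TG_RAVPN general-attributes
 default-group-policy GP_RAVPN
! Verify: the "Filter Name" field in the session detail should show RAVPN_FILTER,
! and the ACL hit counts should move as clients connect.
show vpn-sessiondb detail anyconnect
show access-list RAVPN_FILTER
```

Run the capture for long enough to cover a normal working day before deriving the ACL, otherwise infrequent but legitimate flows (patching, printing, backup agents) end up in the deny-log line after the filter goes live. Keep the deny-with-log line during the first weeks so those misses show up in syslog rather than as silent breakage.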
