One of my customers is using CSA with VPN remote access. There is a rule module which denies all communication (except VPN) until the MC becomes reachable. Everything is working fine. The only problem is that the Agent sees the MC only 4-5 minutes after the VPN comes up. How can I speed up this connection check process on the agent?
Rule modules consist of one or more rules. One or more rule modules are meant to be attached to a policy. This module of rules is generally configured for a particular "modular" purpose. It is in this manner that several rules can be moved together from one policy to another or exist as part of several policies. Rule modules are generally OS specific while policies are not. This way, you can scale a great many rule modules to a lesser number of policies to simplify your basic product configuration view. I think that the Agent sees the MC only 4-5 minutes after the VPN comes up, and that is the normal time taken.
What polling interval is set for the clients which are using the VPN Policy?
... maybe 4..5 minutes?
One of our customers has the same issue. So whenever I come back to the internal network (and thus the CSA MC is reachable) the System State "MC reachable" doesn't change until the polling interval forces an update.
Which CSA MC version do you use? (6.0.209??)
Which Client Operating system do you use?
I have already opened a TAC case, but unfortunately there has been no answer from Cisco yet :-(
I would suggest you use the DNS suffix check instead, or as an extra system state for your policy. The problem with using only MC Reachable is that if your CSAMC server goes down, then you will never get any traffic out of your PCs even if the VPN is established, because it still won't see the MC.