Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

cisco ASA VPN remote access

Hi Guys

 

I have couple of question in regards to remote access vpn and logging vpn traffic. Can someone please advise how can i capture decrypted traffic for remote access vpn client on firewall. right now firewall has any source any dest and any service access list associated with tunnel group (not interface access list) but the default group policy one. i don't know what kind of traffic is coming from remote vpn machine and i want to  capture and create more specfic acl and associate that with tunnel group via vpn filter so no any's are allowed.

I have also load balancing configured for vpn and i know if i add vpn filter via group policy and add it to default group it can cause downtime but since i have vpn load balancing configured it shoudnt affect remote client. Am i right ?

 

regards

F

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

There is no load balancing

There is no load balancing with active/standby (standby really means "only standby"!). And there isn't even RA-VPN with active/active.

4 REPLIES
Community Member

also can someone explian as

also can someone explian as in active standby only one is passing traffic so how vpn load balancing is supported as active active doesnt support vpn not atleast in 8.4......thanks

Community Member

Hi  thanks for reply but

Hi 

 

thanks for reply but still confuse how to achieve vpn load balancing with active standby or active active feature..thanks

VIP Purple

There is no load balancing

There is no load balancing with active/standby (standby really means "only standby"!). And there isn't even RA-VPN with active/active.

VIP Purple

I don't think that you can

I don't think that you can capture based on the tunnel-group. You can configure your capture on the inside interface and restrict with capture-ACLs what you want to see.

For VPN load balancing:

On an active-standby pair, it's not possible to loadbalance traffic between the active and the standby unit. Load is only shared between the configured load-balancing members. But an active/standby pair can be used as a loadbalancing member. But for that member, only the active unit processes traffic. The benefit of this setup is that the client doesn't need to reconnect when the active unit fails. I normal VPN loadbalancing, all VPN sessions drop when the particular member fails.

132
Views
0
Helpful
4
Replies
CreatePlease to create content