Cisco ASA 5545-X Adaptive Security Appliance - No Payload Encryption Troubleshooting Guide

Related Products
This document can be used with these hardware and software versions:
• Any ASA model
• Any ASA code version
Background Information
When a user connects to the ASA as a remote access VPN concentrator, the ASA installs a host-based route
in the ASA routing table that routes traffic to that VPN client out of the outside interface (towards the
Internet). When that user disconnects, the route is removed from the table, and packets on the inside
network (destined for that disconnected VPN user) might be looped between the ASA and an internal routing
device.
Another problem is that directed (network) broadcast packets for the VPN pool subnet might be forwarded by
the ASA as a unicast frame towards the internal network. The internal router might then forward the packet
back to the ASA, which causes it to be looped until the Time to Live (TTL) expires.
This document explains these issues and shows what configuration techniques can be used in order to prevent
the problem.
Problem: Packets Destined for a Disconnected VPN Client Loop Inside Internal Network
When a remote access VPN user disconnects from an ASA firewall, packets still present on the internal
network (destined for the IP address that was assigned to the disconnected VPN client) might become looped
within the internal network. These packet loops might cause the CPU usage on the ASA to increase until the
loop stops, either because the IP TTL value in the IP packet header decrements to 0, or because a user
reconnects and the IP address is re-assigned to a VPN client.
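The loop described above, traced hop by hop as an added illustration; this is not Cisco code or configuration from this guide. It assumes a topology the page does not spell out: the ASA reaches the internal LANs through a 10.0.0.0/8 summary route that also covers the VPN pool 10.255.0.0/24 (which is what sends the packet back inside once the host route is gone), the internal router uses the ASA as its default gateway, the inside segment is 10.0.0.0/24, and the router's LANs are 10.1.0.0/24 and 10.2.0.0/24. The client address 10.255.0.100 is the one used in this document.

```python
"""Simulate the route loop that a disconnected remote-access VPN client leaves
behind.  Added illustration, not Cisco configuration or code.  Assumed details
(not on the page): the ASA reaches the internal LANs through a 10.0.0.0/8
summary route that also covers the VPN pool 10.255.0.0/24, the internal router
uses the ASA as its default gateway, and the inside segment is 10.0.0.0/24."""
from ipaddress import ip_address, ip_network

CLIENT = ip_address("10.255.0.100")          # VPN client address used in the guide
POOL_BROADCAST = ip_address("10.255.0.255")  # directed broadcast of the assumed /24 pool


def build_routing_tables(client_connected: bool) -> dict:
    """Return {device: [(prefix, next_hop), ...]} for the two hops in the loop.
    next_hop is either another device name or an egress label."""
    asa = [
        (ip_network("0.0.0.0/0"), "outside"),      # default route towards the Internet
        (ip_network("10.0.0.0/24"), "connected"),  # inside segment shared with the router
        (ip_network("10.0.0.0/8"), "router"),      # assumed summary route that also covers the pool
    ]
    if client_connected:
        # host route the ASA installs while the client is up; removed on disconnect
        asa.append((ip_network(f"{CLIENT}/32"), "outside"))
    router = [
        (ip_network("0.0.0.0/0"), "asa"),          # default gateway is the ASA
        (ip_network("10.1.0.0/24"), "connected"),  # assumed internal LANs behind the router
        (ip_network("10.2.0.0/24"), "connected"),
    ]
    return {"asa": asa, "router": router}


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None when nothing matches."""
    matches = [(net.prefixlen, nh) for net, nh in table if dst in net]
    return max(matches)[1] if matches else None


def trace(dst, ttl=64, client_connected=False, ingress="router"):
    """Forward one packet hop by hop, decrementing TTL at every L3 device and
    dropping it when TTL reaches 0.  Returns (outcome, asa_forwards, total_hops)."""
    tables = build_routing_tables(client_connected)
    device, asa_forwards, hops = ingress, 0, 0
    while True:
        nh = lookup(tables[device], dst)
        if nh is None:
            return (f"no route at {device}", asa_forwards, hops)
        ttl -= 1
        if ttl == 0:
            return (f"ttl expired at {device}", asa_forwards, hops)
        hops += 1
        if device == "asa":
            asa_forwards += 1
        if nh in ("outside", "connected"):
            return (f"delivered via {nh} from {device}", asa_forwards, hops)
        device = nh


if __name__ == "__main__":
    # packet from an internal LAN host to the client, while the client is connected
    print(trace(CLIENT, client_connected=True))
    # the same packet after the client disconnects and the /32 host route is gone
    print(trace(CLIENT, client_connected=False))
    # directed broadcast to the pool subnet, forwarded as unicast by the ASA
    print(trace(POOL_BROADCAST))
```

With the host route present the packet leaves the ASA on the outside interface after two hops. Once it is gone, the ASA's summary route sends the packet back to the router, whose default route returns it to the ASA, so with an initial TTL of 64 the ASA processes the same packet 32 times (forwarding it 31 times and dropping it when TTL reaches 0); that repeated handling is the CPU cost the text describes. The directed broadcast address never matches a /32 host route, so it loops the same way whether or not a client is connected.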
In order to understand this scenario better, consider this topology:
In this example, the remote access client has been assigned the IP address of 10.255.0.100. The ASA in this
example is connected to the same inside network segment along with a router. The router has two additional
Layer 3 network segments connected to it. The relevant interface (routing) and VPN configurations of the
ASA and router are shown in the examples.
ASA configuration highlights are shown in this example:
interface GigabitEthernet0/0
 nameif outside