Tuesday, March 15, 2016

After a customer set up a Cisco ASA Site-to-Site VPN to Azure, the VPN drops after a period with no traffic

After I helped the customer finish the Cisco ASA Site-to-Site VPN to Azure, the customer called to say that once there had been no connection to the Azure VMs for a while, they first had to ping a VM on Azure before they could connect to it. I use Windows Server 2012 as a VPN server, and its VPN connections come in two types: Demand Dial and Persistent Connection. I checked the Windows 2012 setup in my lab environment, and it does have these two settings.

So I went to Google for the Cisco ASA VPN connection types and found that the ASA can indeed be given something like a persistent connection (Cisco calls it Persistent IPSec Tunneled Flows). The setting is:

sysopt connection preserve-vpn-flows

One caveat, which Cisco's own description below makes clear: this command does not keep the tunnel up or re-dial it. It keeps the ASA's existing TCP state-table entries alive while the tunnel is down and re-negotiated, so established connections survive the outage instead of going stale; something still has to bring the tunnel back up (in the customer's case, the ping).
Excerpt from the Cisco article:

Configure

As shown in the network diagram, the branch office (BO) is connected to the head office (HO) through the site-to-site VPN. Consider an end user at the branch office attempting to download a big file from the server situated in the head office. The download lasts hours. The file transfer works fine as long as the VPN works fine. However, when the VPN is disrupted, the file transfer hangs and the user has to re-initiate the file transfer from the beginning after the tunnel is re-established.

Network Diagram

This document uses this network setup:
[Network diagram image: asa-userapp-vpntunnel-01.gif]
This problem arises because of built-in functionality in how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The details of the encrypted traffic that passes through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the server at the head office and the end user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA still retains the TCP connection for that particular flow while the user application terminates. The TCP connections then become stray and eventually time out after the TCP idle timer expires.
This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information across the re-negotiation of the VPN tunnel. The command is shown here:

sysopt connection preserve-vpn-flows
By default, this command is disabled. When it is enabled, the Cisco ASA maintains the TCP state table information when the L2L VPN recovers from the disruption and re-establishes the tunnel.
In this scenario, this command has to be enabled on both ends of the tunnel. If there is a non-Cisco device at the other end, enabling this command on the Cisco ASA should suffice. If the command is enabled while the tunnels are already active, the tunnels must be cleared and re-established for this command to take effect. For more details on clearing and re-establishing the tunnels, refer to Clear the Security Associations.

Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html
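To put the two pieces together (enabling the command, then clearing and re-establishing the tunnel as Cisco requires), here is the ASA CLI sequence I would run. This is an added example, not part of the Cisco article or of the customer's configuration. Only sysopt connection preserve-vpn-flows appears on this page; show running-config all sysopt, clear crypto ipsec sa, clear crypto isakmp sa and write memory are standard ASA commands that I am assuming from the ASA CLI rather than from the article, and the lines starting with ! are annotations, so check them against your ASA software version before use.

```cisco
! Check the current state first. "show running-config all" also prints
! defaults, so an untouched ASA shows "no sysopt connection preserve-vpn-flows".
ciscoasa# show running-config all sysopt

! Enable Persistent IPSec Tunneled Flows. The command is global,
! not per tunnel-group or per crypto map.
ciscoasa# configure terminal
ciscoasa(config)# sysopt connection preserve-vpn-flows
ciscoasa(config)# end

! Per the Cisco article, tunnels that are already up do not pick up the
! setting, so tear down the IPsec and IKE SAs to Azure. This is a short
! outage for everything on the tunnel, so do it in a maintenance window.
ciscoasa# clear crypto ipsec sa
ciscoasa# clear crypto isakmp sa

! Bring the tunnel back by sending interesting traffic toward Azure
! (for example a ping to an Azure VM, as in the report above), then
! confirm the setting is in the running config and save it.
ciscoasa# show running-config sysopt
ciscoasa# write memory
```

Azure is the non-Cisco peer in the customer's setup, so following the Cisco text the command only needs to be enabled on the ASA side. Keep in mind that this preserves established TCP flows across a tunnel rebuild; it does not by itself stop the tunnel from going down after idle time, which is the symptom the customer reported.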
