KB-1621 How to enable preservation of VPN flows on a Cisco ASA

Purpose

When the terminating endpoint on the remote side is a Cisco ASA that keeps track of persistent TCP connections over a tunnel, there is a chance that the device will terminate these connections during a short-lived tunnel drop. Data sources created in the Appian Administration Console rely on persistent TCP connections in a database connection pool.

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

The setting 'sysopt connection preserve-vpn-flows' should be set to allow persistent connections to the database. This will allow established connections to survive a short-lived tunnel drop (whatever the cause may be).

 A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005 

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Related
Recommended