KB-1621 How to enable preservation of VPN flows on a Cisco ASA

Parmida Borhani — Tue, 31 Jul 2018 23:21:18 GMT

Current Revision posted to Appian Knowledge Base by Parmida Borhani on 7/31/2018 11:21:18 PM

Purpose

When the terminating endpoint on the remote side is a Cisco ASA that keeps track of persistent TCP connections over a tunnel, there is a chance that the device will terminate these connections during a short-lived tunnel drop. Data sources created in the Appian Administration Console rely on persistent TCP connections in a database connection pool.

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

The setting 'sysopt connection preserve-vpn-flows' should be set to allow persistent connections to the database. This will allow established connections to survive a short-lived tunnel drop (whatever the cause may be).

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, how-to, Cloud, VPN

KB-1621 How to enable preservation of VPN flows on a Cisco ASA

Parmida Borhani — Tue, 31 Jul 2018 19:21:05 GMT

Revision 15 posted to Appian Knowledge Base by Parmida Borhani on 7/31/2018 7:21:05 PM

Purpose

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

KB-1621 How to enable preservation of VPN flows on a Cisco ASA

khalid.sharara — Tue, 31 Jul 2018 15:48:30 GMT

Revision 14 posted to Appian Knowledge Base by khalid.sharara on 7/31/2018 3:48:30 PM

Purpose

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

KB-XXXX How to enable preservation of VPN flows on a Cisco ASA

khalid.sharara — Tue, 31 Jul 2018 11:50:36 GMT

Revision 13 posted to Appian Knowledge Base by khalid.sharara on 7/31/2018 11:50:36 AM

Purpose

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

KB-1621 How to enable preservation of VPN flows on a Cisco ASA

khalid.sharara — Tue, 31 Jul 2018 11:47:54 GMT

Revision 12 posted to Appian Knowledge Base by khalid.sharara on 7/31/2018 11:47:54 AM

Purpose

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

KB-1620 How to enable preservation of VPN flows on a Cisco ASA

khalid.sharara — Tue, 31 Jul 2018 11:47:30 GMT

Revision 11 posted to Appian Knowledge Base by khalid.sharara on 7/31/2018 11:47:30 AM

Purpose

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

[DRAFT] KB-XXXX How to enable preservation of VPN flows on a Cisco ASA

khalid.sharara — Tue, 31 Jul 2018 11:45:25 GMT

Revision 10 posted to Appian Knowledge Base by khalid.sharara on 7/31/2018 11:45:25 AM

Purpose

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

[DRAFT] KB-XXXX How to enable preservation of VPN flows on a Cisco ASA

Vamsi Sunkara — Tue, 31 Jul 2018 09:23:40 GMT

Revision 9 posted to Appian Knowledge Base by Vamsi Sunkara on 7/31/2018 9:23:40 AM

Purpose

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

Instructions

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

[DRAFT] KB-XXXX How to enable preservation of VPN flows on a Cisco ASA

Parmida Borhani — Mon, 30 Jul 2018 21:39:15 GMT

Revision 8 posted to Appian Knowledge Base by Parmida Borhani on 7/30/2018 9:39:15 PM

Purpose

Instructions

Best Practice

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

[DRAFT] KB-XXXX How to enable preservation of VPN flows on a Cisco ASA

Parmida Borhani — Mon, 30 Jul 2018 21:35:07 GMT

Revision 7 posted to Appian Knowledge Base by Parmida Borhani on 7/30/2018 9:35:07 PM

Purpose

Instructions

Best Practice

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

KB-XXXX How to enable preservation of VPN flows on a Cisco ASA

Parmida Borhani — Mon, 30 Jul 2018 21:34:41 GMT

Revision 6 posted to Appian Knowledge Base by Parmida Borhani on 7/30/2018 9:34:41 PM

Purpose

Instructions

Best Practice

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, Cloud, VPN

KB-XXXX Enable Preservation of VPN Flows on Cisco ASA

Parmida Borhani — Mon, 30 Jul 2018 21:32:27 GMT

Revision 5 posted to Appian Knowledge Base by Parmida Borhani on 7/30/2018 9:32:27 PM

Best Practice

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

A more detailed discussions about this setting is below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Affected Versions

This article applies to all versions of Appian Cloud deployments that connect to a business data source over a VPN tunnel to a Cisco ASA.

Last Reviewed: July 2018

Tags: database, VPN

KB-XXXX Enable Preservation of VPN Flows on Cisco ASA

Vamsi Sunkara — Mon, 30 Jul 2018 14:53:09 GMT

Revision 1 posted to Appian Knowledge Base by Vamsi Sunkara on 7/30/2018 2:53:09 PM

Best Practice

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

The setting 'sysopt connection preserve-vpn-flows' should be set to allow persistent connections to the database. This will allow the connections to survive a tunnel drop (whatever the cause may be).

A more detailed discussions about this setting are below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

Components that rely on an on-premise database (such as records or reports) fail or perform poorly every time there is a VPN rekey. They fail with a generic error that says that "An Error Has Occurred". The system recovers itself in a few minutes after the failures occur.

This article applies to Appian Cloud deployments that connect to a secondary DS over the VPN

Last Reviewed: July 2018

Tags: database, VPN

KB-XXXX Enable Preservation of VPN Flows on Cisco ASA

Vamsi Sunkara — Mon, 30 Jul 2018 11:08:37 GMT

Revision 4 posted to Appian Knowledge Base by Vamsi Sunkara on 7/30/2018 11:08:37 AM

Best Practice

When the terminating endpoint on the remote side is a Cisco ASA that keeps track of persistent TCP connections over a tunnel, there is a chance that the device will terminate these connections during a short-lived tunnel drop. Datasources created in the Administration Console rely on persistent TCP connections in a database connection pool.

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

The setting 'sysopt connection preserve-vpn-flows' should be set to allow persistent connections to the database. This will allow established connections to survive a short-lived tunnel drop (whatever the cause may be).

A more detailed discussions about this setting are below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

This article applies to Appian Cloud deployments that connect to a secondary DS over the VPN

Last Reviewed: July 2018

Tags: database, VPN

KB-XXXX Enable Preservation of VPN Flows on Cisco ASA

Vamsi Sunkara — Mon, 30 Jul 2018 10:53:53 GMT

Revision 3 posted to Appian Knowledge Base by Vamsi Sunkara on 7/30/2018 10:53:53 AM

Best Practice

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

The setting 'sysopt connection preserve-vpn-flows' should be set to allow persistent connections to the database. This will allow the connections to survive a tunnel drop (whatever the cause may be).

A more detailed discussions about this setting are below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

This article applies to Appian Cloud deployments that connect to a secondary DS over the VPN

Last Reviewed: July 2018

Tags: database, VPN

KB-XXXX Enable Preservation of VPN Flows on Cisco ASA

Vamsi Sunkara — Mon, 30 Jul 2018 10:53:33 GMT

Revision 2 posted to Appian Knowledge Base by Vamsi Sunkara on 7/30/2018 10:53:33 AM

Best Practice

The feature that keeps track of the state of the connections should be turned off as TCP connections should ideally only be torn down by either of the endpoints.

The setting 'sysopt connection preserve-vpn-flows' should be set to allow persistent connections to the database. This will allow the connections to survive a tunnel drop (whatever the cause may be).

A more detailed discussions about this setting are below:

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#ID-2994-00000e6b

This problem arises because of the built-in functionality on how the ASA works. The ASA monitors every connection that passes through it and maintains an entry in its state table according to the application inspection feature. The encrypted traffic details that pass through the VPN are maintained in the form of a security association (SA) database. For this document's scenario, it maintains two different traffic flows. One is the encrypted traffic between the VPN gateways and the other is the traffic flow between the Server at the head office and the end-user at the branch office. When the VPN is terminated, the flow details for this particular SA are deleted. However, the state table entry maintained by the ASA for this TCP connection becomes stale because of no activity, which hampers the download. This means the ASA will still retain the TCP connection for that particular flow while the user application terminates. However, the TCP connections will become stray and eventually timeout after the TCP idle-timer expires.

This problem has been resolved by introducing a feature called Persistent IPSec Tunneled Flows. A new command has been integrated into the Cisco ASA to retain the state table information at the re-negotiation of the VPN tunnel.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113014-asa-userapp-vpntunnel.html

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout dialog box, data continues flowing successfully because the security appliance still has access to the state information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/vpn/asdm-78-vpn-config/vpn-asdm-setup.html#ID-2188-00000005

This article applies to Appian Cloud deployments that connect to a secondary DS over the VPN

Last Reviewed: July 2018

Tags: database, VPN