Cisco ASA remote access VPN with Riverbed mobile client

Posted on 2011-10-17
Last Modified: 2012-05-12
hello all,

Do you know if there is any limitation to using the Riverbed mobile client when our clients use remote access VPN through a Cisco ASA 5500? Clients use full IPSEC VPN client with Riverbed mobile client. The ASA has an IPS module installed.

it seems that since we moved the clients over from using a standard VPN concentrator to this new ASA that the Riverbed mobile client no longer accelerates traffic.

has anybody worked with this before?

thanks in advance.
Question by:L-Plate

    Expert Comment

    by:Istvan Kalmar

    Do you use ASA for the VPN server?

    Author Comment

    hi Ikalmar,

    yes, ASA 5510 is the VPN server for remote access VPN users. The ASA also has an AIP SSM IPS module installed.

    Expert Comment

    by:Istvan Kalmar

    The "sh ver" command tells the IPSEC limitation of the ASA, and "sh cry isa sa" tells how many connections are in use...

    Expert Comment

    by:Istvan Kalmar
    I think you need to use Riverbed for the VPN server to accelerate, or I advise using SSL VPN or TCP over IPsec.

    Author Comment

    output from show version.

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 750
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials        : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled

    This platform has an ASA 5520 VPN Plus license.

    Expert Comment

    Hi L,

    I use Riverbed Steelhead Mobile with a Cisco ASA 5510.  It works just fine.

    Two things to check:

    1)  From a client connected via VPN, please make sure you can ping the SM unit and your in-path Steelhead.
    2) Make sure the ASA is not stripping the probes from the RVBD traffic.

    Please tell me the error you see on the SM Client and I can help narrow this down for you.

    Author Comment

    hi Wdurrett,

    I will check later to see if I can get any exact error messages when working from home.

    We can successfully make the requested pings from the client connected to VPN. How would I check if the ASA is stripping the probes from the RB traffic?
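
Added example (not part of the original thread): one way to answer the question above is to capture the same SYN on the VPN client and again on the inside of the ASA, then compare which TCP option kinds survive. The sketch below parses raw TCP headers and flags a missing option in the 76-78 range that the accepted solution's tcp-map allows; the sample headers, ports and option payload are constructed.

```python
import struct

PROBE_KINDS = range(76, 79)  # option kinds 76-78, the range named in the tcp-map

def tcp_option_kinds(tcp_header):
    """Return the list of option kinds (NOP/EOL excluded) in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4        # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, kinds, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of Option List
            break
        if kind == 1:                              # NOP: single-byte padding
            i += 1
            continue
        # Every other option is kind, length, value; length covers all three.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        kinds.append(kind)
        i += opts[i + 1]
    return kinds

def probe_stripped(syn_at_client, syn_past_asa):
    """True if a 76-78 option sent by the client is absent past the firewall."""
    sent = {k for k in tcp_option_kinds(syn_at_client) if k in PROBE_KINDS}
    seen = {k for k in tcp_option_kinds(syn_past_asa) if k in PROBE_KINDS}
    return bool(sent - seen)

def _syn(options):
    """Build a constructed SYN header; ports, seq and window are sample values."""
    options += b"\x01" * (-len(options) % 4)       # pad options to 32 bits
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 445, 1, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
# Constructed samples: kind 76 with a dummy 8-byte payload, then the same SYN
# with that option overwritten by NOPs, as it might look past the firewall.
CLIENT_SYN = _syn(MSS + b"\x4c\x0a" + bytes(8))
INSIDE_SYN = _syn(MSS + b"\x01" * 10)

if __name__ == "__main__":
    print(tcp_option_kinds(CLIENT_SYN), tcp_option_kinds(INSIDE_SYN))
    print("probe stripped:", probe_stripped(CLIENT_SYN, INSIDE_SYN))
```
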

    Accepted Solution

    Here are the config instructions for your ASA.

    For Steelhead Mobile to work with Cisco VPN Client with ASA 5500 series, you have to either configure an in-path fixed-target rule in the acceleration policy (as described in the Steelhead Management Console User Guide), or execute the following commands to configure Cisco ASA to allow TCP options in traffic:

    ciscoasa# config t
    ciscoasa(config)# access-list TCP extended permit tcp any any
    ciscoasa(config)# tcp-map tmap
    ciscoasa(config)# tcp-options range 76 78 allow
    ciscoasa(config)# class-map cmap
    ciscoasa(config)# match access-list TCP
    ciscoasa(config)# policy-map pmap
    ciscoasa(config)# class cmap
    ciscoasa(config)# set connection advanced-options tmap
    ciscoasa(config)# service-policy pmap global

    More Information
    If you see the following error from the last command:

    ERROR: Policy map global_policy is already configured as a service policy

    Investigate the configuration options from the running configuration and you will see that global_policy is already defined as the service policy.

    Use these commands to fix this error:

    ciscoasa(config)# policy-map global_policy
    ciscoasa(config-global_policy)# class cmap
    ciscoasa(config-global_policy-c)# set connection advanced-options tmap

    With these commands, instead of defining a policy map called pmap, you modify and use the existing policy map which is called global_policy. You can delete the policy map you created earlier called pmap if you want.

    Interface-specific service-policy
    Besides the global service-policy, there might be another service-policy assigned to a specific interface. Often, a service-policy applies bandwidth shaping on the external interface.


    ! assign another service-policy to the external interface
    service-policy External-policy interface External

    These interface-specific policies strip TCP options and need the same class applied as the global service-policy.

    Note: A service-policy on an external interface strips TCP options even inside an IPsec tunnel.
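
Added example (not from the original answer, Cisco or Riverbed): a small audit that reads a saved running configuration and reports, for every applied service-policy, whether its policy-map references a tcp-map allowing options 76-78. This catches the interface-specific policy case described above. The sample configuration is constructed, and the parser assumes sub-commands are indented as in `show running-config` output.

```python
import re

def audit_service_policies(config):
    """Map each applied policy-map name to True if it sets a tcp-map that
    allows TCP options 76-78. Only the tcp-map reference is checked, not
    whether the class actually matches the VPN traffic."""
    allowing_tmaps, pmap_tmaps, applied = set(), {}, []
    section = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # unindented line opens a new section
            m = re.match(r"(tcp-map|policy-map|service-policy)\s+(\S+)", line)
            section, name = (m.group(1), m.group(2)) if m else (None, None)
            if section == "policy-map":
                pmap_tmaps.setdefault(name, set())
            elif section == "service-policy":
                applied.append(name)
        elif section == "tcp-map":
            m = re.match(r"tcp-options range (\d+) (\d+) allow$", line)
            if m and int(m.group(1)) <= 76 and int(m.group(2)) >= 78:
                allowing_tmaps.add(name)
        elif section == "policy-map":
            m = re.match(r"set connection advanced-options (\S+)", line)
            if m:
                pmap_tmaps[name].add(m.group(1))
    return {p: bool(pmap_tmaps.get(p, set()) & allowing_tmaps) for p in applied}

# Constructed sample: the global policy carries the tcp-map, the interface
# policy (a shaping policy, as in the answer's example) does not.
SAMPLE_CONFIG = """\
tcp-map tmap
 tcp-options range 76 78 allow
!
class-map cmap
 match access-list TCP
!
policy-map global_policy
 class cmap
  set connection advanced-options tmap
policy-map External-policy
 class class-default
  shape average 2000000
!
service-policy global_policy global
service-policy External-policy interface External
"""

if __name__ == "__main__":
    for pmap, ok in audit_service_policies(SAMPLE_CONFIG).items():
        print(pmap, "allows 76-78" if ok else "MISSING tcp-map for options 76-78")
```
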

    Author Comment

    hi wdurrett,

    awesome explanation my friend, this has helped me a lot!

    thank you.
