Cisco ASA remote access VPN with Riverbed mobile client

Posted on 2011-10-17
Medium Priority
Last Modified: 2012-05-12
hello all,

do you know if there is any limitation to using the Riverbed mobile client when our clients use remote access VPN through a Cisco ASA 5500? Clients use full IPSEC VPN client with Riverbed mobile client.. The ASA has an IPS module installed.

it seems that since we moved the clients over from using a standard VPN concentrator to this new ASA that the Riverbed mobile client no longer accelerates traffic.

has anybody worked with this before?

thanks in advance.
Question by:L-Plate
  • 4
  • 3
  • 2
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 36978065

Do you use ASA for the VPN server?

Author Comment

ID: 36978161
hi Ikalmar,

yes, ASA 5510 is the VPN server for remote access VPN users. The ASA also has an AIP SSM IPS module installed.
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 36978313

the "sh ver command" tells the IPSEC limitation of the ASA, and "sh cry isa sa" tells how many connections using...
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 36978317
I think you ned to use riverbed for vpn server to accerate, or I advise to use SSL vpn or TCP over ipsec..

Author Comment

ID: 36978438
output from show version.

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.
LVL 10

Expert Comment

ID: 36979462
HI L,.

I use Riverbed Steelhead Mobile with a Cisco ASA 5510.  It works just fine.

Two things to check:

1)  From a client connected via VPN, please make sure you can ping the SM unit and your in-path Steelhead.
2) Make sure the ASA is not stripping the probes from the RVBD traffic.

Please tell em the error you see on the SM Client and I can help narrow this down for you.

Author Comment

ID: 36985490
hi Wdurrett,

i will check later to see if i can get any exact error messages when working from home.

we can successfully make the requested pings from the client connected to VPN. How would i check if the ASA is stripping the probes from the RB traffic?
LVL 10

Accepted Solution

wdurrett earned 2000 total points
ID: 36996456
Here are the config instructions for your ASA.

For Steelhead Mobile to work with Cisco VPN Client with ASA 5500 series, you have to either configure an in-path fixed-target rule in the acceleration policy (as described in the Steelhead Management Console User Guide), or execute the following commands to configure Cisco ASA to allow TCP options in traffic:

ciscoasa# config t
ciscoasa(config)# access-list TCP extended permit tcp any any
ciscoasa(config)# tcp-map tmap
ciscoasa(config)# tcp-options range 76 78 allow
ciscoasa(config)# class-map cmap
ciscoasa(config)# match access-list TCP
ciscoasa(config)# policy-map pmap
ciscoasa(config)# class cmap
ciscoasa(config)# set connection advanced-options tmap
ciscoasa(config)# service-policy pmap global

More Information
If you see the following error from the last command:

ERROR: Policy map global_policy is already configured as a service policy

Investigate the configuration options from the running configuration and you will see that global_policy is already defined as the service policy.

Use these commands to fix this error:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-global_policy)# class cmap
ciscoasa(config-global_policy-c)# set connection advanced-options tmap

With these commands, instead of defining a policy map called pmap, you modify and use the existing policy map which is called global_policy. You can delete the policy map you created earlier called pmap if you want.

Interface-specific service-policy
Beside the global service-policy, there might be another service-policy assigned to a specific interface. Often, a service-policy applies bandwidth shaping on the external interface.


! assign another service-policy to the external interface
service-policy External-policy interface External

These interface-specific policies strip TCP options and need the same class applied as the global service-policy.

Note: A service-policy on an external interface strips TCP options even inside an IPsec tunnel.

Author Comment

ID: 36999445
hi wdurrett,

awesome explanation my friend, this has helped me a lot!

thank -you.

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question