Cisco ASA remote access VPN with Riverbed mobile client

hello all,

do you know if there is any limitation to using the Riverbed mobile client when our clients use remote access VPN through a Cisco ASA 5500? Clients use full IPSEC VPN client with Riverbed mobile client.. The ASA has an IPS module installed.

it seems that since we moved the clients over from using a standard VPN concentrator to this new ASA that the Riverbed mobile client no longer accelerates traffic.

has anybody worked with this before?

thanks in advance.
Who is Participating?
wdurrettConnect With a Mentor Commented:
Here are the config instructions for your ASA.

For Steelhead Mobile to work with Cisco VPN Client with ASA 5500 series, you have to either configure an in-path fixed-target rule in the acceleration policy (as described in the Steelhead Management Console User Guide), or execute the following commands to configure Cisco ASA to allow TCP options in traffic:

ciscoasa# config t
ciscoasa(config)# access-list TCP extended permit tcp any any
ciscoasa(config)# tcp-map tmap
ciscoasa(config)# tcp-options range 76 78 allow
ciscoasa(config)# class-map cmap
ciscoasa(config)# match access-list TCP
ciscoasa(config)# policy-map pmap
ciscoasa(config)# class cmap
ciscoasa(config)# set connection advanced-options tmap
ciscoasa(config)# service-policy pmap global

More Information
If you see the following error from the last command:

ERROR: Policy map global_policy is already configured as a service policy

Investigate the configuration options from the running configuration and you will see that global_policy is already defined as the service policy.

Use these commands to fix this error:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-global_policy)# class cmap
ciscoasa(config-global_policy-c)# set connection advanced-options tmap

With these commands, instead of defining a policy map called pmap, you modify and use the existing policy map which is called global_policy. You can delete the policy map you created earlier called pmap if you want.

Interface-specific service-policy
Beside the global service-policy, there might be another service-policy assigned to a specific interface. Often, a service-policy applies bandwidth shaping on the external interface.


! assign another service-policy to the external interface
service-policy External-policy interface External

These interface-specific policies strip TCP options and need the same class applied as the global service-policy.

Note: A service-policy on an external interface strips TCP options even inside an IPsec tunnel.
Istvan KalmarHead of IT Security Division Commented:

Do you use ASA for the VPN server?
L-PlateAuthor Commented:
hi Ikalmar,

yes, ASA 5510 is the VPN server for remote access VPN users. The ASA also has an AIP SSM IPS module installed.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Istvan KalmarHead of IT Security Division Commented:

the "sh ver command" tells the IPSEC limitation of the ASA, and "sh cry isa sa" tells how many connections using...
Istvan KalmarHead of IT Security Division Commented:
I think you ned to use riverbed for vpn server to accerate, or I advise to use SSL vpn or TCP over ipsec..
L-PlateAuthor Commented:
output from show version.

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.
HI L,.

I use Riverbed Steelhead Mobile with a Cisco ASA 5510.  It works just fine.

Two things to check:

1)  From a client connected via VPN, please make sure you can ping the SM unit and your in-path Steelhead.
2) Make sure the ASA is not stripping the probes from the RVBD traffic.

Please tell em the error you see on the SM Client and I can help narrow this down for you.
L-PlateAuthor Commented:
hi Wdurrett,

i will check later to see if i can get any exact error messages when working from home.

we can successfully make the requested pings from the client connected to VPN. How would i check if the ASA is stripping the probes from the RB traffic?
L-PlateAuthor Commented:
hi wdurrett,

awesome explanation my friend, this has helped me a lot!

thank -you.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.