Stateless rules require anĮxplicit ingress security list rule for ICMP type 3 code 4 messages. The connections and automatically allows those messages. Need to ensure that your security list has an explicit rule to allow ICMP type 3Ĭode 4 messages because the Networking service tracks Stateful security list rules: If you're using stateful security list rules (for TCP, UDP, or ICMP traffic), you don't
See Encryption domains for policy-based tunnels for full details. The Oracle VPN headends use route-based tunnels, but can work with policy-based For more details about the appropriate configuration, contact your CPE vendor's Your CPE is configured to handle traffic coming from your VCN on any of the tunnels.įor example, you need to disable ICMP inspection, configure TCP state bypass, and so Multiple Tunnels If you have multiple tunnels up simultaneously, ensure that With policy-based configuration, you can configure only a single tunnel between yourĬisco ASA and your dynamic routing gateway (DRG). You upgrade to a software version that supports route-based configuration. For the best results, if your device allows it, Oracle recommends that The Cisco ASA does not support route-based configuration for software versions older To avoid interoperability issues and to achieve tunnel redundancy with a single CPE ConfigurationĬisco ASA: Policy Based: Oracle recommends using a route-based configuration
Maximum Transmission Unit (MTU): The standard internet MTU size is 1500 bytes.įor more information on how to determine your MTU please see Overview of MTU. For instructions, seeĬhanging the CPE IKE Identifier That Oracle Uses. Oracle expects the value to be either an IP address or a fully Provide the value either when you set up the IPSec connection, or later, by editing If you cannot, you must change the remote IKE ID in the Oracle Console to match your CPE's local IKE ID. Local IKE identifier: Some CPE platforms do not allow you to change the local If you want one IPSec connection as primary and another one as backup, configure more-specific routes for the primary connection and less-specific routes (or the default route of 0.0.0.0/0) on the backup connection. If both IPSec connections have only a default route (0.0.0.0/0) configured, traffic will route to either of those connections because Oracle uses asymmetric routing. Multiple IPSEC Connections: You can use two IPSec connections for redundancy. "IP SLA Configuration" in the Cisco ASA policy-based configuration template. For more information, see the section for Traffic running through the IPSec tunnels. CertainĬisco ASA versions require the SLA monitor to be configured, which keeps interesting Through the IPSec tunnels at all times if your CPE supports it. Times: In general, Oracle recommends having interesting traffic running
0 kommentar(er)
