
ASA 8.0(4) and TCP State Bypass

joerggrau (Level 1)

I run a number of 5510 and 5520 ASAs and it will be a while longer until I can get the memory to upgrade them to 8.3.  In the meantime I am trying to understand the behavior under 8.0(4).

If I have a TCP timeout of 20 minutes and a socket has been silent for over 20 minutes, yet is not dropped on either of the end points, will the next data packet that is sent on the socket be quietly discarded or will it be allowed through, even though there is no established connection in the session table?

I understand that starting with 8.2 you can configure TCP State Bypass and a new session will be established even if the first packet of the new session is not a SYN.  But what happens in that kind of situation in 8.0?  I do not see drops in the firewall logs.

Thanks

Joerg Grau

3 Replies

David White (Cisco Employee)

If the connection has been removed from the ASAs connection table, then when either host sends a TCP packet, the following syslog message should be logged:

   %ASA-6-106015: Deny TCP (no connection)...

Prior to introducing tcp state-bypass, you could use the 'nailed' option at the end of the static (Note: you also need to enable norandomseq on the static and failover timeout -1)  - which also implements tcp state-bypass.

Please let us know if this answered your question.


Sincerely,


David.
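As an added example (not part of this thread or of any Cisco tooling): a small Python triage script for the %ASA-6-106015 "Deny TCP (no connection)" syslog lines David mentions. It parses the message body, merges both directions of a conversation so you can see which host pairs keep getting denied mid-stream (ACK with no SYN, the symptom of an expired idle connection or asymmetric routing) versus during tear-down (FIN/RST), and then renders the 8.2+ tcp-state-bypass MPF configuration for those pairs. The sample log lines are constructed, the hosts and ports are made up, and the ACL, class-map and policy-map names are hypothetical; the `set connection advanced-options tcp-state-bypass` keywords are the documented ASA 8.2 ones.

```python
import re
from collections import Counter

# Constructed sample syslog lines (hosts, ports and timestamps are made up
# for this example) in the %ASA-6-106015 format quoted in the thread, mixed
# with one unrelated %ASA-6-302013 line that the parser should ignore.
SAMPLE_LOGS = """\
Mar  1 10:00:01 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.2/1521 to 192.168.5.20/49152 flags PSH ACK  on interface inside
Mar  1 10:00:03 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.2/1521 to 192.168.5.20/49152 flags ACK  on interface inside
Mar  1 10:00:05 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.5.21/50000 (192.168.5.21/50000) to inside:10.10.10.9/80 (172.16.10.9/80)
Mar  1 10:00:07 fw1 %ASA-6-106015: Deny TCP (no connection) from 192.168.5.20/49152 to 10.10.10.2/1521 flags ACK  on interface outside
Mar  1 10:00:09 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.7/22 to 192.168.5.30/40000 flags FIN ACK  on interface inside
"""

# One regex for the 106015 body. The syslog prefix in front of "%ASA" varies
# by collector, so the pattern is searched for rather than anchored.
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def parse_no_connection_denies(text):
    """Return one dict per %ASA-6-106015 line; other syslog IDs are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["flags"] = rec["flags"].split()
        records.append(rec)
    return records


def flow_key(rec):
    """Direction-agnostic key so both halves of a conversation count together."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return tuple(sorted((a, b)))


def summarize_denies(records):
    """Count denies per conversation (both directions merged) and classify the
    dropped segments as mid-stream (no FIN/RST) or tear-down (FIN or RST)."""
    counts = Counter()
    kinds = {}
    for rec in records:
        key = flow_key(rec)
        counts[key] += 1
        kind = "teardown" if set(rec["flags"]) & {"FIN", "RST"} else "midstream"
        kinds.setdefault(key, set()).add(kind)
    return [
        {"endpoints": key, "denies": n, "kinds": sorted(kinds[key])}
        for key, n in counts.most_common()
    ]


def host_pairs_needing_bypass(summary, min_denies=2):
    """Host pairs whose conversations are repeatedly denied mid-stream: the
    candidates for a 'nailed' static on 8.0 or a tcp-state-bypass class on 8.2+."""
    pairs = set()
    for item in summary:
        if item["denies"] >= min_denies and "midstream" in item["kinds"]:
            (ip_a, _), (ip_b, _) = item["endpoints"]
            pairs.add(tuple(sorted((ip_a, ip_b))))
    return sorted(pairs)


def tcp_state_bypass_config(pairs, acl_name="tcp_bypass", interface="inside"):
    """Render the ASA 8.2+ MPF configuration for the given host pairs.
    ACL/class/policy names are hypothetical; narrow the ACL to the ports you
    actually need before applying it, since bypassed flows skip TCP state checks."""
    lines = []
    for ip_a, ip_b in pairs:
        lines.append(f"access-list {acl_name} extended permit tcp host {ip_a} host {ip_b}")
        lines.append(f"access-list {acl_name} extended permit tcp host {ip_b} host {ip_a}")
    lines += [
        f"class-map {acl_name}",
        f" match access-list {acl_name}",
        f"policy-map {acl_name}_policy",
        f" class {acl_name}",
        "  set connection advanced-options tcp-state-bypass",
        f"service-policy {acl_name}_policy interface {interface}",
    ]
    return lines


if __name__ == "__main__":
    summary = summarize_denies(parse_no_connection_denies(SAMPLE_LOGS))
    for item in summary:
        print(item)
    print("\n".join(tcp_state_bypass_config(host_pairs_needing_bypass(summary))))
```

Feed it a real `show logging` capture or a syslog export to find the host pairs behind the 106015 noise; the tear-down denies are normal and need no bypass, while the mid-stream ones are the ones worth a `nailed` static on 8.0 or the generated class on 8.2+.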

Hi David.

I have the same problem because I have some traffic that comes from a second gateway inside the network. I'm receiving the %ASA-6-106015 messages.

Can you explain to me better how this 'nailed' and norandomseq work to implement the tcp state-bypass alternative?

Thanks for your time.

Paulo Pereira

Hi Paulo,

How about an example...

    static (inside,outside) 172.16.10.3 10.10.10.2 netmask 255.255.255.255 0 0 norandomseq,nailed
    failover timeout -1

The above will implement tcp-state-bypass for the internal host 10.10.10.2 (which happens to be translated to 172.16.10.3 on the outside).

Sincerely,


David.
