Allowing Riverbed Option Sets

Hello-

I've created a policy map to allow TCP probe options 76 - 78 on the ASA Firewall for our Riverbed appliance. 

Here is the setup:

access-list tcp-traffic line 1 extended permit tcp any any

class-map tcp-traffic
 match access-list tcp-traffic

tcp-map allow-probes
 tcp-options range 76 78 allow

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ils
  inspect dns preset_dns_map
 class tcp-traffic
  set connection random-sequence-number disable
  set connection advanced-options allow-probes

show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 87626, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 1, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: netbios, packet 2155, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: rtsp, packet 350078, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: sip , packet 2470, drop 0, reset-drop 0, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: ils, packet 190, drop 0, reset-drop 0, v6-fail-close 0
      Inspect: dns preset_dns_map, packet 19969072, drop 31696, reset-drop 0, v6-fail-close 0
    Class-map: tcp-traffic
      Set connection policy: random-sequence-number disable
        drop 0
      Set connection advanced-options: allow-probes
        Retransmission drops: 0                   TCP checksum drops : 0
        Exceeded MSS drops  : 0                   SYN with data drops: 0
        Invalid ACK drops   : 473                 SYN-ACK with data drops: 0
        Out-of-order (OoO) packets : 79504708     OoO no buffer drops: 206534
        OoO buffer timeout drops : 2590886        SEQ past window drops: 61463
        Reserved bit cleared: 0                   Reserved bit drops : 0
        IP TTL modified     : 0                   Urgent flag cleared: 0
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 17               Timestamp cleared  : 130
          Window scale cleared : 1
          Other options cleared: 1060
            Opt 30: 792         Opt 38: 212         Opt 76: 56

          Other options drops: 0

Why am I seeing opt 76 showing up with a hit count of 56? I know most of the traffic is being optimized, but some of it is showing in the Riverbed logs as being filtered on the option set. Some of the packets are being reset. Opt 30 and 38 are not specified in the policy, so I understand them being here. Can someone confirm my policy setup is correct?

ASA Software Version 9.1(4)

Thanks in advance. 

John
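An added example, not part of John's post or of any Cisco tooling: a small Python helper that reads the tcp-map from the configuration and the "Other options cleared" counters from the `show service-policy` output, then reports any TCP option kind that the tcp-map allows but the ASA counters still show as cleared. That is exactly the discrepancy the question raises (option 76 is allowed by `allow-probes` yet appears under "Other options cleared"), so running this against fresh output after a policy change gives a quick yes/no on whether the allow is taking effect. The sample strings are copied from the post; the function names and the simple in-order handling of overlapping allow/clear ranges are my own assumptions, not ASA semantics.

```python
import re

# Constructed sample input: the tcp-map from the post and the TCP-options
# counter lines from its "show service-policy" output, copied as posted.
SAMPLE_TCP_MAP = """
tcp-map allow-probes
 tcp-options range 76 78 allow
"""

SAMPLE_SHOW_OUTPUT = """
        TCP-options:
          Selective ACK cleared: 17               Timestamp cleared  : 130
          Window scale cleared : 1
          Other options cleared: 1060
            Opt 30: 792         Opt 38: 212         Opt 76: 56

          Other options drops: 0
"""

# Only the "tcp-options range <low> <high> allow|clear" form is parsed,
# which is the form used in the post.
RANGE_RE = re.compile(r"tcp-options\s+range\s+(\d+)\s+(\d+)\s+(allow|clear)")
OPT_RE = re.compile(r"Opt\s+(\d+):\s+(\d+)")


def parse_tcp_map(text):
    """Return the set of numeric TCP option kinds the tcp-map allows.

    Ranges are applied in the order listed (assumption made for this
    helper; the ASA's own precedence rules are not modelled here).
    """
    allowed = set()
    for low, high, action in RANGE_RE.findall(text):
        kinds = set(range(int(low), int(high) + 1))
        if action == "allow":
            allowed |= kinds
        else:
            allowed -= kinds
    return allowed


def parse_cleared_counters(text):
    """Return {option_kind: cleared_count} from the per-option lines that
    follow "Other options cleared" in show service-policy output."""
    cleared = {}
    in_section = False
    for line in text.splitlines():
        if "Other options cleared" in line:
            in_section = True
            continue
        if "Other options drops" in line:
            break
        if in_section:
            for kind, count in OPT_RE.findall(line):
                cleared[int(kind)] = cleared.get(int(kind), 0) + int(count)
    return cleared


def allowed_but_cleared(tcp_map_text, show_text):
    """Option kinds the tcp-map allows yet the counters show as cleared.

    A non-empty result means the ASA is still stripping an option the
    policy was meant to pass, so the class-map match and policy placement
    for that traffic deserve a closer look.
    """
    allowed = parse_tcp_map(tcp_map_text)
    cleared = parse_cleared_counters(show_text)
    return {kind: n for kind, n in cleared.items() if kind in allowed}


if __name__ == "__main__":
    # Usage on the posted sample: reports {76: 56}
    print("allowed by tcp-map:", sorted(parse_tcp_map(SAMPLE_TCP_MAP)))
    print("cleared counters  :", parse_cleared_counters(SAMPLE_SHOW_OUTPUT))
    print("allowed but cleared:", allowed_but_cleared(SAMPLE_TCP_MAP, SAMPLE_SHOW_OUTPUT))
```

Options 30 and 38 are reported as cleared but not flagged, since the tcp-map never allows them, which matches the expectation stated in the post; only option 76 comes back as allowed-but-cleared.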