I run a number of 5510 and 5520 ASAs and it will be a while longer until I can get the memory to upgrade them to 8.3. In the meantime I am trying to understand the behavior under 8.0(4).
If I have a TCP timeout of 20 minutes and a socket has been silent for over 20 minutes, yet is not dropped on either of the end points, will the next data packet that is sent on the socket be quietly discarded, or will it be allowed through, even though there is no established connection in the session table?
I understand that starting with 8.2 you can configure TCP State Bypass and a new session will be established even if the first packet of the new session is not a SYN. But what happens in that kind of situation in 8.0? I do not see drops in the firewall logs.
If the connection has been removed from the ASA's connection table, then when either host sends a TCP packet, the following syslog message should be logged:
%ASA-6-106015: Deny TCP (no connection)...
Prior to the introduction of TCP state bypass, you could use the 'nailed' option at the end of the static command (note: you also need to enable norandomseq on the static and configure failover timeout -1), which also implements TCP state bypass.
Please let us know if this answered your question.
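The two configurations discussed in the thread side by side, as an added example that is not part of the original post or of Cisco's documentation. The interface names, the 192.0.2.10 / 10.1.1.10 addresses, the access-list name and the 20-minute idle timer are assumptions chosen for illustration; only the keywords (timeout conn, static ... norandomseq nailed, failover timeout -1, set connection advanced-options tcp-state-bypass) are the real ASA syntax. The first block is what you can do on 8.0(4); the second is the 8.2+ equivalent, so you can see what the nailed static is standing in for.

```cisco
! --- ASA 8.0(4): idle TCP connections are torn down after 20 minutes ---
! (assumed timer; the default is 1:00:00). Once a connection is gone, a
! non-SYN packet on that 5-tuple is dropped and logged as
! %ASA-6-106015: Deny TCP (no connection) ...
timeout conn 0:20:00

! Per-host static NAT for the long-lived server, marked 'nailed' so that
! traffic matching it is not subject to TCP state checking. 'norandomseq'
! is required because the ASA can no longer track the sequence offset for
! a flow it did not see from the SYN. 192.0.2.10 (outside) and 10.1.1.10
! (inside) are assumed addresses.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 norandomseq nailed

! Required alongside 'nailed': nailed connections are never timed out
! after a failover, so the state-bypassed flow survives a unit switch.
failover timeout -1

! --- ASA 8.2+: the same effect with TCP state bypass, applied only to ---
! the flows that need it (assumed ACL name 'tcp_bypass' and class/policy
! names). Keep the scope narrow: bypassed flows get no SYN check and no
! TCP normalizer, so do not apply this to the whole interface.
access-list tcp_bypass extended permit tcp any host 10.1.1.10 eq 443
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside
```

A quick check that the 8.0 theory holds on your box: enable logging at informational level (logging buffered informational), let a test session sit idle past the timeout conn value, send one byte on it, and look for the 106015 message in show logging. If it does not appear, the connection was not actually removed (compare show conn for the 5-tuple before sending), which usually means a different, longer timer applies to that flow than the global timeout conn.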