
ASA 8.0(4) and TCP State Bypass

I run a number of 5510 and 5520 ASAs and it will be a while longer until I can get the memory to upgrade them to 8.3.  In the meantime I am trying to understand the behavior under 8.0(4).

If I have a TCP timeout of 20 minutes and a socket has been silent for over 20 minutes, yet is not dropped on either of the endpoints, will the next data packet that is sent on the socket be quietly discarded, or will it be allowed through even though there is no established connection in the session table?

I understand that starting with 8.2 you can configure TCP State Bypass and a new session will be established even if the first packet of the new session is not a SYN.  But what happens in that kind of situation in 8.0?  I do not see drops in the firewall logs.

Thanks

Joerg Grau


Re: ASA 8.0(4) and TCP State Bypass

If the connection has been removed from the ASAs connection table, then when either host sends a TCP packet, the following syslog message should be logged:

   %ASA-6-106015: Deny TCP (no connection)...

Prior to introducing tcp state-bypass, you could use the 'nailed' option at the end of the static (Note: you also need to enable norandomseq on the static and failover timeout -1)  - which also implements tcp state-bypass.

Please let us know if this answered your question.


Sincerely,


David.
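The 106015 message David points to is the thing to search for when deciding which hosts are affected. As an added example (not from the thread and not Cisco code), the following Python parses constructed sample syslog lines in the 106015 format, separates mid-stream segments (ACK set, SYN clear: a conversation the ASA has already aged out or never saw the SYN for) from unrelated denies such as stray resets, and reports which inside hosts keep hitting the message; those are the candidates for a 'nailed' static on 8.0 or tcp-state-bypass on 8.2+. The log lines, addresses, the interface name `inside` and the threshold of two hits are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread); the 106015
# lines follow the format the ASA uses for "Deny TCP (no connection)".
# One 302013 line is mixed in to show that other message IDs are skipped.
SAMPLE_LOGS = """\
Mar 12 10:01:02 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.2/3389 to 172.16.20.5/51422 flags ACK  on interface inside
Mar 12 10:01:03 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.2/3389 to 172.16.20.5/51422 flags PSH ACK  on interface inside
Mar 12 10:01:05 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:172.16.20.9/44000 (172.16.20.9/44000) to inside:10.10.10.7/443 (172.16.10.7/443)
Mar 12 10:01:09 fw1 %ASA-6-106015: Deny TCP (no connection) from 172.16.20.8/55010 to 10.10.10.2/22 flags RST  on interface outside
Mar 12 10:01:30 fw1 %ASA-6-106015: Deny TCP (no connection) from 10.10.10.2/3389 to 172.16.20.5/51422 flags FIN ACK  on interface inside
"""

# Fields of a 106015 line: source/port, destination/port, TCP flags, and the
# interface the segment arrived on.
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)


def parse_denies(text):
    """Extract every 106015 event from a syslog dump; other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        ev["flags"] = frozenset(ev["flags"].split())
        events.append(ev)
    return events


def is_midstream(flags):
    """ACK without SYN: a segment of a conversation the ASA has no entry for,
    either because the idle timeout removed it or because the SYN went around
    the firewall (asymmetric routing). A bare RST or SYN is a different case
    (late reset, scan) and should not drive a bypass decision."""
    return "ACK" in flags and "SYN" not in flags


def stale_flows(events, threshold=2):
    """Group mid-stream denies by 4-tuple plus ingress interface and keep the
    flows that hit the message at least `threshold` times (threshold is an
    arbitrary choice for the example)."""
    counts = Counter()
    for ev in events:
        if is_midstream(ev["flags"]):
            key = (ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["iface"])
            counts[key] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def bypass_candidates(events, inside_iface="inside"):
    """Inside hosts whose traffic keeps arriving mid-stream. These are the hosts
    a 'nailed' static (8.0) or tcp-state-bypass (8.2+) would cover. The
    interface name is an assumption for this example."""
    hosts = Counter()
    for ev in events:
        if ev["iface"] == inside_iface and is_midstream(ev["flags"]):
            hosts[ev["src"]] += 1
    return dict(hosts)


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOGS)
    print(f"{len(evs)} x 106015 seen")
    for flow, n in stale_flows(evs).items():
        print(f"  {n} mid-stream denies for {flow}")
    print("bypass candidates:", bypass_candidates(evs))
```

Point it at a real syslog export from the ASA; the message is severity 6, so the logging level on the box has to be at least informational for it to appear at all. The RST line from the outside is deliberately not counted: a reset arriving for a flow the firewall has forgotten is expected and is not evidence that a host needs state bypass.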


Re: ASA 8.0(4) and TCP State Bypass

Hi David.

I have the same problem because I have some traffic that comes from a second gateway inside the network. I'm receiving the %ASA-6-106015 messages.

Can you explain to me in more detail how to implement this 'nailed' and norandomseq so that it works as the tcp state-bypass alternative?

Thanks for your time.

Paulo Pereira


Re: ASA 8.0(4) and TCP State Bypass

Hi Paulo,

How about an example...

    static (inside,outside) 172.16.10.3 10.10.10.2 netmask 255.255.255.255 0 0 norandomseq,nailed
    failover timeout -1

The above will implement tcp-state-bypass for the internal host 10.10.10.2 (which happens to be translated to 172.16.10.3 on the outside).

Sincerely,


David.
