

ASA Asymmetric Traffic Issue (TCP State Bypass)

Hi All,

I have traffic that flows the following way:

PC to Server (GW for PC is Core)

PC>Core>Server

Server to PC (GW for Server is ASA)

Server>ASA>Core>PC

Traffic is dropped and not reaching the server. After some investigation I noticed that the ASA is dropping the traffic because it is asymmetric.

I know that Cisco introduced a TCP State Bypass feature which allows this type of traffic flow

So I added the following config in the ASA:

Assuming PC:10.10.10.10 and Server: 20.20.20.20

and traffic is going in and out of inside interface

access-list tcp_bypass_test extended permit ip host 20.20.20.20 host 10.10.10.10
class-map tcp_bypass
 match access-list tcp_bypass_test
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface inside

I can see that the hit count is increasing for the ACL, but this is not working for some reason. Any idea how I can troubleshoot this further?

Thanks

8 REPLIES

ASA Asymmetric Traffic Issue (TCP State Bypass)

Hello Rami,

Do you already have the same-security-traffic permit intra-interface command?

What are the logs showing after you configured the TCP state bypass?

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

ASA Asymmetric Traffic Issue (TCP State Bypass)

Hi Julio,

Actually the same-security-traffic permit intra-interface is already configured; however, when going through some documents, I noticed that I need to do some NATing to make this work (hairpinning).

But it is still not clear to me why should I do NATing and for what.

Thanks

ASA Asymmetric Traffic Issue (TCP State Bypass)

Hello Rami,

Correct, but that is if you are configuring hairpinning; in this case we configured TCP state bypass.

With TCP state bypass the communication can be bidirectional; with the other option, the user directly connected to the ASA is the only one that can initiate the communication.

Hope this helps,

Regards,

Julio


Re: ASA Asymmetric Traffic Issue (TCP State Bypass)

Hi,

I'll try to collect some logs to see where the problem is.

Thanks


ASA Asymmetric Traffic Issue (TCP State Bypass)

Hello,

I am mostly getting the following errors:

%ASA-3-305006: regular translation creation failed for icmp src inside:20.20.20.20 dst inside:10.10.10.10 (type 0, code 0)

20.20.20.20: server

10.10.10.10: user

This happens while trying to ping from the user to the server.

ASA Asymmetric Traffic Issue (TCP State Bypass)

Hello Rami,

Please post the configuration, we can troubleshoot from there


Re: ASA Asymmetric Traffic Issue (TCP State Bypass)

Hi Julio,

Actually the problem appears to be related to NATing.

We have a global NATing for the servers

global (outside) 10 interface

nat (inside) 10 20.20.0.0 255.255.0.0

I tried adding a static NAT

static (inside,inside) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

Now I am able to communicate with the server (HTTP,...) but still cannot ping it.

But if we have a large subnet, do I have to do a static NAT for each server?

Re: ASA Asymmetric Traffic Issue (TCP State Bypass)

Hello Rami,

You can do the static with the whole subnet, that is not gonna cause any issues at all.

Regards,

Julio

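Added example (not code from the thread or from Cisco): a small Python triage script that parses the %ASA-3-305006 lines Rami quoted, flags the ones where source and destination interface are identical (the hairpin case behind this thread), and emits the whole-subnet identity static (inside,inside) line Julio suggests. The "/port" suffix on tcp/udp variants of the message, the sample lines and the /24 aggregation width are assumptions.

```python
import ipaddress
import re

# Constructed sample syslog lines shaped like the message quoted in the thread.
# The "/port" suffix on the tcp line is an assumption about the non-icmp format;
# the last line is a placeholder unrelated message that must be ignored.
SAMPLE_LOGS = [
    "%ASA-3-305006: regular translation creation failed for icmp src inside:20.20.20.20 dst inside:10.10.10.10 (type 0, code 0)",
    "%ASA-3-305006: regular translation creation failed for tcp src inside:20.20.20.21/80 dst inside:10.10.10.10/51234",
    "%ASA-3-305006: regular translation creation failed for tcp src dmz:172.16.5.5/443 dst outside:203.0.113.7/40000",
    "%ASA-6-999999: placeholder unrelated message",
]

XLATE_FAIL = re.compile(
    r"%ASA-3-305006: regular translation creation failed for (?P<proto>\w+) "
    r"src (?P<sifc>[\w-]+):(?P<sip>[\d.]+)(?:/\d+)? "
    r"dst (?P<difc>[\w-]+):(?P<dip>[\d.]+)(?:/\d+)?"
)


def parse_xlate_failures(lines):
    """Return one dict per 305006 event (proto, interfaces, addresses); other lines are skipped."""
    return [m.groupdict() for m in (XLATE_FAIL.search(l) for l in lines) if m]


def hairpin_failures(events):
    """Events whose src and dst interface match: the flow re-enters the interface it
    arrived on, and the dynamic nat/global pair has no (inside,inside) translation for it."""
    return [e for e in events if e["sifc"] == e["difc"]]


def identity_static_lines(events, prefixlen=24):
    """Pre-8.3 identity static lines covering the failing source hosts, one per
    interface/subnet, in the spirit of the whole-subnet suggestion in the thread.
    prefixlen is an assumed aggregation width; use 32 for per-host entries."""
    subnets = set()
    for e in hairpin_failures(events):
        net = ipaddress.ip_network(f"{e['sip']}/{prefixlen}", strict=False)
        subnets.add((e["sifc"], net))
    return [
        f"static ({ifc},{ifc}) {net.network_address} {net.network_address} netmask {net.netmask}"
        for ifc, net in sorted(subnets, key=lambda t: (t[0], t[1].network_address))
    ]


if __name__ == "__main__":
    events = parse_xlate_failures(SAMPLE_LOGS)
    print(f"{len(events)} translation failures, {len(hairpin_failures(events))} hairpin")
    for line in identity_static_lines(events):
        print(line)
```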