Cisco ASA 9.1(2) TCP State bypass

Hi Guys,

I have two ASA firewalls at two separate locations, both running in multi-context mode (an Internal context and an External context), and I have configured TCP State Bypass on both the internal and external interfaces to accommodate asymmetric routing. Everything I have read from Cisco and elsewhere seems to suggest this will work, but at the moment it doesn't.

What i see is as follows,

A TCP SYN is sent from the source device out through Firewall A Internal context, through Firewall A External context, to the destination device.

The TCP SYN/ACK is received from the destination device at Firewall B External context and is dropped (deny no connection......).

The configuration I have applied is as per the Cisco documentation, apart from my access list, which is ip any any:

hostname(config)# access-list tcp_bypass extended permit ip any any

hostname(config)# class-map tcp_bypass

hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"

hostname(config-cmap)# match access-list tcp_bypass

hostname(config-cmap)# policy-map tcp_bypass_policy

hostname(config-pmap)# class tcp_bypass

hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass

hostname(config-pmap-c)# service-policy tcp_bypass_policy interface outside

So, should this work? Should Firewall B External context just enforce the TCP State Bypass policy, or is my understanding of this feature wrong?

Thanks

Neil

Cisco ASA 9.1(2) TCP State bypass

I believe the issue is with your ACL. I had a similar issue, not with TCP Bypass but with allowing return traffic based on the state table. The problem was that when using permit ip any any, the ASA did not track the state. So give it a try by changing the ACL to:

access-list tcp_bypass extended permit tcp any any eq 80

And then test. The unfortunate thing with this is that you need to specify all the TCP and UDP ports, but you can do that with an object group. Just a hassle the first time you do it, but much easier to manage.

Of course you don't have to use port 80; it is just an example.

--

Please rate all helpful posts


Cisco ASA 9.1(2) TCP State bypass

Thanks for the reply Marius,

I did have a quick tinker with this earlier, but I will try some variations of the above.

Thanks

Neil

Cisco ASA 9.1(2) TCP State bypass


If you do this:

access-list tcp_bypass extended permit ip any any

You will kill the ASA's resources at a certain point; you need to be specific. The reason you kill the device is that timeouts are ignored.

Also, you need to check the logs to see if this is being applied or the ASA is indicating some sort of failure; set up captures and look at how traffic is flowing.

Value our effort and rate the assistance!


Cisco ASA 9.1(2) TCP State bypass

Thanks guys, will rate once I have tried the suggestions.

Cisco ASA 9.1(2) TCP State bypass

Hi All,

Just wanted to give an update on the above.

The TCP State Bypass feature was indeed working as configured; the packets were being dropped with the message "no connection SYN/ACK" because there was not a corresponding rule to allow the traffic. This is rather annoying because the deny message is not the message I would have expected to see.

Sometimes you have too many rules and you can't see the wood for the trees....

Anyhow, I tightened up the match ACL to the specific traffic and added the rules required. Also, don't forget that SYN/ACKs reverse the source and destination ports, so you need to ensure your rules take this into consideration.

Thanks again for your input.

Neil
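The following is an added example, not configuration from the original thread or from Cisco. It pulls together the three points made above: the bypass class-map should match the specific asymmetric flows rather than ip any any, the policy has to be applied on every interface (in every context) where either direction of the flow can arrive, and TCP state bypass does not skip the interface ACL, so the SYN/ACK that lands on the context which never saw the SYN must be permitted by that interface's inbound ACL with source and destination (and ports) reversed. Addresses (clients 10.1.1.0/24 behind Firewall A, server 192.0.2.10 on TCP/443), interface names and ACL names are assumptions chosen for illustration; this is one context's configuration and the same policy must be repeated in the other contexts on the asymmetric path.

```cisco
! Added example (not from the original thread). Assumed: clients 10.1.1.0/24,
! server 192.0.2.10 on TCP/443, interfaces "inside" and "outside".

! 1. Scope the bypass class to the asymmetric flows only, in BOTH directions,
!    instead of "permit ip any any". Source port "eq 443" matches the SYN/ACK.
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 443
access-list tcp_bypass extended permit tcp host 192.0.2.10 eq 443 10.1.1.0 255.255.255.0

class-map tcp_bypass
 description "TCP traffic that bypasses stateful inspection (asymmetric path)"
 match access-list tcp_bypass

policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

! Apply on each interface where either direction of the flow can arrive.
service-policy tcp_bypass_policy interface inside
service-policy tcp_bypass_policy interface outside

! 2. Bypass does not skip the interface ACL. On the context that never saw the
!    SYN, the SYN/ACK is evaluated as a new packet from 192.0.2.10:443 to the
!    client's ephemeral port, so the inbound ACL on "outside" must permit it.
access-list outside_in extended permit tcp host 192.0.2.10 eq 443 10.1.1.0 255.255.255.0
access-group outside_in in interface outside

! Forward direction on "inside" as usual.
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 443
access-group inside_in in interface inside
```

An ASA accepts only one interface service policy per interface, so if "inside" or "outside" already carries a policy-map, add the tcp_bypass class to that policy-map instead of binding a second one. Keep the bypass ACL as narrow as possible: every flow it matches loses the SYN check and TCP normalization, so a broad match turns the firewall into a packet filter for that traffic.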
