topic That is what out thoughts in Network Security

ASA TCP Bypass feature not functioning

bjamesdowning — Tue, 12 Mar 2019 08:05:38 GMT

Hello,

I am attempting to configure TCP-Bypass for a specific subset of traffic on an ASAv running Software Version 9.5(2)204. I have configured an ACL to match the source and destination specifically, set up a class map to reference the ACL, attached the class map to the default global policy with the 'set connection advanced-options tcp-state-bypass.' When generating the targeted traffic and issuing a 'show conn' no connection display a lowercase 'b' to indicate TCP bypass has been initiated. Additionally, when running a packet-tracer command, the traffic continues to fall back to the class-default regardless of how broad/specific the Class-Map ACL is. Below contains the ACL, Class-Map, and Policy-Map configs, as well as the ACL hit count, and output of the packet-tracer. The end result of the packet tracer is 'allow,' I just posted it to display the traffic hitting the default class rather than TEST_MAP.

ACL:

access-list TEST_ACL line 1 extended permit tcp host 1.1.1.1 any4 eq 1433
access-list TEST_ACL line 2 extended permit tcp host 1.1.1.1 any4 eq 1434
access-list TEST_ACL line 3 extended permit tcp host 1.1.1.1 any4 eq 9053

CLASS-MAP:

class-map TEST_MAP
match access-list TEST_ACL

POLICY-MAP:

policy-map global_policy
class inspection_default
inspect snmp
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dcerpc
inspect icmp
class TEST_MAP
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
class class-default
set connection timeout dcd

SERVICE-POLICY

service-policy global_policy global

PACKET-TRACER

packet-tracer input INTERNAL_TEST tcp 1.1.1.1 5764 2.2.2.2 1433 detailed

//relevant output:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection timeout idle 1193:00:00 dcd 0:00:15 5 embryonic 0:00:30 half-closed 0:10:00
DCD: enabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f663aa4c530, priority=7, domain=conn-set, deny=false
hits=17828, user_data=0x7f662417a3e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INTERNAL_TEST, output_ifc=any

No hits on ACL when actual traffic is generated:

access-list TEST_ACL; 3 elements; name hash: 0x4a5798e5
access-list TEST_ACL line 1 extended permit tcp host 1.1.1.1 any4 eq 1433 (hitcnt=0)
access-list TEST_ACL line 2 extended permit tcp host 1.1.1.1 any4 eq 1434 (hitcnt=0)
access-list TEST_ACL line 3 extended permit tcp host 1.1.1.1 any4 eq 9053 (hitcnt=0)

Hello,

Cristian Nilsson — Fri, 05 Aug 2016 11:45:39 GMT

Hello,

Could you proved output of:

show service-policy

And also test this:

service-policy TEST_MAP interface <INTERFACE>

//Cristian

Hi,

kvaldelo — Fri, 05 Aug 2016 20:19:33 GMT

Hi,

Remember you need to clear the local host connections for that traffic for the TCP state bypass take effect or the ASA will continue using the old connections entries and wont mark the "b" for bypass under the "show conn"

Hi,

Aditya Ganjoo — Sun, 07 Aug 2016 00:35:44 GMT

Hi,

Please change this TCP state bypass from global policy to interface based service-policy.

So create a new test policy map and bind it to the interface on which the traffic hits first.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks for the response. We

bjamesdowning — Wed, 10 Aug 2016 16:12:56 GMT

Thanks for the response. We have yet to try this, however is there any particular reason TCP Bypass will not function when applied to the Global Policy? It is my understanding that the Global Policy is already applied to all interfaces. Thanks

Hi,

kvaldelo — Wed, 10 Aug 2016 17:20:55 GMT

Hi,

TCP State bypass will work regardless if using global policy or applied to a specific interface

That is what out thoughts

bjamesdowning — Wed, 10 Aug 2016 17:55:08 GMT

That is what out thoughts were as well. And as you recommended, we did clear all connection states during an outage window and recreated sessions individually in an attempt to initiate TCP Bypass. Even then, it seems the class map was never attributed any hits. Cisco TAC simply advised us to upgrade our code to version 9.5(2)208 from 9.5(2)204.

Turns out placing the bypass

bjamesdowning — Mon, 15 Aug 2016 13:44:19 GMT

Turns out placing the bypass setting directly on the incoming interface seemed to work. There is now a bug report for the behavior submitted to the ASA developers. Thanks