https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274189#M347630 <P>Thanks for detailed information.</P><P>One question disturb me.</P><P>in my Cisco ASA &nbsp; byte always shown 1 in tcp state bypass connections .</P><P>&nbsp;</P><P>for example,&nbsp;</P><P>P outside 192.168.201.63:46746 inside 10.84.33.4:7099, idle 0:13:51, <STRONG>bytes 1</STRONG>, flags b<BR />TCP outside 192.168.201.63:46747 inside 10.84.33.4:7099, idle 0:13:51, <STRONG>bytes 1</STRONG>, flags b<BR />TCP outside 192.168.201.63:45905 inside 10.84.33.4:7099, idle 1:00:30, <STRONG>bytes 1</STRONG>, flags b</P><P>&nbsp;</P><P>Please help to clarify this case.</P><P>Thanks in advance.</P> Sat, 11 Oct 2014 20:40:16 GMT Samir Aliyev 2014-10-11T20:40:16Z https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274184#M347625 <P>Hi everyone,</P><P></P><P>I know the working of TCP state bypass and i have config under ASA&nbsp; under global policy.</P><P></P><P>class-map all-traffic</P><P> match any</P><P></P><P>policy-map global_policy</P><P></P><P>class all-traffic</P><P>&nbsp; set connection advanced-options tcp-state-bypass</P><P></P><P></P><P>This ASA&nbsp; connects to switch B which has HSRP connection with Switch A.</P><P></P><P>When i see the ASA&nbsp; log shows</P><P></P><P>Jun 21 2013 18:26:05: %ASA-6-302303: Built TCP state-bypass connection 7218 from outside:72.21.81.253/80 (72.21.81.253/80) to inside:192.168.52.9/9293 (192.168.11.2 /49248)</P><P>Jun 21 2013 18:26:06: %ASA-6-302304: Teardown TCP state-bypass connection 6282 from outside:24.244.4.14/80 to inside:192.168.52.9/8529 duration&nbsp; 1:02:12 bytes 4994733 Connection timeout</P><P>Jun 21 2013 18:26:08: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765</P><P>Jun 21 2013 18:26:10: %ASA-6-302304: Teardown TCP state-bypass connection 6286 from outside:24.244.4.14/80 to inside:192.168.52.9/8533 duration&nbsp; 1:00:05 bytes 2787 Connection timeout</P><P>Jun 21 2013 18:26:11: %ASA-6-302304: Teardown TCP state-bypass connection 6289 from outside:24.244.4.14/80 to inside:192.168.52.9/8536 duration&nbsp; 1:00:04 bytes 2787 Connection timeout</P><P>Jun 21 2013 18:26:11: %ASA-6-302304: Teardown TCP state-bypass connection 6288 from outside:24.244.4.14/80 to inside:192.168.52.9/8535 duration&nbsp; 1:00:05 bytes 2787 Connection timeout</P><P>Jun 21 2013 18:26:13: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765</P><P>Jun 21 2013 18:26:18: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765</P><P>Jun 21 2013 18:26:20: %ASA-6-302304: Teardown TCP state-bypass connection 6291 from outside:24.244.4.14/80 to inside:192.168.52.9/8538 duration&nbsp; 1:00:05 bytes 2787 Connection timeout</P><P>Jun 21 2013 18:26:23: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765</P><P>Jun 21 2013 18:26:27: %ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.52.9/8529 to outside:192.168.11.2/39901 duration 1:02:33</P><P>Jun 21 2013 18:26:28: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765</P><P>Jun 21 2013 18:26:29: %ASA-6-302304: Teardown TCP state-bypass connection 6292 from outside:24.244.4.14/80 to inside:192.168.52.9/8539 duration&nbsp; 1:00:05 bytes 2787 Connection timeout</P><P></P><P></P><P>sh conn shows all the flags b</P><P></P><P></P><P></P><P>TCP outside 74.120.148.2:443 inside 192.168.52.9:9226, idle 0:20:01, bytes 4657, flags b</P><P>TCP outside 69.192.94.131:443 inside 192.168.52.9:9189, idle 0:18:33, bytes 2971, flags b</P><P>TCP outside 69.192.94.131:443 inside 192.168.52.9:9188, idle 0:18:12, bytes 2843, flags b</P><P>TCP outside 69.192.94.131:443 inside 192.168.52.9:9185, idle 0:18:23, bytes 10715, flags b</P><P>TCP outside 69.192.94.131:443 inside 192.168.52.9:9136, idle 0:18:13, bytes 58935, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9205, idle 0:19:57, bytes 0, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9204, idle 0:18:07, bytes 34927, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9203, idle 0:18:07, bytes 35412, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9195, idle 0:19:57, bytes 0, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9194, idle 0:18:08, bytes 4738, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9193, idle 0:19:57, bytes 0, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9192, idle 0:18:07, bytes 8139, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9148, idle 0:18:09, bytes 8953, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9084, idle 0:39:19, bytes 551, flags b</P><P>TCP outside 173.194.33.60:80 inside 192.168.52.9:9083, idle 0:41:09, bytes 0, flags b</P><P>TCP outside 72.21.91.29:80 inside 192.168.52.9:9263, idle 0:06:41, bytes 3768, flags b</P><P>ciscoasa#</P><P></P><P></P><P>Need to confirm on the current setup where traffic is entering and leaving via same ASA&nbsp; is the TCP&nbsp; bypass working or not?</P><P></P><P>Regards</P><P></P><P>MAhesh</P> Tue, 12 Mar 2019 02:01:37 GMT https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274184#M347625 mahesh18 2019-03-12T02:01:37Z https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274185#M347626 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>Yes, your TCP State Bypass configuration has been applied to each of the connections above.</P><P></P><P>This flag explanantion can be seen with the command <STRONG>"show conn detail"</STRONG></P><P></P><P><STRONG> b - TCP state-bypass or nailed</STRONG></P><P></P><P>So you wont be seeing any other TCP flag with connections if you have set this to apply to all connections.</P><P></P><P>- Jouni</P></BODY></HTML> Sat, 22 Jun 2013 11:28:15 GMT https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274185#M347626 Jouni Forss 2013-06-22T11:28:15Z https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274186#M347627 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Thanks for confirming my thoughts.</P><P>It was strange that even thoug traffic goes back and forth via single ASA i see all TCP flags --b</P><P>Seem this is default behaviour right?</P><P>Regards</P><P></P><P>Mahesh</P></BODY></HTML> Sat, 22 Jun 2013 16:55:17 GMT https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274186#M347627 mahesh18 2013-06-22T16:55:17Z https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274187#M347628 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This should be normal as you apply the TCP State Bypass to all traffic going through the ASA. Since the TCP State check is now bypassed, like the configuration says, the ASA essentially doesnt care about the flags/state of the TCP connection anymore and should to my understanding let all TCP traffic through that is allowed by the ACLs.</P><P></P><P>If you want to try, you could always create an ACL that defines only traffic between certain IP addresses and attach this ACL to the <STRONG>"class-map"</STRONG>&nbsp; that you have configured. Then the TCP State Bypass would only be applied to the traffic/connections specified in the ACL.</P><P></P><P>After this you could try to generate TCP traffic that matches that ACL and also generate TCP traffic that doesnt match it and check the ASAs connection table while the connections are still there. You should see the other TCP connection with the flag <STRONG>"b"</STRONG> and the other with some other TCP flags that you might be used to seing when looking with <STRONG>"show conn"</STRONG> or <STRONG>"show conn detail"</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Sat, 22 Jun 2013 17:20:35 GMT https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274187#M347628 Jouni Forss 2013-06-22T17:20:35Z https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274188#M347629 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Thanks for Explaining it in more detail.I got it now.</P><P></P><P>Best Regards</P><P>MAhesh</P></BODY></HTML> Sat, 22 Jun 2013 17:39:53 GMT https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274188#M347629 mahesh18 2013-06-22T17:39:53Z https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274189#M347630 <P>Thanks for detailed information.</P><P>One question disturb me.</P><P>in my Cisco ASA &nbsp; byte always shown 1 in tcp state bypass connections .</P><P>&nbsp;</P><P>for example,&nbsp;</P><P>P outside 192.168.201.63:46746 inside 10.84.33.4:7099, idle 0:13:51, <STRONG>bytes 1</STRONG>, flags b<BR />TCP outside 192.168.201.63:46747 inside 10.84.33.4:7099, idle 0:13:51, <STRONG>bytes 1</STRONG>, flags b<BR />TCP outside 192.168.201.63:45905 inside 10.84.33.4:7099, idle 1:00:30, <STRONG>bytes 1</STRONG>, flags b</P><P>&nbsp;</P><P>Please help to clarify this case.</P><P>Thanks in advance.</P> Sat, 11 Oct 2014 20:40:16 GMT https://community.cisco.com/t5/network-security/verification-of-tcp-state-bypass-on-network/m-p/2274189#M347630 Samir Aliyev 2014-10-11T20:40:16Z