ASA FW allowing packets with wrong seq and ack numbers

nino1
Level 1

Hello community,

I have a strange issue with an OpenLDAP server connecting to a host on the internet using secure LDAP.

Initially LDAP queries are working. What we noticed is that after the connection from the server to that host on the internet has been idle for some time (LDAP is not closing the connections but is trying to re-use them), OpenLDAP tries again to connect to that host on the internet, but it does not actually resume the open session. Rather, it tries to re-use the existing connection but sets seq=1 and ack=1. And here is where we see the difference.

When the LDAP server is hosted on-prem, the traffic passes through a Cisco ASA 5500. The ASA sends a reset to LDAP and LDAP starts a new session (with the SYN flag). So all works fine here.

When hosted in the cloud, the traffic goes via a vASA. LDAP behaves the same way but the ASA does not. It just allows this packet with SEQ=1 and ACK=1, but there is never a response to it from the other side, which is expected. TCP bypass has been configured on this FW, but only for very specific traffic against an ACL. While we know the problem is in LDAP due to its odd behaviour, we would also like to understand why the FW is allowing this traffic instead of blocking it and issuing an RST, as the physical ASA does.

Regards

Nino
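As an added illustration (not code from the post, and not Cisco's ASA implementation), a small Python model of the check a stateful firewall applies to a segment arriving on a tracked TCP connection: it shows why a stale segment carrying seq=1/ack=1 on an idle but still-established flow is out-of-window and gets rejected by stateful inspection, while a flow under TCP state bypass is forwarded unchecked. The tracked flow values, the window-tolerance rule and MAX_ACK_LAG are constructed assumptions for the demonstration.

```python
"""Model of a stateful firewall's TCP sequence check (illustrative, not Cisco code)."""
from dataclasses import dataclass

MOD = 2 ** 32               # TCP sequence numbers wrap at 2^32
SYN, RST, ACK = 0x02, 0x04, 0x10
MAX_ACK_LAG = 2 ** 20       # assumed bound on how far an ack may lag the server's sent data

def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in modular sequence space (handles wraparound)."""
    d = (a - b) % MOD
    return d - MOD if d >= 2 ** 31 else d

@dataclass
class Flow:
    """What the firewall remembers about one established client->server connection."""
    client_next_seq: int    # next byte the client is expected to send
    server_next_seq: int    # next byte the server will send; the ack a valid client segment carries
    server_window: int      # receive window the server last advertised

def check_client_segment(flow: Flow, flags: int, seq: int, ack: int) -> str:
    """Classify a client->server segment: 'new-flow', 'in-window' or 'out-of-window'."""
    if flags & SYN and not flags & ACK:
        return "new-flow"           # a bare SYN restarts the handshake; old state is discarded
    off = seq_diff(seq, flow.client_next_seq)
    if off < -flow.server_window or off >= flow.server_window:
        return "out-of-window"      # seq does not fall in (or just before) the receive window
    ack_off = seq_diff(ack, flow.server_next_seq)
    if flags & ACK and (ack_off > 0 or ack_off < -MAX_ACK_LAG):
        return "out-of-window"      # acks unsent data, or lags far behind what was sent
    return "in-window"

def firewall_action(mode: str, verdict: str) -> str:
    """Map a verdict to what the firewall does in 'stateful' vs 'bypass' mode."""
    if mode == "bypass":
        return "forward"            # TCP state bypass: forwarded regardless of seq/ack
    if verdict == "out-of-window":
        return "drop+rst"           # stateful inspection rejects the stale segment
    return "forward"

# Constructed sample: an idle, still-tracked connection whose client later
# resumes with seq=1 / ack=1 (the symptom from the post) instead of a fresh SYN.
STALE_FLOW = Flow(client_next_seq=3_000_123_456, server_next_seq=2_100_000_000, server_window=65535)

if __name__ == "__main__":
    for flags, seq, ack in [(ACK, 1, 1), (SYN, 1, 0), (ACK, 3_000_123_456, 2_100_000_000)]:
        v = check_client_segment(STALE_FLOW, flags, seq, ack)
        print(f"seq={seq} ack={ack}: {v} -> stateful={firewall_action('stateful', v)} "
              f"bypass={firewall_action('bypass', v)}")
```

Running it shows the seq=1/ack=1 segment classified out-of-window (reset under stateful inspection, forwarded under bypass), a bare SYN starting a new flow, and a segment matching the tracked state forwarded in both modes.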
