Cisco ASA 9.1(2) TCP State bypass

CSCO11095844 (Level 1)

Hi Guys,

I have two ASA firewalls at two separate locations, both running in multi-context mode (an Internal context and an External context), and I have configured TCP State Bypass on the firewall interfaces, on both the internal and external interfaces, to accommodate asymmetric routing. Now, everything I have read from Cisco and other places seems to suggest this will work, but at the moment it doesn't.

What I see is as follows:

A TCP SYN is sent from the source device out through Firewall A's Internal context and Firewall A's External context to the destination device.

The TCP SYN-ACK is received from the destination device at Firewall B's External context and is dropped (deny, no connection...).

The configuration I have applied is as per the Cisco documentation, apart from my access list being ip any any:

hostname(config)# access-list tcp_bypass extended permit ip any any

hostname(config)# class-map tcp_bypass

hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"

hostname(config-cmap)# match access-list tcp_bypass

hostname(config-cmap)# policy-map tcp_bypass_policy

hostname(config-pmap)# class tcp_bypass

hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass

hostname(config-pmap-c)# service-policy tcp_bypass_policy outside

So should this work? Should Firewall B's External context just enforce the TCP State Bypass policy, or is my understanding of this feature wrong?

Thanks

Neil

5 Replies

I believe the issue is with your ACL. I had a similar issue, not with TCP Bypass but with allowing return traffic based on the state table. The problem was that when using permit ip any any, the ASA did not track the state. So give it a try by changing the ACL to:

access-list tcp_bypass extended permit tcp any any eq 80

And then test. The unfortunate thing with this is that you need to specify all the TCP and UDP ports, but you can do that with an object group. Just a hassle the first time you do it, but much easier to manage.

Of course you don't have to use port 80... it is just an example.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Thanks for the reply Marius,

I did have a quick tinker with this earlier but I will try some variations of the above. 

Thanks

Neil


If you do this:

access-list tcp_bypass extended permit ip any any

You will kill the ASA's resources at a certain point; you need to be specific. The reason you kill the device is that timeouts are ignored.

Also, you need to check the logs to see if this is being applied or the ASA is indicating some sort of failure. Set up captures and look at how traffic is flowing.

Value our effort and rate the assistance!

Thanks guys, will rate once I have tried the suggestions.

Hi All,

Just wanted to give an update on the above.

The TCP State Bypass feature was indeed working as configured; the packets were being dropped with the message no connection SYN-ACK because there was not a corresponding rule to allow the traffic. This is rather annoying because the deny message is not the message I would have expected to see.

Sometimes you have too many rules and you can't see the wood for the trees...

Anyhow, I tightened up the match ACL to the specific traffic and added the rules required. Also, don't forget SYN-ACKs reverse the source and destination ports, so you need to ensure your rules take this into consideration.

Thanks again for your input.

Neil
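The resolution above (the bypass class was fine; the interface access list had no entry for the returning SYN-ACK, whose source and destination ports are swapped relative to the SYN) is easy to get wrong when reading a long rule base. The following is an added example, not code from the thread or from Cisco: a deliberately simplified Python model of one interface policy, with a connection table and two access lists (the interface access-group and the class-map's match list). It does not reproduce the ASA's real packet-processing order or syslog wording; the addresses, ports and firewall names are constructed for illustration. It shows the three outcomes discussed in the thread: SYN-ACK dropped with no state and no bypass, SYN-ACK dropped by the access list even with bypass because only the forward rule exists, and SYN-ACK permitted once a reversed rule is added.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the initial SYN, False for SYN-ACK/ACK/data


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp' entry; 'any' / None are wildcards, as on the ASA CLI."""
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    return any(a.matches(p) for a in acl)


@dataclass
class Firewall:
    name: str
    interface_acl: List[Ace]                          # access-group on the interface
    bypass_match: List[Ace] = field(default_factory=list)  # class-map 'match access-list'
    conns: Set[frozenset] = field(default_factory=set)     # connection table

    def inspect(self, p: Packet) -> str:
        # One key for both directions of a flow, so replies match the entry.
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if key in self.conns:
            return "permit (existing connection)"
        # No connection yet. A SYN may open one; a non-SYN may only do so
        # when the tcp-state-bypass class covers it.
        if not p.syn and not acl_permits(self.bypass_match, p):
            return "deny (no connection)"
        # New connections are always checked against the interface access
        # list, bypass or not. The ACE must describe the packet as it
        # arrives: for a SYN-ACK the server is the source and the service
        # port is the SOURCE port.
        if not acl_permits(self.interface_acl, p):
            return "deny (access-list)"
        self.conns.add(key)
        return "permit (new connection)"


# Constructed sample flow: client 10.0.0.5 -> web server 203.0.113.10:80.
# The SYN leaves via firewall A; the SYN-ACK returns via firewall B.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
SYN = Packet(CLIENT, 51000, SERVER, 80, syn=True)
SYN_ACK = Packet(SERVER, 80, CLIENT, 51000, syn=False)


def scenario(bypass: bool, reverse_ace: bool) -> str:
    """Firewall B's verdict on the returning SYN-ACK it never saw a SYN for."""
    acl = [Ace(dst=SERVER, dport=80)]            # forward rule, written for the SYN
    if reverse_ace:
        acl.append(Ace(src=SERVER, sport=80))    # same service, ports swapped
    fw_b = Firewall("B", acl, bypass_match=[Ace()] if bypass else [])
    return fw_b.inspect(SYN_ACK)


if __name__ == "__main__":
    for bypass, rev in [(False, False), (True, False), (True, True)]:
        print(f"bypass={bypass!s:5} reverse_ace={rev!s:5} -> {scenario(bypass, rev)}")
```

Note that in the model the forward ACE `permit tcp any host 203.0.113.10 eq 80` never matches the reply, because the reply's destination is the client and its destination port is the client's ephemeral port; this is the port reversal the last post warns about, and it is why a bypass class with a broad match list can still leave asymmetric return traffic denied.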
