Beginner

Cisco ASA with reload-framing - REsource LOcation And Discovery Framing

Hi,

I have a problem with allowing this "RELOAD" framing through an ASA. I can get it working if I disable TCP-STATE checking.

Can anyone confirm if this "protocol" is something that the ASA is capable of interpreting?

I have attached some captures of both working and failing scenarios.

DST Port is 2000. The end device is supposed to respond to a TCP payload of "01 08 00 00 00 00 00 00 F6".

The pass has state bypassing enabled.

Thanks in Advance.

Mark Tegg

4 REPLIES
Cisco Employee

Mark,

Truth be told I have little-to-no knowledge on RELOAD protocol, but I do know that by default TCP/2000 is used by skinny.

Enabling TCP state bypass has the added benefit of bypassing inspection engines (maybe you had skinny inspection on before?).

In any case you can always open up a TAC case so we can dig into this.

M.

Beginner

Thanks Marcin,

I did have Skinny inspect active. I have attempted to disable it, but still have the issue.

With skinny inspect enabled it seems to hang in the tcp-proxy buffer, and once the connection is closed it drops the packets.

Before connect

tcp-proxy: bytes in buffer 0, bytes dropped 0

During connect

tcp-proxy: bytes in buffer 9, bytes dropped 0

After disconnect

tcp-proxy: bytes in buffer 0, bytes dropped 9

I assume that with inspect for skinny disabled it is still using tcp-proxy (no stats though).

Is there a way to disable this tcp-proxy?

Thanks again.

Mark

Cisco Employee (accepted solution)

Mark,

AFAIR we're using TCP proxy mostly for inspected flows (to make sure that packets are processed in order etc).

I'm not aware you need to disable it once inspection is disabled.

Would you mind opening a TAC case so we can get more information?

As one of the steps we need to get trace details captures to see what exactly is going wrong.

M.

Beginner

I will do, thanks.
