
Cisco ASA with reload-framing - REsource LOcation And Discovery Framing

mark.tegg
Level 1

Hi,

I have a problem with allowing this "RELOAD" framing through an ASA. I can get it working if I disable TCP-STATE checking.

Can anyone confirm if this "protocol" is something that the ASA is capable of interpreting?

I have attached some captures of both working and failing scenarios.

DST port is 2000. The end device is supposed to respond to a TCP payload of "01 08 00 00 00 00 00 00 F6".

The pass has state bypassing enabled.

Thanks in Advance.

Mark Tegg

Marcin Latosiewicz
Cisco Employee

Mark,

Truth be told I have little-to-no knowledge on RELOAD protocol, but I do know that by default TCP/2000 is used by skinny.

Enabling TCP state bypass has the added benefit of bypassing inspection engines (maybe you had skinny inspection on before?).

In any case you can always open up a TAC case so we can dig into this.

M.

Thanks Marcin,

I did have Skinny inspect active. I have attempted to disable it, but still have the issue.

With skinny inspect enabled it seems to hang in the tcp-proxy buffer and once connection closed it drops the packets.

Before connect

tcp-proxy: bytes in buffer 0, bytes dropped 0

During connect

tcp-proxy: bytes in buffer 9, bytes dropped 0

After disconnect

tcp-proxy: bytes in buffer 0, bytes dropped 9

I assume that with inspect for skinny disabled it is still using tcp-proxy (no stats though).

Is there a way to disable this tcp-proxy?

Thanks again.

Mark

Mark,

AFAIR we're using TCP proxy mostly for inspected flows (to make sure that packets are processed in order etc).

I'm not aware you need to disable it once inspection is disabled.

Would you mind opening a TAC case so we can get more information?

As one of the steps we need to get trace details captures to see what exactly is going wrong.

M.

I will do, thanks.
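The two changes discussed in this thread (turning off skinny inspection, and TCP state bypass) written out as ASA configuration, with state bypass limited to a single client/server pair rather than the whole port. This is an added example, not configuration posted by anyone in the thread; it assumes the default `global_policy` is in use, and the addresses, the interface name `inside` and the object names are placeholders.

```cisco
! Added example, not from the thread. Addresses are documentation ranges
! (RFC 5737); interface name and object names are placeholders.

! Option 1: stop SCCP (skinny) inspection from claiming TCP/2000.
! This applies to every flow matched by the default inspection class.
policy-map global_policy
 class inspection_default
  no inspect skinny

! Option 2: TCP state bypass for one client/server pair only.
! Flows matched here skip the inspection engines and TCP state checks,
! so the ACL names both hosts and the port instead of "any".
access-list RELOAD-BYPASS extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 2000
class-map RELOAD-BYPASS-CLASS
 match access-list RELOAD-BYPASS
policy-map global_policy
 class RELOAD-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass

! Verification: which policy actions apply to the flow, and is skinny
! inspection still counting packets?
show service-policy flow tcp host 192.0.2.10 host 198.51.100.20 eq 2000
show service-policy inspect skinny

! Verification: connection entry for the server and accelerated-path drops.
show conn address 198.51.100.20
show asp drop

! Capture with per-packet trace, the kind of data TAC asks for.
capture RELOAD-CAP interface inside trace detail match tcp host 192.0.2.10 host 198.51.100.20 eq 2000
show capture RELOAD-CAP packet-number 1 trace detail
no capture RELOAD-CAP
```

Connections that were already established keep the policy they were created with, so clear or re-establish the test connection after changing the service policy.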
