Hello-
I've created a policy map to allow TCP probe options 76 - 78 on the ASA Firewall for our Riverbed appliance.
Here is the setup:
access-list tcp-traffic line 1 extended permit tcp any any
class-map tcp-traffic
match access-list tcp-traffic
tcp-map allow-probes
tcp-options range 76 78 allow
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ils
inspect dns preset_dns_map
class tcp-traffic
set connection random-sequence-number disable
set connection advanced-options allow-probes
show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 87626, drop 0, reset-drop 0, v6-fail-close 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 1, drop 0, reset-drop 0, v6-fail-close 0
Inspect: netbios, packet 2155, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rsh, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: rtsp, packet 350078, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: sip , packet 2470, drop 0, reset-drop 0, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0, v6-fail-close 0
Inspect: ils, packet 190, drop 0, reset-drop 0, v6-fail-close 0
Inspect: dns preset_dns_map, packet 19969072, drop 31696, reset-drop 0, v6-fail-close 0
Class-map: tcp-traffic
Set connection policy: random-sequence-number disable
drop 0
Set connection advanced-options: allow-probes
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Invalid ACK drops : 473 SYN-ACK with data drops: 0
Out-of-order (OoO) packets : 79504708 OoO no buffer drops: 206534
OoO buffer timeout drops : 2590886 SEQ past window drops: 61463
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 17 Timestamp cleared : 130
Window scale cleared : 1
Other options cleared: 1060
Opt 30: 792 Opt 38: 212 Opt 76: 56
Other options drops: 0
Why am I seeing opt 76 showing up with 56 as the hit count? I know most of the traffic is being optimized, but some of it is showing in the Riverbed logs as being filtered on the option set. Some of the packets are being reset. Opt 30 and 38 are not specified in the policy, so I understand them being here. Can someone confirm my policy setup is correct?
ASA Software Version 9.1.(4)
Thanks in advance.
John
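As an added example (not part of John's post and not Cisco tooling), a small Python parser for the TCP-options counter block pasted above: it extracts the named counters and the per-option breakdown, reports any option kind inside a tcp-map allow range that still shows a non-zero cleared count, and checks that the per-option entries add up to the "Other options cleared" total (in the pasted output 792 + 212 + 56 = 1060, so a non-zero entry for an allowed option is worth investigating). The sample text and the allowed range 76-78 come from the post; the function names are assumptions.

```python
import re

# Constructed sample: the TCP-options block of `show service-policy` as pasted in the post.
SAMPLE = """\
TCP-options:
Selective ACK cleared: 17 Timestamp cleared : 130
Window scale cleared : 1
Other options cleared: 1060
Opt 30: 792 Opt 38: 212 Opt 76: 56
Other options drops: 0
"""

# Named counters appear as "<name> : <n>", sometimes two per line.
NAMED_RE = re.compile(r"(Selective ACK cleared|Timestamp cleared|Window scale cleared|"
                      r"Other options cleared|Other options drops)\s*:\s*(\d+)")
# Per-option breakdown entries look like "Opt <kind>: <count>".
OPT_RE = re.compile(r"Opt\s+(\d+)\s*:\s*(\d+)")


def parse_tcp_option_counters(text):
    """Parse the TCP-options block into named counters plus a 'per_option' dict
    keyed by TCP option kind. Parsing stops after 'Other options drops'."""
    counters = {"per_option": {}}
    in_block = False
    for line in text.splitlines():
        if line.strip().startswith("TCP-options:"):
            in_block = True
            continue
        if not in_block:
            continue
        for name, value in NAMED_RE.findall(line):
            counters[name.lower().replace(" ", "_")] = int(value)
        for kind, value in OPT_RE.findall(line):
            counters["per_option"][int(kind)] = int(value)
        if "other_options_drops" in counters:
            break  # last line of the block
    return counters


def audit_allowed_options(counters, allowed_ranges):
    """Return {kind: count} for option kinds inside a tcp-map allow range that
    nevertheless show a non-zero entry in the cleared breakdown."""
    return {kind: count for kind, count in counters["per_option"].items()
            if count and any(lo <= kind <= hi for lo, hi in allowed_ranges)}


def breakdown_matches_total(counters):
    """True when the per-option entries sum to the 'Other options cleared' total."""
    return sum(counters["per_option"].values()) == counters.get("other_options_cleared")


if __name__ == "__main__":
    c = parse_tcp_option_counters(SAMPLE)
    print("allowed-but-cleared:", audit_allowed_options(c, [(76, 78)]))
    print("breakdown sums to total:", breakdown_matches_total(c))
```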