ASA Asymmetric Traffic Issue (TCP State Bypass)

rami.saber
Level 1

Hi All,

I have traffic that flows the following way:

PC to Server (GW for PC is Core)

PC>Core>Server

Server to PC (GW for Server is ASA)

Server>ASA>Core>PC

Traffic is dropped and not reaching the server. After some investigation I noticed that the ASA is dropping the traffic because it is asymmetric.

I know that Cisco introduced a TCP State Bypass feature which allows this type of traffic flow

So I added the following config in the ASA:

Assuming PC:10.10.10.10 and Server: 20.20.20.20

and traffic is going in and out of inside interface

access-list tcp_bypass_test extended permit ip host 20.20.20.20 host 10.10.10.10

class-map tcp_bypass

match access-list tcp_bypass_test

policy-map tcp_bypass_policy

class tcp_bypass

  set connection advanced-options tcp-state-bypass

service-policy tcp_bypass_policy interface inside

I can see that the hit count is increasing for the ACL. But this is not working for some reason. Any idea how I can troubleshoot this further?

Thanks

8 Replies

Julio Carvajal
VIP Alumni

Hello Rami,

Do you already have the same-security-traffic permit intra-interface command?

What are the logs showing after you configured the TCP state bypass?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Actually the same-security-traffic permit intra-interface is already configured; however, when going through some documents, I noticed that I need to do some NATing to make this work (hairpinning).

But it is still not clear to me why I should do NATing and for what.

Thanks

Hello Rami,

Correct, but that is if you are configuring hairpinning; in this case we configured TCP state bypass.

With TCP state bypass the communication can be bidirectional; with the other option, the user directly connected to the ASA is the only one that can initiate the communication.

Hope this helps,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I'll try to collect some logs to see where the problem is.

Thanks

Message was edited by: Rami Saber

Hello,

I am mostly getting the following errors:

%ASA-3-305006: regular translation creation failed for icmp src inside:20.20.20.20 dst inside:10.10.10.10 (type 0, code 0)

20.20.20.20: server

10.10.10.10: user

While trying to ping from user to server

Hello Rami,

Please post the configuration, we can troubleshoot from there

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Actually the problem appears to be related to NATing.

We have a global NATing for the servers

global (outside) 10 interface

nat (inside) 10 20.20.0.0 255.255.0.0

I tried adding a static NAT

static (inside,inside) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

Now I am able to communicate with the server (HTTP,...) but still cannot ping it.

But if we have a large subnet do I have to do a static nat for each server?

Hello Rami,

You can do the static with the whole subnet, that is not gonna cause any issues at all.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
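Pulling the thread's pieces together, here is a consolidated pre-8.3 ASA configuration for the asymmetric flow discussed above. This is an added example, not the poster's or Cisco's own config; it assumes the addresses used in the thread (PC 10.10.10.10, servers in 20.20.0.0/16), that every packet of the flow enters and leaves the inside interface, and that the reverse ACL entry and the verification commands are additions beyond what the thread shows.

```cisco
! Added example (not the thread's own config), pre-8.3 NAT syntax.
! Assumed addressing: PC 10.10.10.10, server block 20.20.0.0/16.
!
! Let a flow enter and exit the same interface (asked about in reply 1).
same-security-traffic permit intra-interface
!
! Server-to-PC is the only direction the ASA sees in this topology.
! The PC-to-server entry is an assumption: harmless, and it covers the
! case where the core ever forwards PC-initiated packets via the ASA.
access-list tcp_bypass_test extended permit ip 20.20.0.0 255.255.0.0 host 10.10.10.10
access-list tcp_bypass_test extended permit ip host 10.10.10.10 20.20.0.0 255.255.0.0
!
class-map tcp_bypass
 match access-list tcp_bypass_test
!
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface inside
!
! Existing dynamic PAT for the server block toward the outside.
global (outside) 10 interface
nat (inside) 10 20.20.0.0 255.255.0.0
!
! Identity (inside,inside) static for the whole server subnet, so the
! hairpinned flow gets a translation instead of failing with
! %ASA-3-305006 "regular translation creation failed" (reply 4 and 8).
static (inside,inside) 20.20.0.0 20.20.0.0 netmask 255.255.0.0
!
! Verification (assumed commands, not from the thread):
!   show service-policy interface inside   -> class hit counters
!   show xlate                             -> identity xlate for 20.20.0.0/16
!   show conn detail                       -> flag "b" marks a bypassed TCP conn
```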