08-04-2016 08:45 AM - edited 03-12-2019 01:05 AM
Hello,
I am attempting to configure TCP-Bypass for a specific subset of traffic on an ASAv running Software Version 9.5(2)204. I have configured an ACL to match the source and destination specifically, set up a class map to reference the ACL, and attached the class map to the default global policy with 'set connection advanced-options tcp-state-bypass.' When generating the targeted traffic and issuing a 'show conn', no connections display a lowercase 'b' to indicate TCP bypass has been initiated. Additionally, when running a packet-tracer command, the traffic continues to fall back to the class-default regardless of how broad/specific the Class-Map ACL is. Below are the ACL, Class-Map, and Policy-Map configs, as well as the ACL hit count and the output of the packet-tracer. The end result of the packet tracer is 'allow'; I just posted it to display the traffic hitting the default class rather than TEST_MAP.
ACL:
access-list TEST_ACL line 1 extended permit tcp host 1.1.1.1 any4 eq 1433
access-list TEST_ACL line 2 extended permit tcp host 1.1.1.1 any4 eq 1434
access-list TEST_ACL line 3 extended permit tcp host 1.1.1.1 any4 eq 9053
CLASS-MAP:
class-map TEST_MAP
 match access-list TEST_ACL
POLICY-MAP:
policy-map global_policy
 class inspection_default
  inspect snmp
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dcerpc
  inspect icmp
 class TEST_MAP
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
 class class-default
  set connection timeout dcd
SERVICE-POLICY:
service-policy global_policy global
PACKET-TRACER:
packet-tracer input INTERNAL_TEST tcp 1.1.1.1 5764 2.2.2.2 1433 detailed
//relevant output:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection timeout idle 1193:00:00 dcd 0:00:15 5 embryonic 0:00:30 half-closed 0:10:00
   DCD: enabled, retry-interval 0:00:15, max-retries 5
   DCD: client-probe 0, server-probe 0, conn-expiration 0
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7f663aa4c530, priority=7, domain=conn-set, deny=false
        hits=17828, user_data=0x7f662417a3e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=INTERNAL_TEST, output_ifc=any
No hits on ACL when actual traffic is generated:
access-list TEST_ACL; 3 elements; name hash: 0x4a5798e5
access-list TEST_ACL line 1 extended permit tcp host 1.1.1.1 any4 eq 1433 (hitcnt=0)
access-list TEST_ACL line 2 extended permit tcp host 1.1.1.1 any4 eq 1434 (hitcnt=0)
access-list TEST_ACL line 3 extended permit tcp host 1.1.1.1 any4 eq 9053 (hitcnt=0)
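The two verification points the post relies on (the ACE hit counters in 'show access-list' and the lowercase 'b' flag in 'show conn') can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python check that parses both outputs and reports whether the bypass class is actually being hit. The 'show access-list' text is the one posted above; the 'show conn' lines are constructed samples in the ASA's usual format, and the verdict strings are this example's own wording.

```python
"""Check whether ASA TCP state bypass is taking effect (added example).

Parses `show access-list <name>` hit counters and the flags column of
`show conn`, then reports one of three states. The flag test is
case-sensitive: lowercase 'b' marks a state-bypassed connection, while
uppercase 'B' is a different flag, so a naive case-insensitive match
would report bypass where there is none.
"""
from __future__ import annotations

import re

# Output as posted in the thread (all counters zero).
SHOW_ACCESS_LIST = """\
access-list TEST_ACL; 3 elements; name hash: 0x4a5798e5
access-list TEST_ACL line 1 extended permit tcp host 1.1.1.1 any4 eq 1433 (hitcnt=0)
access-list TEST_ACL line 2 extended permit tcp host 1.1.1.1 any4 eq 1434 (hitcnt=0)
access-list TEST_ACL line 3 extended permit tcp host 1.1.1.1 any4 eq 9053 (hitcnt=0)
"""

# Constructed sample `show conn` output; no connection carries lowercase 'b'.
SHOW_CONN = """\
TCP INTERNAL_TEST 2.2.2.2:1433 INTERNAL_TEST 1.1.1.1:5764, idle 0:00:05, bytes 0, flags UIO
TCP INTERNAL_TEST 3.3.3.3:443 INTERNAL_TEST 1.1.1.1:5766, idle 0:00:01, bytes 512, flags UIOB
"""

HITCNT_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) .*\(hitcnt=(?P<hits>\d+)\)"
)
CONN_RE = re.compile(
    r"^TCP (?P<ifc_a>\S+) (?P<addr_a>[\d.]+):(?P<port_a>\d+) "
    r"(?P<ifc_b>\S+) (?P<addr_b>[\d.]+):(?P<port_b>\d+),.*flags (?P<flags>\S+)\s*$"
)


def acl_hits(show_access_list: str) -> dict[int, int]:
    """Map ACE line number -> hit count; the summary header line is skipped."""
    hits: dict[int, int] = {}
    for line in show_access_list.splitlines():
        m = HITCNT_RE.match(line.strip())
        if m:
            hits[int(m.group("line"))] = int(m.group("hits"))
    return hits


def bypassed_conns(show_conn: str) -> list[tuple[str, int, str, int]]:
    """Return (addr_a, port_a, addr_b, port_b) for conns flagged lowercase 'b'."""
    found = []
    for line in show_conn.splitlines():
        m = CONN_RE.match(line.strip())
        if m and "b" in m.group("flags"):  # case-sensitive on purpose
            found.append((m.group("addr_a"), int(m.group("port_a")),
                          m.group("addr_b"), int(m.group("port_b"))))
    return found


def diagnose(show_access_list: str, show_conn: str) -> tuple[int, int, str]:
    """Return (total ACE hits, bypassed conn count, verdict)."""
    total = sum(acl_hits(show_access_list).values())
    bypassed = bypassed_conns(show_conn)
    if total == 0 and not bypassed:
        verdict = ("class not matched: check service-policy placement "
                   "(interface vs global) and the class-map ACL")
    elif total > 0 and not bypassed:
        verdict = ("ACL matched but no bypassed conns: clear existing "
                   "connections so they are rebuilt under the new policy")
    else:
        verdict = "bypass active"
    return total, len(bypassed), verdict


if __name__ == "__main__":
    print(diagnose(SHOW_ACCESS_LIST, SHOW_CONN))
```

Run against the posted counters and the constructed conn table it reports zero hits and zero bypassed connections, which is the "class never matched" state the original post describes; the middle verdict corresponds to the reply below about stale connection entries needing to be cleared.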
08-06-2016 05:35 PM
Hi,
Please change this TCP state bypass from global policy to interface based service-policy.
So create a new test policy map and bind it to the interface on which the traffic hits first.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
08-05-2016 04:45 AM
Hello,
Could you provide the output of:
show service-policy
And also test this:
service-policy TEST_MAP interface <INTERFACE>
//Cristian
08-05-2016 01:19 PM
Hi,
Remember you need to clear the local host connections for that traffic for the TCP state bypass to take effect, or the ASA will continue using the old connection entries and won't mark the "b" for bypass under "show conn".
08-10-2016 09:12 AM
Thanks for the response. We have yet to try this, however is there any particular reason TCP Bypass will not function when applied to the Global Policy? It is my understanding that the Global Policy is already applied to all interfaces. Thanks
08-10-2016 10:20 AM
Hi,
TCP State bypass will work regardless of whether it is applied in the global policy or to a specific interface.
08-10-2016 10:55 AM
That is what our thoughts were as well. And as you recommended, we did clear all connection states during an outage window and recreated sessions individually in an attempt to initiate TCP Bypass. Even then, it seems the class map was never attributed any hits. Cisco TAC simply advised us to upgrade our code to version 9.5(2)208 from 9.5(2)204.
08-15-2016 06:44 AM
Turns out placing the bypass setting directly on the incoming interface seemed to work. There is now a bug report for the behavior submitted to the ASA developers. Thanks