11-22-2013 06:24 AM - edited 03-11-2019 08:08 PM
Hi Guys,
I have two ASA firewalls at two separate locations in place, both running in multi-context mode (internal context and external context), and I have configured TCP State Bypass on the firewall interfaces on both the internal and external interfaces to accommodate asymmetric routing. Now everything I have read from Cisco and other places seems to suggest this will work, but at the moment it doesn't.
What I see is as follows:
TCP SYN is sent from the source device out through Firewall A internal context, through Firewall A external context, to the destination device.
TCP SYN-ACK is received from the destination device at Firewall B external context and is dropped (deny no connection......).
The configuration I have applied is as per the Cisco documentation, apart from my access list, which is ip any any:
hostname(config)# access-list tcp_bypass extended permit ip any any
hostname(config)# class-map tcp_bypass
hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"
hostname(config-cmap)# match access-list tcp_bypass
hostname(config-cmap)# policy-map tcp_bypass_policy
hostname(config-pmap)# class tcp_bypass
hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass
hostname(config-pmap-c)# service-policy tcp_bypass_policy outside
So should this work? Should Firewall B external context just enforce the TCP State Bypass policy? Or is my understanding of this feature wrong?
Thanks
Neil
11-22-2013 06:39 AM
I believe the issue is with your ACL. I had a similar issue, not with TCP Bypass but with allowing return traffic based on the state table. The problem was that when using permit ip any any, the ASA did not track the state. So give it a try by changing the ACL to:
access-list tcp_bypass extended permit tcp any any eq 80
And then test. The unfortunate thing with this is that you need to specify all the TCP and UDP ports, but you can do that with an object group. Just a hassle the first time you do it, but much easier to manage.
Of course you don't have to use port 80... it is just an example.
--
Please rate all helpful posts
11-22-2013 06:45 AM
Thanks for the reply Marius,
I did have a quick tinker with this earlier but I will try some variations of the above.
Thanks
Neil
11-22-2013 06:56 AM
If you do this:
access-list tcp_bypass extended permit ip any any
You will kill the ASA's resources at a certain point; you need to be specific. The reason you kill the device is that timeouts are ignored.
Also you need to check logs to see if this is being applied or the ASA is indicating some sort of failure; set up captures and look at how traffic is flowing.
Value our effort and rate the assistance!
11-22-2013 07:48 AM
Thanks guys, will rate once I have tried the suggestions.
12-09-2013 12:57 AM
Hi All,
Just wanted to give an update on the above.
The TCP State Bypass feature was indeed working as configured; the packets were being dropped with the message "no connection SYN-ACK" because there was not a corresponding rule to allow the traffic. This is rather annoying because the deny error message is not the message I would have expected to see.
Sometimes you have too many rules and you can't see the wood for the trees....
Anyhow, I tightened up the match ACL to the specific traffic and added the rules required. Also don't forget SYN-ACKs reverse the source and destination ports, so you need to ensure your rules take this into consideration.
Thanks again for your input.
Neil
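As an added illustration (not from this thread, and not Cisco code), a small Python model of stateless ACL matching shows why, with TCP State Bypass on an asymmetric path, the SYN-ACK arriving at the other firewall needs its own permit entry with the ports reversed. The Rule/Packet model, the addresses and the port numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Hypothetical model of an ASA-style extended ACL entry (not Cisco code).
# "any" for an address, or None for a port, matches everything.
@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: str = "any"
    dst: str = "any"
    src_port: Optional[int] = None  # None == no "eq" on that side
    dst_port: Optional[int] = None
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    src_port: int
    dst_port: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port

def acl_action(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; implicit deny at the end, as on the ASA."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

def syn_ack_for(syn: Packet) -> Packet:
    """The reply travels the other way: addresses and ports are swapped."""
    return Packet(syn.proto, syn.dst, syn.src, syn.dst_port, syn.src_port)

def check_asymmetric_path(acl: List[Rule], syn: Packet) -> Tuple[str, str]:
    """Evaluate SYN and SYN-ACK independently, as two stateless firewalls on an asymmetric path do."""
    return acl_action(acl, syn), acl_action(acl, syn_ack_for(syn))

# Constructed sample: the thread's one-way ACL, then the same ACL plus a reverse entry.
SYN = Packet("tcp", "10.0.0.10", "192.0.2.80", 51234, 80)
ONE_WAY_ACL = [Rule("permit", "tcp", dst_port=80)]
BOTH_WAYS_ACL = ONE_WAY_ACL + [Rule("permit", "tcp", src_port=80)]
```

With ONE_WAY_ACL the SYN is permitted but the SYN-ACK is denied, which is the "no connection" drop seen in the thread; BOTH_WAYS_ACL permits both directions.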