Showing results for 
Search instead for 
Did you mean: 


Cisco ASA 9.1(2) TCP State bypass

Hi Guys,

I have a two ASA firewalls at two seperate locations in place and both running in multicontext mode (Internal context and External Context) and i have configured TCP State bypass on the firewall interfaces on both the internal and external interfaces to accomodate asymmetric routing.  Now everything i have read from cisco and other places seems to suggest this will work but at the moment it doesnt

What i see is as follows,

TCP syn is sent From Source Device out through Firewall A Internal Context through Firewall A External Context to the destination device.

TCP syn Ack is received from destination device at Firewall B External Context and is dropped (deny no connection......)

the configuration i have applied is as per cisco documentation apart from my accesslist is ip any any

hostname(config)# access-list tcp_bypass extended permit ip any any

hostname(config)# class-map tcp_bypass

hostname(config-cmap)# description "TCP traffic that bypasses stateful firewall"

hostname(config-cmap)# match access-list tcp_bypass

hostname(config-cmap)# policy-map tcp_bypass_policy

hostname(config-pmap)# class tcp_bypass

hostname(config-pmap-c)# set connection advanced-options tcp-state-bypass

hostname(config-pmap-c)# service-policy tcp_bypass_policy outside

So should this work should Firewall B external context just enforce the TCP State Bypass policy?  or Is my understanding of this feature wrong?



Marius Gunnerud
VIP Advisor

I believe the issue is with your ACL.  I had a similar issue, not with TCP Bypass but with allowing return traffic based on the state table.  The problem was that when using permit ip any any, the ASA did not track the state.  So if you give it a try by changing the ACL to:

access-list tcp_bypass extended permit tcp any any eq 80

And then test.  The unfortunate thing with this is that you need to specify all the TCP, UDP ports, but you can do that with a object group.  Just a hassel the first time you do it but much easier to manage.

Ofcourse you don't have to use port is just an example.


Pease rate all helpful posts

Please remember to select a correct answer and rate helpful posts

Thanks for the reply Marius,

I did have a quick tinker with this earlier but I will try some variations of the above. 



If you do this:

access-list tcp_bypass extended permit ip any any

You will kill the ASA´s resources at a certain point, you need to be specific. The reason you kill the device timeouts are ignored.

Also you need to check logs to see if this is being applied or the ASA is indicating so sort of failure, setup captures and look at how traffic is flowing.

Value our effort and rate the assistance!

Value our effort and rate the assistance!

thanks guys will rate once i have tried the suggestions

Hi All,

Just wanted to give an update on the above.

The TCP State Bypass feature was indeed working as configured,  the packets were being dropped with the message no connection Syn Ack because there was not a corresponding rule to allow the traffic.  This is rather annoying because the error deny message is not the message i would have expected to see. 

Some times you have to many rules and you cant see the wood for the trees.... 

Any how i tightened up the Match ACL to the specific traffic and added the rules required,  also dont forget sync acks reverse the source and destination ports so you need to ensure your rules take this into consideration..

Thanks again for your input.


Content for Community-Ad