Cisco ASA and industry X.224 (ISO 8073) protocol

Martin Kyrc
Level 3

Hello,

I'd like to ask what is necessary to configure for processing the industry-standard X.224 (ISO 8073) protocol.

We have trouble with this communication protocol; the scenario for each TCP flow is as follows:
- TCP is established between client and server (3-way handshake)
- Connect Request (CR TPDU) from the server side
- Connect Confirm (CC TPDU) from the client side
- 30 s without any communication
- then 10x TCP ZeroWindow (TCP keep-alive) packets *
- after no answer from the server side, the client sends a TCP Reset; this Reset is also visible on the egress interface

* I can see the TCP ZeroWindow packets on the ingress interface but no packet on the egress port. There is no access list and no restriction on the interface; all communication is TCP on port 102. No log record, nothing.

What special configuration is needed for processing this industry protocol? How can I troubleshoot this issue?

Thanks for the reply,

martin

4 Replies

Philip D'Ath
VIP Alumni

What ASA are you using, and what version are you running?

If you plug the client into a LAN segment so it can talk directly to the server does it work?

Sorry for that:

- ASA 5585-X SSP-10, software version 9.5.2

- when the client bypasses the ASA (over the old network environment, including a non-Cisco firewall) everything runs OK.

In the attachment you can find two captures: ingress and egress. You can see the keepalive packet on the ingress side (after 30 s), but this keepalive is not going to the egress interface. After 10 times the client sends an R (RST) that does go to the egress side. I have no connection table from this time, but I think the connection on the ASA is created because the R is forwarded. Also, I can't see any drop for this client/server IP in the log.

On the ingress side you can see packets #8-18 where the seq number is out of order (seq 34; it should be 35?). If I'm right, the ASA is not forwarding them to the egress side, and that's correct processing. Am I right?

Maybe this helps:

! CM-PLC is also the name of an extended access-list that must already exist
! and select the PLC flows (TCP/102 between client and server); it is not shown here.
class-map CM-PLC
  match access-list CM-PLC
!
! Attach the class to the global policy and turn off TCP state tracking
! (sequence/ACK/window checks) for the matched flows only.
policy-map global_policy
 class CM-PLC
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
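The pattern described above (a zero-length segment whose sequence number is one below the number the previous data segment made "expected", e.g. seq 34 where 35 was expected, seen on ingress but never on egress) is exactly what a TCP keepalive probe looks like on the wire. The following is an added example, not code from the thread or from Cisco: it walks an ingress and an egress capture of one flow, labels each segment per direction (syn, data, ack, keepalive, rst), and lists the segments that crossed ingress but are missing from egress. The addresses, port 102 flow, TPDU lengths and the 10 keepalives are constructed to mirror the poster's description; there is no live capture involved.

```python
"""Correlate ingress/egress captures of one TCP flow and flag keepalive probes
that were seen on the ingress interface but never appeared on egress.

A TCP keepalive probe (RFC 1122, section 4.2.3.6) carries no payload and a
SEQ one below the sender's next expected sequence number, i.e. it "re-sends"
the last byte the peer already acknowledged. A stateful device that compares
SEQ against the expected value sees it as one behind, which matches the
"seq 34, should be 35" observation in the thread.

All packet data here is constructed for the example (hypothetical hosts).
"""
from collections import defaultdict
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence space


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str   # subset of "SAPRF"
    length: int  # TCP payload bytes

    def key(self):
        """Identity used to match the same packet on two interfaces."""
        return (self.src, self.sport, self.dst, self.dport,
                self.seq, self.flags, self.length)


def classify(segments):
    """Return [(segment, label)] with per-direction next-expected SEQ tracking."""
    nxt = {}       # (src, sport) -> next SEQ expected from that endpoint
    labelled = []
    for s in segments:
        ep = (s.src, s.sport)
        if "S" in s.flags:
            label = "synack" if "A" in s.flags else "syn"
            nxt[ep] = (s.seq + 1) % MOD
        elif "R" in s.flags:
            label = "rst"
        elif "F" in s.flags:
            label = "fin"
            nxt[ep] = (s.seq + s.length + 1) % MOD
        elif s.length == 0 and ep in nxt and s.seq == (nxt[ep] - 1) % MOD:
            label = "keepalive"        # probe of last ACKed byte, nxt unchanged
        elif s.length == 0:
            label = "ack"
        else:
            label = "data"
            nxt[ep] = (s.seq + s.length) % MOD
        labelled.append((s, label))
    return labelled


def missing_on_egress(ingress, egress):
    """Segments (with label) present in the ingress capture but not in egress."""
    seen = defaultdict(int)
    for s in egress:
        seen[s.key()] += 1
    missing = []
    for s, label in classify(ingress):
        if seen[s.key()] > 0:
            seen[s.key()] -= 1
        else:
            missing.append((s, label))
    return missing


# --- constructed sample flow (hypothetical addresses), TCP/102 as in the thread ---
C, CP, S, SP = "10.0.0.10", 49152, "10.0.1.20", 102


def c2s(seq, ack, flags, length=0):
    return Segment(C, CP, S, SP, seq, ack, flags, length)


def s2c(seq, ack, flags, length=0):
    return Segment(S, SP, C, CP, seq, ack, flags, length)


HANDSHAKE_AND_COTP = [
    c2s(1000, 0, "S"),
    s2c(5000, 1001, "SA"),
    c2s(1001, 5001, "A"),
    s2c(5001, 1001, "PA", 22),   # CR TPDU sent by the server side
    c2s(1001, 5023, "PA", 22),   # CC TPDU sent by the client
    s2c(5023, 1023, "A"),
]
# 10 probes: client's next SEQ is 1023, so each keepalive carries SEQ 1022.
KEEPALIVES = [c2s(1022, 5023, "A") for _ in range(10)]
RESET = [c2s(1023, 5023, "RA")]

INGRESS = HANDSHAKE_AND_COTP + KEEPALIVES + RESET
EGRESS = HANDSHAKE_AND_COTP + RESET          # keepalives absent, RST forwarded


if __name__ == "__main__":
    for seg, label in missing_on_egress(INGRESS, EGRESS):
        print(f"missing on egress: {label:9s} seq={seg.seq} len={seg.length}")
```

Run it against real captures by replacing the constructed lists with segments read from the two pcaps (any pcap reader will do); if every missing segment is labelled keepalive while data and the RST match on both sides, the firewall's sequence-number tracking is the first thing to look at, which is what the tcp-state-bypass test in the post checks.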

Are you using Firepower at all?

I had some issues with the earlier 9.5(2) train, so I am a bit "shy" of it now. 9.6(1) has been working well for me. Perhaps you could try that release?

Hi Phil,

I think it's not an issue with 9.5(2). Based on the capture it looks like an issue with the communication between the client and server application (it's a PLC from an industrial environment, and some years ago the customer had the same issue with a non-Cisco firewall). I will try bypassing TCP state and test the communication.
