Solved: Re: How to support TCP Fast Open (RFC 7413) on ASA-Firewalls?

CaB · ‎08-09-2018

Hi,

how do I enable the support for TFO (RFC 7413) in Cisco Adaptive Security Appliance Software Version 9.2 ?

It seems not to work out of the box, i.e. normal connection establishment (handshake without application data bytes) works well while TFO (syn,syn-ack with application data bytes) connection establishment is rejected.

Regards,

CaB

Jerome BERTHIER · ‎08-09-2018

Hi

ASA can do TCP normalization :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html#69801

You can modify it with TCP map :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html#53790

but as far as I see, per default, SYN with data is supported but not SYN/ACK with data:

synack-data { allow | drop }

Sets the action for TCP SYNACK packets that contain data.

The allow keyword allows TCP SYNACK packets that contain data.

(Default) The drop keyword drops TCP SYNACK packets that contain data.

syn-data { allow | drop }

Sets the action for SYN packets with data.

(Default) The allow keyword allows SYN packets with data.

The drop keyword drops SYN packets with data.

Regards

View solution in original post

#Mat · ‎08-09-2018

Hi, I don't see this RFC supported by ASA

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

As workaround/test I think you could try with TCP state bypass.

Regards.-

.

Jerome BERTHIER · ‎08-09-2018

Hi

ASA can do TCP normalization :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html#69801

You can modify it with TCP map :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall/asa-firewall-cli/conns-connlimits.html#53790

but as far as I see, per default, SYN with data is supported but not SYN/ACK with data:

synack-data { allow | drop }

Sets the action for TCP SYNACK packets that contain data.

The allow keyword allows TCP SYNACK packets that contain data.

(Default) The drop keyword drops TCP SYNACK packets that contain data.

syn-data { allow | drop }

Sets the action for SYN packets with data.

(Default) The allow keyword allows SYN packets with data.

The drop keyword drops SYN packets with data.

Regards

CaB · ‎08-10-2018

Hi Jerome,

that was a very helpfull hint. I have started to modify the tcp normalization by allowing data in syn-acks.

syn-ack allow

As this did not fix the problem I configured the tcp map to be most liberal, i.e.:

tcp-map tcp-map-test
synack-data allow
invalid-ack allow
tcp-options range 6 7 allow
tcp-options range 9 255 allow
urgent-flag allow

Next week I will try to figure out which of the options are necessary in order to allow TFO.

Regards,

CaB

patoberli · ‎02-15-2019

@CaB

Did you ever get this to work, or is it maybe anyway supported now?

CaB · ‎02-18-2019

Hi patoberli,

yes, I got it to work. Here are the code snippets:

tcp-map tcp-map-fastopen
  synack-data allow
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow

You will need a class map to match the tcp stream:

class-map TCP
 match port tcp range 1 65535

And you have to apply it in the policy section:

policy-map global_policy
 class inspection_default
 inspect ftp
 ...
 inspect dns dns-map-60
 class TCP
 set connection random-sequence-number disable
 set connection advanced-options tcp-map-fastopen

So the example above will apply the support for tcp fastopen to all tcp connections as the class map (TCP) matches any tcp port.

Regards,

CaB

patoberli · ‎02-18-2019

Thanks a lot for your detailed answer!