Hi Vibhor,

Thanks for the reply.

So you mean to say that ASA is dropping the packet having TCP Opt 76.

I have gone through some Riverbed docs also and there its recommended to allow TCP Opt range 76-78 on ASA. However, I just want to clarify a bit more on this. First, In the capture results the SYN packet is also having the TCP-76 then why ASA is letting it pass through and making the other end to respond with SYN-ACK.

Second, the default behaviour of ASA is to clear the packets having TCP Opt range 9 - 255 and that means to clear the relevant option and allows the packet, then what's causing ASA to drop the packet even it is not configured to drop.

Third, help me to understand your comment "This is not a successful transfer".

Thanks,

Rakesh Kumar

Hi,

By default , the ASA should clear the option in the TCP header as you pointed out. You need to use the "allow" keyword in the TCP MAP specifically to allow these options through the ASA device.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/t1.html#pgfId-1561309

I am not sure if the ASA is letting this through as i am not sure on which interface  were the above capture taken on ?

What i meant by successful transfer was that this connection failed on the Control connection itself i.e. TCP 3-way handshake. Data did not even start to transfer.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

146.27.92.178 ---> Int_core---ASA1--Int_share----> Internet--->ASA2----> 144.5.15.33

Below are the traffic captures on Interface share of ASA1:

6 packets captured

   1: 14:29:11.751792 146.27.92.178.51571 > 144.5.15.33.135: S 2448573496:2448573496(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK,opt-76:0101921b6e4e0005,opt-76:0c01,nop,eol>
   2: 14:29:11.751868 144.5.15.33.135 > 146.27.92.178.51571: S 20020520:20020520(0) ack 2448573497 win 8192 <opt-76:0c01,nop,nop,nop,eol>
   3: 14:29:11.758215 144.5.15.33.135 > 146.27.92.178.51571: S 20020520:20020520(0) ack 2448573497 win 8192 <opt-76:1111921b6e4e90050eee1e78,opt-76:0e3d,nop,eol>
   4: 14:29:12.160132 146.27.92.178.51571 > 144.5.15.33.135: S 2448573496:2448573496(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   5: 14:29:14.746757 146.27.92.178.51571 > 144.5.15.33.135: S 2448573496:2448573496(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   6: 14:29:20.746787 146.27.92.178.51571 > 144.5.15.33.135: S 2448573496:2448573496(0) win 8192 <mss 1380,nop,nop,sackOK>
6 packets shown

As we see that the host 144.5.15.33.135 is responding with SYN-ACK, it means that the ASA1 is letting the SYN pass through with TCP option 76.

On both of the ASAs, TCP options 76 and 78 are allowed, however, still the TCP handshake is not completed. We tried by allowing the TCP option 77 also but it's not working.

Hi,

To be honest , i don't think this might be something that might be caused due to the ASA device. You can also apply the ASP captures and see if you see any packets from the test traffic in there as that would mean the traffic is being dropped on this ASA device:-

capture asp type asp-drop all buffer 3333333

Also , did you try to check the debugging syslog for this traffic and see what you see in there ?

Thanks and Regards,

Vibhor Amrodia

I have already tried asp-drop but I didn't get any relevant output. I can't enable the console logging because it would generate a numerous messages on the console that might result in higher cpu utilization.

I tried by monitoring the real time traffic with a tool, however, didn't see any traffic coming to firewall, don't know why? or might be because I am not familiar with the tool. But using that tool doesn't require much expertise, it's quite simple. It's showing a lot of logs at the end device but nothing on the ASA. Even logging is already enabled on ASA.

Hi,

I was pointing at ASDM logging and checking the logs on the ASDM using a filter.

Enable this command:-

logging asdm debugging

Then open ASDM , go to monitoring >> Logging and then click on show logs..

Apply the filter with the IP address and check the logs.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thanks for the reply.

We don't have ASDM login configured on ASAs.

Regards,

Rakesh Kumar

Hi,

I think it would be easier if you can check the logs from ASDM.

Also , if you have a logging server , You cans end the logs there as well.

Thanks and Regards,

Vibhor Amrodia

Hi,

Did you ever find out if your options 76 were getting through? It seems from the capture it was getting through, but something was prohibiting the 3-way handshake.

Hi Dustin,

As I commented before in my previous replies:

"As we see that the host 144.5.15.33.135 is responding with SYN-ACK, it means that the ASA1 is letting the SYN pass through with TCP option 76.

On both of the ASAs, TCP options 76 and 78 are allowed, however, still the TCP handshake is not completed. We tried by allowing the TCP option 77 also but it's not working."

I didn't find what's causing the traffic drop, however, from the capture output its clear that ASA is letting the traffic pass through and something else in the path is prohibiting the 3-way handshake. We will continue with finding the issue and involve the NA team (who handles the routers/switches) in the troubleshooting.

Thanks,

Rakesh Kumar

Hi,

Did you ever find out if your options 76 were getting through? It seems from the capture it was getting through, but something was prohibiting the 3-way handshake.

Hello,

Did you find out if your TCP options were getting through? It seems from the capture they were indeed getting through from the "SACK" but something else was prohibiting the connection from completing the 3-way handshake.