04-18-2018 08:23 AM - edited 02-21-2020 07:38 AM
Hi
I need to turn off TCP Timestamps on my ASA - does anyone know how to do this on ASDM?
After a security test it came back failed
NVT: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)
Summary: The remote host implements TCP timestamps and therefore allows to compute the uptime.
Vulnerability Detection Result: It was detected that the host implements RFC1323.
Any help would be gratefully received.
04-18-2018 10:22 PM
Hello,
Below link can help you disable the TCP timestamp:
You would have to play with tcp normalization to achieve this.
-
HTH
AJ
04-19-2018 01:25 AM
Thanks
Do you know if this can be done in the ASDM?
04-19-2018 09:06 AM
Please follow the below link to configure tcp normalizer related changes:
HTH
AJ
08-11-2018 02:33 PM - edited 08-11-2018 02:42 PM
At present, there is no option to switch off the tcp time-stamp for to-the-box ASA https traffic.
1) The ASA does NOT include a Timestamp option for SSH traffic.
2) The ASA DOES include a Timestamp option for HTTPs traffic (this is by design).
3) The ASA does NOT initialize the counter to zero at boot time, but uses a random value between reload/reboot (also by design).
Hence, while indeed the ASA includes a TCP Timestamp option on HTTPs traffic, that option cannot be used to determine device uptime. And no, a tcp-map will not clear the Timestamp option being added to traffic generated by the ASA itself.
If you are concerned about TCP Timestamps traversing the ASA - then it would be best to add a tcp-map to your global policy using the clear option.  The following article shows how to perform this task easily.  http://secureitnetworks.net/index.php/2015/08/21/how-to-remove-tcp-time-stamp-from-packets-on-cisco-asa/
Once you have the tcp-map in place, use the sho service-policy command to show the timestamps cleared.
EXAMPLE:
ciscoasa# sho service-policy
Global policy:
  Service-policy: global_policy
    Class-map: timestamp_class_map
      Set connection policy:         drop 0
      Set connection advanced-options: timestamp_tcp_map
        Retransmission drops: 0                   TCP checksum drops : 0
        Exceeded MSS drops  : 0                   SYN with data drops: 0
        Invalid ACK drops   : 0                   SYN-ACK with data drops: 0
        Out-of-order (OoO) packets : 0            OoO no buffer drops: 0
        OoO buffer timeout drops : 0              SEQ past window drops: 0
        Reserved bit cleared: 0                   Reserved bit drops : 0
        IP TTL modified     : 0                   Urgent flag cleared: 0
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 0                Timestamp cleared  : 6763
          Window scale cleared : 0
          Other options cleared: 0
          Other options drops: 0
 
					
				
				
			
		