RFC1323 - TCP Timestamps

tirowi007
Level 1

Hi

I need to turn off TCP Timestamps on my ASA - does anyone know how to do this on ASDM?

After a security test it came back failed:

NVT: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

Summary

The remote host implements TCP timestamps and therefore allows to compute   the uptime.

Vulnerability Detection Result

It was detected that the host implements RFC1323.

Any help would be appreciated.

4 Replies

Ajay Saini
Level 7

Hello,

The link below can help you disable the TCP timestamp:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/conns_connlimits.html

You would have to play with tcp normalization to achieve this.


-

HTH
AJ

Thanks

Do you know if this can be done in the ASDM?


Please follow the link below to configure tcp normalizer related changes:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/firewall/asdm-78-firewall-config/conns-connlimits.html


HTH

AJ

rockstar24x7
Level 1

At present, there is no option to switch off the tcp time-stamp for to-the-box ASA https traffic.

1) The ASA does NOT include a Timestamp option for SSH traffic.

2) The ASA DOES include a Timestamp option for HTTPs traffic (this is by design).

3) The ASA does NOT initialize the counter to zero at boot time, but uses a random value between reload/reboot (also by design).

Hence, while indeed the ASA includes a TCP Timestamp option on HTTPs traffic, that option cannot be used to determine device uptime. And no, a tcp-map will not clear the Timestamp option being added to traffic generated by the ASA itself.

If you are concerned about TCP Timestamps traversing the ASA - then it would be best to add a tcp-map to your global policy using the clear option.  The following article shows how to perform this task easily.  http://secureitnetworks.net/index.php/2015/08/21/how-to-remove-tcp-time-stamp-from-packets-on-cisco-asa/

Once you have the tcp-map in place, use the sho service-policy command to show the timestamps cleared.

EXAMPLE:
ciscoasa# sho service-policy

Global policy:
  Service-policy: global_policy
    Class-map: timestamp_class_map
      Set connection policy:         drop 0
      Set connection advanced-options: timestamp_tcp_map
        Retransmission drops: 0                   TCP checksum drops : 0
        Exceeded MSS drops  : 0                   SYN with data drops: 0
        Invalid ACK drops   : 0                   SYN-ACK with data drops: 0
        Out-of-order (OoO) packets : 0            OoO no buffer drops: 0
        OoO buffer timeout drops : 0              SEQ past window drops: 0
        Reserved bit cleared: 0                   Reserved bit drops : 0
        IP TTL modified     : 0                   Urgent flag cleared: 0
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 0                Timestamp cleared  : 6763
          Window scale cleared : 0
          Other options cleared: 0
          Other options drops: 0
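As an added example (not part of the original thread or any Cisco tool), a small Python check that parses the sho service-policy output above and confirms the tcp-map's "Timestamp cleared" counter is advancing between two readings taken while transit TCP traffic flows. The second snapshot and its counter value 7120 are constructed for the example.

```python
import re

# Constructed sample: the relevant lines of the "show service-policy" output
# from the post above, captured at two points in time.
SNAPSHOT_T0 = """\
Global policy:
  Service-policy: global_policy
    Class-map: timestamp_class_map
      Set connection policy:         drop 0
      Set connection advanced-options: timestamp_tcp_map
        TCP-options:
          Selective ACK cleared: 0                Timestamp cleared  : 6763
          Window scale cleared : 0
"""
# Constructed later reading: the counter has grown, so the tcp-map is clearing options.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("6763", "7120")

TCPMAP_RE = re.compile(r"Set connection advanced-options:\s*(\S+)")
COUNTER_RE = re.compile(r"Timestamp cleared\s*:\s*(\d+)")


def parse_timestamp_cleared(output):
    """Return {tcp_map_name: timestamp_cleared_count} for each class-map that
    has a tcp-map applied via 'set connection advanced-options'."""
    result = {}
    current_map = None
    for line in output.splitlines():
        m = TCPMAP_RE.search(line)
        if m:
            current_map = m.group(1)   # remember which tcp-map the counters belong to
            continue
        m = COUNTER_RE.search(line)
        if m and current_map:
            result[current_map] = int(m.group(1))
    return result


def tcp_map_is_active(before, after, tcp_map):
    """True only if the named tcp-map is applied in the policy AND its
    'Timestamp cleared' counter advanced between the two snapshots."""
    b = parse_timestamp_cleared(before).get(tcp_map)
    a = parse_timestamp_cleared(after).get(tcp_map)
    if b is None or a is None:
        return False   # tcp-map not found in the global policy output
    return a > b       # a static counter means no transit traffic is being normalized


if __name__ == "__main__":
    print(parse_timestamp_cleared(SNAPSHOT_T0))
    print(tcp_map_is_active(SNAPSHOT_T0, SNAPSHOT_T1, "timestamp_tcp_map"))
```

Running the check twice with identical output (no traffic in between) returns False, which is the case an operator should investigate before trusting the tcp-map.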
