12089 Views, 10 Helpful, 16 Replies

Unexpected TCP timestamp option cleared in server's response

bwallander (Level 1)

Hello,

I have a question about the functionality of the ASA firewall in regards to TCP option handling which I've yet to find any relevant documentation or known bugs for.

Consider the following scenario:

ASA 5520 - 8.0(4)

An HTTP client (outside) is making a simple port 80/tcp connection to an HTTP server hosted behind the ASA (inside). The client is specifically configured NOT to include the TCP timestamp value in its initial SYN request to the server. The server however has a unique requirement where the timestamp option MUST be populated and included in its SYN-ACK TCP header response to all clients, regardless of whether or not the client initially sent one. An iptables rule on the Linux server is enforcing this requirement.

My question is, in the above scenario, will the ASA allow the TCP timestamp option (8) to pass back to the client in the SYN-ACK response, containing its TCP options? Or will the ASA clear the option since the client did not send a timestamp in its initial SYN?

Based on our tests the latter appears to be occurring. The ASA looks to be silently clearing this option in the header of the response from the server, possibly because of the RFC violation or some other similar reason. By default, the TCP normalization engine on the ASA should allow the timestamp option to pass ("tcp-options timestamp allow").

An actual tcpdump from the client's perspective:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:26.137565 IP client-machine.local.42788 > www-server.www: Flags [S], seq 3692322182, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
00:00:26.392831 IP www-server.www > client-machine.local.42788: Flags [S.], seq 2550944951, ack 3692322183, win 5792, options [mss 1380,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 7], length 0
00:00:26.392844 IP client-machine.local.42788 > www-server.www: Flags [.], ack 1, win 46, length 0
00:00:26.392902 IP client-machine.local.42788 > www-server.www: Flags [F.], seq 1, ack 1, win 46, length 0
00:00:26.646815 IP www-server.www > client-machine.local.42788: Flags [F.], seq 1, ack 2, win 46, options [nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop], length 0
00:00:26.646826 IP client-machine.local.42788 > www-server.www: Flags [.], ack 2, win 46, length 0
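As an added example (not code from the original post or from Cisco), the following Python parser walks a TCP options field and flags what the capture above shows: a run of NOPs at least as long as a timestamp option (kind 8, 10 bytes) sitting where the server's timestamp should have been. The option byte strings are constructed to match the SYN-ACK and the server's FIN/ACK in the tcpdump; the third string is an assumed reconstruction of the server's original SYN-ACK options and is not in the capture.

```python
import struct

# TCP option kinds (RFC 793, RFC 2018, RFC 7323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8
TIMESTAMP_LEN = 10  # kind(1) + len(1) + TSval(4) + TSecr(4)

def parse_tcp_options(raw):
    """Walk the TCP options field and return a list of (kind, data) tuples.
    NOPs are kept individually so padding runs stay visible."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((OPT_NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("truncated or malformed option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def timestamp_sized_nop_runs(opts):
    """Count NOP runs at least TIMESTAMP_LEN long: gaps exactly where a
    middlebox could have overwritten a timestamp option in place."""
    runs, current = 0, 0
    for kind, _ in opts + [(None, b"")]:  # sentinel flushes the last run
        if kind == OPT_NOP:
            current += 1
            continue
        runs += 1 if current >= TIMESTAMP_LEN else 0
        current = 0
    return runs

def analyze(raw):
    opts = parse_tcp_options(raw)
    return {"timestamp": any(k == OPT_TIMESTAMP for k, _ in opts),
            "ts_sized_nop_runs": timestamp_sized_nop_runs(opts)}

# Constructed to match the capture: the SYN-ACK carried mss 1380, sackOK,
# eleven NOPs, wscale 7; the server's FIN/ACK carried twelve NOPs.
SYNACK_OPTS = (struct.pack("!BBH", OPT_MSS, 4, 1380) + bytes([OPT_SACK_OK, 2])
               + bytes([OPT_NOP]) * 11 + bytes([OPT_WSCALE, 3, 7]))
FINACK_OPTS = bytes([OPT_NOP]) * 12
# Assumed (not in the capture): the same SYN-ACK with the timestamp still intact.
SERVER_SYNACK_OPTS = (struct.pack("!BBH", OPT_MSS, 4, 1380) + bytes([OPT_SACK_OK, 2])
                      + struct.pack("!BBII", OPT_TIMESTAMP, 10, 12345, 0)
                      + bytes([OPT_NOP]) + bytes([OPT_WSCALE, 3, 7]))
```

Run `analyze()` over the options of the SYN-ACK you actually receive; a missing timestamp together with a 10-byte-or-longer NOP run is the signature of in-place option clearing rather than a server that never sent one.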

16 Replies

Good find Andrew ! Again !

-KS

Perfect, thank you Andrew. This is exactly what I was looking for. We're planning for an upgrade to 8.2(2) however it might take a few weeks to get clearance approval. Will let you know however.

Thank you to EVERYONE for your help!

-Buck
