Verification of TCP state bypass on Network

mahesh18
Level 6

Hi everyone,

I know how TCP state bypass works, and I have the following config on the ASA under the global policy.

class-map all-traffic
  match any

policy-map global_policy
  class all-traffic
    set connection advanced-options tcp-state-bypass

This ASA connects to switch B, which has an HSRP connection with switch A.

When I look at the ASA log, it shows:

Jun 21 2013 18:26:05: %ASA-6-302303: Built TCP state-bypass connection 7218 from outside:72.21.81.253/80 (72.21.81.253/80) to inside:192.168.52.9/9293 (192.168.11.2 /49248)

Jun 21 2013 18:26:06: %ASA-6-302304: Teardown TCP state-bypass connection 6282 from outside:24.244.4.14/80 to inside:192.168.52.9/8529 duration  1:02:12 bytes 4994733 Connection timeout

Jun 21 2013 18:26:08: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765

Jun 21 2013 18:26:10: %ASA-6-302304: Teardown TCP state-bypass connection 6286 from outside:24.244.4.14/80 to inside:192.168.52.9/8533 duration  1:00:05 bytes 2787 Connection timeout

Jun 21 2013 18:26:11: %ASA-6-302304: Teardown TCP state-bypass connection 6289 from outside:24.244.4.14/80 to inside:192.168.52.9/8536 duration  1:00:04 bytes 2787 Connection timeout

Jun 21 2013 18:26:11: %ASA-6-302304: Teardown TCP state-bypass connection 6288 from outside:24.244.4.14/80 to inside:192.168.52.9/8535 duration  1:00:05 bytes 2787 Connection timeout

Jun 21 2013 18:26:13: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765

Jun 21 2013 18:26:18: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765

Jun 21 2013 18:26:20: %ASA-6-302304: Teardown TCP state-bypass connection 6291 from outside:24.244.4.14/80 to inside:192.168.52.9/8538 duration  1:00:05 bytes 2787 Connection timeout

Jun 21 2013 18:26:23: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765

Jun 21 2013 18:26:27: %ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.52.9/8529 to outside:192.168.11.2/39901 duration 1:02:33

Jun 21 2013 18:26:28: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765

Jun 21 2013 18:26:29: %ASA-6-302304: Teardown TCP state-bypass connection 6292 from outside:24.244.4.14/80 to inside:192.168.52.9/8539 duration  1:00:05 bytes 2787 Connection timeout

sh conn shows all the flags as b:

TCP outside 74.120.148.2:443 inside 192.168.52.9:9226, idle 0:20:01, bytes 4657, flags b

TCP outside 69.192.94.131:443 inside 192.168.52.9:9189, idle 0:18:33, bytes 2971, flags b

TCP outside 69.192.94.131:443 inside 192.168.52.9:9188, idle 0:18:12, bytes 2843, flags b

TCP outside 69.192.94.131:443 inside 192.168.52.9:9185, idle 0:18:23, bytes 10715, flags b

TCP outside 69.192.94.131:443 inside 192.168.52.9:9136, idle 0:18:13, bytes 58935, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9205, idle 0:19:57, bytes 0, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9204, idle 0:18:07, bytes 34927, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9203, idle 0:18:07, bytes 35412, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9195, idle 0:19:57, bytes 0, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9194, idle 0:18:08, bytes 4738, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9193, idle 0:19:57, bytes 0, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9192, idle 0:18:07, bytes 8139, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9148, idle 0:18:09, bytes 8953, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9084, idle 0:39:19, bytes 551, flags b

TCP outside 173.194.33.60:80 inside 192.168.52.9:9083, idle 0:41:09, bytes 0, flags b

TCP outside 72.21.91.29:80 inside 192.168.52.9:9263, idle 0:06:41, bytes 3768, flags b

ciscoasa#

I need to confirm: in the current setup, where traffic is entering and leaving via the same ASA, is the TCP bypass working or not?

Regards

Mahesh


5 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

Yes, your TCP State Bypass configuration has been applied to each of the connections above.

This flag explanation can be seen with the command "show conn detail":

b - TCP state-bypass or nailed

So you won't be seeing any other TCP flag on connections if you have set this to apply to all connections.

- Jouni

Hi Jouni,

Thanks for confirming my thoughts.

It was strange that even though traffic goes back and forth via a single ASA, I see all TCP flags as b.

It seems this is the default behaviour, right?

Regards

Mahesh

Hi,

This should be normal, as you apply the TCP State Bypass to all traffic going through the ASA. Since the TCP state check is now bypassed, like the configuration says, the ASA essentially doesn't care about the flags/state of the TCP connection anymore and should, to my understanding, let all TCP traffic through that is allowed by the ACLs.

If you want to try, you could always create an ACL that defines only traffic between certain IP addresses and attach this ACL to the "class-map" that you have configured. Then the TCP State Bypass would only be applied to the traffic/connections specified in the ACL.

After this you could try to generate TCP traffic that matches that ACL and also generate TCP traffic that doesn't match it, and check the ASA's connection table while the connections are still there. You should see one TCP connection with the flag "b" and the other with some other TCP flags that you might be used to seeing when looking with "show conn" or "show conn detail".

- Jouni
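The check Jouni describes (look at the connection table while the connections are still up and see which ones carry the "b" flag) and Mahesh's original question (is bypass actually applied?) can both be answered by parsing the ASA's own output. The script below is an added example, not code from this thread or from Cisco: it parses "show conn" lines in the format shown above, splits TCP connections into state-bypass ("b") and normally inspected ones, and counts the %ASA-6-302303 (built) and %ASA-6-302304 (teardown) state-bypass syslog messages. The sample "show conn" and syslog lines are constructed for the example (two are copied from the thread, the others, including the non-bypass "UIO" connection and the 203.0.113.0/24 and 198.51.100.0/24 addresses, are made up); the flag match is case-sensitive because the ASA flag list distinguishes lowercase "b" (state-bypass or nailed) from uppercase "B".

```python
import re
from collections import Counter

# Constructed sample of "show conn" output (first two lines taken from the thread,
# the rest made up to show a non-bypass TCP connection and a UDP entry).
SHOW_CONN = """\
TCP outside 74.120.148.2:443 inside 192.168.52.9:9226, idle 0:20:01, bytes 4657, flags b
TCP outside 173.194.33.60:80 inside 192.168.52.9:9205, idle 0:19:57, bytes 0, flags b
TCP outside 203.0.113.10:443 inside 192.168.52.20:51000, idle 0:00:12, bytes 8812, flags UIO
UDP outside 198.51.100.5:53 inside 192.168.52.9:40123, idle 0:00:03, bytes 120, flags -
"""

# Constructed sample syslog excerpt (three lines taken from the thread's log).
SYSLOG = """\
Jun 21 2013 18:26:05: %ASA-6-302303: Built TCP state-bypass connection 7218 from outside:72.21.81.253/80 (72.21.81.253/80) to inside:192.168.52.9/9293 (192.168.11.2/49248)
Jun 21 2013 18:26:06: %ASA-6-302304: Teardown TCP state-bypass connection 6282 from outside:24.244.4.14/80 to inside:192.168.52.9/8529 duration 1:02:12 bytes 4994733 Connection timeout
Jun 21 2013 18:26:08: %ASA-7-710005: UDP request discarded from 192.168.52.9/7765 to inside:255.255.255.255/7765
"""

# One "show conn" line: proto, outside if/ip:port, inside if/ip:port, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)

# ASA syslog header: %ASA-<severity>-<6-digit message id>: <text>
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

STATE_BYPASS_MSGIDS = {"302303": "built", "302304": "teardown"}


def parse_show_conn(text):
    """Return one dict per parseable connection line; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            conns.append(d)
    return conns


def bypass_summary(conns):
    """Count TCP connections with the state-bypass flag versus normally inspected ones.

    The check is case-sensitive on purpose: 'b' is state-bypass/nailed, 'B' is a
    different ASA flag.
    """
    tcp = [c for c in conns if c["proto"] == "TCP"]
    bypass = [c for c in tcp if "b" in c["flags"]]
    return {
        "tcp_total": len(tcp),
        "bypass": len(bypass),
        "inspected": len(tcp) - len(bypass),
    }


def all_tcp_bypassed(conns):
    """True when every TCP connection in the table is in state-bypass mode.

    With a 'match any' class-map this should hold; with an ACL-scoped class-map
    you expect a mix, which is what Jouni's test looks for.
    """
    s = bypass_summary(conns)
    return s["tcp_total"] > 0 and s["inspected"] == 0


def count_bypass_events(text):
    """Count state-bypass built/teardown syslog messages by message id."""
    counts = Counter()
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m and m.group("msgid") in STATE_BYPASS_MSGIDS:
            counts[m.group("msgid")] += 1
    return dict(counts)


if __name__ == "__main__":
    conns = parse_show_conn(SHOW_CONN)
    print("connection table:", bypass_summary(conns))
    print("all TCP bypassed:", all_tcp_bypassed(conns))
    print("state-bypass syslog events:", count_bypass_events(SYSLOG))
```

Feed it the real output of "show conn" and a syslog export instead of the constructed samples; if the class-map is scoped with an ACL as Jouni suggests, the "inspected" count should be non-zero for traffic outside the ACL, and a "b" on every TCP entry means the bypass is applied to everything.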

Hi Jouni,

Thanks for explaining it in more detail. I got it now.

Best Regards

Mahesh

Thanks for the detailed information.

One question disturbs me.

In my Cisco ASA, bytes are always shown as 1 in TCP state bypass connections.

For example:

TCP outside 192.168.201.63:46746 inside 10.84.33.4:7099, idle 0:13:51, bytes 1, flags b
TCP outside 192.168.201.63:46747 inside 10.84.33.4:7099, idle 0:13:51, bytes 1, flags b
TCP outside 192.168.201.63:45905 inside 10.84.33.4:7099, idle 1:00:30, bytes 1, flags b


Please help to clarify this case.

Thanks in advance.
