cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

Internet access and downloads hang or fail completely through the PIX/ASA Firewall

1271
Views
0
Helpful
0
Comments

Core issue

This issue is due to the presence of Cisco bug ID CSCsh83148.

In this issue, http connections through the firewall can be slow, stall or fail completely. This problem is also seen with TCP traffic that is re-ordered by the firewall such as:

  • Traffic subjected to url filtering

  • Traffic that matches any inspection on the firewall

  • Traffic that is sent to a service module (AIP or CSC module)

Out-of-order packets can be received on the outside, which causes packets to be reordered by the ASA TCP normalizer before they are processed further. The reordered packet(s) can have the Timestamp Value incorrectly set to 0, and the connection can be discarded on the CSC.

Resolution

The workaround of this issue is to use Moduler Policy Framework (MPF) in order to clear the tcp timestamp option. Complete these required steps in order to accomplish this task:

  1. Create an extended access-list in order to define the traffic.

  2. Create a class map and bind access-list to it.

  3. Create a new policy-map or use a policy-map that currently exists to bind the class-map with it.

  4. Apply the policy-map globaly.

Refer to this configuration example:

access-list www_traffic extended permit tcp any any eq www
!
class-map www_class
match access-list www_traffic
!
tcp-map tcp_timestamp_clear
tcp-options timestamp clear
!
policy-map global_policy
class www_class
set connection advanced-options tcp_timestamp_clear
!
service-policy global_policy global

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here