The ASA has a feature called TCP normalization which helps to protect from possible attacks.
For example the ASA can allow, drop, or clear a packet or an option within the packet.
The default configuration includes the following actions and settings:
no check-retransmission
no checksum-verification
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear >>>>>>> TCP option 76 is part of this range
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection
In this case Riverbed uses TCP option 76 which on the ASA configuration is set to be cleared by default out of the packet causing the connection to fail.
Here is a configuration example to allow tcp-option 76 through 78.
access-list riverbed_tcp extended permit tcp any any
class-map tcp-traffic
match access-list riverbed_tcp
tcp-map allow-probes
tcp-options range 76 78 allow
policy-map global_policy
class tcp-traffic
set connection advanced-options allow-probes
service-policy global_policy global
Here is the Cisco documentation that confirms TCP normalization behavior:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.html#wp1088337
Here is another document that I found that is not Cisco but that gives out an example on how to do this over CSM:
http://danpol.net/index.php/cisco/firewalls/riverbed-probes-asa/
On this document you can even see how it should show up on a wireshark display and understand a little more about TCP options:
http://mccltd.net/blog/?p=1491