
TCP connection down

sanchezvictor
Level 1
On an ASA5520 with version 9.1(5), the TCP connection is established for an instant, but after 1 minute it goes down.
The application is a database; the connection between the server and the client must remain established for hours.
                                                        VPN site-to-site IPsec
----client ---> inside --> ASA-->outside  ---------------------------------------------------> Azure Server
The VPN is OK.
- Log when it's working

Built outbound TCP connection 3962244 for outside:172.16.144.6/1433 (172.16.144.6/1433) to INSIDE:172.16.48.40/53448 (172.16.48.40/53448)

- Logs when it's down

Teardown TCP connection 3962244 for outside:172.16.144.6/1433 to INSIDE:172.16.48.40/53448 duration 0:00:44 bytes 372486 Tunnel has been torn down

Deny TCP (no connection) from 172.146.48.40/53448 to 172.16.144.6/1433 flags PSH ACK on interface INSIDE

Deny TCP (no connection) from 172.16.144.6/1433 to 172.146.48.40/53448 flags PSH ACK on interface outside

I applied the following TCP bypass configuration:
!
access-list tcpbypass-acl extended permit ip host 172.16.48.40 host 172.16.144.6
!
class-map tcpbypass-cmap
 match access-list tcpbypass-acl
!
policy-map global_policy
 class tcpbypass-cmap
  set connection advanced-options tcp-state-bypass
!

With this configuration the connection is established, but after about 20 minutes the application is inhibited and the following logs appear:

I appreciate any help you can give me.

Regards,

Victor


Aditya Ganjoo
Cisco Employee

Hi,

Please share the packet captures on the ASA's inside and outside interfaces for the concerned traffic.

We need to know what is causing this failure.

Since you have turned on TCP state bypass, that would have taken care of any asymmetric routing, and it bypasses the stateful inspection of TCP sessions for traffic that we explicitly define.

Regards,

Aditya
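The syslog messages quoted in the question can be correlated by flow, so that each teardown (duration, byte count, stated reason) is paired with the "no connection" denies that follow it. This is an added example, not part of the original thread: the sample lines are constructed from the messages in the post with standard ASA spacing, and the names `correlate` and `flow_key` are hypothetical.

```python
import re

# Constructed sample lines modelled on the messages quoted in the question.
SAMPLE_LOG = """\
Built outbound TCP connection 3962244 for outside:172.16.144.6/1433 (172.16.144.6/1433) to INSIDE:172.16.48.40/53448 (172.16.48.40/53448)
Teardown TCP connection 3962244 for outside:172.16.144.6/1433 to INSIDE:172.16.48.40/53448 duration 0:00:44 bytes 372486 Tunnel has been torn down
Deny TCP (no connection) from 172.16.48.40/53448 to 172.16.144.6/1433 flags PSH ACK on interface INSIDE
Deny TCP (no connection) from 172.16.144.6/1433 to 172.16.48.40/53448 flags PSH ACK on interface outside
"""

EP = r"([\d.]+)/(\d+)"  # one ip/port endpoint
TEARDOWN = re.compile(
    rf"Teardown TCP connection (\d+) for \S+?:\s*{EP} to \S+?:\s*{EP}"
    r"\s+duration\s+(\d+):(\d\d):(\d\d)\s+bytes\s+(\d+)\s*(.*)")
DENY = re.compile(
    rf"Deny TCP \(no connection\) from {EP} to {EP}\s*flags (.+?) on interface (\S+)")

def flow_key(ip_a, port_a, ip_b, port_b):
    """Direction-independent key for a TCP flow."""
    return frozenset({(ip_a, int(port_a)), (ip_b, int(port_b))})

def correlate(log_text):
    """Return one record per torn-down connection, with the denies seen after it."""
    records, by_flow = [], {}
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if m:
            h, mi, s = (int(x) for x in m.group(6, 7, 8))
            rec = {"conn_id": int(m.group(1)),
                   "duration_s": h * 3600 + mi * 60 + s,
                   "bytes": int(m.group(9)),
                   "reason": m.group(10).strip(),
                   "denied_after": []}
            records.append(rec)
            by_flow[flow_key(*m.group(2, 3, 4, 5))] = rec
            continue
        m = DENY.search(line)
        if m:
            # Packets arriving after the ASA removed the flow from its table.
            rec = by_flow.get(flow_key(*m.group(1, 2, 3, 4)))
            if rec is not None:
                rec["denied_after"].append((m.group(6), m.group(5)))
    return records

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r)
```

The teardown reason and duration in each record are the values to line up against the timestamps in the inside and outside packet captures requested in the reply.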