[c-nsp] ASA tcp-state-bypass error/bug?

Adam Greene maillist at webjogger.net
Thu Jan 27 11:41:14 EST 2011


Hi all,

I've opened a new thread for this issue (was: "asymmetric multihoming & nat").

Having an issue on an ASA device (8.2(4)) with tcp-state-bypass enabled. 
Despite these configs:

access-list tcp_state_bypass_acl extended permit ip any host 12.0.1.28
access-list tcp_state_bypass_acl extended permit ip host 12.0.1.28 any
!
class-map tcp_state_bypass
  match access-list tcp_state_bypass_acl
!
policy-map global_policy
class tcp_state_bypass
   set connection advanced-options tcp-state-bypass
!
service-policy global_policy global

(note that these configs are for test traffic, hence referencing only a 
single host)

I am still seeing the logs

2011-01-26 16:53:59    Local4.Debug    10.10.30.3    %ASA-7-609001: Built local-host outside:12.0.1.28
2011-01-26 16:53:59    Local4.Info    10.10.30.3    %ASA-6-106015: Deny TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54015 flags SYN ACK  on interface outside
2011-01-26 16:53:59    Local4.Debug    10.10.30.3    %ASA-7-609002: Teardown local-host outside:12.0.1.28 duration 0:00:00

Supposedly configuring tcp-state-bypass on the ASA should allow this 
traffic, but it doesn't seem to be working.

I'm not seeing hits on the ACL either:

access-list tcp_state_bypass_acl line 1 extended permit ip any host 12.0.1.28 (hitcnt=0)
access-list tcp_state_bypass_acl line 2 extended permit ip host 12.0.1.28 any (hitcnt=0)

Could this be a bug? Am I missing something obvious?

I even added

tcp-map synackallow
   synack-data allow
   invalid-ack allow
!
class syn_ack_allow
   set connection advanced-options synackallow
!
policy-map global_policy
  class syn_ack_allow
   set connection advanced-options synackallow

in case that would help. Nope, it did not.

Thanks,
Adam
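As an added diagnostic aid (example code, not part of Adam's post or any Cisco tool): the script below parses %ASA-6-106015 "Deny TCP (no connection)" lines in the format quoted above, parses the bypass ACL entries, and lists the denied flows that the ACL should have covered. The log lines and the second ACL-free flow are constructed samples; the ACL text is the one from the post.

```python
import ipaddress
import re

# Constructed sample lines in the %ASA-6-106015 format quoted in the post
# (the first mirrors the post's flow, the second is an unrelated flow).
SAMPLE_LOGS = """\
2011-01-26 16:53:59    Local4.Info    10.10.30.3    %ASA-6-106015: Deny TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54015 flags SYN ACK  on interface outside
2011-01-26 16:54:02    Local4.Info    10.10.30.3    %ASA-6-106015: Deny TCP (no connection) from 10.10.40.7/443 to 198.51.100.9/51000 flags ACK  on interface inside
"""

# The bypass ACL exactly as configured in the post.
BYPASS_ACL = """\
access-list tcp_state_bypass_acl extended permit ip any host 12.0.1.28
access-list tcp_state_bypass_acl extended permit ip host 12.0.1.28 any
"""

DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) "
    r"flags ([A-Z ]+?)\s+on interface (\S+)"
)

def parse_106015(text):
    """Return one dict per 106015 line: src, sport, dst, dport, flags, iface."""
    flows = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            src, sport, dst, dport, flags, iface = m.groups()
            flows.append({"src": src, "sport": int(sport), "dst": dst,
                          "dport": int(dport), "flags": flags.split(),
                          "iface": iface})
    return flows

def _endpoint(tokens):
    """Consume an ACL endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def parse_acl(acl_text):
    """Parse 'access-list NAME extended permit ip SRC DST' lines into (src, dst)."""
    entries = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "access-list" and parts[4] == "ip":
            toks = parts[5:]
            entries.append((_endpoint(toks), _endpoint(toks)))
    return entries

def unexpected_denies(log_text, acl_text):
    """Denied 'no connection' flows that the bypass ACL covers, i.e. the ones
    tcp-state-bypass should have admitted; a non-empty list with hitcnt=0 on
    the ACL means the class is not being applied to that traffic."""
    acl = parse_acl(acl_text)
    return [f for f in parse_106015(log_text)
            if any(ipaddress.ip_address(f["src"]) in s
                   and ipaddress.ip_address(f["dst"]) in d for s, d in acl)]
```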
