[c-nsp] ASA tcp-state-bypass error/bug?
Adam Greene
maillist at webjogger.net
Thu Jan 27 11:41:14 EST 2011
Hi all,

I've opened a new thread for this issue (was: "asymmetric multihoming & nat").

Having an issue on an ASA device (8.2(4)) with tcp-state-bypass enabled. Despite these configs:
access-list tcp_state_bypass_acl extended permit ip any host 12.0.1.28
access-list tcp_state_bypass_acl extended permit ip host 12.0.1.28 any
!
class-map tcp_state_bypass
match access-list tcp_state_bypass_acl
!
policy-map global_policy
class tcp_state_bypass
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
(note that these configs are for test traffic, hence referencing only a single host)

I am still seeing the logs:

2011-01-26 16:53:59 Local4.Debug 10.10.30.3 %ASA-7-609001: Built local-host outside:12.0.1.28
2011-01-26 16:53:59 Local4.Info 10.10.30.3 %ASA-6-106015: Deny TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54015 flags SYN ACK on interface outside
2011-01-26 16:53:59 Local4.Debug 10.10.30.3 %ASA-7-609002: Teardown local-host outside:12.0.1.28 duration 0:00:00
Supposedly configuring tcp-state-bypass on the ASA should allow this traffic, but it doesn't seem to be working.

I'm not seeing hits on the ACL either:

access-list tcp_state_bypass_acl line 1 extended permit ip any host 12.0.1.28 (hitcnt=0)
access-list tcp_state_bypass_acl line 2 extended permit ip host 12.0.1.28 any (hitcnt=0)

Could this be a bug? Am I missing something obvious?

I even added
tcp-map synackallow
synack-data allow
invalid-ack allow
!
class syn_ack_allow
set connection advanced-options synackallow
!
policy-map global_policy
class syn_ack_allow
set connection advanced-options synackallow
in case that would help. Nope, it did not.

Thanks,
Adam
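The two symptoms in the post (106015 "Deny TCP (no connection)" messages carrying SYN ACK on the outside interface, and hitcnt=0 on the bypass ACL) are worth pulling out of a syslog feed and "show access-list" output side by side when troubleshooting asymmetric paths, because a SYN-ACK with no connection is the server half of a handshake whose SYN the ASA never saw, and a zero hit count shows the bypass class is not matching that traffic at all. The following Python script is an added example, not part of Adam's post or of the cisco-nsp thread; the regexes follow the message layout quoted above, and every log line and ACE other than the ones copied from the post is a constructed sample.

```python
import re
from collections import Counter

# Pattern for the ASA-6-106015 "Deny TCP (no connection)" syslog message,
# in the layout quoted in the post (syslog prefix, then the %ASA tag).
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Pattern for one ACE in "show access-list" output with its hit counter.
HITCNT_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) .*?\(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample syslog lines. The first two repeat the post's lines
# (joined back onto single lines); the rest are made up for illustration.
SAMPLE_LOGS = [
    "2011-01-26 16:53:59 Local4.Debug 10.10.30.3 %ASA-7-609001: Built local-host outside:12.0.1.28",
    "2011-01-26 16:53:59 Local4.Info 10.10.30.3 %ASA-6-106015: Deny TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54015 flags SYN ACK on interface outside",
    "2011-01-26 16:54:03 Local4.Info 10.10.30.3 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 203.0.113.9/51022 flags ACK on interface outside",
    "2011-01-26 16:54:10 Local4.Info 10.10.30.3 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 203.0.113.9/51022 flags RST on interface outside",
    "2011-01-26 16:54:12 Local4.Info 10.10.30.3 %ASA-6-106015: Deny TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54020 flags SYN ACK on interface outside",
]

# Constructed "show access-list" excerpt: the post's two ACEs plus one
# unrelated, matching ACE for contrast.
SAMPLE_ACL = [
    "access-list tcp_state_bypass_acl line 1 extended permit ip any host 12.0.1.28 (hitcnt=0)",
    "access-list tcp_state_bypass_acl line 2 extended permit ip host 12.0.1.28 any (hitcnt=0)",
    "access-list outside_in line 1 extended permit tcp any host 12.0.1.28 eq telnet (hitcnt=17)",
]


def parse_deny(line):
    """Fields of a 106015 message as a dict, or None for any other line."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["flags"] = d["flags"].split()
    return d


def parse_hitcnt(line):
    """(acl name, line number, hit count) for one ACE line, or None."""
    m = HITCNT_RE.search(line)
    if m is None:
        return None
    return (m.group("acl"), int(m.group("line")), int(m.group("hits")))


def find_asymmetric_replies(lines):
    """106015 denies whose flags are SYN+ACK: the server side of a handshake
    arriving for a SYN the ASA never saw, the classic asymmetric-path symptom."""
    out = []
    for line in lines:
        d = parse_deny(line)
        if d and {"SYN", "ACK"} <= set(d["flags"]):
            out.append(d)
    return out


def summarize_no_connection(lines):
    """Count 106015 denies per (source host, ingress interface)."""
    counts = Counter()
    for line in lines:
        d = parse_deny(line)
        if d:
            counts[(d["src"], d["iface"])] += 1
    return counts


def zero_hit_aces(lines):
    """ACEs whose hit counter is still zero, i.e. the class is not matching."""
    return [(acl, ln) for acl, ln, hits in map(parse_hitcnt, lines) if hits == 0] \
        if all(parse_hitcnt(l) for l in lines) else \
        [(p[0], p[1]) for p in (parse_hitcnt(l) for l in lines) if p and p[2] == 0]


if __name__ == "__main__":
    for d in find_asymmetric_replies(SAMPLE_LOGS):
        print(f"SYN/ACK with no connection: {d['src']}:{d['sport']} -> "
              f"{d['dst']}:{d['dport']} on {d['iface']}")
    for (src, iface), n in summarize_no_connection(SAMPLE_LOGS).items():
        print(f"{n} no-connection denies from {src} on {iface}")
    for acl, ln in zero_hit_aces(SAMPLE_ACL):
        print(f"{acl} line {ln}: hitcnt=0 (bypass class not matching)")
```

Run against a real syslog export and the full "show access-list" output, the script lists which hosts are producing no-connection denies, which of those are SYN-ACK replies rather than stray ACK/RST packets, and which bypass ACEs have never matched, which is the evidence you want in hand before deciding whether the policy is misapplied or the platform is misbehaving.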