[c-nsp] ASA tcp-state-bypass error/bug?

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Thu Jan 27 14:05:29 EST 2011


I put a basic config together in a lab and do not see any issues. 
Ensure that you have permitted the traffic on your outside interface
ACL. Without a permit for the traffic I get the same "Deny TCP (no
connection)" messages that you listed. 
Use the packet tracer feature on the ASA to verify that the traffic is
being permitted by your firewall security policy. 

----------------------
asa5505-1# sho ver

Cisco Adaptive Security Appliance Software Version 8.2(4)
----------------------

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside extended permit icmp any any 
access-list outside extended permit tcp host 1.1.1.1 host 2.2.2.2 
----------------------
access-list state-byp extended permit tcp host 1.1.1.1 host 2.2.2.2 
access-list state-byp extended permit tcp host 2.2.2.2 host 1.1.1.1
----------------------
class-map class-state-byp
 match access-list state-byp
----------------------
policy-map global_policy
 class class-state-byp
  set connection advanced-options tcp-state-bypass
----------------------
asa5505-1# show access-li
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside; 2 elements; name hash: 0x1a47dec4
access-list outside line 1 extended permit icmp any any (hitcnt=0)
0x390a154c 
access-list outside line 2 extended permit tcp host 1.1.1.1 host 2.2.2.2
(hitcnt=2) 0x487c7639 
access-list state-byp; 2 elements; name hash: 0x85668841
access-list state-byp line 1 extended permit tcp host 1.1.1.1 host
2.2.2.2 (hitcnt=1) 0x3b6e8bc3 
access-list state-byp line 2 extended permit tcp host 2.2.2.2 host
1.1.1.1 (hitcnt=0) 0xe49de108
----------------------
Jan 27 2011 10:34:38: %ASA-6-302303: Built TCP state-bypass connection 3
from outside:1.1.1.1/23 (1.1.1.1/23) to inside:2.2.2.2/56353 (2.2.2.2
/56353)
----------------------
Without an interface ACL permit:
Jan 27 2011 10:38:59: %ASA-6-106015: Deny TCP (no connection) from
1.1.1.1/23 to 2.2.2.2/19821 flags SYN ACK  on interface outside
Jan 27 2011 10:39:01: %ASA-6-106015: Deny TCP (no connection) from
1.1.1.1/23 to 2.2.2.2/19821 flags SYN ACK  on interface outside
Jan 27 2011 10:39:01: %ASA-6-106015: Deny TCP (no connection) from
1.1.1.1/23 to 2.2.2.2/19821 flags ACK  on interface outside

asa5505-1# packet input outside tcp 1.1.1.1 telnet 2.2.2.2 4500

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
----------------------
With an interface ACL permit:
asa5505-1# packet input outside tcp 1.1.1.1 telnet 2.2.2.2 4500

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
----------------------

Vijay Ramcharan 
 


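Added example, not from either post in this thread: a small Python script that takes config fragments and %ASA-6-106015 lines of the kind quoted above and says, per denied flow, whether an applied tcp-state-bypass class matches it, whether the inbound interface ACL permits it, and therefore which of the two is missing. It is a deliberately small model of the ASA syntax shown here (host/any endpoints, no ports or object-groups, inbound ACLs only). The access-group binding, the service-policy line and the log lines in the sample are constructed for the demo (the 198.51.100.7 flow in particular); the thread only shows the ACL and policy-map fragments. The rule it encodes is the one Vijay's lab shows: the interface ACL is still enforced for a bypassed flow, so a class-map match without an ACL permit still produces 106015, which is consistent with the hitcnt=0 Adam reported on his bypass ACL. Note also that a bypass ACL of "permit ip any host X" turns off TCP state checking for every connection to or from that host, so keep it as narrow as the asymmetric path actually needs.

```python
# Added example (not from the thread): work out why an ASA logs %ASA-6-106015
# "Deny TCP (no connection)" for a flow a tcp-state-bypass class should cover.
# Small model of the running-config syntax seen in the thread: host/any
# endpoints only, no ports, no object-groups, inbound interface ACLs only.
import re
from dataclasses import dataclass, field

ACL_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
                    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)\s*$")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(?P<acl>\S+)\s+in\s+interface\s+(?P<iface>\S+)")
CLASS_MAP_RE = re.compile(r"^class-map\s+(?P<name>\S+)")
MATCH_ACL_RE = re.compile(r"^\s+match\s+access-list\s+(?P<acl>\S+)")
POLICY_MAP_RE = re.compile(r"^policy-map\s+(?P<name>\S+)")
POLICY_CLASS_RE = re.compile(r"^\s+class\s+(?P<name>\S+)")
SERVICE_POLICY_RE = re.compile(r"^service-policy\s+(?P<policy>\S+)\s+(?:global|interface\s+\S+)")
BYPASS_RE = re.compile(r"^\s+set\s+connection\s+advanced-options\s+tcp-state-bypass\b")
DENY_RE = re.compile(r"%ASA-6-106015: Deny (?P<proto>\S+) \(no connection\) from (?P<src>[\d.]+)/\d+ "
                     r"to (?P<dst>[\d.]+)/\d+ flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)")

@dataclass
class Ace:
    action: str
    proto: str  # "ip" matches any protocol, anything else is an exact match
    src: str    # "any" or a host address
    dst: str

    def matches(self, proto, src, dst):
        return self.proto in ("ip", proto) and self.src in ("any", src) and self.dst in ("any", dst)

@dataclass
class AsaConfig:
    acls: dict = field(default_factory=dict)           # ACL name -> [Ace], in config order
    interface_acl: dict = field(default_factory=dict)  # interface -> inbound ACL name
    class_acl: dict = field(default_factory=dict)      # class-map name -> ACL it matches
    bypass_classes: list = field(default_factory=list) # (policy-map, class) with tcp-state-bypass set
    applied: set = field(default_factory=set)          # policy-maps bound by service-policy

def _endpoint(tok):
    return "any" if tok == "any" else tok.split()[1]

def parse_config(text):
    cfg, class_map, policy_map, policy_class = AsaConfig(), None, None, None
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            cfg.acls.setdefault(m["name"], []).append(
                Ace(m["action"], m["proto"].lower(), _endpoint(m["src"]), _endpoint(m["dst"])))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg.interface_acl[m["iface"]] = m["acl"]
        elif m := CLASS_MAP_RE.match(line):
            class_map = m["name"]
        elif (m := MATCH_ACL_RE.match(line)) and class_map:
            cfg.class_acl[class_map] = m["acl"]
        elif m := POLICY_MAP_RE.match(line):
            policy_map = m["name"]
        elif (m := POLICY_CLASS_RE.match(line)) and policy_map:
            policy_class = m["name"]
        elif m := SERVICE_POLICY_RE.match(line):
            cfg.applied.add(m["policy"])
        elif BYPASS_RE.match(line) and policy_map and policy_class:
            cfg.bypass_classes.append((policy_map, policy_class))
    return cfg

def acl_permits(cfg, acl_name, proto, src, dst):
    """First matching ACE wins; an ASA ACL ends with an implicit deny."""
    for ace in cfg.acls.get(acl_name, []):
        if ace.matches(proto, src, dst):
            return ace.action == "permit"
    return False

def bypass_class_for(cfg, proto, src, dst):
    """First applied tcp-state-bypass class whose ACL matches the flow, else None."""
    for policy, cls in cfg.bypass_classes:
        acl = cfg.class_acl.get(cls)
        if policy in cfg.applied and acl and acl_permits(cfg, acl, proto, src, dst):
            return cls
    return None

def explain_deny(cfg, logline):
    """Classify one 106015 line; returns None for any other message."""
    m = DENY_RE.search(logline)
    if not m:
        return None
    proto, src, dst, iface = m["proto"].lower(), m["src"], m["dst"], m["iface"]
    iface_acl = cfg.interface_acl.get(iface)
    acl_ok = iface_acl is not None and acl_permits(cfg, iface_acl, proto, src, dst)
    cls = bypass_class_for(cfg, proto, src, dst)
    if cls is None:
        verdict = "no applied tcp-state-bypass class matches; a stateful deny is expected"
    elif not acl_ok:
        verdict = f"matches bypass class {cls} but inbound ACL on {iface} ({iface_acl or 'none bound'}) has no permit"
    else:
        verdict = f"matches bypass class {cls} and ACL {iface_acl} permits it; expected a 302303 build, run packet-tracer"
    return {"src": src, "dst": dst, "iface": iface, "flags": m["flags"].strip(),
            "bypass_class": cls, "interface_acl_permit": acl_ok, "verdict": verdict}

# Constructed lab config: both bypass classes from the thread side by side.
# The access-group and service-policy lines are assumed; the thread does not show them.
SAMPLE_CONFIG = """\
access-list outside extended permit icmp any any
access-list outside extended permit tcp host 1.1.1.1 host 2.2.2.2
access-group outside in interface outside
access-list state-byp extended permit tcp host 1.1.1.1 host 2.2.2.2
access-list state-byp extended permit tcp host 2.2.2.2 host 1.1.1.1
access-list tcp_state_bypass_acl extended permit ip any host 12.0.1.28
access-list tcp_state_bypass_acl extended permit ip host 12.0.1.28 any
class-map class-state-byp
 match access-list state-byp
class-map tcp_state_bypass
 match access-list tcp_state_bypass_acl
policy-map global_policy
 class class-state-byp
  set connection advanced-options tcp-state-bypass
 class tcp_state_bypass
  set connection advanced-options tcp-state-bypass
service-policy global_policy global
"""

# Constructed syslog lines in the formats quoted in the thread (the 198.51.100.7 flow is invented).
SAMPLE_LOGS = [
    "Jan 26 2011 16:53:59: %ASA-6-106015: Deny TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54015 flags SYN ACK  on interface outside",
    "Jan 27 2011 10:38:59: %ASA-6-106015: Deny TCP (no connection) from 1.1.1.1/23 to 2.2.2.2/19821 flags SYN ACK  on interface outside",
    "Jan 27 2011 10:40:12: %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 2.2.2.2/40001 flags ACK  on interface outside",
    "Jan 27 2011 10:34:38: %ASA-6-302303: Built TCP state-bypass connection 3 from outside:1.1.1.1/23 (1.1.1.1/23) to inside:2.2.2.2/56353 (2.2.2.2/56353)",
]

def triage(config_text, loglines):
    cfg = parse_config(config_text)
    return [r for r in (explain_deny(cfg, line) for line in loglines) if r]

if __name__ == "__main__":
    for r in triage(SAMPLE_CONFIG, SAMPLE_LOGS):
        print(f"{r['src']} -> {r['dst']} [{r['flags']}] on {r['iface']}: {r['verdict']}")
```

Feed it the real running-config and a syslog extract and the first verdict is the one Adam hit: the 12.0.1.28 flow matches the bypass class but the outside ACL has no permit for it. The second is Vijay's lab after adding the permit, where a 106015 would be unexpected and packet-tracer is the next step; the third is an ordinary stateful deny that no bypass class covers.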
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Adam Greene
> Sent: Thursday, January 27, 2011 11:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA tcp-state-bypass error/bug?
> 
> Hi all,
> 
> I've opened a new thread for this issue (was: "asymmetric multihoming &
> nat").
> 
> Having an issue on an ASA device (8.2(4)) with tcp-state-bypass enabled.
> Despite these configs:
> 
> access-list tcp_state_bypass_acl extended permit ip any host 12.0.1.28
> access-list tcp_state_bypass_acl extended permit ip host 12.0.1.28 any
> !
> class-map tcp_state_bypass
>   match access-list tcp_state_bypass_acl
> !
> policy-map global_policy
> class tcp_state_bypass
>    set connection advanced-options tcp-state-bypass
> !
> service-policy global_policy global
> 
> (note that these configs are for test traffic, hence referencing only a
> single host)
> 
> I am still seeing the logs
> 
> 2011-01-26 16:53:59    Local4.Debug    10.10.30.3    %ASA-7-609001:
> Built local-host outside:12.0.1.28
> 2011-01-26 16:53:59    Local4.Info    10.10.30.3    %ASA-6-106015: Deny
> TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54015 flags SYN ACK
> on interface outside
> 2011-01-26 16:53:59    Local4.Debug    10.10.30.3    %ASA-7-609002:
> Teardown local-host outside:12.0.1.28 duration 0:00:00
> 
> Supposedly configuring tcp-state-bypass on the ASA should allow this
> traffic, but it doesn't seem to be working.
> 
> I'm not seeing hits on the ACL either:
> 
> access-list tcp_state_bypass_acl line 1 extended permit ip any host
> 12.0.1.28 (hitcnt=0)
> access-list tcp_state_bypass_acl line 2 extended permit ip host
> 12.0.1.28 any (hitcnt=0)
> 
> Could this be a bug? Am I missing something obvious?
> 
> I even added
> 
> tcp-map synackallow
>    synack-data allow
>    invalid-ack allow
> !
> class syn_ack_allow
>    set connection advanced-options synackallow
> !
> policy-map global_policy
>   class syn_ack_allow
>    set connection advanced-options synackallow
> 
> in case that would help. Nope, it did not.
> 
> Thanks,
> Adam
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


