[c-nsp] ASA tcp-state-bypass error/bug?

Adam Greene maillist at webjogger.net
Thu Jan 27 16:57:43 EST 2011


Hi Vijay,

Thanks, that was very helpful.

With the help of the troubleshooting tools you suggested, we finally 
determined the culprit.

In addition to the configs I shared, we also had:

----------------------
class-map connection_limits
  match any
!
policy-map outside_policy
  class connection_limits
   set connection per-client-max 10000
!
service-policy outside_policy interface outside
----------------------

By messing around with the policy-maps, we discovered that the 
connection_limits class of the policy-map on the outside interface was 
trumping the tcp_state_bypass class of the global policy-map.

We resolved the issue by modifying the policy-map on the outside 
interface as follows:

----------------------
policy-map outside_policy
  class tcp_state_bypass
   set connection per-client-max 10000
   set connection advanced-options tcp-state-bypass
  class connection_limits
   set connection per-client-max 10000
----------------------

We have two ASA firewalls, and the problem is still happening on the 
other one. I suspect that the default inspection class of the global 
policy is trumping the tcp_state_bypass class, but we have to run some 
tests during off-hours to be sure.

I'll post the results here.

Thanks so much.

Adam
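The precedence rule uncovered above (interface service-policy beats global service-policy for a feature, and within one policy-map the first matching class claims the "set connection" feature so later classes and the other policy are skipped) is easy to model. The following is an added Python model written for this archive page; it is not Cisco code and not part of the original thread. It uses the addresses and limits from the messages above (12.0.1.28, 204.8.80.5, per-client-max 10000) and assumes, as a constructed simplification, that the outside interface ACL permits the test traffic and that "per-client-max" and "advanced-options" both belong to the single "set connection" feature, which is what the observed behaviour implies.

```python
"""Toy model of ASA Modular Policy Framework (MPF) precedence for the
'set connection' feature. Constructed example, not ASA code. It models:
  1. the ingress interface ACL being evaluated before any service-policy,
  2. the interface service-policy winning over the global one for a feature,
  3. within one policy-map, the first class that matches the flow claiming
     the feature, so later classes (and the other policy-map) are skipped.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry; 'any' or 'host X' as on the ASA."""
    src: str = "any"
    dst: str = "any"

    def matches(self, flow: Flow) -> bool:
        return _in(flow.src, self.src) and _in(flow.dst, self.dst)


def _in(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    # 'host X' and a bare address are both a /32
    return ip_address(addr) in ip_network(spec.replace("host ", ""), strict=False)


@dataclass
class ClassMap:
    name: str
    acl: Optional[List[Ace]] = None  # None models 'match any'

    def matches(self, flow: Flow) -> bool:
        return self.acl is None or any(a.matches(flow) for a in self.acl)


@dataclass
class PolicyClass:
    cmap: ClassMap
    set_connection: Dict[str, object] = field(default_factory=dict)


@dataclass
class PolicyMap:
    name: str
    classes: List[PolicyClass]

    def resolve(self, flow: Flow) -> Optional[PolicyClass]:
        # First class in configuration order that matches claims 'set connection'
        for pc in self.classes:
            if pc.set_connection and pc.cmap.matches(flow):
                return pc
        return None


def resolve_set_connection(flow: Flow, interface_acl: List[Ace],
                           interface_policy: Optional[PolicyMap],
                           global_policy: Optional[PolicyMap]
                           ) -> Tuple[str, Optional[str], Dict[str, object]]:
    """Return (policy_name, class_name, options); ('acl-drop', None, {}) if
    the interface ACL never permits the flow (Vijay's packet-tracer case)."""
    if not any(a.matches(flow) for a in interface_acl):
        return ("acl-drop", None, {})
    for pm in (interface_policy, global_policy):  # interface policy first
        hit = pm.resolve(flow) if pm else None
        if hit:
            return (pm.name, hit.cmap.name, dict(hit.set_connection))
    return ("none", None, {})


# Adam's configuration, as posted in the thread
BYPASS_ACL = [Ace("any", "host 12.0.1.28"), Ace("host 12.0.1.28", "any")]
TCP_STATE_BYPASS = ClassMap("tcp_state_bypass", BYPASS_ACL)
CONNECTION_LIMITS = ClassMap("connection_limits")  # match any

GLOBAL_POLICY = PolicyMap("global_policy", [
    PolicyClass(TCP_STATE_BYPASS, {"advanced-options": "tcp-state-bypass"}),
])
OUTSIDE_BEFORE = PolicyMap("outside_policy", [
    PolicyClass(CONNECTION_LIMITS, {"per-client-max": 10000}),
])
OUTSIDE_AFTER = PolicyMap("outside_policy", [
    PolicyClass(TCP_STATE_BYPASS, {"per-client-max": 10000,
                                   "advanced-options": "tcp-state-bypass"}),
    PolicyClass(CONNECTION_LIMITS, {"per-client-max": 10000}),
])
OUTSIDE_ACL = [Ace("any", "any")]  # constructed: assume the interface ACL permits it


def bypass_applied(flow: Flow, outside_policy: PolicyMap,
                   outside_acl: List[Ace] = OUTSIDE_ACL) -> bool:
    _, _, opts = resolve_set_connection(flow, outside_acl, outside_policy, GLOBAL_POLICY)
    return opts.get("advanced-options") == "tcp-state-bypass"


if __name__ == "__main__":
    syn_ack = Flow("12.0.1.28", "204.8.80.5")  # the logged SYN ACK arriving on outside
    for label, pm in (("before fix", OUTSIDE_BEFORE), ("after fix", OUTSIDE_AFTER)):
        print(label, resolve_set_connection(syn_ack, OUTSIDE_ACL, pm, GLOBAL_POLICY))
```

Running it shows the logged SYN ACK being claimed by outside_policy/connection_limits before the fix (so the global policy's bypass class is never consulted, matching the hitcnt=0 on the bypass ACL), and by outside_policy/tcp_state_bypass after the fix; a flow that the interface ACL does not permit comes back as acl-drop before any policy-map is looked at.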

On 1/27/2011 2:05 PM, Ramcharan, Vijay A wrote:
> I put a basic config together in a lab and do not see any issues.
> Ensure that you have permitted the traffic on your outside interface
> ACL. Without a permit for the traffic I get the same "Deny TCP (no
> connection)" messages that you listed.
> Use the packet tracer feature on the ASA to verify that the traffic is
> being permitted by your firewall security policy.
>
> ----------------------
> asa5505-1# sho ver
>
> Cisco Adaptive Security Appliance Software Version 8.2(4)
> ----------------------
>
> same-security-traffic permit inter-interface
> same-security-traffic permit intra-interface
> access-list outside extended permit icmp any any
> access-list outside extended permit tcp host 1.1.1.1 host 2.2.2.2
> ----------------------
> access-list state-byp extended permit tcp host 1.1.1.1 host 2.2.2.2
> access-list state-byp extended permit tcp host 2.2.2.2 host 1.1.1.1
> ----------------------
> class-map class-state-byp
>   match access-list state-byp
> ----------------------
> policy-map global_policy
>   class class-state-byp
>    set connection advanced-options tcp-state-bypass
> ----------------------
> asa5505-1# show access-li
> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
>              alert-interval 300
> access-list outside; 2 elements; name hash: 0x1a47dec4
> access-list outside line 1 extended permit icmp any any (hitcnt=0)
> 0x390a154c
> access-list outside line 2 extended permit tcp host 1.1.1.1 host 2.2.2.2
> (hitcnt=2) 0x487c7639
> access-list state-byp; 2 elements; name hash: 0x85668841
> access-list state-byp line 1 extended permit tcp host 1.1.1.1 host
> 2.2.2.2 (hitcnt=1) 0x3b6e8bc3
> access-list state-byp line 2 extended permit tcp host 2.2.2.2 host
> 1.1.1.1 (hitcnt=0) 0xe49de108
> ----------------------
> Jan 27 2011 10:34:38: %ASA-6-302303: Built TCP state-bypass connection 3
> from outside:1.1.1.1/23 (1.1.1.1/23) to inside:2.2.2.2/56353 (2.2.2.2
> /56353)
> ----------------------
> Without an interface ACL permit:
> Jan 27 2011 10:38:59: %ASA-6-106015: Deny TCP (no connection) from
> 1.1.1.1/23 to 2.2.2.2/19821 flags SYN ACK  on interface outside
> Jan 27 2011 10:39:01: %ASA-6-106015: Deny TCP (no connection) from
> 1.1.1.1/23 to 2.2.2.2/19821 flags SYN ACK  on interface outside
> Jan 27 2011 10:39:01: %ASA-6-106015: Deny TCP (no connection) from
> 1.1.1.1/23 to 2.2.2.2/19821 flags ACK  on interface outside
>
> asa5505-1# packet input outside tcp 1.1.1.1 telnet 2.2.2.2 4500
>
> Result:
> input-interface: outside
> input-status: up
> input-line-status: up
> output-interface: inside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
> ----------------------
> With an interface ACL permit:
> asa5505-1# packet input outside tcp 1.1.1.1 telnet 2.2.2.2 4500
>
> Result:
> input-interface: outside
> input-status: up
> input-line-status: up
> output-interface: inside
> output-status: up
> output-line-status: up
> Action: allow
> ----------------------
>
> Vijay Ramcharan
>
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Adam Greene
>> Sent: Thursday, January 27, 2011 11:41 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ASA tcp-state-bypass error/bug?
>>
>> Hi all,
>>
>> I've opened a new thread for this issue (was: "asymmetric multihoming &
>> nat").
>>
>> Having an issue on an ASA device (8.2(4)) with tcp-state-bypass enabled.
>> Despite these configs:
>>
>> access-list tcp_state_bypass_acl extended permit ip any host 12.0.1.28
>> access-list tcp_state_bypass_acl extended permit ip host 12.0.1.28 any
>> !
>> class-map tcp_state_bypass
>>    match access-list tcp_state_bypass_acl
>> !
>> policy-map global_policy
>> class tcp_state_bypass
>>     set connection advanced-options tcp-state-bypass
>> !
>> service-policy global_policy global
>>
>> (note that these configs are for test traffic, hence referencing only a
>> single host)
>>
>> I am still seeing the logs
>>
>> 2011-01-26 16:53:59    Local4.Debug    10.10.30.3    %ASA-7-609001:
>> Built local-host outside:12.0.1.28
>> 2011-01-26 16:53:59    Local4.Info    10.10.30.3    %ASA-6-106015: Deny
>> TCP (no connection) from 12.0.1.28/23 to 204.8.80.5/54015 flags SYN ACK
>> on interface outside
>> 2011-01-26 16:53:59    Local4.Debug    10.10.30.3    %ASA-7-609002:
>> Teardown local-host outside:12.0.1.28 duration 0:00:00
>>
>> Supposedly configuring tcp-state-bypass on the ASA should allow this
>> traffic, but it doesn't seem to be working.
>>
>> I'm not seeing hits on the ACL either:
>>
>> access-list tcp_state_bypass_acl line 1 extended permit ip any host
>> 12.0.1.28 (hitcnt=0)
>> access-list tcp_state_bypass_acl line 2 extended permit ip host
>> 12.0.1.28 any (hitcnt=0)
>>
>> Could this be a bug? Am I missing something obvious?
>>
>> I even added
>>
>> tcp-map synackallow
>>     synack-data allow
>>     invalid-ack allow
>> !
>> class syn_ack_allow
>>     set connection advanced-options synackallow
>> !
>> policy-map global_policy
>>    class syn_ack_allow
>>     set connection advanced-options synackallow
>>
>> in case that would help. Nope, it did not.
>>
>> Thanks,
>> Adam
>>
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
