This document describes how to configure the TCP state bypass feature, which allows the outbound and inbound traffic to flow through separate Cisco ASA 5500 Series Adaptive Security Appliances (ASAs).
The Cisco ASA must have at least the base license installed before you can proceed with the configuration that is described in this document.
The information in this document is based on the Cisco ASA 5500 Series that runs software Version 9.x.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
This section provides an overview of the TCP state bypass feature and the related support information.
By default, all of the traffic that passes through the ASA is inspected via the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. In order to maximize firewall performance, the ASA checks the state of each packet (for example, whether it belongs to a new connection or to an established one) and assigns it to either the session management path (a new-connection Synchronize (SYN) packet), the fast path (an established connection), or the control plane path (advanced inspection).
The TCP packets that match the current connections in the fast path can pass through the ASA without a recheck of every aspect of the security policy. This feature maximizes performance. However, the method that is used in order to establish the session in the fast path (which uses the SYN packet) and the checks that occur in the fast path (such as the TCP sequence number) can stand in the way of asymmetrical routing solutions; both the outbound and inbound flows of a connection must pass through the same ASA.
For example, a new connection goes to ASA 1. The SYN packet passes through the session management path, and an entry for the connection is added to the fast path table. If subsequent packets on this connection go through ASA 1, the packets match the entry in the fast path and are passed through. If subsequent packets go to ASA 2, where there was not a SYN packet that went through the session management path, then there is no entry in the fast path for the connection, and the packets are dropped.
If you have asymmetric routing configured on the upstream routers, and traffic alternates between two ASAs, then you can configure the TCP state bypass feature for specific traffic. The TCP state bypass feature alters the way that sessions are established in the fast path and disables the fast path checks. This feature treats TCP traffic much as it treats a UDP connection: when a non-SYN packet that matches the specified networks enters the ASA, and there is no fast path entry, then the packet goes through the session management path in order to establish the connection in the fast path. Once in the fast path, the traffic bypasses the fast path checks. Because those checks (such as the TCP sequence number validation described above) are what let the ASA reject out-of-state or injected segments, limit the bypass access list to the exact source and destination networks that are actually routed asymmetrically; do not apply it to any-to-any traffic or as a global policy.
This image provides an example of asymmetric routing, where the outbound traffic goes through a different ASA than the inbound traffic:
This section describes the support information for the TCP state bypass feature.
These features are not supported when you use the TCP state bypass feature:
This section describes how to configure the TCP state bypass feature on the ASA 5500 Series in two different scenarios.
This is the topology that is used for the first scenario:
Complete these steps in order to configure the TCP state bypass feature:
ASA(config)#class-map tcp_bypass
ASA(config-cmap)#match access-list tcp_bypass
ASA(config-cmap)#policy-map tcp_bypass_policy
ASA(config-pmap)#class tcp_bypass
ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass
ASA(config)#service-policy tcp_bypass_policy interface outside
Here is an example configuration for the TCP state bypass feature on ASA1:
!--- Configure the access list to specify the TCP traffic
!--- that needs to bypass inspection to improve the performance.
ASA1(config)#access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!--- Configure the class map and specify the match parameter for the
!--- class map to match the interesting traffic.
ASA1(config)#class-map tcp_bypass
ASA1(config-cmap)#description "TCP traffic that bypasses stateful firewall"
ASA1(config-cmap)#match access-list tcp_bypass
!--- Configure the policy map and specify the class map
!--- inside this policy map for the class map.
ASA1(config-cmap)#policy-map tcp_bypass_policy
ASA1(config-pmap)#class tcp_bypass
!--- Use the set connection advanced-options tcp-state-bypass
!--- command in order to enable TCP state bypass feature.
ASA1(config-pmap-c)#set connection advanced-options tcp-state-bypass
!--- Use the service-policy policymap_name [ global | interface intf ]
!--- command in global configuration mode in order to activate a policy map
!--- globally on all interfaces or on a targeted interface.
ASA1(config)#service-policy tcp_bypass_policy interface outside
!--- NAT configuration
ASA1(config)#object network obj-10.1.1.0
ASA1(config-network-object)#subnet 10.1.1.0 255.255.255.0
ASA1(config-network-object)#nat (inside,outside) static 192.168.1.0
Here is an example configuration for the TCP state bypass feature on ASA2:
!--- Configure the access list to specify the TCP traffic
!--- that needs to bypass inspection to improve the performance.
ASA2(config)#access-list tcp_bypass extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!--- Configure the class map and specify the match parameter for the
!--- class map to match the interesting traffic.
ASA2(config)#class-map tcp_bypass
ASA2(config-cmap)#description "TCP traffic that bypasses stateful firewall"
ASA2(config-cmap)#match access-list tcp_bypass
!--- Configure the policy map and specify the class map
!--- inside this policy map for the class map.
ASA2(config-cmap)#policy-map tcp_bypass_policy
ASA2(config-pmap)#class tcp_bypass
!--- Use the set connection advanced-options tcp-state-bypass
!--- command in order to enable TCP state bypass feature.
ASA2(config-pmap-c)#set connection advanced-options tcp-state-bypass
!--- Use the service-policy policymap_name [ global | interface intf ]
!--- command in global configuration mode in order to activate a policy map
!--- globally on all interfaces or on a targeted interface.
ASA2(config)#service-policy tcp_bypass_policy interface outside
!--- NAT configuration
ASA2(config)#object network obj-10.1.1.0
ASA2(config-network-object)#subnet 10.1.1.0 255.255.255.0
ASA2(config-network-object)#nat (inside,outside) static 192.168.1.0
This section describes how to configure the TCP state bypass feature on the ASA for asymmetric routing scenarios in which the traffic enters and leaves the ASA on the same interface (U-turn traffic).
Here is the topology that is used in this scenario:
Complete these steps in order to configure the TCP state bypass feature:
ASA(config)#access-list tcp_bypass extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA(config)#class-map tcp_bypass
ASA(config-cmap)#match access-list tcp_bypass
ASA(config-cmap)#policy-map tcp_bypass_policy
ASA(config-pmap)#class tcp_bypass
ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass
ASA(config)#service-policy tcp_bypass_policy interface inside
ASA(config)#same-security-traffic permit intra-interface
Here is an example configuration for the TCP state bypass feature on the ASA:
!--- Configure the access list to specify the TCP traffic
!--- that needs to bypass inspection to improve the performance.
ASA(config)#access-list tcp_bypass extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!--- Configure the class map and specify the match parameter for the
!--- class map to match the interesting traffic.
ASA(config)#class-map tcp_bypass
ASA(config-cmap)#description "TCP traffic that bypasses stateful firewall"
ASA(config-cmap)#match access-list tcp_bypass
!--- Configure the policy map and specify the class map
!--- inside this policy map for the class map.
ASA(config-cmap)#policy-map tcp_bypass_policy
ASA(config-pmap)#class tcp_bypass
!--- Use the set connection advanced-options tcp-state-bypass
!--- command in order to enable TCP state bypass feature.
ASA(config-pmap-c)#set connection advanced-options tcp-state-bypass
!--- Use the service-policy policymap_name [ global | interface intf ]
!--- command in global configuration mode in order to activate a policy map
!--- globally on all interfaces or on a targeted interface.
ASA(config)#service-policy tcp_bypass_policy interface inside
!--- Permit same security level traffic on the ASA to support U-turning
ASA(config)#same-security-traffic permit intra-interface
Enter the show conn command in privileged EXEC mode in order to view the number of active TCP and UDP connections and the details of each connection. A connection that is handled by the TCP state bypass feature is shown with the flag b. If a connection that matches the bypass access list does not carry this flag, it was either established before the service policy was applied (service policy changes affect only new connections; clear the connection so that it is rebuilt under the new policy) or it does not actually match the class map.
Here is an example output:
ASA#show conn
1 in use, 3 most used
TCP tcp 10.1.1.1:49525 tcp 172.16.1.1:21, idle 0:01:10, bytes 230, flags b
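The configuration sections above intend the bypass to cover only one pair of networks on one interface, and the show conn output above is the way to confirm that the bypass actually took effect. Here is an added Python example (not Cisco's code and not part of the original document) that does both checks offline: it parses a running-config excerpt built from the scenario 1 values, flags bypass classes whose ACL is broader than TCP, matches any, or is applied globally, and then cross-checks constructed show conn lines against the resolved ACL. The interface names inside and outside, the hosts 10.1.1.7, 10.1.1.9 and 203.0.113.5, and the running-config line layout are assumptions; object-groups and port operators in the ACL are not resolved.

```python
"""Audit Cisco ASA TCP state bypass scope and cross-check it against 'show conn'.
Added example, not Cisco's code: the config and 'show conn' text below is constructed."""
import ipaddress
import re
from collections import namedtuple
# Constructed: the document's ASA1 bypass policy in running-config form.
SAMPLE_CONFIG = """\
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
class-map tcp_bypass
 match access-list tcp_bypass
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface outside
"""
# Constructed: the same policy with an any/any ACL applied globally (removes the
# fast-path checks for every TCP connection through the box).
BROAD_CONFIG = (SAMPLE_CONFIG
                .replace("tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0", "ip any any")
                .replace("interface outside", "global"))
# Constructed 'show conn' output (interface names and hosts assumed); flag 'b' = state bypass.
SAMPLE_SHOW_CONN = """\
TCP outside 172.16.1.1:21 inside 10.1.1.1:49525, idle 0:01:10, bytes 230, flags b
TCP outside 172.16.1.1:80 inside 10.1.1.7:51000, idle 0:00:03, bytes 1200, flags UIO
TCP outside 203.0.113.5:443 inside 10.1.1.9:50222, idle 0:00:01, bytes 9020, flags b
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
CONN_RE = re.compile(r"^(?P<proto>TCP|UDP) \S+ (?P<a>[\d.]+):\d+ \S+ (?P<b>[\d.]+):\d+,"
                     r" idle \S+, bytes \d+, flags (?P<flags>.*)$")
Ace = namedtuple("Ace", "action proto src dst")

def _endpoint(tokens):
    """Consume one ACE endpoint (any | host A.B.C.D | A.B.C.D MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Return one dict per class that sets tcp-state-bypass: its ACL, ACEs and target."""
    acls, cmap_acl, policies, cur = {}, {}, [], {}
    for s in (line.strip() for line in text.splitlines()):
        words = s.split()
        if m := ACE_RE.match(s):
            name, action, proto, rest = m.groups()
            src, rest = _endpoint(rest.split())
            acls.setdefault(name, []).append(Ace(action, proto, src, _endpoint(rest)[0]))
        elif words[:1] in (["class-map"], ["policy-map"], ["class"]):
            cur[words[0]] = words[1]  # track the enclosing class-map / policy-map / class
        elif s.startswith("match access-list "):
            cmap_acl[cur.get("class-map")] = words[2]
        elif s == "set connection advanced-options tcp-state-bypass":
            acl = cmap_acl.get(cur.get("class"), "")
            policies.append({"pmap": cur.get("policy-map"), "class": cur.get("class"),
                             "acl": acl, "aces": acls.get(acl, []), "applied": None})
        elif words[:1] == ["service-policy"]:  # service-policy NAME global|interface IF
            for p in (p for p in policies if p["pmap"] == words[1]):
                p["applied"] = words[3] if words[2] == "interface" else "global"
    return policies

def audit(policies):
    """Flag bypass scopes a reviewer would push back on: non-TCP, 'any', or global."""
    findings = []
    for p in policies:
        if not p["aces"]:
            findings.append((p["class"], "no ACL resolved"))
        if p["applied"] == "global":
            findings.append((p["class"], "applied globally, not to one interface"))
        for a in p["aces"]:
            if a.proto != "tcp":
                findings.append((p["class"], f"ACE protocol '{a.proto}' is broader than tcp"))
            if a.src.prefixlen == 0 or a.dst.prefixlen == 0:
                findings.append((p["class"], "ACE matches 'any'"))
    return findings

def cross_check(policies, show_conn):
    """Return (TCP conns in bypass scope without flag b, conns with flag b outside scope)."""
    aces = [a for p in policies if p["applied"] for a in p["aces"] if a.action == "permit"]
    missing, unexpected = [], []
    for line in (line.strip() for line in show_conn.splitlines()):
        m = CONN_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue
        x, y = ipaddress.ip_address(m["a"]), ipaddress.ip_address(m["b"])
        # MPF matches the class ACL against a connection in either direction.
        scoped = any((x in a.src and y in a.dst) or (y in a.src and x in a.dst) for a in aces)
        bypassed = "b" in m["flags"]  # lowercase b only; uppercase B is a different flag
        if scoped and not bypassed:
            missing.append(line)
        elif bypassed and not scoped:
            unexpected.append(line)
    return missing, unexpected

if __name__ == "__main__":
    print(audit(parse_config(BROAD_CONFIG)))
    print(cross_check(parse_config(SAMPLE_CONFIG), SAMPLE_SHOW_CONN))
```

Run it directly to see the findings for the over-broad variant and the two mismatches in the constructed show conn output; to audit a real device, paste the output of show running-config and show conn into the two strings. A connection that matches the ACL but lacks the b flag usually predates the service policy, since policy changes apply to new connections only. A connection that carries b but matches no resolved ACE points to another policy-map or to an ACL form this parser does not resolve.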
There is no specific troubleshooting information for this feature. Refer to these documents for general connectivity troubleshooting information:
The ASA displays this error message even after the TCP state bypass feature is enabled:
%PIX|ASA-4-313004: Denied ICMP type=icmp_type, from source_address on interface interface_name to dest_address: no matching session
The Internet Control Message Protocol (ICMP) packets are dropped by the ASA because of the security checks that are added by the stateful ICMP feature. These are usually either ICMP echo replies without a valid echo request already passed across the ASA, or ICMP error messages that are not related to any TCP, UDP, or ICMP session currently established in the ASA.
The ASA displays this log even if the TCP state bypass feature is enabled because the disablement of this functionality (that is, checks of the ICMP return entries for Type 3 in the connection table) is not possible. However, the TCP state bypass feature works correctly.
Enter this command in order to prevent the appearance of these messages:
hostname(config)#no logging message 313004
Revision | Publish Date | Comments
---|---|---
1.0 | 15-Jun-2015 | Initial Release