TCP State bypass on a Cisco ASA

We have a few remote sites that directly connect to the primary data centre with fibre optic cables. A backup connection is provided using MPLS.


If the fibre optic cable is cut (thankfully a not too common event) traffic is rerouted through the managed MPLS network and enters the data centre through an ASA firewall. Because the ASA has no information in its state table about in-flight connections, the TCP packets are dropped, temporarily disrupting the operation of the remote site.

For this scenario and for others where asymmetric traffic flow can occur it is possible to configure the ASA to bypass TCP state checking. Note that the traffic still has to be allowed by access-lists.

Step 1 – Identify the traffic

The first step is to identify the traffic for which you want to bypass TCP state inspection. This is done by creating an access list. In this example traffic flowing between subnets 10.1.0.0/16 and 10.2.0.0/16 is identified:

access-list StatelessTraffic remark Outbound Traffic
access-list StatelessTraffic extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 log disable
access-list StatelessTraffic remark Inbound Traffic
access-list StatelessTraffic extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log disable

Step 2 – Create a class map

A class map is created to match traffic using the access-list created in step 1:

class-map tcp_bypass
  match access-list StatelessTraffic

Step 3 – Create the policy maps

A policy map defines the actions to be taken for traffic matching specified class maps. The policy map is applied to one or more interfaces or can be applied as a global policy. In this example two policy maps are used, one for the outgoing traffic (entering the Inside interface) and one for the incoming traffic (entering the MPLS interface):

policy-map Inside-policy
  class tcp_bypass 
    set connection timeout idle 0:15:00  
    set connection advanced-options tcp-state-bypass

policy-map MPLS-policy
  class tcp_bypass 
    set connection timeout idle 0:15:00  
    set connection advanced-options tcp-state-bypass

The two policies apply two settings for matching traffic. The first set statement modifies the idle timeout from the default (usually one hour) to 15 minutes (see below). The second set statement requests that state inspection of matching TCP traffic be bypassed.

Step 4 – Apply the policy maps to the interfaces

The last step is to apply the policy maps to the appropriate interfaces, in this case Inside and MPLS:

service-policy Inside-policy interface Inside
service-policy MPLS-policy interface MPLS
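Bypass only helps the rerouted flow if both directions of it match the class, so the ACL must contain a mirrored entry for every source/destination pair. The following Python script is an added example, not part of the original post: it parses ASA extended permit entries, flags any that lack a reverse twin, and generates a symmetric ACL from a list of subnet pairs. The sample ACL is constructed, with one destination deliberately mistyped to show the check firing.

```python
import ipaddress
import re

# Constructed sample: the StatelessTraffic ACL with the outbound entry's
# destination mistyped as 10.12.0.0 instead of 10.2.0.0.
SAMPLE_ACL = """
access-list StatelessTraffic remark Outbound Traffic
access-list StatelessTraffic extended permit tcp 10.1.0.0 255.255.0.0 10.12.0.0 255.255.0.0 log disable
access-list StatelessTraffic remark Inbound Traffic
access-list StatelessTraffic extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log disable
"""

# Matches "access-list NAME extended permit tcp SRC SMASK DST DMASK ..."; remark lines do not match.
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+tcp\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)


def parse_aces(config):
    """Return (acl_name, src_network, dst_network) for each tcp permit entry."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmask notation, e.g. 10.1.0.0/255.255.0.0
            aces.append((name, ipaddress.ip_network(f"{src}/{smask}"),
                         ipaddress.ip_network(f"{dst}/{dmask}")))
    return aces


def unmirrored_aces(config):
    """Return entries whose reverse direction (dst -> src) is missing from the same ACL."""
    aces = parse_aces(config)
    present = {(name, src, dst) for name, src, dst in aces}
    return [(name, str(src), str(dst)) for name, src, dst in aces
            if (name, dst, src) not in present]


def build_bypass_acl(name, pairs):
    """Emit a symmetric ACL from (subnet_a, subnet_b) CIDR pairs, one entry per direction."""
    lines = []
    for a, b in pairs:
        for src, dst in ((a, b), (b, a)):
            s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
            lines.append(f"access-list {name} extended permit tcp {s.network_address} "
                         f"{s.netmask} {d.network_address} {d.netmask} log disable")
    return lines
```

Run the check against a `show running-config access-list StatelessTraffic` capture before applying the service-policy; an empty result means every entry has its mirror.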

Idle Timeout Interval

The idle timeout interval is used to remove entries from the ASA state table for any connections which have been idle for a specified time, usually one hour. Normally TCP entries will be deleted when the ASA sees that the connection has been terminated (FIN or RST). However when TCP state bypass is enabled, this check is not done and all TCP sessions will remain in the state table until the idle timeout is reached. Reducing the idle timeout to 15 minutes will delete closed sessions earlier and reduce memory requirements.

Limitations

There are a number of limitations introduced when TCP bypass is enabled on an ASA. You should refer to the latest Cisco documentation to understand how they may impact your security before using this feature. In our case we only enable TCP bypass for traffic in fairly rare and short-lived cases and accept the limitations to provide a seamless failover to our remote users.

One thought on “TCP State bypass on a Cisco ASA”

  1. Hi, thank you for the information, it sure is helpful, though I haven’t encountered this scenario yet, but I’m sure I will in the future. Keeping this in my Cisco ASA bookmark folder 🙂
