collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: ASA FirePOWER TCP state bypass  (Read 5177 times)

Offline gvoden

  • Cisco Newbie
  • *
  • Posts: 23
  • Reputation: 4
    • View Profile
  • Certification: N/A
ASA FirePOWER TCP state bypass
« on: March 24, 2016, 11:42:29 AM »
 To accommodate for asymmetric traffic in our network we had to enable TCP state bypass on the ASA Firepower. At the same time we are applying the SFR forwarding policy (configuration below).
Is this a supported setup, and would FirePOWER be able to see the respective traffic?


wka00acw1/pri/act#         sh run class-map
!
class-map alltraffic
 match any

class-map tcp-traffic
 match access-list riverbed_tcp
class-map inspection_default
 match default-inspection-traffic
!
wka00acw1/pri/act# sh run poli
wka00acw1/pri/act# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
 class alltraffic
  set connection advanced-options tcp-state-bypass
  sfr fail-open monitor-only
 class tcp-traffic
  set connection advanced-options allow-probes

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ASA FirePOWER TCP state bypass
« Reply #1 on: March 24, 2016, 08:54:00 PM »
Firepower needs to see bidirectional traffic for it to work properly. Not sure what would happen if it only see one half, traffic may or may not be blocked as expected. Even though certain feature may work but you can probably expected odd behaviors.

Offline gvoden

  • Cisco Newbie
  • *
  • Posts: 23
  • Reputation: 4
    • View Profile
  • Certification: N/A
Re: ASA FirePOWER TCP state bypass
« Reply #2 on: March 25, 2016, 05:38:49 PM »
When I do "show connections" the TCP connections show with a flag "b" for bypass. There is no "X" flag for "inspect". However ICMP and UDP traffic is flagged with "X" and shows in the FirePOWER logs. Also when TCP state bypass is enabled on all traffic as I showed in the config, all the FirewPOWER dashboards go blank ( i.e. the top applications seen etc). When TCP state checking is enabled everything works properly... I was expecting that symmetric traffic will still get inspected properly with the policy map I've configured but it's not the case.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ASA FirePOWER TCP state bypass
« Reply #3 on: March 27, 2016, 10:07:13 PM »
Are you saying that even when you have bidirectional traffic passing through the same ASA, but with state-bypass enabled for all TCP, FP fails to see the traffic, in the connection log etc. If so, may be the ASA might not even redirect traffic to FP for those that are state-bypassed.
For ICMP and UDP, the behavior you saw is expected since they are connectionless. Even though they show up on the log, I doubt certain features may not work, AVC for example that requires FP to see bidirectional traffic.

Offline gvoden

  • Cisco Newbie
  • *
  • Posts: 23
  • Reputation: 4
    • View Profile
  • Certification: N/A
Re: ASA FirePOWER TCP state bypass
« Reply #4 on: March 28, 2016, 01:44:36 AM »
Yes, with TCP state-bypass the ASA does not forward any of the TCP traffic to FirePOWER even if my policy map applies to all traffic. Even for symmetric "bypassed" traffic. It makes sense to me, I doubt we will use this in PROD as failover is impacted as well - for example if I have 5000 concurrent connections on ASA 1 ( all bypassed) and I failover to the standby ASA 2, all of these are gone. Obviously as there is no real state to maintain and these are just half open or whatever the ASA saw. Speaking with Cisco one work around would be to use the ASA clustering across data centers to avoid asymmetric issues like this. The problem is we do not have OTV or Layer 2 between DC's but that is another topic.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ASA FirePOWER TCP state bypass
« Reply #5 on: March 31, 2016, 08:43:42 PM »
If you decide to cluster ASA across the DC, keep in mind that all of your asymmetric traffic will be forwarded across the DC interconnect link used for ASA cluster link. You need to make sure the link capacity and quality meet what Cisco recommend otherwise performance might be jeopardized.

Offline gvoden

  • Cisco Newbie
  • *
  • Posts: 23
  • Reputation: 4
    • View Profile
  • Certification: N/A
Re: ASA FirePOWER TCP state bypass
« Reply #6 on: April 01, 2016, 02:23:52 PM »
Thanks for pointing that out. It came up in our discussions with Cisco. Not sure if management will be willing to swallow the monthly cost for 2 x 10Gig dark fiber circuits or associated OTV routers (currently our DCI link is Layer 3, may be a hard sell unless we can get separate layer 2 just for this cluster). Do you know if QinQ tunneling is supported in the ASA cluster?

thank you

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
    • View Profile
  • Certification: CCIE
Re: ASA FirePOWER TCP state bypass
« Reply #7 on: April 04, 2016, 08:13:24 PM »
As far as I know, ASA cluster links have very stringent requirements, BW, latency etc. You might able to get them to communicate whether with L2VPN or DC interconnect technology but who knows how reliable it will be. It will also depend on geographic separation of your two datacenter (ie. same side vs cross country. Whatever you come up with, it is certainly best to get Cisco blessing.

 

Related Topics

  Subject / Started by Replies Last post
6 Replies
6643 Views
Last post July 20, 2015, 07:48:48 AM
by amsa
1 Replies
2487 Views
Last post November 06, 2015, 04:57:48 PM
by MC
9 Replies
8056 Views
Last post August 16, 2016, 11:25:04 PM
by MC
4 Replies
2793 Views
Last post March 09, 2016, 11:14:56 PM
by MC
4 Replies
1654 Views
Last post February 05, 2018, 01:40:43 PM
by amsa

SimplePortal 2.3.5 © 2008-2012, SimplePortal