56-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices

About TCP State Bypass
By default, all traffic that enters an ASA or FWSM is inspected using the Adaptive Security Algorithm, and is either allowed through or dropped based on the security policy. The device maximizes its firewall performance by checking the state of each packet—to determine whether this is a new connection or an established connection—and assigning it to the session management path (if it is a new connection SYN packet), the fast path (if it is an established connection), or the control-plane path (for advanced inspection).

Note: TCP State Bypass is available on FWSM 3.2+ and ASA 8.2+ devices only.
TCP packets that match existing connections in the fast path can pass through the appliance without
every aspect of the security policy being rechecked. This feature maximizes performance. However, the
method of establishing the session in the fast path using the SYN packet, and the checks that occur in
the fast path (such as TCP sequence number), require that both outbound and inbound flows for a
connection pass through the same device, which is not the case in asymmetric routing environments.
For example, assume a new connection is assigned to security device 1. The SYN packet goes through
the session management path, and an entry for the connection is added to the fast path table. If
subsequent packets of this connection go through device 1, then the packets match the entry in the fast
path, and are passed through. But if subsequent packets go to device 2, where a SYN packet did not go
through the session management path, there is no entry in the fast path for the connection, and the
packets are dropped.
Thus, if you have asymmetric routing configured on upstream routers, and traffic alternates between two
security devices, enable TCP state bypass for those specific traffic flows. TCP state bypass alters the way
sessions are established in the fast path and disables the fast path checks. TCP traffic is then treated much
as a UDP connection is treated: when a non-SYN packet matching the specified networks enters the
security device, and there is not a fast path entry, then the packet goes through the session management
path to establish a connection in the fast path. Once in the fast path, the traffic bypasses the fast path
checks.
Unsupported Features
The following features are not supported when you enable TCP state bypass:
• Application inspection – Application inspection requires both inbound and outbound traffic to go through the same security device, so application inspection is not supported with TCP state bypass.
• AAA authenticated sessions – When a user authenticates with one security device, traffic returning via the other security device will be denied because the user did not authenticate with that device.
• TCP Intercept, Maximum Embryonic Connections limit, TCP sequence number randomization – If TCP state bypass is enabled, the device does not keep track of the state of the connection, so these features are not applicable.
• Cisco CSC SSM (Content Security and Control Security Services Module) – SSM and SSC functionality cannot be used with TCP state bypass.
Compatibility with NAT
Because the translation session is established separately for each security device, be sure to configure
static NAT on both devices for TCP state bypass traffic; if you use dynamic NAT, the address chosen for
the session on device 1 will differ from the address chosen for the session on device 2.
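As an added example, not taken from the Cisco guide, the following is the ASA CLI equivalent of the service policy that Security Manager deploys for the asymmetric-routing scenario described above, together with the static NAT that the "Compatibility with NAT" section requires. It assumes ASA 8.3 or later (object NAT syntax), interfaces named inside and outside, constructed subnets 10.1.1.0/24 and 10.2.1.0/24 for the asymmetric flows, and a constructed host 10.1.1.5 that is statically translated to 192.0.2.5; the names TCP_BYPASS, TCP_BYPASS_CLASS, TCP_BYPASS_POLICY and SERVER_A are arbitrary. The same lines are applied to both devices in the pair so that the bypass class and the translation are identical on each.

```cisco
! Constructed example: identify only the flows that may arrive asymmetrically.
! Keep this access list as narrow as possible, because matched traffic loses
! application inspection, TCP Intercept, embryonic limits and sequence checks.
access-list TCP_BYPASS extended permit tcp 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0

! Class map that selects traffic by the access list above.
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS

! Policy map: for the selected class, establish fast-path entries from any
! packet (not only SYN) and skip the fast-path state checks.
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass

! Apply the policy on the interface where the asymmetric flows enter.
service-policy TCP_BYPASS_POLICY interface inside

! Static NAT (ASA 8.3+ object NAT), configured identically on both devices so
! the translated address is the same whichever device the return traffic hits.
! Dynamic NAT would pick different addresses on device 1 and device 2.
object network SERVER_A
 host 10.1.1.5
 nat (inside,outside) static 192.0.2.5
```

After deployment, connections that are using the bypass path appear in show conn detail with the b flag (TCP state-bypass), which is a quick way to confirm that only the intended flows match the class.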