Cisco ASA 5515-X Adaptive Security Appliance - No Payload Encryption Technical Manual

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
This section provides an overview of the TCP state bypass feature and the related support information.
TCP State Bypass Feature Overview
By default, all of the traffic that passes through the ASA is inspected via the Adaptive Security Algorithm and
is either allowed through or dropped based on the security policy. In order to maximize firewall
performance, the ASA checks the state of each packet (for example, whether it belongs to a new connection
or to an established connection) and assigns it to either the session management path (a new-connection
Synchronize (SYN) packet), the fast path (an established connection), or the control plane path (advanced
inspection).
The TCP packets that match the current connections in the fast path can pass through the ASA without a
recheck of every aspect of the security policy. This feature maximizes performance. However, the method that
is used in order to establish the session in the fast path (which uses the SYN packet) and the checks that occur
in the fast path (such as the TCP sequence number) can stand in the way of asymmetrical routing solutions;
both the outbound and inbound flows of a connection must pass through the same ASA.
For example, a new connection goes to ASA 1. The SYN packet passes through the session management path,
and an entry for the connection is added to the fast path table. If subsequent packets on this connection go
through ASA 1, the packets match the entry in the fast path and are passed through. If subsequent packets go to
ASA 2, where there was not a SYN packet that went through the session management path, then there is no
entry in the fast path for the connection, and the packets are dropped.
If you have asymmetric routing configured on the upstream routers, and traffic alternates between two ASAs,
then you can configure the TCP state bypass feature for specific traffic. The TCP state bypass feature alters
the way that sessions are established in the fast path and disables the fast path checks. This feature treats TCP
traffic much as it treats a UDP connection: when a non-SYN packet that matches the specified networks
enters the ASA, and there is no fast path entry, then the packet goes through the session management path in
order to establish the connection in the fast path. Once in the fast path, the traffic bypasses the fast path
checks.
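The two behaviours described above (the drop on the second ASA under asymmetric routing, and the way TCP state bypass lets a non-SYN packet build the fast-path entry) are easier to reason about with a small model. The following Python is an added teaching example, not code from the ASA or from Cisco; it assumes a simplified fast path in which an exact sequence-number match is required (the real fast path uses a window), and a bypass rule that matches when either endpoint falls inside a configured network. Addresses, ports and sequence numbers are constructed.

```python
"""Added example: model of the ASA session management path / fast path
decision, with and without TCP state bypass (teaching model, not ASA code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # TCP flags present, e.g. frozenset({"SYN"})
    seq: int           # sequence number of this segment
    length: int = 0    # payload bytes (SYN and FIN each consume one sequence number)


class Asa:
    """One ASA: a fast-path table keyed by connection, plus the networks for
    which TCP state bypass is configured (assumption: a packet matches when
    either endpoint lies inside one of those networks)."""

    def __init__(self, name, bypass_networks=()):
        self.name = name
        self.bypass_nets = [ip_network(n) for n in bypass_networks]
        self.fast_path = {}   # connection key -> {"bypass": bool, "next_seq": {endpoint: int}}

    @staticmethod
    def _key(p):
        # One entry serves both directions of the connection.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _matches_bypass(self, p):
        return any(ip_address(ip) in net
                   for ip in (p.src, p.dst) for net in self.bypass_nets)

    def process(self, p):
        key = self._key(p)
        sender = (p.src, p.sport)
        consumed = p.length + (1 if ("SYN" in p.flags or "FIN" in p.flags) else 0)
        initial_syn = "SYN" in p.flags and "ACK" not in p.flags  # a SYN-ACK is not a new connection
        entry = self.fast_path.get(key)

        if entry is None:
            # Session management path: normally only the initial SYN creates the entry.
            if initial_syn:
                self.fast_path[key] = {"bypass": self._matches_bypass(p),
                                       "next_seq": {sender: p.seq + consumed}}
                return "forwarded: new connection (SYN, session management path)"
            if self._matches_bypass(p):
                # TCP state bypass: a non-SYN packet builds the entry, as for UDP.
                self.fast_path[key] = {"bypass": True, "next_seq": {}}
                return "forwarded: entry built from non-SYN packet (TCP state bypass)"
            return "dropped: non-SYN packet with no fast-path entry"

        # Fast path: an entry exists.
        if entry["bypass"]:
            return "forwarded: fast path, state checks bypassed"
        expected = entry["next_seq"].get(sender)
        if expected is not None and p.seq != expected:
            return "dropped: fast path sequence-number check failed"
        entry["next_seq"][sender] = p.seq + consumed
        return "forwarded: fast path, checks passed"


CLIENT, SERVER = "10.1.1.10", "192.0.2.20"   # constructed addresses


def asymmetric_session(bypass):
    """SYN and ACK leave through ASA 1; the SYN-ACK and server data return through ASA 2."""
    nets = ["10.1.1.0/24"] if bypass else []
    asa1, asa2 = Asa("ASA1", nets), Asa("ASA2", nets)
    syn    = Packet(CLIENT, SERVER, 40000, 443, frozenset({"SYN"}), seq=1000)
    synack = Packet(SERVER, CLIENT, 443, 40000, frozenset({"SYN", "ACK"}), seq=5000)
    ack    = Packet(CLIENT, SERVER, 40000, 443, frozenset({"ACK"}), seq=1001)
    data   = Packet(SERVER, CLIENT, 443, 40000, frozenset({"ACK"}), seq=5001, length=100)
    return [asa1.process(syn), asa2.process(synack), asa1.process(ack), asa2.process(data)]


def out_of_sequence_segment(bypass):
    """One ASA sees the whole connection, then a segment with a bad sequence number
    arrives: the normal fast path drops it, bypass mode forwards it."""
    nets = ["10.1.1.0/24"] if bypass else []
    asa = Asa("ASA1", nets)
    asa.process(Packet(CLIENT, SERVER, 40000, 443, frozenset({"SYN"}), seq=1000))
    bogus = Packet(CLIENT, SERVER, 40000, 443, frozenset({"ACK"}), seq=999999, length=10)
    return asa.process(bogus)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"bypass={mode}:")
        for verdict in asymmetric_session(mode):
            print("  ", verdict)
        print("   out-of-sequence segment:", out_of_sequence_segment(mode))
```

Running it shows the failure mode from the text: without bypass, ASA 2 never saw the SYN and drops the SYN-ACK and every later server packet, while ASA 1 keeps forwarding the client side. With bypass configured for the client network, ASA 2 builds its entry from the first non-SYN packet. The second function shows the cost: once the entry is in bypass mode, the sequence-number check that would have dropped an out-of-sequence segment is no longer applied, which is why the feature should be scoped to the specific traffic that actually needs it.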
This image provides an example of asymmetric routing, where the outbound traffic goes through a different
ASA than the inbound traffic: