Cisco ASA 5515-X Adaptive Security Appliance - No Payload Encryption Technical Manual

Note: The TCP state bypass feature is disabled by default on the Cisco ASA 5500 Series. Additionally, the
TCP state bypass configuration can cause a high number of connections if it is not properly implemented.
Support Information
This section describes the support information for the TCP state bypass feature.
• Context Mode: The TCP state bypass feature is supported in single and multiple context modes.
• Firewall Mode: The TCP state bypass feature is supported in routed and transparent modes.
• Failover: The TCP state bypass feature supports failover.
These features are not supported when you use the TCP state bypass feature:
• Application inspection: Application inspection requires that both the inbound and outbound traffic pass through the same ASA, so application inspection is not supported with the TCP state bypass feature.
• Authentication, Authorization, and Accounting (AAA) authenticated sessions: When a user authenticates with one ASA, the traffic that returns via the other ASA is denied because the user did not authenticate with that ASA.
• TCP intercept, maximum embryonic connection limit, TCP sequence number randomization: The ASA does not track the state of the connection, so these features are not applied.
• TCP normalization: The TCP normalizer is disabled.
• Security Services Module (SSM) and Security Services Card (SSC) functionality: You cannot use the TCP state bypass feature with any applications that run on an SSM or SSC, such as IPS or Content Security (CSC).
Note: Because the translation session is established separately for each ASA, ensure that you configure static
Network Address Translation (NAT) on both of the ASAs for the TCP state bypass traffic. If you use dynamic
NAT, the address that is chosen for the session on ASA 1 will differ from the address that is chosen for the
session on ASA 2.
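The following configuration is an added example and is not taken from the Cisco manual above. It shows how the note's advice fits together: TCP state bypass is enabled only for the narrowly matched asymmetric-routing traffic, a connection idle timeout and per-class connection limit are set so the bypassed flows cannot pile up (the manual warns that a careless configuration can cause a high number of connections), and the same static NAT statement is applied on both ASAs so each unit picks an identical translation. All names, interfaces and addresses (TCP_BYPASS_ACL, TCP_BYPASS_CLASS, INSIDE_POLICY, 10.1.1.0/24, 10.2.2.0/24, 203.0.113.10) are constructed placeholders, and the object-NAT syntax assumes ASA software 8.3 or later.

```text
! Added example, not from the Cisco manual. Constructed names and addresses.
! Configure this identically on ASA 1 and ASA 2.

! 1. Match only the flows that are known to take an asymmetric path.
!    Keep the ACL tight: everything it matches loses stateful inspection.
access-list TCP_BYPASS_ACL extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 2. Class map that selects that traffic.
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS_ACL

! 3. Policy map: enable TCP state bypass for the class only, and bound
!    the connection table so unmatched return traffic cannot exhaust it
!    (timeout and limit values are illustrative assumptions, tune per site).
policy-map INSIDE_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
  set connection timeout idle 0:10:00
  set connection conn-max 1000

! 4. Apply the policy on the interface where the traffic enters.
service-policy INSIDE_POLICY interface inside

! 5. Static NAT for the bypassed host, identical on both ASAs, so the
!    translation chosen by ASA 1 is the same one ASA 2 expects.
object network SERVER_10_1_1_10
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
```

After applying it, `show service-policy interface inside` and `show conn` on each ASA confirm that only the intended flows carry the bypass and that a matching static translation exists on both units; if dynamic NAT were used instead, the two ASAs would select different mapped addresses and the return traffic on the second ASA would not match.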