Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 22 Configuring Connection Settings, page 22-5

Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent mode.
Failover Guidelines
Failover is supported.
TCP State Bypass Unsupported Features
The following features are not supported when you use TCP state bypass:
• Application inspection—Application inspection requires both inbound and outbound traffic to go through the same ASA, so application inspection is not supported with TCP state bypass.
• AAA authenticated sessions—When a user authenticates with one ASA, traffic returning via the other ASA will be denied because the user did not authenticate with that ASA.
• TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The ASA does not keep track of the state of the connection, so these features are not applied.
• TCP normalization—The TCP normalizer is disabled.
• SSM and SSC functionality—You cannot use TCP state bypass and any application running on an SSM or SSC, such as IPS or CSC.
TCP State Bypass NAT Guidelines
Because the translation session is established separately for each ASA, be sure to configure static NAT on both ASAs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on ASA 1 will differ from the address chosen for the session on ASA 2.
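As an added illustration of the NAT guideline above (not configuration taken from this guide), the fragment below shows the static NAT object and the TCP state bypass policy that would be entered identically on both ASAs of an asymmetric-routing pair, with the dynamic PAT form that breaks the return path shown commented out. The hostnames, addresses, object names and access-list name are assumed for the example.

```cisco
! ---- Enter identically on ASA 1 and ASA 2 (assumed names/addresses) ----
! Static NAT: the inside host 10.1.1.10 always maps to 192.0.2.10, so the
! translation built on either ASA matches the one the other ASA expects.
object network BYPASS-HOST
 host 10.1.1.10
 nat (inside,outside) static 192.0.2.10
!
! Select the asymmetrically routed traffic that should skip TCP state checks.
access-list TCP-BYPASS extended permit tcp 10.1.1.0 255.255.255.0 any
class-map TCP-BYPASS-CLASS
 match access-list TCP-BYPASS
!
policy-map TCP-BYPASS-POLICY
 class TCP-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy TCP-BYPASS-POLICY interface inside
!
! ---- Not suitable for bypass traffic (left commented out) ----
! Dynamic PAT chooses the mapped address/port per session on each ASA, so
! return traffic arriving at the other ASA matches no translation there:
! object network INSIDE-NET
!  subnet 10.1.1.0 255.255.255.0
!  nat (inside,outside) dynamic interface
```

Because the bypass class disables inspection, TCP Intercept and sequence number randomization for the matched flows, keep the access list as narrow as the asymmetric path requires.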
Maximum Concurrent and Embryonic Connection Guidelines
Depending on the number of CPU cores on your ASA model, the maximum concurrent and embryonic connections may exceed the configured numbers due to the way each core manages connections. In the worst case scenario, the ASA allows up to n-1 extra connections and embryonic connections, where n is the number of cores. For example, if your model has 4 cores and you configure 6 concurrent connections and 4 embryonic connections, you could have an additional 3 of each type. To determine the number of cores for your model, enter the show cpu core command.
Default Settings
TCP State Bypass
TCP state bypass is disabled by default.
TCP Normalizer
The default configuration includes the following settings: