Troubleshooting Guide for the Cisco ASA 5505 Adaptive Security Appliance

receive a response, this can cause other devices in-line with this network stream to drop the TCP traffic. Packet loss must occur on the network causing TCP segments to go missing, which triggers the problem. This is not a bug, but a side effect of both packet loss on the network and the fact that cTCP is not a real TCP. The cTCP tries to emulate the TCP protocol by wrapping the IPsec packets within a TCP header, but that is the extent of the protocol.

This issue typically occurs when network administrators implement an ASA with an IPS, or do some sort of application inspection on the ASA that causes the firewall to act as a full TCP proxy of the connection. If there is packet loss, the ASA will ACK for the missing data on behalf of the cTCP server or client, but the VPN client will never respond. Since the ASA never receives the data it is expecting, communication cannot continue. As a result, the connection fails.
Solution
In order to resolve this problem, perform any of these actions:
• Switch from IPsec over TCP to IPsec over UDP, or native encapsulation with the ESP protocol.
• Switch to the AnyConnect client for VPN termination, which uses a fully implemented TCP protocol stack.
• Configure the ASA to apply tcp-state-bypass for these specific IPsec/TCP flows. This essentially disables all security checks for the connections that match the tcp-state-bypass policy, but will allow the connections to work until another resolution from this list can be implemented. For more information, refer to TCP State Bypass Guidelines and Limitations.
• Identify the source of the packet loss, and take corrective action in order to prevent the IPsec/TCP packets from dropping on the network. This is usually impossible or extremely difficult since the trigger to the issue is usually packet loss on the Internet, and the drops cannot be prevented.
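The tcp-state-bypass workaround from the third action above, written out as an added ASA configuration example (not taken from this Cisco document). It assumes the cTCP VPN headend sits behind the ASA at the placeholder address 203.0.113.10, that IPsec over TCP uses the default port 10000, and that VPN clients arrive on the interface named outside.

```cisco
! Added example: tcp-state-bypass for IPsec/TCP (cTCP) flows crossing the ASA.
! Assumptions (not from the Cisco document): the cTCP VPN headend behind the
! ASA is 203.0.113.10 (placeholder), IPsec over TCP runs on its default port
! 10000, and VPN clients reach it through the interface named "outside".
!
! 1. Match only the cTCP flows. Keep this ACL as narrow as possible, because
!    every connection it matches loses TCP normalization and state checking.
access-list CTCP-BYPASS extended permit tcp any host 203.0.113.10 eq 10000
!
! 2. Class map that selects those flows.
class-map CTCP-BYPASS-CLASS
 match access-list CTCP-BYPASS
!
! 3. Policy map that applies tcp-state-bypass to that class only.
!    If "outside" already carries a service policy, add this class to that
!    existing policy map instead; the ASA allows one policy per interface.
policy-map CTCP-BYPASS-POLICY
 class CTCP-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
! 4. Attach the policy where the VPN client traffic enters the ASA.
service-policy CTCP-BYPASS-POLICY interface outside
!
! Verify: the class should show packet counts once a client connects, and
! the bypassed connections appear in the connection table.
! show service-policy interface outside
! show conn detail
```

Remove the policy once one of the other actions (UDP/ESP encapsulation or AnyConnect) is in place, since the bypassed flows are no longer protected by the ASA's TCP checks.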
Related Information
• Technical Support & Documentation - Cisco Systems
© 2014 - 2015 Cisco Systems, Inc. All rights reserved.
Updated: Jun 26, 2012
Document ID: 113578