Licensing requirements for connection settings – Cisco ASA 5505 User Manual

53-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 53 Configuring Connection Settings

Licensing Requirements for Connection Settings

connection?) and assigning it to either the session management path (a new connection SYN packet), the
fast path (an established connection), or the control plane path (advanced inspection). See the “Stateful
Inspection Overview” section on page 1-27 for more detailed information about the stateful firewall.

TCP packets that match existing connections in the fast path can pass through the ASA without
rechecking every aspect of the security policy. This feature maximizes performance. However, the
method of establishing the session in the fast path using the SYN packet, and the checks that occur in
the fast path (such as TCP sequence number), can stand in the way of asymmetrical routing solutions:
both the outbound and inbound flow of a connection must pass through the same ASA.

For example, a new connection goes to ASA 1. The SYN packet goes through the session management
path, and an entry for the connection is added to the fast path table. If subsequent packets of this
connection go through ASA 1, then the packets will match the entry in the fast path, and are passed
through. But if subsequent packets go to ASA 2, where there was not a SYN packet that went through
the session management path, then there is no entry in the fast path for the connection, and the packets
are dropped.

Figure 53-1 shows an asymmetric routing example where the outbound traffic goes through
a different ASA than the inbound traffic:

Figure 53-1 Asymmetric Routing

If you have asymmetric routing configured on upstream routers, and traffic alternates between two
ASAs, then you can configure TCP state bypass for specific traffic. TCP state bypass alters the way
sessions are established in the fast path and disables the fast path checks. This feature treats TCP traffic
much as it treats a UDP connection: when a non-SYN packet matching the specified networks enters the
ASA, and there is no fast path entry, then the packet goes through the session management path to
establish the connection in the fast path. Once in the fast path, the traffic bypasses the fast path checks.
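As an added illustration that is not from the Cisco guide, the following Python model replays the two-ASA scenario above: a SYN builds a fast path entry only on the ASA it traverses, so a return packet arriving at the other ASA is dropped unless that traffic is configured for TCP state bypass. The addresses, class names and the simplified decision logic are constructed assumptions, not ASA internals.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False


@dataclass
class Asa:
    """Constructed model of one ASA's packet-path decision (not Cisco code)."""
    name: str
    bypass_nets: list = field(default_factory=list)  # networks with TCP state bypass
    fast_path: set = field(default_factory=set)      # keys of established connections

    @staticmethod
    def conn_key(pkt):
        # Both directions of a connection map to the same key.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def in_bypass_nets(self, pkt):
        hosts = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
        return any(h in n for h in hosts for n in self.bypass_nets)

    def handle(self, pkt):
        k = self.conn_key(pkt)
        if k in self.fast_path:
            return "fast path"                  # existing connection: policy not rechecked
        if pkt.syn:
            self.fast_path.add(k)               # SYN takes the session management path
            return "session management path"
        if self.in_bypass_nets(pkt):
            self.fast_path.add(k)               # bypass: a non-SYN packet may open the entry
            return "session management path (tcp-state-bypass)"
        return "dropped"                        # non-SYN, no entry, no bypass


def asymmetric_exchange(bypass):
    """Outbound packets traverse ASA 1, return packets traverse ASA 2 (constructed addresses)."""
    nets = [ipaddress.ip_network("10.1.1.0/24")] if bypass else []
    asa1, asa2 = Asa("ASA 1", list(nets)), Asa("ASA 2", list(nets))
    syn = Packet("10.1.1.5", "203.0.113.10", 40000, 443, syn=True)  # outbound via ASA 1
    synack = Packet("203.0.113.10", "10.1.1.5", 443, 40000)          # return via ASA 2
    data = Packet("10.1.1.5", "203.0.113.10", 40000, 443)            # next outbound via ASA 1
    reply = Packet("203.0.113.10", "10.1.1.5", 443, 40000)           # next return via ASA 2
    return [asa1.handle(syn), asa2.handle(synack), asa1.handle(data), asa2.handle(reply)]
```

Without bypass every return packet at ASA 2 is dropped; with bypass the first return packet opens the entry and later ones ride the fast path, which is also why bypass should be scoped to the narrowest networks that truly need it.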

[Figure 53-1 Asymmetric Routing (diagram): labels are Inside network, Security appliance 1, Security appliance 2, ISP A, ISP B, Outbound Traffic, Return Traffic.]

Licensing Requirements for Connection Settings

Model        License Requirement
All models   Base License.
