Guidelines and limitations, Tcp state bypass guidelines and limitations, Default settings – Cisco ASA 5505 User Manual


53-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 53 Configuring Connection Settings

Guidelines and Limitations

This section includes the following guidelines and limitations:

TCP State Bypass Guidelines and Limitations, page 53-5

TCP State Bypass Guidelines and Limitations

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent mode.

Failover Guidelines

Failover is supported.

Unsupported Features

The following features are not supported when you use TCP state bypass:

Application inspection—Application inspection requires both inbound and outbound traffic to go through the same ASA, so application inspection is not supported with TCP state bypass.

AAA authenticated sessions—When a user authenticates with one ASA, traffic returning via the other ASA will be denied because the user did not authenticate with that ASA.

TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The ASA does not keep track of the state of the connection, so these features are not applied.

TCP normalization—The TCP normalizer is disabled.

SSM and SSC functionality—You cannot use TCP state bypass and any application running on an SSM or SSC, such as IPS or CSC.

NAT Guidelines

Because the translation session is established separately for each ASA, be sure to configure static NAT on both ASAs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on ASA 1 will differ from the address chosen for the session on ASA 2.
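As an added example (not taken from this configuration guide), the following configuration is applied identically to ASA 1 and ASA 2 in an asymmetric-routing pair: TCP state bypass is enabled only for the matched traffic class, and static NAT is used for that traffic so both units choose the same mapped address. The addresses, object, class and policy names, and interface names are constructed; the NAT syntax assumes ASA software 8.3 or later (object NAT).

```text
! Identical configuration on ASA 1 and ASA 2 (constructed example)
!
! Step 1: identify the asymmetrically routed TCP traffic (constructed subnets)
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
!
! Step 2: static NAT for the bypass traffic, so each ASA builds the same
!         translation; a dynamic pool would yield a different address per unit
object network inside_server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Step 3: class map selecting the bypass traffic
class-map tcp_bypass
 match access-list tcp_bypass
!
! Step 4: enable TCP state bypass for that class only. For this class the
!         ASA stops tracking connection state, so the TCP normalizer,
!         TCP Intercept, embryonic limits, sequence number randomization
!         and application inspection no longer apply (see the guidelines above)
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Step 5: apply the policy on the interface where the asymmetric traffic arrives
service-policy tcp_bypass_policy interface inside
!
! Verification: bypassed connections carry the "b" flag in the connection table
show conn detail
```

Traffic not matched by the class map keeps the default stateful inspection, so limit the access list to the flows that are actually routed asymmetrically.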

Default Settings

TCP State Bypass

TCP state bypass is disabled by default.

TCP Normalizer

The default configuration includes the following settings:

no check-retransmission

no checksum-verification
