Cisco ASA TCP Connection Flags

I got asked to look into a problem where two servers where not able to communicate with each other, ping didnt work and the application could not connect to the server. Firewall rules and routing was fine and my colleague spend already over an hour but couldnt find something. The first thing I asked, do you see a TCP connection? He told me yes over the ASDM logging I see something…. I double check and connect to the console and run:

show conn address 10.20.100.21

Show conn output:

TCP DMZ 10.10.127.29:2222 TRANSFER 10.20.100.21:42799, idle 0:00:00, bytes 0, flags saA
TCP DMZ 10.10.127.29:2223 TRANSFER 10.20.100.21:63554, idle 0:00:00, bytes 0, flags saA
TCP DMZ 10.5.63.29:2220 TRANSFER 10.20.100.21:59274, idle 0:00:00, bytes 0, flags saA
TCP DMZ 10.5.63.29:2221 TRANSFER 10.20.100.21:55782, idle 0:00:00, bytes 0, flags saA

I saw directly that the TCP connection was not open because the connection flag was “saA” what means outbound SYN was send and a connection is reserved but no SYN ACK came back. The problem in the end was that between these two servers was a VPN and that the IP network was missing in both crypto map’s what was then easy to find and solve in the end.

The command “show conn ?” give you enough information and when it comes to troubleshooting that you need to know basic troubleshooting skills because some stuff is not easy to find out over the ASDM and to use the command line instead.

Here the overview over the ASA TCP connection flags which are important to know or at least to know where to look them up đŸ˜‰

Here the document from Cisco: ASA TCP Connection Flags (Connection build-up and teardown)

 

Cisco ASA Virtual Context Mode

A single Cisco ASA or a cluster of two ASAs can be partition into multiple virtual firewalls known as security contexts. Each context has it’s own independent firewall, with its own security policy, interfaces, and administrators. These contexts are similar to having multiple standalone ASA devices. In combination with failover groups you can run a ASA cluster in active/active state and utilize both devices. Don’t forget when a failover happens that both failover groups need to run on a single device, keep enough ressources free on both devices and do not oversubscribe too much.

You have to look because there are limitation what features are supported in context mode. In version 8 is unsupport to use dynamic routing protocols, VPN, Threat Detection and Quality of Service. In version 9 are some changes and now dynamic routing protocols (not RIP or OSPFv3) and site-to-site IPsec VPNs are supported.

Here the configuration example how to set-up an Cisco ASA 5580 with 10 Gigabit Ethernet interfaces.

Enabling the context mode

mode noconfirm multiple

Physical interface configuration

interface GigabitEthernet4/2 
  description Failover 
  no shutdown 
  exit 

interface GigabitEthernet4/3 
  description Stateful 
  no shutdown 
  exit 

interface TenGigabitEthernet5/0 
  description TeTrunk-1st 
  no shutdown 
  exit 

interface TenGigabitEthernet5/1 
  description TeTrunk-2nd 
  no shutdown 
  exit

Redundant interface configuration

interface Redundant 1
  description Redundant-Trunk
  member-interface TenGigabitEthernet5/0
  member-interface TenGigabitEthernet5/1
  exit

interface Redundant 1.800
  vlan 800
  description Link-Outside1
  exit

interface Redundant 1.801
  vlan 801
  description Link-Outside2
  exit

interface Redundant 1.100
  vlan 100
  description Link-Inside1
  exit

interface Redundant 1.101
  vlan 101
  description Link-Inside2
  exit

interface Redundant 1.500
  vlan 500
  description Link-Management
  exit

Here you need to start configuring the ASA failover settings. Like you see in the failover group configuration that I put group 1 to the primary device and group 2 to the seconday device for active/active set-up, when I create the virtual security context I join them to the different failover groups.

failover group 1
  primary
  polltime interface 1 holdtime 5
  exit

failover group 2
  secondary
  polltime interface 1 holdtime 5
  exit

failover

failover lan unit primary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover 169.254.0.1 255.255.255.0 standby 169.254.0.2

failover link stateful GigabitEthernet4/3
failover interface ip stateful 169.254.1.1 255.255.255.0 standby 169.254.1.2

failover polltime unit 2 holdtime 6
failover polltime interface 1 holdtime 5
failover timeout 0:00:00

failover active

Failover configuration on the seconday device

interface GigabitEthernet4/2
  description Failover
  no shutdown
  exit

failover lan unit secondary
failover lan interface failover GigabitEthernet4/2
failover interface ip failover 169.254.0.1 255.255.255.0 standby 169.254.0.2

failover

copy running-config startup-config

Now you start to set-up the virtual contexts and add the interfaces I configured before

admin-context admin-asa-01

context admin-asa-01
  allocate-interface Redundant1.500 Link-Management
  config-url disk0:/admin-asa-01.conf
  join-failover-group 1
  exit

context virtual-asa-02
  allocate-interface Redundant1.800 Link-Outside1
  allocate-interface Redundant1.100 Link-Inside1
  config-url disk0:/virtual-asa-02.conf
  join-failover-group 1
  exit

context virtual-asa-03
  allocate-interface Redundant1.801 Link-Outside2
  allocate-interface Redundant1.101 Link-Inside2
  config-url disk0:/virtual-asa-03.conf
  join-failover-group 2
  exit

In the end save the configuration

write memory all

Afterwards you can change to the configured contexts with the command

changeto context virtual-asa-02

and start configuring your virtual firewalls.

Just tested new Cisco ASA 8.3 (Update)

It was a big suprise that Cisco changed so many things in the new IOS version for the ASA. Remember it is only an minor release update i would expect these changes for an major update but anyway they did a good work.

The new group objects what they implementent is very nice. It make the work much easier and you have a better overview about the NAT configuration like before because they move it to the actual network object.

Here an example how nat works in the network object:

object network web-01-external
host 24.0.0.1
exit

object network web-01-frontside
description Web Server Node 1
host 10.1.0.1
nat (inside,outside) static web-01-external
exit