Problem with Riverbed Steelhead probing via ASA(CSM)



By default the ASA firewall allows only the standard TCP options 0-5 and 8, which breaks probing between Riverbed devices, so traffic is not optimized.

Riverbed uses TCP options 76 and 78, from the unassigned type range 28-255.



  • Go to PIX/ASA/FWSM Platform/Service Policy Rules/IPS, QoS and Connection Rules and create a new policy (in my case "Riverbed probes").




  • Add "New row" under Riverbed probes - Mandatory (Empty).


 Create a new rule.




Click "Next", choose "Traffic class" and click the "Select" button to choose the flow to check.


Use the settings below:


ACL (this is quite good because we see hit counts on the ACL, so we can tell whether any traffic is reaching it)


Match TCP ports 1-65535.

 Click "Next" and go to the "Connection Settings" tab.

Check "Enable Connection Settings For This Traffic" and "Enable TCP Normalization".




 Click the "Select" button and create a TCP map by clicking the "plus" button.



Fill in the fields as below.




 Click "OK" to close the TCP map, choose the "Steelhead-Probes" TCP map in the TCP map selector and click "OK".




 Click "Finish" to close the rule configuration.

  • Save the settings, apply the configuration to the devices and deploy the changes.
  • Reload the service policy on the ASA on both ends:

(config)# no service-policy global_policy global
(config)# service-policy global_policy global
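
To confirm on the wire which TCP options are affected, the option area of a SYN captured on each side of the ASA can be parsed and compared. This is an added example, not part of the original post; the byte strings are constructed samples and the kind-76 payload is placeholder data, not Riverbed's real probe format.

```python
# Option kinds the post says the ASA passes by default: 0-5 and 8.
ASA_DEFAULT_ALLOWED = frozenset({0, 1, 2, 3, 4, 5, 8})

def parse_tcp_options(raw):
    """Walk the kind/length/value option area of a TCP header."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                 # End of Option List: nothing follows
            options.append((0, b""))
            break
        if kind == 1:                 # NOP: single byte, no length field
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {kind} truncated before its length byte")
        length = raw[i + 1]           # length covers kind + length + value
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option {kind} has invalid length {length}")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options

def kinds(raw):
    return {kind for kind, _ in parse_tcp_options(raw)}

def non_default_kinds(raw):
    """Option kinds outside the default-allowed set named in the post."""
    return sorted(kinds(raw) - ASA_DEFAULT_ALLOWED)

def lost_in_transit(before, after):
    """Kinds seen in the SYN before the firewall but absent after it."""
    return sorted(kinds(before) - kinds(after))

# Constructed sample: MSS 1460, NOP, window scale 7, SACK permitted,
# then kind 76 with 8 placeholder bytes (20 option bytes in total).
SYN_BEFORE_ASA = bytes.fromhex("020405b4" "01" "030307" "0402" "4c0a" + "00" * 8)
# Constructed sample: the same SYN with the kind-76 bytes replaced by NOPs,
# standing in for a capture where the option did not survive.
SYN_AFTER_ASA = bytes.fromhex("020405b4" "01" "030307" "0402" + "01" * 10)

if __name__ == "__main__":
    print("non-default kinds before ASA:", non_default_kinds(SYN_BEFORE_ASA))
    print("kinds lost across ASA:", lost_in_transit(SYN_BEFORE_ASA, SYN_AFTER_ASA))
```

An empty result from `lost_in_transit` on real captures taken after the policy is deployed indicates the probe options are passing through.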



dzbanek 2012-11-16

