Problem with Riverbed Steelhead probing via ASA(CSM)

 

Introduction

By default, the ASA firewall allows only the standard TCP options 0-5 and 8. This causes problems with probing between Riverbed devices, so traffic is not optimized.

Riverbed uses TCP options 76 and 78, from the unassigned type range 28-255.

 

Configuration

  •  Go to PIX/ASA/FWSM Platform/Service Policy Rules/IPS, QoS and Connection Rules and create a new policy (in my case "Riverbed probes").

 

Riverbed-asa-probbing1.png

 

  • Add a "New row" under Riverbed probes - Mandatory (Empty).

 

 Create a new rule.

 

Riverbed-asa-probbing2.png

 

Click "Next", choose "Traffic class" and click the "Select" button to choose the flow to check.


Riverbed-asa-probbing3.png

Use the settings below:

Riverbed-Asa-probbing3a.png

ACL (this is quite useful because the hit counts on the ACL show whether any traffic is reaching it or not)

Riverbed-asa-probbing3b.png

Match TCP ports 1-65535.

 Click "Next" and go to the "Connection Settings" tab.

Enable Connection Settings For This Traffic and Enable TCP Normalization

 

Riverbed-asa-probbing4.png

 

 Click the "Select" button and create a "TCP-map" by clicking the "plus" button.

 

Riverbed-asa-probbing5.png


Fill in the fields as shown below.

 

Riverbed-Asa-probbing6.png

 

 Click "OK" to close the tcp-map, choose "Steelhead-Probes tcp-map" in the tcp-map selector and click OK.

 

Riverbed-asa-probbing7.png

 

 Click "Finish" to close the rule configuration.

  • Save the settings, apply the configuration to the devices and deploy the changes.
  • Reload the service policy on the ASA on both ends:

(config)# no service-policy global_policy global
(config)# service-policy global_policy global
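
One way to confirm the result from packet captures taken on each side of the ASA (an added example, not part of the original page): this parser lists the TCP option kinds in a raw TCP header and flags those outside the default allowed set described above. The sample headers, the port numbers and the body of option 76 are constructed placeholders, not real Riverbed probe data.

```python
import struct

# From the page: the ASA passes TCP option kinds 0-5 and 8 by default,
# and Riverbed probes use kinds 76 and 78.
ASA_DEFAULT_ALLOWED = {0, 1, 2, 3, 4, 5, 8}
RIVERBED_PROBE_KINDS = {76, 78}

def tcp_option_kinds(tcp_header):
    """Return the TCP option kinds present in a raw TCP header, in order."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    header_len = (tcp_header[12] >> 4) * 4  # data offset field, in bytes
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("invalid data offset")
    opts, kinds, i = tcp_header[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        kinds.append(kind)
        if kind == 0:  # End of Option List: nothing after it is parsed
            break
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        i += opts[i + 1]
    return kinds

def check_probe(tcp_header, allowed=ASA_DEFAULT_ALLOWED):
    """Report probe options seen and kinds outside the allowed set."""
    kinds = set(tcp_option_kinds(tcp_header))
    return {"probe_kinds": sorted(kinds & RIVERBED_PROBE_KINDS),
            "not_allowed": sorted(kinds - set(allowed))}

def build_syn(options):
    """Constructed SYN header (hypothetical ports) carrying the given options."""
    options += b"\x01" * (-len(options) % 4)  # pad to a 32-bit boundary with NOPs
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02,
                       65535, 0, 0) + options

# Constructed samples: MSS option plus a kind-76 option with a placeholder body.
MSS = bytes([2, 4, 0x05, 0xB4])
PROBE = bytes([76, 10]) + bytes(8)
SYN_WITH_PROBE = build_syn(MSS + PROBE)   # stands in for a SYN carrying a probe
SYN_STRIPPED = build_syn(MSS)             # stands in for a SYN without the probe

if __name__ == "__main__":
    print(check_probe(SYN_WITH_PROBE))
    print(check_probe(SYN_WITH_PROBE, ASA_DEFAULT_ALLOWED | {76, 78}))
```

If a SYN shows a probe kind on the sending side but an empty `probe_kinds` list on the far side of the firewall, the option is still not getting through.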



 

 

dzbanek 2012-11-16

 
