Problem with Riverbed Steelhead probing via ASA(CSM)

 

Introduction

By default, the ASA firewall allows only the standard TCP options 0-5 and 8. This causes problems with probing between Riverbed devices, and as a result the traffic is not optimized.

Riverbed uses TCP options 76 and 78, which come from the unassigned type range 28-255.

 

Configuration

  • Go to PIX/ASA/FWSM Platform/Service Policy Rules/IPS, QOS and Connection rules and create a new policy (in my case “Riverbed probes”).

 

Riverbed-asa-probbing1.png

 

  • Add a “New row” under Riverbed probes – Mandatory (Empty)

 

Create a new rule.

 

Riverbed-asa-probbing2.png

 

Click Next, choose “Traffic class” and click the “Select” button to choose the flow to check.

 

Riverbed-asa-probbing3.png

Use the settings below:

Riverbed-Asa-probbing3a.png

ACL (this is quite useful, because the hit counts on the ACL show whether any traffic is reaching it or not)

Riverbed-asa-probbing3b.png

Match TCP ports 1-65535.

Click Next and go to the “Connection Settings” tab.

Select “Enable Connection Settings For This Traffic” and “Enable TCP Normalization”.

 

Riverbed-asa-probbing4.png

 

Click the “Select” button and create a “TCP-map” by clicking the “plus” button.

 

Riverbed-asa-probbing5.png

 

Fill in the fields as shown below.

 

Riverbed-Asa-probbing6.png

 

Click “OK” to close the tcp-map, choose “Steelhead-Probes tcp-map” in the tcp-map selector and click OK.

 

Riverbed-asa-probbing7.png

 

Click “Finish” to close the rule configuration.

  • Save the settings, apply the configuration to the devices and deploy the changes.
  • Reload the service policy on the ASA on both ends:

(config)# no service-policy global_policy global
(config)# service-policy global_policy global
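
To confirm the change, compare a SYN captured on each side of the ASA. The Python below is an added example, not part of the original post: it parses the options of a raw TCP header and reports option kinds 76/78 and any kind outside the default-allowed set 0-5 and 8. The sample headers, the probe payload and the helper names `probe_report` and `build_syn` are constructed for illustration.

```python
import struct

ASA_DEFAULT_ALLOWED = set(range(0, 6)) | {8}   # kinds 0-5 and 8, per the article
RIVERBED_PROBE_KINDS = {76, 78}                # kinds the article gives for Riverbed

def parse_tcp_options(tcp_header: bytes):
    """Return [(kind, value)] for the options area of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("data offset outside the supplied bytes")
    opts, i, found = tcp_header[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP is a single byte
            found.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found

def probe_report(tcp_header: bytes):
    """Which probe kinds are present, and which kinds need the tcp-map to pass."""
    kinds = {kind for kind, _ in parse_tcp_options(tcp_header)}
    return {"probe_kinds": sorted(kinds & RIVERBED_PROBE_KINDS),
            "outside_default": sorted(kinds - ASA_DEFAULT_ALLOWED)}

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header (ports and sequence number are arbitrary)."""
    options += b"\x01" * (-len(options) % 4)          # pad to 32 bits with NOPs
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

MSS = bytes([2, 4, 0x05, 0xB4])
PROBE = bytes([76, 10]) + bytes(8)   # constructed payload, not Riverbed's format
SYN_CLIENT_SIDE = build_syn(MSS + PROBE)   # constructed: probe option present
SYN_SERVER_SIDE = build_syn(MSS)           # constructed: probe option absent

if __name__ == "__main__":
    print(probe_report(SYN_CLIENT_SIDE), probe_report(SYN_SERVER_SIDE))
```

If the report for the far-side capture still shows no probe kinds after the policy is deployed, check the hit counts on the ACL used in the traffic class.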

 

 

dzbanek 2012-11-16