Problem with Riverbed Steelhead probing via ASA(CSM)
By default, the ASA firewall allows only the standard TCP options 0-5 and 8. This causes problems with probing between Riverbed devices, and as a result traffic is not optimized.
Riverbed uses TCP options 76 and 78, which come from the unassigned type range 28-255.
- Go to PIX/ASA/FWSM Platform/Service Policy Rules/IPS, QoS and Connection Rules and create a new policy (in my case “Riverbed probes”).
- Add “New row” under Riverbed probes – Mandatory (Empty)
Create a new rule.
Click Next, choose “Traffic class” and click the “Select” button to choose the flow to check.
ACL (this is quite useful because the hit counts on the ACL show whether any traffic is reaching it or not)
Match TCP ports from 1-65535.
Click Next and go to the “Connection Settings” tab.
Enable Connection Settings For This Traffic and Enable TCP Normalization.
Click the “Select” button and create a “TCP-map” by clicking the “plus” button.
Fill in the fields like below.
Click “OK” to close the tcp-map, choose “Steelhead-Probes tcp-map” in the tcp-map selector and click OK.
Click “Finish” to close the rule configuration.
- Save the settings, apply the configuration to the devices and deploy the changes.
- Reload the service policy on the ASA at both ends:
(config)# no service-policy global_policy global
(config)# service-policy global_policy global
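The ASA CLI configuration that the CSM steps above correspond to, as an added example that is not part of the original post. The ACL name and class-map name are hypothetical, and the option range 76-78 is assumed from the options the post names.

```cisco
! Constructed example; ACL and class-map names are hypothetical.
! Match the probe traffic (all TCP ports, as in the CSM rule above).
! Narrowing "any any" to the Steelhead addresses limits where the
! non-standard options are accepted.
access-list RIVERBED-PROBES-ACL extended permit tcp any any range 1 65535
!
! Per the post, only options 0-5 and 8 pass by default. This tcp-map
! lets options 76 through 78 pass unchanged (assumed range covering
! the two options the post names, 76 and 78).
tcp-map Steelhead-Probes
 tcp-options range 76 78 allow
!
class-map Riverbed-probes
 match access-list RIVERBED-PROBES-ACL
!
! Bind the tcp-map to the matched class inside the global policy.
policy-map global_policy
 class Riverbed-probes
  set connection advanced-options Steelhead-Probes
!
service-policy global_policy global
!
! Verification: ACL hit counts show whether probe traffic is matching.
! show access-list RIVERBED-PROBES-ACL
! show service-policy
```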