Problem with Riverbed Steelhead probing via ASA(CSM)
Introduction
By default, the ASA firewall allows only the standard TCP options 0-5 and 8. This breaks probing between Riverbed devices, so traffic is not optimized.
Riverbed uses TCP options 76 and 78, which come from the unassigned type range 28-255.
Configuration
- go to PIX/ASA/FWSM Platform/Service Policy Rules/IPS, QOS and Connection rules and create a new policy (in my case “Riverbed probes”)
- Add “New row” under Riverbed probes – Mandatory (Empty)
create a new rule
click next, choose “Traffic class” and click the “Select” button to choose the flow to check
Below settings:
ACL (this is quite useful because the ACL hit counts show whether any traffic is reaching the ACL or not)
match tcp ports from 1-65535
click next and go to the “Connection Settings” tab
Enable Connection Settings For This Traffic and Enable TCP Normalization
click the “Select” button and create a “TCP-map” by clicking the “plus” button
fill in the fields as below
click “OK” to close the tcp-map, choose “Steelhead-Probes tcp-map” in the tcp-map selector and click OK.
click “Finish” to close the rule configuration.
- Save the settings, apply the configuration to the devices and deploy the changes.
- Reload the SERVICE-POLICY on the ASA on both ends
(config)# no service-policy global_policy global
(config)# service-policy global_policy global
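For comparison, an ASA CLI equivalent of the CSM steps above, as an added example that is not taken from the original post. The names Riverbed-probes and Riverbed-probes-acl are hypothetical, and two things are assumed: that the tcp-map allows the option range covering 76 and 78, and that the rule is attached to global_policy.

```cisco
! Added example. Names other than Steelhead-Probes and global_policy are hypothetical.
! The ACL only classifies traffic; its hit counts show whether flows reach the rule.
access-list Riverbed-probes-acl extended permit tcp any any range 1 65535
!
class-map Riverbed-probes
 match access-list Riverbed-probes-acl
!
! Assumption: the tcp-map allows the option range that covers 76 and 78.
tcp-map Steelhead-Probes
 tcp-options range 76 78 allow
!
! Assumption: the rule is attached to the global policy that is reloaded above.
policy-map global_policy
 class Riverbed-probes
  set connection advanced-options Steelhead-Probes
!
! Checks to run from privileged EXEC once the service-policy has been re-applied:
show running-config tcp-map
show service-policy
show access-list Riverbed-probes-acl
```

Replacing `any any` in the ACL with the Steelhead addresses limits the relaxed option handling to the optimization peers and leaves the default TCP normalization in place for all other traffic.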
dzbanek 2012-11-16