Cisco Bug: CSCul10453 - ASA ENH cluster performance: disabling syn cookie

Last Modified

Jul 11, 2017

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(3)

Description (partial)

Symptom:
Normally the ASA switches to SYN cookies only when a TCP embryonic connection limit is reached.

In a cluster, the ASA unit with the owner role always generates the TCP ISN using SYN cookies.
A forwarder unit uses that ISN to infer which unit is the owner without contacting the director.

The drawback of SYN cookies is the inability to negotiate the window scaling or SACK options (there is not enough space in the 32-bit sequence number to safely encode all options). Many servers need SACK and window scaling to achieve high TCP throughput.

Also, when traffic arriving at the cluster is properly balanced there are no forwarders at all, so SYN cookies provide no benefit while still degrading performance.

The workaround is to disable TCP sequence number randomization (which also disables SYN cookies), but that is a security risk: it allows an attacker to guess the ISN (many operating systems still do not generate fully random ISNs), and OS fingerprinting is easier with randomization disabled.

This enhancement is created to add the command "cluster syn-cookie disable", which disables SYN cookie usage for the cluster (while below the embryonic connection limits) but keeps TCP sequence number randomization.

Conditions:
cluster running
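The description above states that a SYN cookie leaves no room in the sequence number to carry window scaling or SACK. The following toy encoder/decoder, added here as an illustration and not Cisco ASA code, uses the classic Bernstein-style layout (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC) so the 32-bit budget can be seen directly; the key, MSS table and 4-tuple values are constructed for the example, and nothing here models how the ASA cluster encodes owner information.

```python
"""Toy SYN-cookie encoder/decoder showing the 32-bit ISN bit budget.

Constructed educational example; the layout (counter | MSS index | MAC)
follows the classic SYN-cookie scheme, not any ASA implementation.
"""
import hashlib
import hmac
import struct

COUNTER_BITS = 5                         # coarse time counter, wraps every 32 ticks
MSS_BITS = 3                             # index into a small table of MSS values
MAC_BITS = 32 - COUNTER_BITS - MSS_BITS  # 24 bits remain for the MAC
MSS_TABLE = (536, 1220, 1300, 1440, 1460, 4312, 8960, 9000)  # constructed, 8 entries
COOKIE_WINDOW = 2                        # accept cookies up to this many ticks old

KEY = b"constructed-demo-key-not-for-production"  # assumed per-device secret


def _mac(key, saddr, daddr, sport, dport, counter):
    """Keyed MAC over the 4-tuple and counter, truncated to MAC_BITS."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, counter)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def mss_index(mss):
    """Largest table entry not exceeding the client's MSS (round down)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(key, saddr, daddr, sport, dport, mss, counter):
    """Build the 32-bit ISN that stands in for per-connection state on a SYN."""
    counter &= (1 << COUNTER_BITS) - 1
    cookie = counter << (32 - COUNTER_BITS)
    cookie |= mss_index(mss) << MAC_BITS
    cookie |= _mac(key, saddr, daddr, sport, dport, counter)
    return cookie


def check_cookie(key, saddr, daddr, sport, dport, ack, now):
    """Validate ISN = ack-1 carried in the handshake's final ACK.

    Returns the recovered MSS, or None if the cookie is stale or does not
    verify. Only the MSS survives the round trip: there are no bits left
    for window scale (4 bits) or SACK-permitted (1 bit).
    """
    isn = (ack - 1) & 0xFFFFFFFF
    counter = isn >> (32 - COUNTER_BITS)
    idx = (isn >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = isn & ((1 << MAC_BITS) - 1)
    age = (now - counter) & ((1 << COUNTER_BITS) - 1)   # wrap-safe age in ticks
    if age > COOKIE_WINDOW:
        return None
    expected = _mac(key, saddr, daddr, sport, dport, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def mac_bits_left(extra_option_bits=0):
    """MAC bits remaining if extra option bits were squeezed into the ISN."""
    return 32 - COUNTER_BITS - MSS_BITS - extra_option_bits


if __name__ == "__main__":
    client, server = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])  # constructed
    isn = make_cookie(KEY, client, server, 40000, 443, 1460, counter=7)
    print(f"ISN 0x{isn:08x} -> MSS {check_cookie(KEY, client, server, 40000, 443, isn + 1, 7)}")
    print("MAC bits with counter+MSS only:", mac_bits_left())
    print("MAC bits if wscale+SACK were added:", mac_bits_left(4 + 1))
```

Encoding window scale and SACK as well would cut the MAC to 19 bits, which is why implementations that want those options either keep real state or move the encoding elsewhere rather than into the sequence number.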