Cisco Bug: CSCuw38101 - TCP sessions aborted due to ASA sequence randomization - Hardware Bypass
Nov 09, 2016
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: TCP-based sessions were aborted due to ASA sequence randomization when the Hyperlite device went into hardware bypass, triggered either manually or automatically. This was observed on the ISA-3000-2C2F using the 9.4.1 load. Other protocols such as UDP or ICMP do not have this issue because the ASA does not modify those packets. By default the ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions to prevent session hijacking by predicting the next sequence number. Raising this bug to provide a software solution instead of disabling the feature.

Conditions:

Steps to Reproduce
1. Have a telnet connection going on across the Hyperlite with L1 bypass disabled
2. Enable the bypass manually
3. Observe the connection stalled because the server on the other side started receiving packets out of order (mismatched sequence numbers).
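The failure mode above follows from how inline ISN randomization works: the device adds a per-flow random offset to one direction's sequence space and subtracts the same offset from the acknowledgement numbers coming back, so both endpoints stay consistent only while every segment passes through the device. The model below is an added, constructed example (not Cisco's implementation, and not code from the bug report): a toy randomizer, a minimal in-order receiver, and a scenario in which the path goes into bypass part-way through the connection. The host names, ISNs and offsets are made up.

```python
"""Toy model of inline TCP ISN randomization and of a mid-connection
hardware bypass. Constructed illustration only; the firewall logic is a
simplification and is not the ASA's implementation."""
import secrets
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    length: int = 0      # payload bytes; a SYN consumes one sequence number
    syn: bool = False


class IsnRandomizer:
    """Inline device that shifts each direction's sequence space by a random
    offset chosen when it sees that direction's SYN, and undoes the peer's
    shift on the ACK numbers travelling the other way."""

    def __init__(self, pick_offset):
        self.offsets = {}            # (src, dst) -> offset added to seq in that direction
        self.pick_offset = pick_offset

    def forward(self, seg: Segment) -> Segment:
        if seg.syn:
            self.offsets[(seg.src, seg.dst)] = self.pick_offset()
        fwd = self.offsets.get((seg.src, seg.dst), 0)  # shift of this direction's seq
        rev = self.offsets.get((seg.dst, seg.src), 0)  # shift the peer's seq received on the way out
        return Segment(seg.src, seg.dst, (seg.seq + fwd) & MASK,
                       (seg.ack - rev) & MASK, seg.length, seg.syn)


class Receiver:
    """Minimal in-order receiver: a segment is accepted only if it starts
    exactly at rcv_nxt; anything else is counted as a sequence mismatch."""

    def __init__(self):
        self.rcv_nxt = None
        self.accepted = 0
        self.mismatched = 0

    def receive(self, seg: Segment) -> bool:
        if seg.syn:
            self.rcv_nxt = (seg.seq + 1) & MASK
            self.accepted += 1
            return True
        if seg.seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + seg.length) & MASK
            self.accepted += 1
            return True
        self.mismatched += 1
        return False


def run_scenario(total_segments: int, bypass_after: int, pick_offset=None) -> dict:
    """Client (ISN 1000) completes a handshake through the randomizer, then
    sends `total_segments` data segments of 100 bytes. The first
    `bypass_after` data segments traverse the randomizer; the remainder go
    straight through unmodified, as they would in L1 hardware bypass."""
    fw = IsnRandomizer(pick_offset or (lambda: secrets.randbelow(1 << 32)))
    server = Receiver()
    client_isn, server_isn = 1000, 7000

    # Handshake: SYN outbound, SYN/ACK back, both rewritten by the device.
    server.receive(fw.forward(Segment("client", "server", client_isn, 0, syn=True)))
    syn_ack = fw.forward(Segment("server", "client", server_isn, server.rcv_nxt, syn=True))
    handshake_ack_ok = syn_ack.ack == (client_isn + 1) & MASK  # client sees a sane ACK

    seq = (client_isn + 1) & MASK
    for i in range(total_segments):
        seg = Segment("client", "server", seq, 0, length=100)
        on_wire = fw.forward(seg) if i < bypass_after else seg   # bypass: no rewrite
        server.receive(on_wire)
        seq = (seq + 100) & MASK

    return {"handshake_ack_ok": handshake_ack_ok,
            "accepted": server.accepted,
            "mismatched": server.mismatched,
            "offset": fw.offsets[("client", "server")]}


if __name__ == "__main__":
    print(run_scenario(total_segments=5, bypass_after=3))
```

With a non-zero offset, every segment sent after the bypass arrives at the server shifted by exactly the offset the device chose at SYN time, so the receiver counts them as out of order and the session stalls; with the offset forced to zero (equivalent to disabling randomization) the same bypass is harmless, which is the trade-off the bug report is asking to resolve in software rather than by turning the feature off.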