Cisco Bug: CSCuw38101 - TCP sessions aborted due to ASA sequence randomization - Hardware Bypass

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)

TCP-based sessions were getting aborted due to ASA sequence randomization when the Hyperlite device went into hardware bypass, triggered either manually or automatically. This was observed on ISA-3000-2C2F using the 9.4.1 load. Other protocols such as UDP or ICMP do not have this issue, as the ASA does not change those packets. By default, the ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions to prevent session hijacking by prediction of the next sequence number. This bug was raised to provide a software solution instead of disabling the feature.
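As an added illustration (not Cisco code and not part of the bug report), this simplified Python model shows why a flow whose sequence numbers were being rewritten stalls once packets pass through hardware bypass unmodified. The fixed per-flow offset, the class names and the receive-window size are assumptions made for the sketch.

```python
import random

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around

class RandomizingFirewall:
    """Assumed model: ISN randomization as a fixed per-flow offset on client sequence numbers."""
    def __init__(self, rng):
        # Constructed range: keeps the offset far from 0 so the mismatch is always visible.
        self.delta = rng.randrange(1 << 20, MOD - (1 << 20))
        self.bypass = False  # True models hardware bypass: packets pass unmodified

    def to_server(self, seq):
        return seq if self.bypass else (seq + self.delta) % MOD

class Server:
    """Accepts a segment only when its sequence number is the next one expected."""
    def __init__(self, window=65535):
        self.window = window
        self.rcv_nxt = None

    def on_syn(self, seq):
        self.rcv_nxt = (seq + 1) % MOD  # SYN consumes one sequence number

    def on_data(self, seq, length):
        if seq == self.rcv_nxt:
            self.rcv_nxt = (seq + length) % MOD
            return "accepted"
        in_window = (seq - self.rcv_nxt) % MOD < self.window
        return "out of order" if in_window else "out of window"

def simulate(seed=1, bypass_after=2, segments=4, seg_len=100):
    """Send `segments` data segments; switch to bypass before segment `bypass_after`."""
    rng = random.Random(seed)
    fw, srv = RandomizingFirewall(rng), Server()
    client_seq = rng.randrange(MOD)       # client's own ISN
    srv.on_syn(fw.to_server(client_seq))  # server only ever sees the rewritten ISN
    client_seq = (client_seq + 1) % MOD
    results = []
    for i in range(segments):
        if i == bypass_after:
            fw.bypass = True              # offset is no longer applied from here on
        results.append(srv.on_data(fw.to_server(client_seq), seg_len))
        client_seq = (client_seq + seg_len) % MOD
    return results

if __name__ == "__main__":
    print(simulate())
```

The server's expected sequence number stays in the rewritten space, so every segment sent after the switch to bypass is rejected, while the same flow with no bypass is accepted throughout.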

Steps to Reproduce

1. Have a telnet connection going on across the Hyperlite with L1 bypass disabled
2. Enable the bypass manually
3. Observe the connection stalled because the server on the other side started receiving packets out of order (mismatched sequence numbers).

Bug details contain sensitive information and therefore require an account to be viewed.
