As I mentioned in a previous post, this third part of the series about parallel features of the Cisco ASA and IPS covers the topic of asymmetric packet flow.
This is a highly specialized exception condition (to be deliberately avoided, if possible!) where either (or both!) the ASA and IPS appliances see traffic in one direction only. We’ll briefly examine how this situation can be handled and the implications of its use.
Both the Cisco Adaptive Security Appliance and the Intrusion Prevention System have the capability of checking the state of TCP connections by examining sequence and acknowledgement numbers, flags, ports, and IP addresses. In the case of the ASA, this “stateful inspection” has been optimized to allow many connections to utilize the “fast path” for virtual wire-speed packet delivery. It has further been enhanced to provide granular control of both open and half-open connection limits, a feature not present on the IPS.
One scenario in which asymmetric routing of packets is frequently seen is with topologies designed for load balancing. For a pair of ASA appliances deployed in an Active-Active failover implementation, a session could potentially be initiated through the first firewall and be returned via the second. The unintended consequence of this behavior would be connectivity problems, because the second firewall drops return packets that match no entry in its own state table. Fortunately, beginning in OS release 8.2, support was added for asymmetric routing groups as shown in the ASDM screenshot below:
When properly configured, a pair of ASA appliances in Active-Active failover will redirect an asymmetrically routed return packet to the other ASA for proper stateful inspection. As Cisco IPS 7.0 — Signature Engines indicates, the Cisco IPS allows for stateful inspection of sensors deployed in a parallel load sharing topology as long as EtherChannel is used.
Now that we have shown how load balancing can be implemented while retaining stateful inspection, let’s examine the configuration support on both platforms for disabling it. Again with OS version 8.2, a new feature called TCP State Bypass was introduced, as detailed in the Cisco ASA 8.2 Configuration Guide — Configuring TCP State Bypass. It can be configured in both the CLI and ASDM. Once bypass is enabled for a flow, that flow is exempt from connection limits and from any further examination by an SSM module; as a best practice, therefore, bypass should be enabled only for the most trusted set of endpoints.
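Both ASA-side mechanisms described above (an asymmetric routing group for the Active-Active pair, and a narrowly scoped TCP State Bypass policy) as an added configuration example; it is not taken from the original post or from Cisco’s documentation, and the interface name, IP addresses, ACL and policy names, and group number are assumptions for illustration.

```cisco
! --- Asymmetric routing group (Active-Active failover) ---
! Assumed: stateful failover is already configured and this interface is
! allocated to the same context on both units.  Interfaces that may receive
! the reverse direction of a flow go into the same asr-group on both units;
! a return packet with no local state entry is then redirected to the peer
! that owns the connection instead of being dropped.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 asr-group 1

! --- TCP State Bypass (ASA 8.2+), limited to one trusted pair of subnets ---
! Only flows matching the ACL skip the TCP state checks, connection limits
! and SSM inspection; all other traffic is still inspected normally.
access-list TCP_BYPASS extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
service-policy TCP_BYPASS_POLICY interface inside

! Anti-pattern to avoid: a "match any" class would disable stateful
! inspection and connection limits for every TCP flow on the interface.
! class-map TCP_BYPASS_CLASS
!  match any
```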
The screenshot below illustrates how this analogous function is supported on the IPS. The reassembly of TCP streams is part of the function of the normalizer signature engines on the sensor and can be set to asymmetric if it is predetermined that the sensor will only see flow in one direction.