Acceleration Does Not Work After Cisco ASA 8.x is Configured to Allow TCP Options

Article ID: CTX128879

Description

Citrix CloudBridge is installed inline at two sites that are connected through an IPsec VPN between Cisco ASA firewalls. The TCP option policy suggested in CTX112401 – Acceleration Does Not Take Place for Configured Traffic Types has been applied to the ASA, but acceleration still does not work.

The network connection is as depicted below:
LAN — CloudBridge — ASA — ((Internet)) — ASA — CloudBridge — LAN

Resolution

The TCP/IP option configuration required on the ASA is version-specific. ASA versions below 8.2(2), for example 8.2(1), 7.2(4), 8.0(4), and so on, require only the configuration referenced in CTX112401 – Acceleration Does Not Take Place for Configured Traffic Types.

However, ASAs running version 8.2(2) or higher require the following configuration in addition to the configuration mentioned in CTX112401:

hostname(config)# policy-map type inspect ip-options ip-options-map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# eool action allow
hostname(config-pmap-p)# nop action allow
hostname(config-pmap-p)# router-alert action allow

Note that when these tcp-options and ip-options are applied to the global policy-map, they sometimes do not take effect because of ASA policy-map priorities. Apply them instead to the policy-map bound to the outside interface (or the appropriate interface name) so that the policy-map takes precedence.
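The following is an added example, not configuration from the Citrix article or from Cisco, showing how the CTX112401 TCP-option allowance (options 24–31) and the ip-options inspection above can be combined into one policy-map bound to the outside interface, as recommended. The object names CB_TCP_MAP, CB_CLASS and CB_OUTSIDE_POLICY are assumptions, as is the exact tcp-map syntax, which should be checked against your ASA release.

```cisco
! Constructed example (not from the Citrix article): ASA 8.2(2)+ configuration
! that keeps CloudBridge's TCP options and IP options intact on the outside
! interface. Object names are assumptions; adjust to your naming standard.

! 1. Allow the TCP option numbers that CloudBridge inserts (24-31) to pass
!    unmodified (the CTX112401 part; syntax assumed for this release).
tcp-map CB_TCP_MAP
  tcp-options range 24 31 allow

! 2. Allow the IP options that 8.2(2)+ would otherwise drop (from the article).
policy-map type inspect ip-options ip-options-map
  parameters
    eool action allow
    nop action allow
    router-alert action allow

! 3. Match the traffic to which both should apply. "match any" is used here;
!    narrow it to the VPN peer subnets if you want to limit the scope.
class-map CB_CLASS
  match any

! 4. Bind both to a single policy-map and attach it to the outside interface
!    rather than the global policy, so global policy priorities do not
!    override it.
policy-map CB_OUTSIDE_POLICY
  class CB_CLASS
    set connection advanced-options CB_TCP_MAP
    inspect ip-options ip-options-map

service-policy CB_OUTSIDE_POLICY interface outside

! Verification: confirm the interface policy is active and counting packets.
! show service-policy interface outside
```

After applying it, allow a few minutes before judging the result; the article notes that the ASA takes a while to make inspect ip-options effective.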

Notes:

  • If configured through ASDM, inspect ip-options is enabled by opening the default global policy and selecting Rule Actions > Protocol Inspection > IP-Options.

  • Acceleration in CloudBridge does not start immediately; the ASA seems to take a while (a few minutes) before inspect ip-options becomes effective.


Problem Cause

CloudBridge inserts its own TCP options for auto-detection and to apply acceleration rules. If intermediate devices such as firewalls strip these TCP options, CloudBridge devices cannot accelerate TCP connections.

Issue/Introduction

Acceleration does not work after Cisco ASA 8.x is configured to allow TCP options.

Additional Information

CTX112401 – Acceleration Does Not Take Place for Configured Traffic Types. This article applies only to ASA 7.x.

The inspect ip-options feature is explained in Cisco's Release Notes for the Cisco ASA 5500 Series, 8.2(x).

Troubleshooting Methodology

1. CTX112401 – Acceleration Does Not Take Place for Configured Traffic Types was used to configure the ASA to pass through CloudBridge's TCP options 24–31.

2. The traffic was shown as an unaccelerated connection with UR:2, meaning that no partner unit was detected. Traces confirmed that the TCP options were actually being stripped.

3. Cisco's release notes show that a feature allowing IP options through the ASA was introduced in version 8.2(2). Earlier versions denied most IP options by default, and the inspect ip-options CLI command was not available until the ASA was upgraded to that version. The following is an excerpt from the Cisco ASA 8.2(x) release notes:

  "New Features in Version 8.2(2)

  You can now control which IP packets with specific IP options should be allowed through the adaptive security appliance. You can also clear IP options from an IP packet, and then allow it through the adaptive security appliance. Previously, all IP options were denied by default, except for some special cases.

  Note: This inspection is enabled by default. The following command is added to the default global service policy: inspect ip-options. Therefore, the adaptive security appliance allows RSVP traffic that contains packets with the Router Alert option (option 20) when the adaptive security appliance is in Routed mode.

  The following commands were introduced: policy-map type inspect ip-options, inspect ip-options, eool, nop."