53-5
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 53 Configuring Connection Settings
Guidelines and Limitations
This section includes the following guidelines and limitations:
TCP State Bypass Guidelines and Limitations, page 53-5
TCP State Bypass Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent mode.
Failover Guidelines
Failover is supported.
Unsupported Features
The following features are not supported when you use TCP state bypass:
• Application inspection—Application inspection requires both inbound and outbound traffic to go through the same ASA, so application inspection is not supported with TCP state bypass.
• AAA authenticated sessions—When a user authenticates with one ASA, traffic returning via the other ASA will be denied because the user did not authenticate with that ASA.
• TCP Intercept, maximum embryonic connection limit, TCP sequence number randomization—The ASA does not keep track of the state of the connection, so these features are not applied.
• TCP normalization—The TCP normalizer is disabled.
• SSM and SSC functionality—You cannot use TCP state bypass and any application running on an SSM or SSC, such as IPS or CSC.
NAT Guidelines
Because the translation session is established separately for each ASA, be sure to configure static NAT on both ASAs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on ASA 1 will differ from the address chosen for the session on ASA 2.
Default Settings
TCP State Bypass
TCP state bypass is disabled by default.
TCP Normalizer
The default configuration includes the following settings:
no check-retransmission
no checksum-verification