Overview

Sometimes, when doing acceleration, it is possible for other devices to strip off information that the remote Exinda needs to successfully accelerate traffic. Cisco ASA Firewalls are known to do this. This article demonstrates how to add configuration to an ASA to allow for these settings to go through unhindered.

Information

• When performing acceleration, the Exinda utilizes 'TCP Options' which is an optional section in a packet header, and it allows for specific instructions to be done when these flags are seen.
  
  
• Some of these are common to particular items that might be necessary for some traffic, while others are universally defined, which is the case of Exinda.
  
  
• TCP Option 30 and 230 are used for acceleration purposes (30 was initially used, and has since been updated by 230 due to clashes with other types of packets).
  
  Sometimes, network devices can strip out these TCP Options if they do not consider them necessary, or can block traffic that includes unknown options such as the above.
• Cisco ASA Firewalls are known to do this, based on access-control (ACL) lists that have been set up on the firewall. These devices can be configured to allow this traffic by adding TCP Options to an allow ACL.
  
  
• Below are the commands you will need to configure the Cisco ASA Firewalls. Note that it may be necessary to tweak them a bit because of the current ACLs on the device. However, this is a generic template to follow:
  
  

conf t
access-list tcpmap extended permit tcp any any
tcp-map tcpmap
tcp-options range 30 30 allow tcp-options range 230 230 allow exit
class-map tcpmap
match access-list tcpmap
exit
policy-map global_policy
class tcpmap
set connection advanced-options tcpmap

NOTE: The above commands can be pasted all at once into the Cisco ASA Firewall in a console or SSH/Telnet session.