A couple of weeks ago, a CLN member posted a question with the heading "Does ASA drop active session".
The specific question was as follows:
I have a time-based ACL configured on a Cisco ASA. I need to know if the active sessions are dropped by the ASA when the time limit is over.
For example, users are allowed to connect between 12 and 1 PM. If there are any active connections just before 1 PM, will they be dropped at 1 PM?
Many network and security administrators would blindly assume that a time-based ACL blocks or allows all traffic, existing flows included, according to the time-range attached to the individual ACE. Having quite a lot of experience with the ASA, I was skeptical and assumed that any ongoing connections would continue to pass traffic. I decided to do a little testing, and here is what I found.
- Viewing the ACL, the time-based ACE (line in the ACL) switched from active to inactive about 60-70 seconds later than I expected it to.
- When testing with sessionized ICMP (ICMP inspection enabled with fixup protocol icmp), ICMP Echoes were blocked as soon as the ACE switched to inactive.
- When testing with TCP, a connection already established through the ASA continued to pass traffic even after the ACE switched to inactive.
I had expected an established TCP connection to continue to pass traffic. Unlike a router, the ASA only evaluates the ACL when a connection is being established; once the connection is in the connection table, subsequent packets are matched against that entry rather than the ACL. What really surprised me was that ICMP behaved differently.
After seeing the ICMP behavior, I had initially revised my assumption for TCP and expected it to behave the same way. To fully understand the differences with sessionized ICMP, I need to do a little more testing. My current thought is that an ICMP connection is initiated by an "Echo Request" and immediately terminated by the associated "Echo Reply". In other words, Host A pinging Host B may actually be 5 connections from the ASA's perspective, one per echo.
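To make that difference concrete, the following Python model plays out the connection-table behavior described above: the ACL is consulted only when a packet has no existing connection entry, an ACE bound to a time-range is inactive outside its window, and an inspected ICMP echo is a connection that closes on its reply. It is an added illustration, not ASA code or my test setup; the class and function names, the 12:00 to 13:00 window and the host addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass
class TimeRange:
    """A daily window, like ASA 'periodic daily 12:00 to 13:00' (constructed)."""
    start: time
    end: time

    def active(self, now: time) -> bool:
        return self.start <= now < self.end


@dataclass
class Ace:
    """One ACL line. time_range=None means the line is always active."""
    proto: str
    time_range: Optional[TimeRange] = None

    def matches(self, proto: str, now: time) -> bool:
        # An ACE bound to a time-range does not match outside the window.
        in_window = self.time_range is None or self.time_range.active(now)
        return proto == self.proto and in_window


class AsaModel:
    """Hypothetical model of the behavior described in the post, not ASA code:
    the ACL is evaluated only for packets that have no conn-table entry."""
    def __init__(self, acl):
        self.acl = acl
        self.conns = set()

    def packet(self, now: time, proto: str, flow: tuple) -> str:
        if (proto, flow) in self.conns:
            return "permit"  # established conn: ACL is not re-evaluated
        if any(ace.matches(proto, now) for ace in self.acl):
            self.conns.add((proto, flow))  # first packet builds the conn
            return "permit"
        return "deny"  # implicit deny at the end of the ACL, no conn created

    def close(self, proto: str, flow: tuple) -> None:
        # TCP FIN/RST, or the Echo Reply that ends a sessionized ICMP conn.
        self.conns.discard((proto, flow))


def run_scenario() -> dict:
    """Replays the post's scenario: a 12:00-13:00 window, one TCP and one ICMP flow."""
    lunch = TimeRange(time(12, 0), time(13, 0))
    asa = AsaModel([Ace("tcp", lunch), Ace("icmp", lunch)])
    flow = ("10.0.0.5", "10.0.1.9")  # constructed sample host pair
    out = {}
    out["tcp_syn_1230"] = asa.packet(time(12, 30), "tcp", flow)    # builds conn
    out["icmp_echo_1230"] = asa.packet(time(12, 30), "icmp", flow)  # builds conn
    asa.close("icmp", flow)  # the Echo Reply tears the ICMP conn down again
    out["tcp_data_1305"] = asa.packet(time(13, 5), "tcp", flow)    # still flows
    out["icmp_echo_1305"] = asa.packet(time(13, 5), "icmp", flow)  # new conn: denied
    out["tcp_new_1305"] = asa.packet(time(13, 5), "tcp", ("10.0.0.6", "10.0.1.9"))
    return out
```

The model does not reproduce the 60-70 second lag observed before the ACE flipped to inactive; it only shows why the established TCP flow survives the window while each new echo does not.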
The reason I bring this scenario up is that it illustrates the need to test the things we regard as important. If an organization has no critical use case around time-based ACLs on the ASA, there might be no reason to get this deep into the operation. If there is a critical need to tear down an active TCP connection at a given point in time, verifying that the control actually does so is important. It is not a safe assumption that a tool works as expected, or even as advertised. Validation testing is very important when a given function is critical to the operation of our network or business.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.