Cisco ASA: setup firewall sessions #5331
Conversation
|
This change is |
Codecov Report
@@ Coverage Diff @@
## master #5331 +/- ##
============================================
- Coverage 73.44% 73.4% -0.04%
+ Complexity 32054 32000 -54
============================================
Files 2624 2624
Lines 129258 129029 -229
Branches 15564 15520 -44
============================================
- Hits 94929 94713 -216
- Misses 26807 26810 +3
+ Partials 7522 7506 -16
|
There was a problem hiding this comment.
Reviewed 2 of 3 files at r1, 2 of 2 files at r2.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @progwriter and @sfraint)
a discussion (no related file):
It's simpler to test the new firewall sessions in the forward TraceAndReverseFlow directly -- we should have enough coverage for how the traceroute engine uses sessions.
Please also test the session action, etc
There was a problem hiding this comment.
Reviewable status: 2 of 4 files reviewed, 1 unresolved discussion (waiting on @anothermattbrown and @progwriter)
a discussion (no related file):
Previously, anothermattbrown (Matt Brown) wrote…
It's simpler to test the new firewall sessions in the forward
TraceAndReverseFlowdirectly -- we should have enough coverage for how the traceroute engine uses sessions.Please also test the session action, etc
Updated to just do a simple, conversion test like we discussed
There was a problem hiding this comment.
Reviewed 2 of 3 files at r3.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @anothermattbrown and @progwriter)
Previously, Cisco ASA VS->VI conversion did not setup firewall sessions allowing return traffic for successful forward flows, which caused bidirectional checks to incorrectly report failures for return flows.
This PR adds sessions for ASA devices, allowing bidirectional checks to succeed (note: some more detail on ASA packet forwarding in Cisco docs).