Cisco ASA: setup firewall sessions #5331
Codecov Report
@@ Coverage Diff @@
## master #5331 +/- ##
============================================
- Coverage 73.44% 73.4% -0.04%
+ Complexity 32054 32000 -54
============================================
Files 2624 2624
Lines 129258 129029 -229
Branches 15564 15520 -44
============================================
- Hits 94929 94713 -216
- Misses 26807 26810 +3
+ Partials 7522 7506 -16
Reviewed 2 of 3 files at r1, 2 of 2 files at r2.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @progwriter and @sfraint)
a discussion (no related file):
It's simpler to test the new firewall sessions in the forward TraceAndReverseFlow
directly -- we should have enough coverage for how the traceroute engine uses sessions.
Please also test the session action, etc
Reviewable status: 2 of 4 files reviewed, 1 unresolved discussion (waiting on @anothermattbrown and @progwriter)
a discussion (no related file):
Previously, anothermattbrown (Matt Brown) wrote…
It's simpler to test the new firewall sessions in the forward TraceAndReverseFlow
directly -- we should have enough coverage for how the traceroute engine uses sessions.
Please also test the session action, etc
Updated to just do a simple conversion test like we discussed
Reviewed 2 of 3 files at r3.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @anothermattbrown and @progwriter)
Previously, Cisco ASA VS->VI conversion did not set up firewall sessions allowing return traffic for successful forward flows, which caused bidirectional checks to incorrectly report failures for return flows.
This PR adds sessions for ASA devices, allowing bidirectional checks to succeed (note: some more detail on ASA packet forwarding in Cisco docs).