ACE with 'no normalization' - bug or feature?

Unanswered Question
Jul 24th, 2007
User Badges:


our customer has typical ACE configuration in routed mode with enabled direct access from client side to server side. ok. access to server port is enabled. when I try telnet to server_ip:service_port, I can see 'established' connection on the ACE. that's ok.

but, when I set iptables (fw) to service_port with action drop (not reject) on the server, connection wouldn't established. sure? (tcp connection is not established, because SYN packet is dropped on the server side).

and now my discovery (customer environment and my lab):

1. with normalization enabled (default) at both interfaces is connection on the ACE in 'SYNSEEN' state. that's ok. after tcp timeout embryonic is connection on the ACE cleared.

2. but with 'no normalization' at the server side interface is connection in 'ESTABLISHED' state. why?? I can see in sniffer trace only SYN from client and no response from server (because fw dropped it). connection on the client and server is not established (that's ok).

it's a bug or 'feature'?

sw release: 3.0(0)A1(5a)


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Gilles Dufour Sun, 07/29/2007 - 23:44
User Badges:
  • Cisco Employee,


not a bug.

Without normalization ACE does not monitor the state of the TCP connections and the first SYN is therefore enough to consider the state as ESTABLISHED.



This Discussion