ACE with 'no normalization' - bug or feature?

Martin Kyrc
Level 3

Hello,

Our customer has a typical ACE configuration in routed mode with direct access enabled from the client side to the server side. OK. Access to the server port is enabled. When I try telnet to server_ip:service_port, I can see an 'established' connection on the ACE. That's OK.

But when I set iptables (fw) for service_port with action drop (not reject) on the server, the connection wouldn't be established. Sure? (The TCP connection is not established, because the SYN packet is dropped on the server side.)

And now my discovery (customer environment and my lab):

1. With normalization enabled (default) on both interfaces, the connection on the ACE is in 'SYNSEEN' state. That's OK. After the TCP embryonic timeout, the connection on the ACE is cleared.

2. But with 'no normalization' on the server-side interface, the connection is in 'ESTABLISHED' state. Why?? I can see in the sniffer trace only the SYN from the client and no response from the server (because the fw dropped it). The connection on the client and server is not established (that's OK).

Is it a bug or a 'feature'?

SW release: 3.0(0)A1(5a)

martin


Gilles Dufour
Cisco Employee

Martin,

Not a bug.

Without normalization, ACE does not monitor the state of the TCP connections, and the first SYN is therefore enough to consider the state as ESTABLISHED.

Gilles.
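To make the difference between the two behaviours concrete, here is a small Python model of a connection table added as an illustration for this thread; it is not ACE code and does not reproduce ACE's real state machine. It replays a constructed client SYN against a server whose firewall silently drops it, once with normalization (the table follows the handshake and a lone SYN stays in SYNSEEN until an assumed 30-second embryonic timeout removes it) and once without (the first SYN alone marks the flow ESTABLISHED, as Gilles describes). The addresses, ports and timeout value are constructed; the thread does not give them. The point for anyone monitoring such a device: with normalization disabled, an ESTABLISHED entry is not evidence that a handshake ever completed.

```python
"""Simplified connection-table model: normalization vs. no normalization.

Constructed for illustration only; this is not ACE code and the embryonic
timeout value is an assumed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]  # (src, sport, dst, dport), client->server


@dataclass
class Conn:
    state: str            # "SYNSEEN" or "ESTABLISHED"
    created: float        # time the first SYN was seen
    last_seen: float
    synack_seen: bool     # server's SYN/ACK observed (only used with normalization)


class ConnTable:
    """normalization=True : a lone SYN sits in SYNSEEN until the three-way
    handshake completes or the embryonic timeout clears it.
    normalization=False: the first SYN is enough to mark the flow ESTABLISHED
    and the entry is never treated as embryonic."""

    def __init__(self, normalization: bool = True, embryonic_timeout: float = 30.0):
        self.normalization = normalization
        self.embryonic_timeout = embryonic_timeout
        self.conns: Dict[FourTuple, Conn] = {}

    def observe(self, pkt: dict, now: float) -> None:
        flags = frozenset(pkt["flags"])
        fwd: FourTuple = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev: FourTuple = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if flags == {"SYN"}:                       # new client->server attempt
            if fwd not in self.conns:
                state = "SYNSEEN" if self.normalization else "ESTABLISHED"
                self.conns[fwd] = Conn(state, now, now, False)
            return
        if fwd in self.conns:                      # packet from the client
            conn, from_client = self.conns[fwd], True
        elif rev in self.conns:                    # packet from the server
            conn, from_client = self.conns[rev], False
        else:
            return                                 # no SYN seen for this flow
        conn.last_seen = now
        if not self.normalization or conn.state == "ESTABLISHED":
            return
        if flags == {"SYN", "ACK"} and not from_client:
            conn.synack_seen = True
        elif flags == {"ACK"} and from_client and conn.synack_seen:
            conn.state = "ESTABLISHED"             # handshake completed

    def expire(self, now: float) -> None:
        """Drop embryonic (SYNSEEN) entries older than the embryonic timeout."""
        for key in list(self.conns):
            c = self.conns[key]
            if c.state == "SYNSEEN" and now - c.created >= self.embryonic_timeout:
                del self.conns[key]

    def state_of(self, key: FourTuple) -> Optional[str]:
        c = self.conns.get(key)
        return c.state if c else None


def run_scenario(normalization: bool, server_replies: bool,
                 timeout: float = 30.0) -> List[Optional[str]]:
    """Replay a constructed handshake attempt and return the table's view of the
    flow right after the client SYN and again after the embryonic timeout.
    server_replies=False models the thread's case: the server firewall drops
    the SYN, so nothing ever comes back."""
    client = ("10.0.0.10", 40000)    # constructed sample addresses
    server = ("10.0.1.20", 8080)
    key: FourTuple = (client[0], client[1], server[0], server[1])
    table = ConnTable(normalization, timeout)

    syn = {"src": client[0], "sport": client[1], "dst": server[0], "dport": server[1],
           "flags": ["SYN"]}
    table.observe(syn, 0.0)
    after_syn = table.state_of(key)

    if server_replies:
        synack = {"src": server[0], "sport": server[1], "dst": client[0], "dport": client[1],
                  "flags": ["SYN", "ACK"]}
        ack = {"src": client[0], "sport": client[1], "dst": server[0], "dport": server[1],
               "flags": ["ACK"]}
        table.observe(synack, 0.01)
        table.observe(ack, 0.02)

    table.expire(timeout + 1.0)
    return [after_syn, table.state_of(key)]


if __name__ == "__main__":
    for norm in (True, False):
        for replies in (False, True):
            print(f"normalization={norm!s:5} server_replies={replies!s:5} ->",
                  run_scenario(norm, replies))
```

With normalization on and the SYN dropped by the server's firewall, the flow shows SYNSEEN and is gone after the timeout, matching Martin's observation 1; with normalization off, the same lone SYN is recorded as ESTABLISHED and survives the timeout, matching observation 2.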
