
Enabling the Asymmetric mode processing, IPS 6.0(4)E1 Release

cmhcsecurity
Level 1

I was wondering if someone tried to implement this fix provided in 6.0.4 to relax the normalizer engine for asymmetric mode processing.

Does this fix impact the functionality of active signatures?

Allow inline Asymmetric traffic (CSCsi72263)

The AnalysisEngine was modified to allow asymmetric traffic to be tracked and analyzed by allowing for a relaxed Normalization process versus using the standard Normalizer.

This results in the ability to install the sensor inline in situations where the Normalizer would block or delay traffic due to the strict nature of stream processing and “normalization” by not doing any protocol checking or packet reordering.

1 Reply

Farrukh Haroon
VIP Alumni

I never implemented it, but I'm assuming it works because they have introduced this as a CLI command in 6.1.

This is the readme text:

"To support inline asymmetric traffic in earlier 6.0(x) releases, a manual workaround was documented in the 6.0(4) readme file (refer to the Resolved Caveats section of the 6.0(4) readme for details). In the IPS 6.1 release, this functionality is now configurable via the sensor CLI or IDM. If you utilized the workaround to enable asymmetric traffic, the manual setting should be removed and asymmetric traffic should be re-enabled as in the following example using the CLI:

    sensor-xyz(config)# ser analysis-engine
    sensor-xyz(config-ana)# vi vs0
    sensor-xyz(config-ana-vir)# inline-TCP-evasion-protection-mode ?
    strict       Full TCP ordering and sequence checking will be applied to
                 all TCP sessions on this virtual sensor.
    asymmetric   Relaxed TCP ordering and sequence checking will be
                 applied to all TCP sessions on this virtual sensor.

For more details regarding asymmetric traffic, refer to the "Configuring the Cisco IPS Sensor Using the CLI IPS 6.1" on-line user guide available at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

Note: If the manual entry in the sensorApp.conf file is not removed, the following main.log warning will be generated each time the sensor is rebooted:

    NormalizerSettings in sensorApp.conf (AsynchMode and AsymmetricFlows)
    have been removed. Use Service AnalysisEngine - VS -
    inline-TCP-evasion-protection-mode."

Regards

Farrukh
