Enabling the Asymmetric mode processing, IPS 6.0(4)E1 Release

Unanswered Question
Jun 19th, 2008

I was wondering if someone tried to implement this fix provided in 6.0.4 to relax the normilizer engine for asymmetric mode processing.

Does this fix impact the functionality of active signatures ??

Allow inline Asymmetric traffic (CSCsi72263)

The AnalysisEngine was modified to allow asymmetric traffic to be tracked and analyzed

by allowing for a relaxed Normalization process versus using the standard Normalizer.

This results in the ability to install the sensor inline in situations where the Normalizer would block or delay traffic due to the strict nature of stream processing and “normalization” by not doing any protocol checking or packet reordering.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Thu, 06/19/2008 - 05:56

I never implemented it, but I'm assuming it works because they have introduced this as a CLI command in 6.1.

This is the readme text:

"To support inline asymmetric traffic in earlier 6.0(x) releases, a

manual workaround was documented in the 6.0(4) readme file (refer

to the Resolved Caveats section of the 6.0(4) readme for details).

In the IPS 6.1 release, this functionality is now configurable via

the sensor CLI or IDM. If you utilized the workaround to enable

asymmetric traffic, the manual setting should be removed and

asymmetric traffic should be re-enabled as in the following example

using the CLI:

sensor-xyz(config)# ser analysis-engine

sensor-xyz(config-ana)# vi vs0

sensor-xyz(config-ana-vir)# inline-TCP-evasion-protection-mode ?

strict Full TCP ordering and sequence checking will be applied to

all TCP sessions on this virtual sensor.

asymmetric Relaxed TCP ordering and sequence checking will be

applied to all TCP sessions on this virtual sensor.

For more details regarding asymmetric traffic, refer to the

"Configuring the Cisco IPS Sensor Using the CLI IPS 6.1" on-line

user guide available at:


Note: If the manual entry in the sensorApp.conf file is not removed,

the following main.log warning will be generated each time the sensor

is rebooted:

NormalizerSettings in sensorApp.conf (AsynchMode and AsymmetricFlows)

have been removed. Use Service AnalysisEngine - VS -





This Discussion