Guys, I have a small and stupid question.
Is there any problem with TCP when using VLAN pairs? Does the IPS reset the connections? The problem is that I'm doing a pair, for example from VLAN 50 to VLAN 51. When the traffic is originated from VLAN 50 it will inspect the traffic and send it to VLAN 51; let's say that was a SYN packet.
I have my switch configured to route the traffic originated from VLAN 50 so the IPS can watch it. But I do not have a route map configured for the returned traffic from VLAN 51, so the IPS will never see the SYN-ACK coming.
Is that a problem?
What is connecting the devices on VLAN 50 to the devices on VLAN 51 in your network?
If the only Layer 2 path between these two VLANs is through your in-line IPS sensor, then the sensor will see all inter-VLAN traffic.
The sensor has some signatures set to drop and some to issue a reset, but you can change those default responses if you desire.
For inline VLAN pairing, if the sensor will not be seeing the full TCP stream, this can be an issue for the sensor, as it may determine this is traffic attempting to evade the IDS and in turn deny the traffic.
You can instruct the sensor to operate in an asymmetric processing mode which will relax the TCP normalizer as outlined here: