Cisco Support Community
ACE with 'no normalization' - bug or feature?

Hello,

Our customer has a typical ACE configuration in routed mode with direct access enabled from the client side to the server side. OK, access to the server port is enabled. When I try telnet to server_ip:service_port, I can see an 'established' connection on the ACE. That's OK.

But when I set iptables (fw) on the server to drop (not reject) service_port, the connection isn't established. Sure? (The TCP connection is not established, because the SYN packet is dropped on the server side.)

And now my discovery (customer environment and my lab):

1. With normalization enabled (the default) on both interfaces, the connection on the ACE is in the 'SYNSEEN' state. That's OK. After the TCP embryonic timeout, the connection on the ACE is cleared.

2. But with 'no normalization' on the server-side interface, the connection is in the 'ESTABLISHED' state. Why?? In the sniffer trace I can see only the SYN from the client and no response from the server (because the fw dropped it). The connection on the client and the server is not established (that's OK).

Is it a bug or a 'feature'?

SW release: 3.0(0)A1(5a)

martin

Cisco Employee

Re: ACE with 'no normalization' - bug or feature?

Martin,

Not a bug.

Without normalization, ACE does not monitor the state of the TCP connections, and the first SYN is therefore enough to consider the state as ESTABLISHED.

Gilles.
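The behaviour Gilles describes, as a small connection-table model added here for illustration (this is not ACE code and was not posted by either participant). With normalization on, the entry is created in SYNSEEN, only advances to ESTABLISHED after the server's SYN/ACK and the client's ACK have both been seen, and is reaped after the embryonic timeout; with normalization off, the same lone SYN immediately yields ESTABLISHED and the entry lives on the idle timer. Only the names SYNSEEN and ESTABLISHED come from the thread; the intermediate state name, the timeout values, the addresses and the helper names are assumptions of this example.

```python
"""Model of a stateful forwarder's connection table with and without TCP
normalization.  Added example; not Cisco ACE code.  Timeout values, the
SYNACK_SEEN state name, addresses and function names are assumptions."""

from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
EMBRYONIC_TIMEOUT = 60      # seconds before a half-open entry is reaped (assumed)
IDLE_TIMEOUT = 3600         # seconds before an ESTABLISHED entry is reaped (assumed)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float                # arrival time in seconds


@dataclass
class Conn:
    state: str
    client: tuple           # (ip, port) of the side that sent the first SYN
    created: float
    last_seen: float


def _key(src, sport, dst, dport):
    """Direction-independent 4-tuple so both halves of a flow hit one entry."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a < b else (b, a)


class ConnTable:
    def __init__(self, normalization=True):
        self.normalization = normalization
        self.conns = {}

    def process(self, p):
        """Update the table for packet p and return the entry's state (or None)."""
        k = _key(p.src, p.sport, p.dst, p.dport)
        c = self.conns.get(k)
        if c is None:
            # Only a bare SYN opens an entry; a stray SYN/ACK or ACK is ignored.
            if not (p.flags & SYN) or (p.flags & ACK):
                return None
            # Normalization off: no handshake tracking, so the first SYN alone
            # is reported as ESTABLISHED even if the server never answers.
            state = "SYNSEEN" if self.normalization else "ESTABLISHED"
            self.conns[k] = Conn(state, (p.src, p.sport), p.t, p.t)
            return state
        c.last_seen = p.t
        if self.normalization:
            from_server = (p.src, p.sport) != c.client
            if c.state == "SYNSEEN" and from_server and (p.flags & (SYN | ACK)) == (SYN | ACK):
                c.state = "SYNACK_SEEN"          # model-specific name
            elif c.state == "SYNACK_SEEN" and not from_server and (p.flags & ACK) and not (p.flags & SYN):
                c.state = "ESTABLISHED"
        return c.state

    def expire(self, now):
        """Reap half-open entries on the embryonic timer, full ones on the idle timer."""
        for k, c in list(self.conns.items()):
            limit = IDLE_TIMEOUT if c.state == "ESTABLISHED" else EMBRYONIC_TIMEOUT
            if now - c.created > limit:
                del self.conns[k]

    def state_of(self, src, sport, dst, dport):
        c = self.conns.get(_key(src, sport, dst, dport))
        return c.state if c else None


CLIENT, CPORT = "10.0.0.5", 40000          # constructed addresses
SERVER, SPORT = "10.0.1.10", 8080


def syn_dropped(normalization):
    """Client SYN crosses the device; the server's iptables DROPs it silently.
    Returns (state right after the SYN, state after the embryonic timeout)."""
    t = ConnTable(normalization)
    t.process(Pkt(CLIENT, CPORT, SERVER, SPORT, SYN, 0.0))
    before = t.state_of(CLIENT, CPORT, SERVER, SPORT)
    t.expire(EMBRYONIC_TIMEOUT + 1)
    return before, t.state_of(CLIENT, CPORT, SERVER, SPORT)


def full_handshake(normalization):
    """Server answers: SYN, SYN/ACK, ACK all cross the device."""
    t = ConnTable(normalization)
    t.process(Pkt(CLIENT, CPORT, SERVER, SPORT, SYN, 0.0))
    t.process(Pkt(SERVER, SPORT, CLIENT, CPORT, SYN | ACK, 0.01))
    t.process(Pkt(CLIENT, CPORT, SERVER, SPORT, ACK, 0.02))
    return t.state_of(CLIENT, CPORT, SERVER, SPORT)


if __name__ == "__main__":
    for norm in (True, False):
        print(f"normalization={norm}: dropped SYN -> {syn_dropped(norm)}, "
              f"handshake -> {full_handshake(norm)}")
```

The practical consequence for troubleshooting is the one Martin ran into: on an interface configured with `no normalization`, an ESTABLISHED entry in the connection table only proves that a SYN arrived, not that the server ever replied, so a packet capture on the server side is needed to tell a working service from one whose SYNs are being silently dropped.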
