Hopefully someone from Cisco can chime in on this. When TCP intercept is enacted via embryonic connection limits and SYN cookies are used, does the ASA act as a full proxy, with separate front and back end connections, or does it 'splice' the connections together and perform sequence number manipulation (similar to sequence number randomization)?
I would imagine that it would simply perform the sequence number manipulation, but it's difficult to test as I cannot easily simulate a half-open connection to reach the embryonic limits.
Also, I'm assuming that the ASA performs the SYN cookie sequence number mathematics via the CPU as opposed to an ASIC or FPGA, given the significant CPU hit when TCP intercept is enabled for large amounts of traffic. Can anyone confirm?
Any input to either of these topics is greatly appreciated.
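For readers comparing the two designs named in the question, here is an added sketch (not part of the original post, and not Cisco code or a statement of what the ASA does) of the generic "splice" approach: the intercepting device answers the SYN with a stateless cookie ISN, validates the returning ACK, then keeps only a 32-bit offset per flow to translate sequence numbers. The HMAC-based cookie layout, the secret, the counter and all function names are assumptions chosen for illustration; real cookies also encode the MSS, and SACK blocks would need the same translation.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"  # assumption: per-device key, rotated in practice
MASK = 0xFFFFFFFF                    # TCP sequence numbers are modulo 2**32


def syn_cookie(src, sport, dst, dport, client_isn, counter):
    """Stateless ISN: keyed hash over the 4-tuple, the client ISN and a time counter."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    msg += struct.pack("!HHII", sport, dport, client_isn & MASK, counter & MASK)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def ack_is_valid(src, sport, dst, dport, client_isn, ack, counter, max_age=1):
    """The handshake ACK must acknowledge cookie+1 for a recent counter value.

    client_isn is recovered from the ACK segment itself (its SEQ minus 1),
    so no per-connection state exists before this check passes.
    """
    for age in range(max_age + 1):
        expected = (syn_cookie(src, sport, dst, dport, client_isn, counter - age) + 1) & MASK
        if hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", ack & MASK)):
            return True
    return False


class Splice:
    """Per-flow state after the device completes its own handshake with the server.

    The client saw cookie_isn, the server chose server_isn; one offset joins them.
    """

    def __init__(self, cookie_isn, server_isn):
        self.delta = (cookie_isn - server_isn) & MASK

    def to_client(self, server_seq):
        # server -> client: rewrite SEQ into the number space the client expects
        return (server_seq + self.delta) & MASK

    def to_server(self, client_ack):
        # client -> server: rewrite ACK back into the server's number space
        return (client_ack - self.delta) & MASK
```

A full proxy, by contrast, would terminate both connections and copy payload between them, so no offset arithmetic on forwarded segments would be needed.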