Depending on how the load balancing distributes traffic, running the sensors in inline mode can cause problems because of the IPS normalizer engine. This engine attempts to correct traffic that is potentially evading IPS detection (segments sent out of order, heavy fragmentation, etc.). If a single sensor cannot see the entire conversation, the normalizer may begin denying packets for those flows. You can determine whether the normalizer is actively detecting issues by looking for high signature counts for signatures in the range 1300-1399. The easiest way to see this is to issue "sh stat virt | inc Sig" (this is case sensitive).
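The check above, as an added example that is not part of the original post: it parses the per-signature counters that "sh stat virt | inc Sig" prints and flags normalizer-range signatures (1300-1399) whose counts are high. The sample output is constructed for this example and the "Sig <id>.<subsig> = <count>" line format is an assumption about the sensor's output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what "sh stat virt | inc Sig" returns on an IPS sensor.
# The exact format is an assumption and may differ between software releases.
SAMPLE_OUTPUT = """\
Per-Signature SigEvent count since reset
Sig 1300.0 = 4821
Sig 1330.10 = 152
Sig 2004.0 = 3
Sig 3030.0 = 27
Sig 1305.0 = 0
"""

# One counter line: "Sig <signature>.<subsignature> = <count>"
SIG_LINE = re.compile(r"^\s*Sig\s+(\d+)\.(\d+)\s*=\s*(\d+)\s*$")

SigKey = Tuple[int, int]


def parse_sig_counts(text: str) -> Dict[SigKey, int]:
    """Map (signature id, subsignature id) -> event count, skipping non-counter lines."""
    counts: Dict[SigKey, int] = {}
    for line in text.splitlines():
        m = SIG_LINE.match(line)
        if m:
            sig, subsig, count = (int(x) for x in m.groups())
            counts[(sig, subsig)] = count
    return counts


def normalizer_hits(counts: Dict[SigKey, int], low: int = 1300, high: int = 1399,
                    threshold: int = 100) -> List[Tuple[SigKey, int]]:
    """Signatures in the normalizer range whose count reaches the threshold, highest first.

    The threshold is a placeholder; tune it against a baseline taken when the
    sensor is known to see both directions of every flow.
    """
    hits = [(k, v) for k, v in counts.items() if low <= k[0] <= high and v >= threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (sig, subsig), n in normalizer_hits(parse_sig_counts(SAMPLE_OUTPUT)):
        print(f"Sig {sig}.{subsig}: {n} events - verify this sensor sees the whole conversation")
```

Run it against the real counters by replacing SAMPLE_OUTPUT with the captured command output; a sensor whose normalizer signatures climb steadily while others stay flat is the symptom the text describes.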