I have a 6500, PIX, VPN concentrator and IDSM. Using a VACL, I am capturing and forwarding traffic to the IDSM. My capture is for VLAN 998. For the most part only the mentioned devices are in VLAN 998. Both inside interfaces of the PIX and VPN concentrator are directly connected to the 6500. When VPN client users connect to the concentrator and visit web pages (any TCP traffic), the IDSM generates an alarm on a TCP SYN sweep (sig 3030). According to the PIX syslog messages the web traffic is valid and passes as expected. This leads me to believe the IDSM is only seeing half of the traffic (or half the TCP connection). According to documentation, when using VACL to send traffic to the IDSM, data is capture on the ingress of the VLAN (defined in the configuration). VLAN 998 is the network that connects all internal users/networks to the internet. No other network traffic is generating signature 3030 alarms.
For traffic to get from the PIX (return internet traffic) to the concentrator (VPN clients) the data has to travel to the 6500. Is there something about the 6500 that would cause traffic to bypass IDSM inspection?