Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TCP Intercept cause problem

Dear Cisco Community,

We implement TCP Intercept in intercept mode, unfortunately we discovered connection problems to the servers, we changed the mode to watch, the connection problems did not disappear unless we removed the feature completely.

1. -> TCP Intercept mode intercept: Caused connection problems

2. -> TCP Intercept mode watch: Caused connection problems

3. -> TCP Intercept mode watch, exclude the subnet from the ACL: Caused still connection problems for the removed subnet

4. -> Removal of the whole config actually stopped the connection problems.

Well, we are not 100% sure about the watch mode and removal of the ACL because we did not reproduce the problem. But what I can 100% say that the intercept mode caused problems for messaging, clarify, citrix services.

Who can tell us if we did a failure or did we run into bug?

We have Catalysts 6506, Sup720 with IOS version 12.2(17d)SBX in place. The bug tool did not show me any problems related to this feature and IOS version.

Thank you.

Cheers Alex

New Member

Re: TCP Intercept cause problem

Do you have packet captures that show problems with session negotiation?


New Member

Re: TCP Intercept cause problem

Hi Paul,

No unfortunately not. I had no time to do a debug of the problem, I had immediately to react since critical services were impacted. I changed the mode from intercept to watch and then I disabled the service totally. But I will get the chance on the November 19th to do a test. So, I will be able to capture the session then. I hope you will come back and check.

Thank you.

New Member

Re: TCP Intercept cause problem


The TCP Intercept feature relies on traffic flow going in/out through the same link, but this is not the case. We did a test, where we discovered this asymmetric traffic flow.

This features handles in intercept mode and monitors in watch mode the 3-way handshake (syn, syn-ack, ack) and limits the amount of half open connections (DOS, syn attacks), if the traffic takes another way in/out, the feature can't operate correct. The TCP Intercept feature received from certain subnets only incoming traffic or only outgoing traffic, it started to drop traffic earlier (mode intercept) or a later (mode watch) after the implementation. This asymmetric traffic flow behaviour isn't a problem until security features being implemented, which rely on traffic going in/out the same link.



CreatePlease login to create content