We implemented TCP Intercept in intercept mode; unfortunately we discovered connection problems to the servers. We changed the mode to watch, but the connection problems did not disappear until we removed the feature completely.
3. -> TCP Intercept mode watch, subnet excluded from the ACL: still caused connection problems for the removed subnet
4. -> Removal of the whole configuration actually stopped the connection problems.
Well, we are not 100% sure about the watch mode and the removal from the ACL because we did not reproduce the problem. But what I can say with 100% certainty is that the intercept mode caused problems for messaging, Clarify and Citrix services.
Who can tell us whether we made a mistake or ran into a bug?
We have Catalyst 6506 switches with Sup720 and IOS version 12.2(17d)SBX in place. The bug tool did not show me any problems related to this feature and IOS version.
No, unfortunately not. I had no time to debug the problem; I had to react immediately since critical services were impacted. I changed the mode from intercept to watch and then disabled the feature entirely. But I will get the chance on November 19th to do a test, so I will be able to capture the session then. I hope you will come back and check.
The TCP Intercept feature relies on traffic flowing in and out through the same link, but this is not the case here. We did a test in which we discovered this asymmetric traffic flow.
This feature handles (in intercept mode) or monitors (in watch mode) the 3-way handshake (SYN, SYN-ACK, ACK) and limits the number of half-open connections (DoS, SYN attacks); if the traffic takes another path in or out, the feature can't operate correctly. Since the TCP Intercept feature received only incoming traffic or only outgoing traffic from certain subnets, it started to drop traffic earlier (intercept mode) or later (watch mode) after the implementation. This asymmetric traffic flow behaviour isn't a problem until security features are implemented which rely on traffic going in and out over the same link.
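The failure mode described in the post above, as an added example that is not part of the original thread or of Cisco IOS: a small model of a watch-mode handshake monitor that only completes a connection when it has seen the SYN-ACK, so a healthy handshake whose return direction crosses another link is classified as half-open once the (assumed) timeout expires. The packet trace and the timeout value are constructed for illustration.

```python
# TCP Intercept-style handshake monitor (watch mode) -- added example, not code
# from the thread or from Cisco IOS. A handshake not completed within a timeout
# counts as half-open (a real device would reset it); with asymmetric routing the
# device sees one direction only, so a healthy connection never looks complete.
from collections import namedtuple
from dataclasses import dataclass, field

WATCH_TIMEOUT = 30.0  # seconds an incomplete handshake is tolerated (assumed)

# flags: "S" (SYN), "SA" (SYN-ACK) or "A" (final ACK)
Packet = namedtuple("Packet", "ts src dst flags")

@dataclass
class HandshakeMonitor:
    timeout: float = WATCH_TIMEOUT
    state: dict = field(default_factory=dict)  # flow -> (stage, SYN time)

    def observe(self, pkt):
        flow = tuple(sorted((pkt.src, pkt.dst)))  # direction-independent key
        stage, t0 = self.state.get(flow, (None, pkt.ts))
        if pkt.flags == "S" and stage is None:
            self.state[flow] = ("SYN", pkt.ts)
        elif pkt.flags == "SA" and stage == "SYN":
            self.state[flow] = ("SYNACK", t0)
        elif pkt.flags == "A" and stage == "SYNACK":
            # Only an ACK answering a SYN-ACK the device saw completes the handshake.
            self.state[flow] = ("ESTABLISHED", t0)

    def half_open(self, now):
        """Flows still not established after the timeout; these would be reset."""
        return sorted(f for f, (stage, t0) in self.state.items()
                      if stage != "ESTABLISHED" and now - t0 > self.timeout)

def half_open_after(packets, now):
    mon = HandshakeMonitor()
    for p in packets:
        mon.observe(p)
    return mon.half_open(now)

# Constructed trace of one healthy handshake between a client and a server.
SYMMETRIC = [Packet(0.0, "client", "server", "S"),
             Packet(0.1, "server", "client", "SA"),
             Packet(0.2, "client", "server", "A")]
# Same connection, but the server->client direction takes another link,
# so the monitor never sees the SYN-ACK.
ASYMMETRIC = [p for p in SYMMETRIC if p.src == "client"]

if __name__ == "__main__":
    print("symmetric :", half_open_after(SYMMETRIC, now=60.0))   # []
    print("asymmetric:", half_open_after(ASYMMETRIC, now=60.0))  # [('client', 'server')]
```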