Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

When Sensors see only Half of the Conversation

Currently we have two border routers running BGP for simple failover to a secondary WAN link, and HSRP running on the Ethernet ports. I use two sensors, one for each router so I lose no data if a router is shut down.

Next week the routers will be reconfigured to load balance the two WAN links. This could create a situation where a server is sending data to router A due to HSRP, but the return traffic will be coming from router B because router B is getting the data on its WAN port. Seperate egress and ingress paths is the complicating factor.

In essence, then, each sensor would be watching only half of the conversation between the two hosts. What happens to my IDS besides a million half-open attacks? We can't be the only ones facing this issue, so any assistance y'all could provide is VERY welcome.

Cisco Employee

Re: When Sensors see only Half of the Conversation

First, I'd recommend opening a TAC case to get some tailored help. You are correct in that they have dealt with this before. The Cisco Secure IDSM (Cat6K blade) documentation contains information on monitoring uni-directional traffic (half-duplex was the term mistakenly used). The link is

Note that this is technically for the IDSM and that signature specifics may differ; however, it is a good start.


CreatePlease to create content