<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IPS 4240 virtual sensor asymmetric mode in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425541#M67827</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One of our customers has a 4240 IPS on which there is one inline pair and 2 promiscuous interfaces.&lt;/P&gt;&lt;P&gt;The inline pair is used between an internet router and a switch on which is connected a pair of ASAs.&lt;/P&gt;&lt;P&gt;The problem happens when we connect the inline pair: suddenly, after a random period of time ranging from 2 to 4 hours, and although the upload traffic on the internet router is limited by the ISP to 500 Kbps, we see bursts of 6 Mbps and disconnection for the internet link.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have tried to set the virtual sensor inline-TCP-evasion-protection-mode to asymmetric instead of the default set to strict. I think this has solved the problem until now (first day of monitoring), but I need to know how it resolved it?&lt;/P&gt;&lt;P&gt;What does the asymmetric mode exactly do? (Please provide more information than the original documentation, which is not very informative.)&lt;/P&gt;&lt;P&gt;And how could it solve the problem in my case?&lt;/P&gt;&lt;P&gt;btw I'm using multiple virtual sensors for each of the inline pair and the rest of the two promiscuous interfaces&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 11:55:41 GMT</pubDate>
    <dc:creator>k.abillama</dc:creator>
    <dc:date>2019-03-10T11:55:41Z</dc:date>
    <item>
      <title>IPS 4240 virtual sensor asymmetric mode</title>
      <link>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425541#M67827</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One of our customers has a 4240 IPS on which there is one inline pair and 2 promiscuous interfaces.&lt;/P&gt;&lt;P&gt;The inline pair is used between an internet router and a switch on which is connected a pair of ASAs.&lt;/P&gt;&lt;P&gt;The problem happens when we connect the inline pair: suddenly, after a random period of time ranging from 2 to 4 hours, and although the upload traffic on the internet router is limited by the ISP to 500 Kbps, we see bursts of 6 Mbps and disconnection for the internet link.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have tried to set the virtual sensor inline-TCP-evasion-protection-mode to asymmetric instead of the default set to strict. I think this has solved the problem until now (first day of monitoring), but I need to know how it resolved it?&lt;/P&gt;&lt;P&gt;What does the asymmetric mode exactly do? (Please provide more information than the original documentation, which is not very informative.)&lt;/P&gt;&lt;P&gt;And how could it solve the problem in my case?&lt;/P&gt;&lt;P&gt;btw I'm using multiple virtual sensors for each of the inline pair and the rest of the two promiscuous interfaces&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 11:55:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425541#M67827</guid>
      <dc:creator>k.abillama</dc:creator>
      <dc:date>2019-03-10T11:55:41Z</dc:date>
    </item>
    <item>
      <title>Re: IPS 4240 virtual sensor asymmetric mode</title>
      <link>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425542#M67829</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;When you set the "inline-TCP-evasion-protection-mode" to asymmetric, it does not enforce a receipt of the TCP ACK before analysing/inspecting and transmitting the TCP traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When the mode is set to strict, the engine buffers the connection and waits for the ACK packet before starting to analyse/inspect and transmit the TCP traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope that helps.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 18 Mar 2010 04:39:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425542#M67829</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2010-03-18T04:39:00Z</dc:date>
    </item>
    <item>
      <title>Re: IPS 4240 virtual sensor asymmetric mode</title>
      <link>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425543#M67830</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thx a lot for the info! Is there a drawback to keeping it in asymmetric mode in my scenario (internet-facing IPS)? What do I lose exactly?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thx&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 18 Mar 2010 07:07:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425543#M67830</guid>
      <dc:creator>k.abillama</dc:creator>
      <dc:date>2010-03-18T07:07:35Z</dc:date>
    </item>
    <item>
      <title>Re: IPS 4240 virtual sensor asymmetric mode</title>
      <link>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425544#M67831</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Unfortunately there is always a trade-off between security and performance.&lt;/P&gt;&lt;P&gt;By turning the inline-TCP-evasion-protection-mode to asymmetric, it is essentially turning off the TCP normalizer engine, which leaves the network vulnerable to evasion techniques (specific to the TCP protocol), i.e. the 1300 range signatures.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 18 Mar 2010 08:21:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425544#M67831</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2010-03-18T08:21:32Z</dc:date>
    </item>
    <item>
      <title>Re: IPS 4240 virtual sensor asymmetric mode</title>
      <link>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425545#M67832</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ok! thx&lt;/P&gt;&lt;P&gt;Do you know how in my case we had this burst of upload traffic and disconnection when the mode was set to strict? The customer needs some explanations.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 18 Mar 2010 11:57:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425545#M67832</guid>
      <dc:creator>k.abillama</dc:creator>
      <dc:date>2010-03-18T11:57:38Z</dc:date>
    </item>
    <item>
      <title>Re: IPS 4240 virtual sensor asymmetric mode</title>
      <link>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425546#M67833</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It is possible that the TCP traffic does not comply with the normal TCP standard and is being picked up by the normalizer engine, and it is either being dropped, or, due to the nature of "strict" mode, the engine waited for the ACK before performing the inspection, hence the burst of traffic.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 18 Mar 2010 12:01:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-4240-virtual-sensor-asymmetric-mode/m-p/1425546#M67833</guid>
      <dc:creator>Jennifer Halim</dc:creator>
      <dc:date>2010-03-18T12:01:55Z</dc:date>
    </item>
  </channel>
</rss>

