ACE with 'no normalization' - bug or feature?
07-24-2007 02:56 PM
Hello,
Our customer has a typical ACE configuration in routed mode, with direct access from the client side to the server side enabled. OK. Access to the server port is enabled. When I telnet to server_ip:service_port, I can see an 'established' connection on the ACE. That's OK.
But when I set iptables (fw) on the server to drop (not reject) service_port, the connection is not established. Sure? (The TCP connection is not established because the SYN packet is dropped on the server side.)
And now my discovery (customer environment and my lab):
1. With normalization enabled (default) on both interfaces, the connection on the ACE is in the 'SYNSEEN' state. That's OK. After the TCP embryonic timeout, the connection on the ACE is cleared.
2. But with 'no normalization' on the server-side interface, the connection is in the 'ESTABLISHED' state. Why?? In the sniffer trace I can see only the SYN from the client and no response from the server (because the fw dropped it). The connection on the client and the server is not established (that's OK).
Is it a bug or a 'feature'?
SW release: 3.0(0)A1(5a)
martin
07-29-2007 11:44 PM
Martin,
Not a bug.
Without normalization, the ACE does not monitor the state of TCP connections, so the first SYN is enough for it to consider the state ESTABLISHED.
Gilles.
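To make the two behaviours concrete, here is a small connection-table model that reproduces what Martin observed and Gilles explained. It is an added example, not ACE code or Cisco documentation: the state names SYNSEEN and ESTABLISHED and the embryonic timeout are taken from the thread, while the handshake tracking, the 5-second timeout value, the flow tuple and the function names are assumptions made for the illustration. The point it shows is the security-relevant one: with normalization, a half-open connection (SYN dropped by the server's firewall) stays SYNSEEN and is aged out; without it, the same single SYN produces an ESTABLISHED entry that the device never reconsiders, so the connection table no longer distinguishes real sessions from SYNs that were never answered.

```python
from dataclasses import dataclass

SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"
# Constructed sample flow: client -> server_ip:service_port (values are made up).
FLOW = ("10.0.0.10", 40000, "10.0.0.20", 8080)


@dataclass
class Conn:
    state: str              # "SYNSEEN" or "ESTABLISHED", the two states named in the thread
    synack_seen: bool = False
    idle: float = 0.0       # seconds since the last packet of this flow


class ConnTable:
    """Toy model of the connection table with the normalization switch (not ACE code)."""

    def __init__(self, normalize: bool, embryonic_timeout: float = 5.0):
        self.normalize = normalize
        self.embryonic_timeout = embryonic_timeout   # assumed value for the model
        self.conns: dict[tuple, Conn] = {}

    def packet(self, flow: tuple, flags: str, from_client: bool) -> str:
        conn = self.conns.get(flow)
        if conn is None:
            if not (from_client and flags == SYN):
                return "NO-CONN"   # nothing to match and not an opening SYN
            # Normalization: record SYNSEEN and wait for the handshake to complete.
            # No normalization: the first SYN alone is enough to show ESTABLISHED.
            conn = Conn("SYNSEEN" if self.normalize else "ESTABLISHED")
            self.conns[flow] = conn
            return conn.state
        conn.idle = 0.0
        if self.normalize and conn.state == "SYNSEEN":
            # Assumed handshake tracking: server SYN-ACK, then client ACK.
            if not from_client and flags == SYN_ACK:
                conn.synack_seen = True
            elif from_client and flags == ACK and conn.synack_seen:
                conn.state = "ESTABLISHED"
        return conn.state

    def tick(self, seconds: float) -> None:
        """Age entries; half-open SYNSEEN entries past the embryonic timeout are cleared."""
        for flow, conn in list(self.conns.items()):
            conn.idle += seconds
            if conn.state == "SYNSEEN" and conn.idle >= self.embryonic_timeout:
                del self.conns[flow]

    def state(self, flow: tuple):
        conn = self.conns.get(flow)
        return conn.state if conn else None


def syn_dropped_by_server(normalize: bool) -> str:
    """Martin's test: iptables DROPs the SYN on the server, so only the client SYN is seen."""
    table = ConnTable(normalize)
    return table.packet(FLOW, SYN, from_client=True)


def syn_dropped_then_timeout(normalize: bool):
    """Same test, then wait past the embryonic timeout without any server reply."""
    table = ConnTable(normalize, embryonic_timeout=5.0)
    table.packet(FLOW, SYN, from_client=True)
    table.tick(6.0)
    return table.state(FLOW)


def full_handshake(normalize: bool) -> str:
    """Control case: the server answers and the client completes the handshake."""
    table = ConnTable(normalize)
    table.packet(FLOW, SYN, from_client=True)
    table.packet(FLOW, SYN_ACK, from_client=False)
    return table.packet(FLOW, ACK, from_client=True)


if __name__ == "__main__":
    for mode in (True, False):
        print(f"normalize={mode}: SYN dropped -> {syn_dropped_by_server(mode)}, "
              f"after timeout -> {syn_dropped_then_timeout(mode)}, "
              f"full handshake -> {full_handshake(mode)}")
```

Run it and compare the two lines: with `normalize=True` the dropped SYN yields SYNSEEN and the entry is gone after the timeout; with `normalize=False` it yields ESTABLISHED immediately and stays that way, which is exactly the 'ESTABLISHED with only a SYN in the trace' that prompted the question.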
