How does the ASA handle non-load-balancing traffic?

johnsonyu
Level 1

Hi,

Can anyone explain how the ASA handles non-load-balancing traffic (traffic not classified by a class-map)? Is it dropped or forwarded?

Thanks

3 Replies

Jorge Bejarano
Level 4

ACE should forward the traffic

Also, you should know about this feature, which ensures better performance for that type of traffic.

Configuring the Switch Mode Feature

Use the switch mode feature to change the way that the ACE handles TCP connections that are not destined to a particular VIP and those connections that do not have any policies associated with their traffic. When you enable this feature, the ACE still creates connection objects for those TCP sessions that are not destined to the VIP. The ACE processes these connections as stateless connections, which means that they do not undergo any TCP normalization checks (for example, TCP window, TCP state, TCP sequence number, and other normalization checks).

The ACE also creates stateless connections for non-SYN TCP packets if they satisfy all other configured requirements, for example, ACLs and other policies. This process ensures that a long-lived persistent connection passes through the ACE successfully (even if it times out) by being reestablished by any incoming packet related to the connection.

By default, these stateless connections time out after 2 hours and 15 minutes unless you configure the timeout otherwise. When a stateless connection times out, the ACE does not send a TCP RST packet but instead closes the connection silently. Even though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the connections are closed when the ACE sees these flags in the received packets.

To change the default timeout for these stateless connections, use the set timeout inactivity command in parameter map connection configuration mode. For details about this command, see the Cisco Application Control Engine Module Security Configuration Guide.

The SYN cookie feature still operates normally for these stateless connections that are not destined to any VIP.

The default timeout value of 2 hours and 15 minutes is also applicable to the UDP connections that are not destined to any VIP.

To enable the switch mode feature, use the switch-mode command in configuration mode. The syntax of this command is as follows:

switch-mode

For example, to enable the switch mode feature, enter the following command:

host1/Admin(config)# switch-mode

Hope this helps
Jorge

Additionally, in case you need it you can configure the ACE to drop the traffic. Here you have a link about it:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1153095

Hope you find this is useful

Jorge

Cesar Roque
Level 4

Hi Tao,

It should route the traffic. You just need an ACL on the interfaces to permit the traffic.

-----------------------------

Cesar R
ANS Team
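Pulling the two answers together (Jorge's switch-mode and stateless-timeout notes, and Cesar's point that an ACL on the interface must permit the traffic), the following is an added ACE configuration fragment. It is not from either reply or from Cisco's documentation; the VLAN id, addresses, ACL and parameter-map names and the 600-second timeout are assumed sample values, so verify the exact syntax against the ACE configuration guide for your software version. Note that in switch mode the forwarded non-VIP connections skip TCP normalization, so the interface ACL is the main control over what is allowed to pass statelessly.

```text
! Added example (not from the thread): ACE configuration that forwards
! non-VIP traffic in switch mode with a shorter stateless timeout.
! Names, VLAN id, addresses and the timeout value are assumed sample values.

! 1. Permit only the non-load-balanced traffic you expect. Because switch-mode
!    connections bypass the TCP normalizer, keep this ACL as narrow as possible.
access-list PASSTHRU line 10 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! 2. Shorten the 2 h 15 min default inactivity timeout for stateless
!    connections (value in seconds; 600 is an assumed example).
parameter-map type connection STATELESS-CONN
  set timeout inactivity 600

! 3. Apply the connection parameter map to all traffic through a
!    multi-match policy using the built-in class-default.
policy-map multi-match PASSTHRU-POLICY
  class class-default
    connection advanced-options STATELESS-CONN

! 4. Bind the ACL and policy to the client-facing VLAN interface.
interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  access-group input PASSTHRU
  service-policy input PASSTHRU-POLICY
  no shutdown

! 5. Enable switch mode globally so TCP connections not destined to any VIP
!    are forwarded as stateless connections instead of being dropped.
switch-mode
```

Leave the ACL as the deny-by-default boundary: anything it does not permit is still dropped regardless of switch mode, and only permitted flows are created as stateless connections and aged out by the shortened inactivity timer.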