09-20-2012 07:32 PM
Hi,
Can anyone explain how the ASA handles non-load-balancing traffic (traffic not classified by a class-map)? Will it be dropped or forwarded?
Thanks
09-20-2012 09:07 PM
ACE should forward the traffic
You should also know about this feature, to ensure better performance for that type of traffic.
Use the switch mode feature to change the way that the ACE handles TCP connections that are not destined to a particular VIP and those connections that do not have any policies associated with their traffic. When you enable this feature, the ACE still creates connection objects for those TCP sessions that are not destined to the VIP. The ACE processes these connections as stateless connections, which means that they do not undergo any TCP normalization checks (for example, TCP window, TCP state, TCP sequence number, and other normalization checks).
The ACE also creates stateless connections for non-SYN TCP packets if they satisfy all other configured requirements, for example, ACLs and other policies. This process ensures that a long-lived persistent connection passes through the ACE successfully (even if it times out) by being reestablished by any incoming packet related to the connection.
By default, these stateless connections time out after 2 hours and 15 minutes unless you configure the timeout otherwise. When a stateless connection times out, the ACE does not send a TCP RST packet but instead closes the connection silently. Even though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the connections are closed when the ACE sees these flags in the received packets.
To change the default timeout for these stateless connections, use the set timeout inactivity command in parameter map connection configuration mode. For details about this command, see the Cisco Application Control Engine Module Security Configuration Guide.
The SYN cookie feature still operates normally for these stateless connections that are not destined to any VIP.
The default timeout value of 2 hours and 15 minutes is also applicable to the UDP connections that are not destined to any VIP.
To enable the switch mode feature, use the switch-mode command in configuration mode. The syntax of this command is as follows:
switch-mode
For example, to enable the switch mode feature, enter the following command:
host1/Admin(config)# switch-mode
Hope this helps
Jorge
09-20-2012 09:10 PM
Additionally, in case you need it you can configure the ACE to drop the traffic. Here you have a link about it:
Hope you find this useful
Jorge
09-21-2012 02:44 PM
Hi Tao,
It should route the traffic. You just need an ACL on the interfaces to permit the traffic.
-----------------------------
Cesar R
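Putting the two answers together, here is an added ACE configuration fragment (my own illustration, not posted by Jorge, Cesar or Cisco) that enables switch mode, shortens the stateless-connection inactivity timeout via a connection parameter map, and permits the non-VIP traffic with an interface ACL. The object names (ANY_PERMIT, CONN_PARAMS, L4_POLICY), the VLAN number and the IP address are assumed placeholders; the timeout value is a constructed example, not a recommendation.

```cisco
! Added example, not from the thread. Context: ACE Admin context, config mode.
! Enable switch mode so TCP flows not destined to a VIP (and flows with no
! matching policy) are forwarded as stateless connections instead of dropped.
switch-mode

! Cesar's point: traffic still needs an ACL on the interface to be permitted.
! Assumed ACL name ANY_PERMIT; tighten "ip any any" to your real subnets in practice.
access-list ANY_PERMIT line 10 extended permit ip any any

! Jorge's point: the default stateless timeout is 2 h 15 min; override it here.
! Assumed parameter-map name CONN_PARAMS; 600 s is a constructed example value.
parameter-map type connection CONN_PARAMS
  set timeout inactivity 600

! Apply the parameter map to everything that matches no other class (class-default),
! i.e. exactly the non-load-balanced traffic the question asks about.
! Assumed policy-map name L4_POLICY.
policy-map multi-match L4_POLICY
  class class-default
    connection advanced-options CONN_PARAMS

! Assumed VLAN 100 and address 10.0.100.2/24 (placeholders).
interface vlan 100
  ip address 10.0.100.2 255.255.255.0
  access-group input ANY_PERMIT
  service-policy input L4_POLICY
  no shutdown
```

After applying this, verify with show conn (the non-VIP flows appear as stateless connections) and show running-config parameter-map to confirm the timeout took effect; if the flows are still dropped, check the interface ACL first, since switch mode only changes how permitted traffic is tracked, not whether it is permitted.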