switch-mode or no normalization for asymmetric traffic and what about inactivity timeout?

pweichmann
Level 1

We have to use no normalization, no icmp-guard on ACE 5(2.0) to allow a One-Arm config to allow asymmetric traffic, i.e. everything of some rservers needs to go through the alias ip.

Now this works but the connection table fills up pretty quickly and could reach the maximum within a minute.

I don't know what happens if the concurrent connection table is full, i.e. reaches the max -> some aggressive timeout?

The connections all have the standard default of 3600 seconds. I have a case open, but the TAC engineer says the timeout of those connections cannot be controlled. And I just saw on this forum someone talking about a switch-mode and its default timeout of 2 hours 15 minutes for everything, but it is configurable. And I read that normalization is disabled on those connections if switch-mode is enabled.

So can I use either "no normalization, no icmp-guard" OR "switch-mode"?

What are the differences, what are the other effects, if any?

And if using switch-mode I could configure "switch-mode timeout 30" or less? But I don't really know which long lasting connections we might face.

Would it be possible to set up some class-map that matches traffic of the alias IP and assign a different inactivity timeout?


mwinnett
Level 3

Patrick, switch-mode is specifically for connections that do match any class-maps (vips). I see no problem with setting the timeout low (30s). I haven't tested in the lab, but I would expect that any packet (not just the 3-way handshake) would create an entry, i.e. if a connection under the control of switch-mode was cleared by timeout, the next packet would create a new entry. You can set up a class-map to match on various traffic types and assign a different timeout. Can you share the config and the connection details (src/dst IP and port) that you are concerned about? Matthew
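As an added illustration of the per-class timeout approach Matthew describes (not configuration from the original thread or from the poster's device), the ACE snippet below gives traffic sourced from the alias IP a short inactivity timeout via a connection parameter-map, while leaving the rest of the interface at the default. The alias address 10.10.10.5, the interface VLAN and all object names are assumed placeholders, and the asymmetric-traffic settings from the original post are kept on the interface.

```text
! Assumed placeholders: alias IP 10.10.10.5, VLAN 100, object names
! Connection parameter-map: 30-second inactivity timeout for matched flows
parameter-map type connection ALIAS_SHORT_IDLE
  set timeout inactivity 30

! Match only traffic sourced from the alias IP (placeholder address)
class-map match-all ALIAS_SRC
  2 match source-address 10.10.10.5 255.255.255.255

! Apply the short idle timeout to that class; other traffic keeps defaults
policy-map multi-match ALIAS_POLICY
  class ALIAS_SRC
    connection advanced-options ALIAS_SHORT_IDLE

! One-arm interface with the settings from the original post
interface vlan 100
  no normalization
  no icmp-guard
  service-policy input ALIAS_POLICY
  no shutdown
```

After applying it, `show conn` lets you confirm that entries from the alias IP age out at the shorter interval while connections not matching ALIAS_SRC keep their original timeout, so you can gauge the effect on table occupancy before lowering the value further.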
