We have to use "no normalization, no icmp-guard" on ACE 5(2.0) to allow a One-Arm config to allow asymmetric traffic, i.e. all traffic from some rservers needs to go through the alias IP.
Now this works but the connection table fills up pretty quickly and could reach the maximum within a minute.
I don't know what happens if the concurrent connection table is full, i.e. reaches the max -> some aggressive timeout?
The connections all have the standard default of 3600 seconds. I have a case open, but the TAC engineer says the timeout of those connections cannot be controlled. And I just saw on this forum someone talking about a switch-mode and its default timeout of 2 hours 15 minutes for everything, but it is configurable. And I read that normalization is disabled on those connections if switch-mode is enabled.
So can I use either "no normalization, no icmp-guard" OR "switch-mode"?
What are the differences, what are the other effects, if any?
And if using switch-mode I could configure "switch-mode timeout 30" or less? But I don't really know which long lasting connections we might face.
Would it be possible to set up some class-map that matches traffic of the alias IP and assign a different inactivity timeout?
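Added illustration, not part of the original post and not a config from the poster or from Cisco: the kind of class-map/parameter-map pairing the last question is asking about, written in ACE-style CLI. The rserver subnet (10.10.20.0/24), the VLAN number (20) and all object names are assumptions for the example; the 300-second inactivity value is an arbitrary placeholder. Since the traffic in question is routed through the alias IP rather than load balanced, the class-map matches on the rserver source addresses rather than on the alias itself.

```text
! Added example (not from the original post); assumes ACE 2.0-style CLI,
! rserver subnet 10.10.20.0/24 and VLAN 20 as the one-arm interface.

! Shorter idle timeout intended for the forwarded (non-load-balanced) server traffic
parameter-map type connection FORWARDED_CONNS
  set timeout inactivity 300

! Match connections sourced from the rserver subnet (assumed address range)
class-map match-all RSERVER_SUBNET
  2 match source-address 10.10.20.0 255.255.255.0

! Attach the connection parameters to that class
policy-map multi-match ONE_ARM_L4
  class RSERVER_SUBNET
    connection advanced-options FORWARDED_CONNS

interface vlan 20
  no normalization
  no icmp-guard
  service-policy input ONE_ARM_L4
  no shutdown

! Check whether the forwarded connections actually picked up the 300 s timeout
! and watch the concurrent-connection counter against its limit
show conn detail
show resource usage
```

Whether forwarded connections honour a connection parameter-map at all is exactly the point the TAC engineer disputed, so the two show commands at the end are the part that matters: compare the idle timeout reported per connection in `show conn detail` before and after applying the policy, and keep an eye on the concurrent-connection usage so the table does not silently hit its ceiling.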