
Timeouts on non load balanced traffic thru ACE

k-bragg
Level 1

I have a backend server creating a connection to a db server outside the ACE environment. This traffic is using the L3 function of the ACE and is not being load balanced. The connection is timing out after 1 hour. I have normalization disabled on the backend server VLAN but not on the front side VLAN of the ACE.

2 Questions:

- With normalization disabled do I still need to change the tcp inactivity timeout for this traffic? Or with normalization disabled shouldn't the non load balanced traffic be L3 routed and not affected by the tcp timeout value?

- Also do I need to disable normalization on the front side VLAN of the ACE?

thanks,

kurt

1 Reply

As per

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/tcpipnrm.html#wp1075741

"Disabling TCP normalization affects only Layer 4 traffic. TCP normalization is always enabled for Layer 7 traffic."

By disabling TCP normalization the following Layer 4 connection parameters are ignored.

- exceed-mss: Configure behavior if a packet exceeds MSS
- random-seq-num-disable: Disable TCP sequence number randomization
- reserved-bits: Configure Reserved bits in TCP header
- syn-data: Configure behavior for a SYN packet containing data
- tcp-options: Configure TCP header options
- urgent-flag: Allow/Clear Urgent flag

I think you will need "Set timeout inactivity xxxx" command even if "no normalization" command is defined.

Syed Iftekhar Ahmed
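
One way to apply the suggestion in the reply above, as an added example that is not from the thread: a connection parameter map carrying a longer inactivity timeout, attached through a Layer 3/4 policy to the backend VLAN so that it covers the routed, non load balanced database connection. The map, class and policy names, VLAN 200, the address 192.0.2.10 and the 7200-second value are all assumptions chosen for illustration.

```text
! Annotated sketch for an ACE context; lines starting with "!" are notes.
! All names, the VLAN number, the address and the timeout are hypothetical.

! Connection parameter map holding the idle timeout (seconds).
parameter-map type connection DB_IDLE_PARAM
  set timeout inactivity 7200

! Layer 3/4 class that selects only the backend-to-database flow,
! so the longer timeout is not applied to every connection on the VLAN.
class-map match-all DB_CONN_CLASS
  2 match destination-address 192.0.2.10 255.255.255.255

! Bind the parameter map to the class; no loadbalance action is
! configured, so the traffic is still only routed by the ACE.
policy-map multi-match BACKEND_VLAN_POLICY
  class DB_CONN_CLASS
    connection advanced-options DB_IDLE_PARAM

! Apply on the VLAN where the backend server initiates the connection.
interface vlan 200
  no normalization
  service-policy input BACKEND_VLAN_POLICY
```

After applying it, `show conn` in the same context can be used to confirm the database connection is still present once the old one-hour mark has passed.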