Solved: Re: need to turn off IDS normalization engine.

syjeon · ‎02-18-2011

Hi all.

I would like to know how can we turn off cisco ids nomalization engine? Is it complicated one or not?

We have some issue when we enable cisco nomalization engine on ids which is inline mode. some of assymetric traffic will be dropped.

So, we are going to disable cisco nomalization, now.

please give us any advice for us.

Thanks you.

Justin Teixeira · ‎02-18-2011

Hi Syjeon,

You can set the normalizer mode for the virtual sensor in question to "Asymmetric Mode Protection" to relax the TCP normalization if the sensor is inspecting asymmetric traffic:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_virtual_sensors.html#wp1034136

You'll want to change the "inline-TCP-evasion-protection-mode" option from "strict" to "asymmetric" for each of the virtual sensors seeing asymmetric traffic.

-Justin

View solution in original post

Justin Teixeira · ‎02-18-2011

Hi Syjeon,

You can set the normalizer mode for the virtual sensor in question to "Asymmetric Mode Protection" to relax the TCP normalization if the sensor is inspecting asymmetric traffic:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_virtual_sensors.html#wp1034136

You'll want to change the "inline-TCP-evasion-protection-mode" option from "strict" to "asymmetric" for each of the virtual sensors seeing asymmetric traffic.

-Justin