Hopefully someone from Cisco can chime in on this. When TCP intercept is enacted via embryonic connection limits and SYN cookies are used, does the ASA act as a full proxy, with separate front and back end connections, or does it 'splice' the connections together and perform sequence number manipulation (similar to sequence number randomization)?
I would imagine that it would simply perform the sequence number manipulation but it's difficult to test as I cannot easily simulate a half open connection to reach the embryonic limits.
Also, I'm assuming that the ASA performs the SYN cookie sequence number mathematics via the CPU as opposed to an ASIC or FPGA, given the significant CPU hit when TCP intercept is enabled for large amounts of traffic. Can anyone confirm?
Any input on either of these topics is greatly appreciated.
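To make the second model in the question concrete, here is an added Python sketch of a SYN proxy that splices the two legs with sequence number translation. It is an illustration of that generic technique (as used by stateless SYN-proxy implementations), not Cisco code and not a statement of how the ASA actually implements TCP intercept; the secret, addresses and ISNs are constructed for the demo.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SECRET = b"constructed-demo-secret"  # constructed; a real device would rotate it

def syn_cookie(client, server, ts_slot):
    """Stateless ISN for the SYN/ACK: a MAC over the 4-tuple and a coarse time
    slot. No per-SYN state is stored, so half-open floods cannot exhaust a table."""
    msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}|{ts_slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]

def cookie_valid(ack_num, client, server, now_slot, max_age=2):
    """The client's final ACK must carry cookie+1 for a recent slot; only then
    is it worth creating state and opening the back-end connection."""
    for age in range(max_age + 1):
        expected = (syn_cookie(client, server, now_slot - age) + 1) & MASK
        if expected == ack_num:
            return True
    return False

class SplicedFlow:
    """Front leg used the cookie as ISN, back leg got the real server's ISN.
    Rather than proxying at the socket level, rewrite seq/ack by a fixed delta
    so each side keeps seeing the ISN it negotiated."""
    def __init__(self, cookie_isn, server_isn):
        self.delta = (server_isn - cookie_isn) & MASK

    def client_to_server(self, ack):
        # client acknowledges relative to the cookie; server expects its own ISN
        return (ack + self.delta) & MASK

    def server_to_client(self, seq):
        # server sequence numbers are shifted back into the cookie's space
        return (seq - self.delta) & MASK

def establish(client, server, syn_slot, server_isn):
    """Front handshake with a cookie, validate the ACK, then splice to the
    back-end leg. Returns the flow, or None if the ACK did not validate."""
    cookie = syn_cookie(client, server, syn_slot)
    client_ack = (cookie + 1) & MASK          # what a legitimate client sends back
    if not cookie_valid(client_ack, client, server, syn_slot + 1):
        return None
    return SplicedFlow(cookie, server_isn)    # state exists only from here on
```

Because the delta is applied per segment, the device never buffers or terminates the stream, which is why this model is much cheaper than a full proxy with two independent socket buffers.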