TCP Intercept cause problem

adosedla
Level 1

Dear Cisco Community,

We implemented TCP Intercept in intercept mode; unfortunately, we discovered connection problems to the servers. We changed the mode to watch, but the connection problems did not disappear until we removed the feature completely.

1. -> TCP Intercept mode intercept: Caused connection problems

2. -> TCP Intercept mode watch: Caused connection problems

3. -> TCP Intercept mode watch, exclude the subnet from the ACL: Still caused connection problems for the removed subnet

4. -> Removal of the whole config actually stopped the connection problems.

Well, we are not 100% sure about the watch mode and the removal of the ACL because we did not reproduce the problem. But what I can say with 100% certainty is that the intercept mode caused problems for messaging, Clarify and Citrix services.

Can anyone tell us whether we made a mistake or ran into a bug?

We have Catalyst 6506s with Sup720 and IOS version 12.2(17d)SBX in place. The bug tool did not show me any problems related to this feature and IOS version.

Thank you.

Cheers Alex

3 Replies

paul.werner
Level 1

Do you have packet captures that show problems with session negotiation?

pw

Hi Paul,

No, unfortunately not. I had no time to debug the problem; I had to react immediately since critical services were impacted. I changed the mode from intercept to watch and then disabled the feature entirely. But I will get the chance on November 19th to do a test, so I will be able to capture the session then. I hope you will come back and check.

Thank you.

Hello,

The TCP Intercept feature relies on the traffic flow going in and out through the same link, but that is not the case here. We did a test in which we discovered this asymmetric traffic flow.

This feature handles (in intercept mode) or monitors (in watch mode) the 3-way handshake (SYN, SYN-ACK, ACK) and limits the number of half-open connections (DoS, SYN attacks); if the traffic takes another path in or out, the feature can't operate correctly. Since the TCP Intercept feature received from certain subnets only incoming traffic or only outgoing traffic, it started to drop traffic sooner (intercept mode) or later (watch mode) after the implementation. This asymmetric traffic flow behaviour isn't a problem until security features are implemented that rely on traffic going in and out over the same link.

Cheers

Alex
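A simplified simulation of the watch-mode handshake tracking described above, added here as an example and not taken from the thread or from Cisco's implementation. It assumes the device must see the SYN, the SYN-ACK and the final ACK to count a connection as established, and it uses a 30 s watch timeout (the IOS default for `ip tcp intercept watch-timeout`) as an assumption; the constructed asymmetric trace, in which the SYN-ACK never crosses the device, shows why a healthy connection still ends up reset.

```python
from dataclasses import dataclass, field
# 30 s is the IOS default of "ip tcp intercept watch-timeout"; assumed here, not measured.
WATCH_TIMEOUT = 30.0

@dataclass
class Packet:
    t: float      # arrival time in seconds at the intercept device
    client: str
    server: str
    flags: str    # "SYN", "SYN-ACK" or "ACK"

@dataclass
class WatchState:
    half_open: dict = field(default_factory=dict)  # (client, server) -> [syn_time, synack_seen]
    resets: list = field(default_factory=list)     # embryonic connections the device would reset
    established: int = 0

def _expire(st, now):
    """Reset every embryonic connection older than the watch timeout."""
    for key, (t_syn, _) in list(st.half_open.items()):
        if now - t_syn > WATCH_TIMEOUT:
            del st.half_open[key]
            st.resets.append(key)

def watch_mode(packets):
    """Passively track handshakes the way watch mode does; return the final state."""
    st = WatchState()
    for p in sorted(packets, key=lambda x: x.t):
        _expire(st, p.t)
        key = (p.client, p.server)
        if p.flags == "SYN":
            st.half_open.setdefault(key, [p.t, False])
        elif p.flags == "SYN-ACK" and key in st.half_open:
            st.half_open[key][1] = True
        elif p.flags == "ACK" and key in st.half_open and st.half_open[key][1]:
            del st.half_open[key]        # both halves of the handshake seen: complete
            st.established += 1
    _expire(st, float("inf"))            # final sweep once the capture ends
    return st

def symmetric_trace():
    """Constructed trace: both directions of the handshake cross the intercept device."""
    return [Packet(0.0, "10.1.1.10", "10.2.2.20", "SYN"),
            Packet(0.1, "10.1.1.10", "10.2.2.20", "SYN-ACK"),
            Packet(0.2, "10.1.1.10", "10.2.2.20", "ACK")]

def asymmetric_trace():
    """Constructed trace: the server's SYN-ACK returns over another link and is never seen."""
    return [Packet(0.0, "10.1.1.10", "10.2.2.20", "SYN"),
            Packet(0.2, "10.1.1.10", "10.2.2.20", "ACK")]
```

In the asymmetric case the client's final ACK arrives but the device never saw the SYN-ACK, so the flow stays embryonic until the timer expires and is reset, which matches the delayed drops seen in watch mode.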