
Cisco Bug: CSCvu52879 - show conn output must flag "trusted" flows

Last Modified

Jun 16, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

6.4(0)

Description (partial)

Symptom:
FTD running with ACP rules that use "Trust" as the action does not show a distinguishing connection flag for those flows in the "show conn" output on LINA.

The connection is accounted as one inspected by Snort, even though, once the flow has been whitelisted, LINA processes it without further Snort involvement.

When dynamic flow offload is enabled, the data flow is offloaded to CRUZ and the offload flag "o" on the connection distinguishes this flow.

When dynamic flow offload is disabled, the connection simply carries "N1" as its flag, which can lead to incorrect accounting of the load on Snort.

Conditions:
FTD with "Trust" action configured for ACP rules.