Cisco Bug: CSCvu65337 - Doc: DCD doesn't work when Flow is offloaded
Jul 02, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: DCD and flow-offload are not compatible with each other. If a device is upgraded to 6.3.0+ with the DCD feature, this can lead to an outage: lina doesn't see the packets, so DCD kicks in, and since the connection is offloaded it sends a packet with an incorrect sequence number (the sequence number of the last packet that was seen), which is then ignored/discarded by the client/server.

We performed test cases and found two results:

1. Some connections that are being offloaded are torn down as soon as they reach 10 seconds of idle connectivity (where ideally a DCD probe should fire); removing DCD fixes this.
2. Under very rare conditions, the connections are not torn down within 10 seconds and we see DCD firing with an incorrect sequence number, the sequence number that lina witnessed last and not the correct sequence number. We also see some errors in the debug for flow-offload, "Driver block is NULL flow 192.168.2.101:443 -> 192.168.3.101:50588 tcp flags 0x10", and then it tears down after some time.

Attaching the session log. I will upload the captures taken on the lina as soon as possible.

Conditions: DCD in conjunction with the Flow offload feature.
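An added triage example, not part of the Cisco bug record: a small Python parser for the flow-offload debug message quoted in the symptom, which groups hits per flow and decodes the TCP flags field (0x10 is a bare ACK). The sample lines are constructed from the one message shown above, and the function names are hypothetical.

```python
import re

# Message format taken from the bug text. search() is used so that any
# timestamp or prefix a real debug log puts in front of it is ignored.
PATTERN = re.compile(
    r"Driver block is NULL flow "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\w+) flags (?P<flags>0x[0-9a-fA-F]+)"
)

# Standard TCP header flag bits.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def decode_flags(value):
    """Turn the numeric flags field into a list of flag names."""
    return [name for bit, name in TCP_FLAGS if value & bit]


def find_null_driver_flows(lines):
    """Map (src, sport, dst, dport) -> hit count and the flags seen."""
    flows = {}
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # not the message this bug describes
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rec = flows.setdefault(key, {"count": 0, "flags": set()})
        rec["count"] += 1
        rec["flags"].update(decode_flags(int(m["flags"], 16)))
    return flows


# Constructed sample input: the first message is the one quoted in the bug,
# the others are invented variations for illustration.
SAMPLE = """\
Driver block is NULL flow 192.168.2.101:443 -> 192.168.3.101:50588 tcp flags 0x10
unrelated constructed debug line
Driver block is NULL flow 192.168.2.101:443 -> 192.168.3.101:50588 tcp flags 0x10
Driver block is NULL flow 192.168.2.102:443 -> 192.168.3.101:50590 tcp flags 0x18
""".splitlines()

if __name__ == "__main__":
    for flow, rec in find_null_driver_flows(SAMPLE).items():
        src, sport, dst, dport = flow
        print(f"{src}:{sport} -> {dst}:{dport} hits={rec['count']} "
              f"flags={'|'.join(sorted(rec['flags']))}")
```

Flows reported here are candidates to compare against the connections that dropped at the idle timeout.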