Cisco Bug: CSCvu65337 - Doc: DCD doesn't work when Flow is offloaded

Last Modified

Jul 02, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.10(1.3) 9.12(1.6)

Description (partial)

Symptom:
DCD and flow-offload are not compatible with each other. If upgraded to 6.3.0+ with the DCD feature, this can lead to an outage: lina doesn't see the packets, DCD kicks in, and since the connection is offloaded it sends a packet with an incorrect sequence number (the sequence number of the last packet that was seen), which is then ignored/discarded by the client/server.

We performed test cases and found two results:

1. Some connections that are being offloaded are torn down as soon as they reach 10 seconds of idle connectivity (where ideally a DCD probe should fire); removing DCD fixes this.

2. Under very rare conditions, the connections are not torn down within 10 seconds and we see DCD firing with an incorrect sequence number, namely the sequence number that lina witnessed last and not the correct sequence number. We also see some errors in the debug for flow-offload, "Driver block is NULL flow 192.168.2.101:443 -> 192.168.3.101:50588 tcp flags 0x10", and then it tears down after some time. Attaching the session log. I will upload the captures taken on the lina as soon as possible.

Conditions:
DCD in conjunction with the Flow offload feature.
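
The second test result can be looked for in a packet capture. The sketch below is an added example, not Cisco code: it flags zero-length ACKs (TCP flags 0x10) that arrive after the 10 second idle period and whose sequence number trails what the sender has already transmitted. The record layout, function names and sample segments are constructed, and it assumes a capture point that sees every segment of the flow, including the offloaded ones.

```python
from collections import namedtuple

# Constructed record layout: time (s), source, destination, seq, payload length, TCP flags
Seg = namedtuple("Seg", "ts src dst seq length flags")
ACK_ONLY = 0x10      # flag value from the flow-offload debug line on this page
IDLE_SECONDS = 10    # idle time after which the page expects a DCD probe
MOD = 1 << 32        # TCP sequence numbers wrap at 2**32

# Constructed sample: the last segment reuses a sequence number from before the final data burst
SERVER, CLIENT = "192.168.2.101:443", "192.168.3.101:50588"
SAMPLE = [
    Seg(0.0, SERVER, CLIENT, 1000, 500, 0x18),
    Seg(0.1, CLIENT, SERVER, 7000, 0, 0x10),
    Seg(0.2, SERVER, CLIENT, 1500, 1460, 0x18),
    Seg(0.3, CLIENT, SERVER, 7000, 0, 0x10),
    Seg(10.4, SERVER, CLIENT, 1500, 0, 0x10),
]

def seq_lag(expected, seen):
    """Bytes by which `seen` trails `expected`, wrap-safe; 0 if it is not behind."""
    diff = (expected - seen) % MOD
    return diff if diff < MOD // 2 else 0

def find_stale_probes(segments, idle=IDLE_SECONDS):
    """Return (segment, lag) for zero-length ACKs after an idle gap with a stale seq."""
    next_seq = {}    # (src, dst) -> next sequence number that sender should use
    last_seen = {}   # unordered flow key -> time of the last segment in either direction
    hits = []
    for s in sorted(segments, key=lambda x: x.ts):
        direction = (s.src, s.dst)
        flow = frozenset(direction)
        expected = next_seq.get(direction)
        quiet = s.ts - last_seen.get(flow, s.ts)
        if (expected is not None and s.flags == ACK_ONLY
                and s.length == 0 and quiet >= idle):
            lag = seq_lag(expected, s.seq)
            if lag > 1:  # an ordinary TCP keepalive trails by at most one byte
                hits.append((s, lag))
        end = (s.seq + s.length) % MOD
        if expected is None or seq_lag(end, expected) > 0:
            next_seq[direction] = end  # advance only, never rewind on a stale segment
        last_seen[flow] = s.ts
    return hits
```

This is a heuristic: a late retransmitted ACK would match as well, so a hit should be correlated with the flow-offload debug output and the DCD timeout configured on the device.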