Flow Timeouts & TCP FIN/RST
I've been reading for a few hours, both the docs and the web, and I can't seem to definitively answer if the CSS cleans flows internally or if it closes them to the server too. It seems to be a local cleanup process from what I've read. I also wonder if there's a way to have the CSS send FINs or RSTs to the server for old flows. Basically, I'm about to help on an issue where the servers are not having their connections closed properly and they end up out of ports. I don't know if it's the app or the lb but I am curious anyway if there's a way to have the CSS send FINs or RSTs to the server for old entries. If I understand properly, the CSS proxies requests between the client and server and there should be nothing to stop FINs or RSTs from being sent back and forth. Thanks!
the CSS does not send any RESET when deleting a flow.
The reset is sent to the client when a flow was deleted AND the client sends a packet that would have matched that flow.
I believe there is a feature request to reset client and server on flow deletion but not yet implemented.
You should look for a solution on the server side.
Reduce the tcp idle timeout or something equivalent.
Also, I know some server do not like the RESET sent by CSS keepalive when using tcp keepalive.
There is a command 'tcp-close-fin' to change the reset into a fin.
If you think the kal could be part of the problem, I would recommend to use this command.
Regards,
Gilles.
Similar Messages
-
Tcp-flow-timeout on outgoing connections
Hello,
We have clients connecting to a server, through a CSS.
The server, on some specific cases, has to connect to the clients (different port).
Since IP adresses are the same, the connection has to go through the CSS, which in this case is acting as gateway.
We're facing issues, because of teared down flows at CSS level ; we'd like to change the inactivity timeout, but can't find an easy way.
So far, the only thing I found, is to set a permanent port, but it's not really the best solution, as connections which were not closed correctly would accumulate in the system.
Would there be an easy way (I'd prefer to avoid having to create contents) for the outgoing flows, on a specific port, to have a different inactivity timeout than the default one ?
Thanks in advance for your help.
Cheers
MaelHi Mael,
CSS will not break routed connections just going through it.
Here's what happens:
1) CSS gets a packet directed towards an IP which is not configured as VS. When it does, it creates a connection for that flow even if the packet is not the original SYN of the three way handshake.
2) If no data is received on this connection for 16 seconds, it is moved to the free-flows list. Once it is there, the CSS will continue to use the information located in it to forward traffic but the connection will be removed as soon as we need some room for new entries.
3) Once the connection is removed even from the free-flows list and that we get a new packet for the connection, you got back to point #1. Since the CSS doesn't check for stateful information (AKA doesn't check if the first packet is a SYN).
So even if the idle timeout of the connections going through it are 16 seconds, a routed TCP flow through the CSS *will never time out*.
For changing inctivity timeouts for loabbalanced connnections you can use the below command which needs to be applied to Content rule/source groups.
flow-timeout multiplier
Note: If you give number as 2, CSS will multiply it by 16 and actual timeout would be 32.
The permanent option is also good one but can be a problem if you have high traffic for that port. You can also use cmd-scheduler along with permanent port to clear the flows periodically.
Regards,
Kanwal -
CSS11506 - flow-timeout-multiplier
Hello,
I have a pair of Sun Directory Proxy servers behind our CSS with the following config...
<<< START CONFIG >>>
!************************** SERVICE **************************
service DirProxy_mmcdif22_636
keepalive type tcp
keepalive tcp-close fin
keepalive port 636
ip address 172.16.30.72
active
service DirProxy_mmcdif62_636
keepalive type tcp
keepalive tcp-close fin
keepalive port 636
ip address 172.16.30.76
active
!*************************** OWNER ***************************
owner Security
content DirProxy_pdd4_636
add service DirProxy_mmcdif22_636
add service DirProxy_mmcdif62_636
protocol tcp
port 636
vip address 123.123.102.201
balance aca
flow-timeout-multiplier 200
active
!*************************** GROUP ***************************
group v4DirProxy_group
add destination service DirProxy_mmcdif22_636
add destination service DirProxy_mmcdif62_636
vip address 172.16.30.12
active
<<< END CONFIG >>>
During a recent outage of mmcdif62, all existing connections appear to have been 'orphaned' on the CSS for approximately 53 minutes... which correlates with the 'flow-timeout-multiplier 200' config on this content rule.
Is there any way to overcome these 'orphaned' connections during a failure scenario as shown above?
Also, is it possible to configure the CSS to act upon source IP address info? If so, perhaps this would be a solution to our problem.
Thanks,
-AdamAdam,
we consider the application should recover from this by itself.
If the client keeps retransmitting and the server does not respond, the application should reset the connection and open a new one which would then be loadbalanced to a working server.
The ACE module has a feature to automatically kill connections linked to a dead server.
Unfortunately this feature does not exist on the CSS.
Regarding the client ip address, you have configured a group to do client nat.
The server will therefore lose the client info.
This is however not related to the connection hang issue.
Gilles. -
General query on CSM and CSS flow timeout values
Hi all,
i have a SLB Application Processor Complex module on my Cisco 6504 which basically does some load balancing work. I am pretty new to this device but the configurations and setup looks somewhat similar to the Cisco ACE but i only have some experience with the Cisco CSS.
What i would like to know is what the equivalent command to the CSS "flow timeout" is on the CSM. Would that be the "idle timeout" command? I understand that the "pending timeout" is more to governing how long it takes to setup a 3 way handshake from client to server and the "idle timeout" is what i am looking for. Please correct me if i am wrong...
On the CSS, a flow timeout is on 16secs for most standard ports and 8 secs for HTTP. I would like to know what the default setting is for the CSM idle timeout?? Thanks alot!!
DanielHi Daniel,
For Idle Timeout the the default is 1 hour/ 3600 sec.
As you know for Cicso CSM thare are 2 timers per vserver.
Idle timeout
Pending timeout.
If a connection is timed out it's because of one of these timers.
Idle timeout per vserver - If there is no traffic neither from client nor server. Idle connection timer duration in seconds; the range is from 0 (connection remains open indefinitely) to 13500000. The default is 1 hour. If you do not specify a duration value, the default value is applied.
Examples
This example shows how to specify an idle timer duration of 4000:
Cat6k-2(config-slb-vserver)# idle 4000
Pending timeout per vserver - is the max time allowed to complete the 3-way handshake.The default is 30 sec.Range is from 1 to 65535. This is a SLB virtual server configuration submode command. The pending connection timeout sets the response time for terminating connections if a switch becomes flooded with traffic. If the 3-way handshake does not complete within this time, the connection is dropped.
The CSM expect to see 2-way traffic within the pending timeout. If no traffic is received from the server, the session is removed.
Examples
This example shows how to set the number to wait for a connection to be made to the server:
Cat6k-2(config-slb-vserver)# pending 300
These are not counted as failures.
A failure is when the server does not respond or respond with a reset.
The CSM can hold 1 million connections in memory at the max.
So, if you set the idle timeout to 10 hours, your max connection rate is 1 M / 10 * 3600 = ~250 conn/sec.
Assuming they would all be open and then idle.
When the number of pending connections exceeds a configurable threshold, the CSM begins using the SYN cookies feature, encrypting all of the connection state information in the sequence numbers that it generates. This action prevents the CSM from consuming any flow state for pending (not fully established) TCP connections. This behavior is fully implemented in hardware and provides a good protection against SYN attacks.
Generic TCP termination
Some connections may not require TCP termination for Layer 7 load balancing. You can configure any virtual server to terminate all incoming TCP connections before load balancing those connections to the real servers. This configuration allows you to take advantage of all the CSM DoS features located in Layer 4 load-balancing environments.
To select the traffic type and appropriate timeout value, use the unidirectional command in the SLB virtual server submode.
[no | default] unidirectional
some protocol automatically set the 'unidirectional' function.
For example : UDP.
You can see if a vserver is unidirectional or bidirectional by doing a 'sho mod csm X vser name detail'
When a virtual server is configured as unidirectional, it no longer uses the pending timer. Instead, the idle timer will determine when to close idle or errant flows. Because the idle timer has a much longer default duration than the pending timer, be sure to set the idle timer to an appropriate value.
Use the command "show module csm slot# stats" to get the details of connection.
The statistics counters are 32-bit. Totals are accumulated since the last time the counters were cleared.
Examples
This example shows how to display SLB statistics:
Cat6k-2# show module csm 4 stats
Connections Created: 180
Connections Destroyed: 180
Connections Current: 0
Connections Timed-Out: 0
Connections Failed: 0
Server initiated Connections:
Created:0, Current:0, Failed:0
L4 Load-Balanced Decisions:180
L4 Rejected Connections: 0
L7 Load-Balanced Decisions:0
L7 Rejected Connections:
Total:0, Parser:0,
Reached max parse len:0, Cookie out of mem:0,
Cfg version mismatch:0, Bad SSL2 format:0
L4/L7 Rejected Connections:
No policy:0, No policy match 0,
No real:0, ACL denied 0,
Server initiated:0
Checksum Failures: IP:0, TCP:0
Redirect Connections:0, Redirect Dropped:0
FTP Connections: 0
MAC Frames:
Tx:Unicast:1506, Multicast:0, Broadcast:50898,
Underflow Errors:0
Rx:Unicast:2385, Multicast:6148349, Broadcast:53916,
Overflow Errors:0, CRC Errors:0
Table mentioned below describes the fields in the display.
Table for "show module csm stats" Command Field Information
Field
Description
Connections Created
Number of connections that have been created on the CSM.
Connections Destroyed
Number of connections that have been destroyed on the CSM.
Connections Current
Number of current connections at the time the command was issued.
Connections Timed-Out
Number of connections that have timed out, which can occur for the following reasons:
•connection has been idle (in one or both directions) for longer than the configured idle timeout.
•TCP connection setup not completed successfully.
Connections Failed
Number of connections failed because the server did not respond within the timeout period, or the server replied with a reset.
Server initiated Connections
Number of connections created by real servers, the number of current connections, and the number of connections that failed (because the destination is unreachable).
L4 Load-Balanced Decisions
Number of Layer 4 load-balancing decisions attempted.
L4 Rejected Connections
Number of Layer 4 connections rejected because no real server was available
L7 Load-Balanced Decisions
Number of Layer 7 load-balancing decisions attempted.
L7 Rejected Connections: Total
Number of Layer 7 connections rejected.
L7 Rejected Connections: Parser
Number of Layer 7 connections rejected because the Layer 7 processor in the CSM ran out of session buffers to save the parsing state for multi-packet HTTP headers. The show module csm tech-support proc 3 command will show detailed buffer usage.
L7 Rejected Connections: Reached max parse len
Number of Layer 7 connections rejected because the HTTP header in the packet is longer than max-parse-len. When a virtual server is configured with HTTP persistent rebalancing or cookie matching/sticky, the CSM must parse to the end of HTTP header. The default max-parse-len value is 2000 bytes.
L7 Rejected Connections: Cookie out of mem:
Number of Layer 7 connections rejected because of no memory to store cookies. When a virtual server is configured with cookie matching, the CSM must save the cookie contents in memory.
L7 Rejected Connections: Cfg version mismatch
Number of Layer 7 connections rejected because part of the request was processed with an older version of the configuration. This counter should only increase after configuration changes.
L7 Rejected Connections: Bad SSL2 format:
Number of Layer 7 connections rejected because the request is using an unsupported SSL format or the format is not valid SSL.
L4/L7 Rejected Connections
Number of Layer 4 and Layer 7 connections rejected for policy related reasons:
No policy: connection rejected because the request matched a virtual server, but this virtual server did not have a policy configured.
No policy match: connection rejected because the request matched a virtual server, but the request did not match any policy configured on the virtual server.
No real: connection rejected because no real server was available to service the request
ACL denied: connection rejected because a request matched a policy with a client-access-list entry and the entry is configured to deny the request.
Server Initiated: connection initiated by a real server is rejected.
Checksum Failures
Number of checksum failures detected (there are separate counters for IP and TCP failures).
Redirect Connections
Number of connections redirected, and the number of redirect connections dropped.
FTP Connections
Number of FTP connections opened.
MAC Frames
Number of MAC frames received and transmitted on the CSM backplane connection.
For getting details on all of these commands kindy refer Catalyst 6500 Series Switch Content Switching Module Command Reference, 4.2 URL mentioned below:
http://cisco.biz/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/command/reference/cmdrfIX.html
Kindly Rate.
HTH
Sachin Garg -
ACE- 4710 graceful disconnect timeout (no FIN ACK)
I have below 4 real servers into a single serverfarm and serverfarm is being reported by huge number of drop. Below is the log coming in the ACE buffer.Please suggest what may be the pobable reason for such behavior.
Sep 13 2011 11:31:47 : %ACE-3-251010: Health probe failed for server 172.18.104.128 on port 8001, graceful disconnect timeout (no FIN ACK)
Sep 13 2011 11:32:05 : %ACE-3-251010: Health probe failed for server 172.18.104.126 on port 8001, graceful disconnect timeout (no FIN ACK)
Sep 13 2011 11:32:08 : %ACE-3-251010: Health probe failed for server 172.18.104.125 on port 8001, graceful disconnect timeout (no FIN ACK)
Sep 13 2011 11:32:09 : %ACE-3-251010: Health probe failed for server 172.18.104.127 on port 8001, graceful disconnect timeout (no FIN ACK)Hi Plz find required config,
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.09.14 13:37:31 =~=~=~=~=~=~=~=~=~=~=~=
APP-ACE/Admin# sh serverfarm App_MIS
serverfarm : App_MIS, type: HOST
total rservers : 9
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: Application-Server-123
172.18.104.123:8001 8 OPERATIONAL 135 65809 460
rserver: Application-Server-124
172.18.104.124:8001 8 OPERATIONAL 135 69809 124
rserver: Application-Server-125
172.18.104.125:8001 8 PROBE-FAILED 135 69956 56
rserver: Application-Server-126
172.18.104.126:8001 8 OPERATIONAL 135 71015 27
rserver: Application-Server-127
172.18.104.127:8001 8 OPERATIONAL 135 73187 33
rserver: Application-Server-128
172.18.104.128:8001 8 OPERATIONAL 135 69613 33
rserver: Application-Server-129
172.18.104.129:8001 8 OPERATIONAL 135 75545 74
rserver: Application-Server-42
172.18.104.42:8001 8 OPERATIONAL 134 73487 35
rserver: Application-Server-46
172.18.104.46:8001 8 OPERATIONAL 134 78237 48
APP-ACE/Admin# sh serverfarm App_MIS detail
serverfarm : App_MIS, type: HOST
total rservers : 9
active rservers: 8
description : Application Zone Load Balancer for Weblogic
state : ACTIVE
predictor : LEASTCONNS
slowstart : 0 secs
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
ICMP-ICMP-Probe, type = ICMP
TCP-8001, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: Application-Server-123
172.18.104.123:8001 8 OPERATIONAL 133 65812 460
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-124
172.18.104.124:8001 8 OPERATIONAL 134 69810 124
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-125
172.18.104.125:8001 8 PROBE-FAILED 135 69956 56
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-126
172.18.104.126:8001 8 OPERATIONAL 133 71015 27
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-127
172.18.104.127:8001 8 OPERATIONAL 135 73187 33
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-128
172.18.104.128:8001 8 OPERATIONAL 133 69622 33
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-129
172.18.104.129:8001 8 OPERATIONAL 131 75553 74
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-42
172.18.104.42:8001 8 OPERATIONAL 133 73489 35
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
rserver: Application-Server-46
172.18.104.46:8001 8 OPERATIONAL 133 78244 48
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
serverfarm host App_MIS
description Application Zone Load Balancer for Weblogic
predictor leastconns
probe ICMP-ICMP-Probe
probe TCP-8001
rserver Application-Server-123 8001
inservice
rserver Application-Server-124 8001
inservice
rserver Application-Server-125 8001
inservice
rserver Application-Server-126 8001
inservice
rserver Application-Server-127 8001
inservice
rserver Application-Server-128 8001
inservice
rserver Application-Server-129 8001
inservice
rserver Application-Server-42 8001
inservice
rserver Application-Server-46 8001
inservice
APP-ACE/Admin#sh running-config probe
Generating configuration....
probe icmp ICMP-ICMP-Probe
interval 2
faildetect 2
passdetect interval 60
probe tcp TCP-8001
port 8001
interval 2
faildetect 2
passdetect interval 15
passdetect count 2
open 1 -
New parameter "timeout tcp-proxy-reassembly" in ASA 8.2
I couldn't find much in the config guide or web site for this. Can someone tell me which situations this would come into play? Here is the CLI help:
"Configure idle timeout after which buffered packets waiting for reassembly in tcp-proxy are dropped"Hi.
I've had a very interesting discussion with a TAC engineer about this command.
The engineer mentions that, with this command, ASA behaves in the following way:
When the ASA receive a fragmented data, it puts the fragments in the buffer to be able to reassemble it and then sent it. When the buffer exceed the limit, the ASA start dropping the reassemble packets so the reason for the packet drop is always the buffer limit exceed . by using the command “tcp-proxy-reassembly”, the ASA wait for an idle time which is determined by this command, the reason why we need this idle time is that the ASA after dropping the fragmented packet still keeps the connection in the conn table open waiting to reassemble the fragments and send it , but this will not happen as the fragment was dropped , so this will keep the connection in the conn table and exhaust the ASA memory by a lot of connections that are not really used. After dropping the fragment the ASA waits for the timeout specified by the tcp-proxy-reassembly to delete the connection from the connection table.
So in summary the ASA uses this command not to delete the fragment after the timeout , it uses this command to delete the connection after the drop of the fragment (which is caused by the buffer limit) with the time.
So keep in mind when you use it.
Best regards,
Ernesto. -
Why Sound.close() doesn't send a tcp.FIN?
Hello guys...
Like topic says... I got my mp3 audio streaming loaded with Sound.load method.
when i'm done i call the close() method but no FIN is received from server side.
Since i manage the server too, i can see the latter keep on pumping data through the socket that never shutdown.
Someone knows why?
This run on Flex 3.5 and Air 3.1
Thanks in advance
DavideThat is very strange indeed, drnick48z! I just tried it by sending a text to myself and it worked great. Sometimes, the service experiences issues if the browser you're using is unable to support it. If you're still unable to use this service, please let me know. I can help!
-
ACE Exception during conversation
After upgrading ACE module from A2(3.1) to A2(3.2) we started getting complaints about the ablity to upload a file in one of our applications. We are able to recreate the problem and noticed that when there is a failure, the ACE sends a TCP RST in both directions and closes the connection with the Exception reason. This is in the middle of a prefectly good conversation and there does not appear to be an external reason for it. I noticed a couple of other discussions with a similar problem but with no conclusions. Looking at the caveats in the release notes does not give any clues to this being a known bug. Has anyone else dealt with this problem and found a fix?
Here is some information to illustrate.
Sep 16 2010 13:48:27 Core-FWSM : %FWSM-6-302013: Built outbound TCP connection 145057001608450058 for inside:10.3.66.209/3605 (10.3.66.209/3605) to Burnet_dmz:10.2.0.56/443 (10.2.0.56/443)
Sep 16 2010 13:48:26 DMZ: %ACE-6-302022: Built TCP connection 0x21280c for vlan120:10.3.66.209/3605 (10.3.66.209/3605) to vlan130:10.2.0.56/443 (10.2.0.151/443)
Sep 16 2010 13:49:22 DMZ: %ACE-6-302023: Teardown TCP connection 0x21280c for vlan120:10.3.66.209/3605 (10.3.66.209/3605) to vlan130:10.2.0.56/443 (10.2.0.151/443) duration 0:00:55 bytes 2554818 Exception
Sep 16 2010 13:49:22 Core-FWSM : %FWSM-6-302014: Teardown TCP connection 145057001608450058 for inside:10.3.66.209/3605 to Burnet_dmz:10.2.0.56/443 duration 0:00:55 bytes 2641677 TCP Reset-O
ACE error message 302023
Error Message %ACE-6-302023: Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason]
Explanation This informational message is logged when a TCP connection slot between two hosts is terminated.
The reason variable presents the action that causes the connection to terminate. Table 2-1 lists the TCP termination causes.
Table 2-1 TCP Termination Reasons
Reason Description
TCP FINs Normal close down sequence.
TCP Reset A TCP reset is received.
Idle Timeout TCP connection is timed out.
FIN Timeout TCP FIN timeout.
SYN Timeout TCP SYN timeout.
Exception Connection setup error.
Policy Close A policy closes the TCP connection.
Voluntary Close TCP connection is closed voluntarily by a user.
Rebalance HTTP rebalance.
Reuse Conn. Connection is reused.
Reap Conn. Connection is closed due to control plane reap messages.
Xlate clear Connection is closed due to execution of a clear xlate command.
Conn clear Connection is closed due to execution of a clear conn command.
Recommended Action None required.Thanks for the reply Joel. You are correct we were experincing the noted bug. We opened a TAC case and worked with Jim Sirstin to identify that this was our problem. We implemented the suggested work around and it solved the problem. Here is the detail for the bug, which is in the ACE release notes.
Symptom:
ACE resets TCP based client connection in case there is packet loss from client end and ACE is waiting to re-assemble client traffic.
Conditions:
In an environment where:
(1) ACE is configured with a L7 load-balance policy where ACE proxies the client side TCP connection before making a load-balancing decision,
(2) Client side connection experiences packet loss and
(3) "TCP TX racing messages (data) " counter from ACE CLI command "show np X me-stats -stcp" output is incrementing.
Note: This problem can also occur with secure (SSL) terminated connections.
Workaround:
Configure an "empty" connection parameter-map and add it to multi-match policy-map under class-map configured for the VIP experiencing the problem.
Example:
parameter-map type connection TCPReassembly
policy-map multi-match MultiMatch_PolicyMap
class HTTP_VIP_80
loadbalance vip inservice
loadbalance policy L7_HTTP_PolicyMap
loadbalance vip icmp-reply active
connection advanced-options TCPReassembly -
We have a new secure site where we are using the ACE as a ssl-proxy. I see connections make it all the way to the servers, but the session eventually times out (Browser responds with "The connection has timed out"). I haven't been able to grab a packet capture yet, but I am looking for some input since I am new to the ACE. We are also set up for sticky connections using cookies.
I see connections to the server but no response back. I also see the cookie places in my browser. Once I close the browser window, the current connection drops.
sh serverfarm SECUREMAIL
serverfarm : SECUREMAIL, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: E01
10.0.0.95:8080 8 OPERATIONAL 1 4 0
rserver: E02
10.0.0.98:8080 8 OPERATIONAL 0 1
I verified the cert and keys match with the verify cryto command. If I bypass https and connect via http, I am able to hit the server test page. I attached the scrubbed config.
Any info is appreciated.Make sure clock on supervisor/device has correct date to avoid not before not after check of cert.
Once the configuration is complete, check to make sure the VIP address can be accessed via HTTPS in a web browser. If any certificate errors are shown, this indicates a problem with the certificate, not with the Cisco ACE configuration. The above commands can be used to verify that SSL sessions are being terminated successfully.
When a client’s web browser connects to an SSL server on any device, the browser and server negotiate which encryption cipher to use for the session. The list and order of ciphers presented by the ACE in a default configuration are as follows.
1. CM_SSL_RSA_WITH_RC4_128_MD5
2. CM_SSL_RSA_WITH_RC4_128_SHA
3. CM_SSL_RSA_WITH_DES_CBC_SHA
4. CM_SSL_RSA_WITH_3DES_EDE_CBC_SHA
5. CM_SSL_RSA_WITH_AES_128_CBC_SHA
6. CM_SSL_RSA_WITH_AES_256_CBC_SHA
7. CM_SSL_RSA_EXPORT_WITH_RC4_40_MD5
8. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
9. CM_SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
10. CM_SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
11. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
If this list is not desirable or the order needs to be changed, an SSL parameter map can be configured to make such changes.
Can you send the output of the following commands to suggest more on your config
ACE-1/routed#show crypto authgroup all
ACE-1/routed# show conn display 1000 detail
ACE-1/routed# show crypto files
ACE-1/routed# show crypto certificate all
ACE-1/routed# show crypto key all
ACE-1/routed# show crypto session
ACE-1/routed# show crypto hardware
ACE-1/routed# show service-policy detail
Please Display client SSL statistics by entering the the following command and also attach it here so that I can also see what is happening in your ace device:
ACE_module5/Admin# show stats crypto client
+----------------------------------------------+
+---- Crypto client termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 0
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto client alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto client authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto client cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
To Display SSL server statistics by entering the following command and send the results to us for further suggestions:
ACE_module5/Admin# show stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 0
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Also you can Display the number of SSL data messages sent and SSL FIN/RST messages sent by entering the following command and send the output from your ACE devices:
ACE_module5/Admin# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0 , TCP data msgs sent : 0
Inspect parse result msgs : 0 , SSL data msgs sent : 0 <-------
sent
TCP fin/rst msgs sent : 0 , Bounced fin/rst msgs sent: 0
SSL fin/rst msgs sent : 0 , Unproxy msgs sent : 0 <-------
Drain msgs sent : 0 , Particles read : 0
Reuse msgs sent : 0 , HTTP requests : 0
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 0 , HTTP redirects : 0
HTTP chunks : 0 , Pipelined requests : 0
HTTP unproxy conns : 0 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 0 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 0
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
Lastly to Display session cache statistics for the current context by entering the following command:
switch/Admin# show crypto session
SSL Session Cache Stats for Context
Number of Client Sessions: 0
Number of Server Sessions: 0
Please send the output of all the commands requested to see in more detail for your issue.
HTH
Sachin -
SPA901 doesn't accept HTTP anymore, only ping
Hi everybody,
we bought 2 SPA901 phones about 10 months ago.
Now, one of them doesn't connect to the VOIP service provider anymore. The red light is flashing constantly.
Also, I'm unable to access the configuration menu with a browser.
The phone answers ping messages, but all attempts to connect via a browser (Opera, lynx) get a TCP FIN-RST packet response, so the browser says "Unable to connect to remote host."
The phone also doesn't react to key "****" presses anymore.
So. the phone is basically working, doing Ethernet and ping, but the higher application including key presses and Web server seem to hang. Powering off even for hours doesn't help.
Is there any cure like an internal reset or is it possible to get a new firmware somehow via downlaod or with a new chip?We have set up an IP PBX system using an SPA9000 as server and 5 Linksys IP Phones (2 SPA941 and 3 SPA901). Actually we are having problems with 2 SPA 901.
On the SPA9000, the pbx status shows that all 5 phones are correctly registered. However from time to time, the red light (NOT the status LED) on the SPA901 flashes and we are unable to process calls.
Sometimes this problem is solved without any intervention from our side. At times we have to reconnect the ethernet cable to the phone for it to stop flashing. And very often the red light does not stop flashing making it impossible to make or receive calls.
We have checked the datapoints to which the SPA901 phones are connected and there are no problems with them whatsoever.
Is it possible that the SPA901 have some kind of bug?
Please advise. -
Ip flow-cache timeout active 2
Good afternoon. On my 1841 when i enter the "ip flow-cache timeout active 2" command it accepts this command with no errors. But when i look at my running-config this does not list.
I did the same thing on my 2811's and 3745 and it shows up in the running-config.
Should I assume if it doesnt' show up in my config file than it is not applied?
How can I verify that it is or isn't?
Thanks...Use the show commands "sh ip cache flow" and "sh ip flow export" to verify the NetFlow configurations. If the output of show command shows the active flow timeout to be 2, it has been applied.
Regards,
Don Thomas Jacob
ManageEngine NetFlow Analyzer -
Hello
I have a pair of 11503's configured in one arm mode runnig version 08.10.1.06. Everything works well, but some clients connect to Oracle databases and run queries that last for 5 - 6 hours. The session is OK for 3-4 hours then the CSS issues a RST and kills the connection. The same config (not in one arm mode) on a 11150 with version 6.10 works fine and doesn't issue a RST. Any ideas ?
ThanksHere's the config for the content
content B****
redundant-index 202
add service EA***1
add service EA***2
advanced-balance sticky-srcip
sticky-inact-timeout 720
protocol tcp
vip address 10.xx.xx.xx
flow-timeout-multiplier 100
active
And here's the last packet from the CSS to the client.
Transmission Control Protocol, Src Port: 9015 (9015), Dst Port: aspen-services (1749), Seq: 55217, Len: 0
Source port: 9015 (9015)
Destination port: aspen-services (1749)
Sequence number: 55217 (relative sequence number)
Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set
Header length: 20 bytes
Flags: 0x04 (RST)
This is after 3.5 hours of the session becoming idle and before the flow-timeout-multiplier 100 command went in.
the command does not appear to have made any difference.
Again many thanks
Peter -
Hi,
does anyone has experience with ip tcp intercept configuration on cisco 6500 for protecting network against TCP SYN flooding.
Which mode is recommended to configure (intercept or watch) and how can affect CPU on cisco 6500?
Any infos regarding that would be much appreciated.
Thank you
SaljaHey Salja,
In Sup720 for TCP Intercept the support is as follows:
Watch mode: Initial TCP packets (SYN, SYN-ACK and ACK of SYN-ACK) and terminating TCP packets (FIN, RST) of a TCP flow is sent to RP for processing in SW. All other TCP packets of the flow are handled in HW using netflow (if TCP packets come in before the netflow entry is created it will get punted to SW). Note that the rate of netflow entry creation is limited and if new TCP connections come in at a rate faster than the rate at which netflow entries can be created in HW there will be large number of packets hitting the CPU.
Intercept Mode: For Intercept mode without timeout the behavior is similar to Watch mode mentioned above. Intercept mode with timeout all packets of a TCP flow is handled in SW by the RP.
So its not advised to use TCP intercept on 6500 as it may degrade box performance. I would suggest using firewall for this feature.
HTH.
Regards,
RS. -
ACE VIP OK HTTP, NOK other TCP port
Hi,
we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
Here goes the relevant config:
probe http PROBE-HTTP
interval 5
passdetect interval 2
passdetect count 1
request method get url /idc/
expect status 200 200
probe tcp PROBE-TCP
port 4444
interval 5
passdetect interval 10
rserver host PRD1
ip address 10.10.10.1
inservice
rserver host PRD2
ip address 10.10.10.2
inservice
serverfarm host SF-HTTP
probe PROBE-HTTP
rserver PRD1 80
inservice
rserver PRD2 80
inservice
serverfarm host SF-TCP
probe PROBE-TCP
rserver PRD1 4444
inservice
rserver PRD2 4444
inservice
sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
timeout 10
serverfarm SF-HTTP
class-map match-all NAT-VIP-HTTP
2 match virtual-address 10.10.35.1 any
class-map match-all NAT-VIP-TCP
2 match virtual-address 10.10.35.1 tcp eq 4444
policy-map type loadbalance first-match LB-VIP-HTTP
class class-default
sticky-serverfarm SC-IP-PRD-HTTP
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match LB-NAT-VIP-TCP
class class-default
serverfarm SF-TCP
policy-map multi-match POLICY-RSERVER-VIP
class NAT-VIP-TCP
loadbalance vip inservice
loadbalance policy LB-NAT-VIP-TCP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
class NAT-VIP-HTTP
loadbalance vip inservice
loadbalance policy LB-VIP-HTTP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
description SERVER-SIDE
ip address 10.10.14.2 255.255.255.0
alias 10.10.14.1 255.255.255.0
peer ip address 10.10.14.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
service-policy input AllowICMP
service-policy input POLICY-RSERVER-VIP
no shutdown
The probe are OK, but nothing seems to get to the VIP:
ACE/CTX# show probe PROBE-TCP
probe : PROBE-TCP
type : TCP
state : ACTIVE
port : 4444 address : 0.0.0.0 addr type : -
interval : 5 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : SF-TCP
real : PRD1[4444]
10.10.10.1 8853 1 8852 SUCCESS
real : PRD2[4444]
10.10.10.2 8853 1 8852 SUCCESS
ACE/CTX# show serverfarm SF-TCP detail
serverfarm : SF-TCP, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
PROBE-TCP, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: PRD1
10.10.10.1:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: PRD2
10.10.10.2:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
ACE/CTX# show service-policy POLICY-RSERVER-VIP
Status : ACTIVE
Interface: vlan 1 200
service-policy: POLICY-RSERVER-VIP
class: NAT-VIP-TCP
nat:
nat dynamic 1 vlan 200
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: LB-NAT-VIP-TCP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
I see a lot of this messages in the logging of the ACE:
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
The client request it's going trough an ASA, in the ASA side I see that the TCP connection it' half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
Thank you.
Best regardsHi Norberto,
The log messages you are getting are most probably the probe connections and not a failure, looking to them you will see your ACE is establishing TCP connection on 4444 then it will teardown the connection with FIN which is expected since you are using TCP keepalives.
I would recommend to go back and define the problem exactly, what are you exteriancing when you try to telnet on port 4444 toward the VIP from the client?
Run sniffing software on the client, the server and enable capture on ACE and ASA will give you exact idea what you are experiencing.
Note: The ASA and the ACE has great capture feature which will show you exactly the packet flows.
Note: Since you are applying NAT on the client requests, you should see the NATed IP address on the server capture.
Note: With L4 load balancing the ACE is not spoofing the clients' request, it just forward the SYN, SYN+ACK and ACK between the server and the client.
Let me know if you have any other questions.
Best regards,
Ahmad -
Hello Everyone,
I have ACE10 Module in my switch core 6509, my context "Proxy" was criated for balance connections to Forefront TMG Servers, this balance needs original client IP Address connections end to end in the solution.
My problem is: The clients are complaining of slowness connection to the internet, i captured the traffic in the ace capture feature and i see some RST packets and severals checksum error packets in pcap file.
The topology is:
Client -> ACE VIP VLAN 81 -> RSERVERS VLAN 80
Vlan 80 is in L2 mode(no interface vlan in the switch core 6509, route occurs through the ace appliance).
The IP address 10.96.200.6 is the gw for rservers.
system: Version A2(3.4) [build 3.0(0)A2(3.4)]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_4.bin
rserver host PANFPRXP301A
ip address 10.96.200.11
inservice
rserver host PANFPRXP301B
ip address 10.96.200.12
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SF-PANPROXY
replicate sticky
serverfarm SF-PAN-PROXY
interface vlan 80
ip address 10.96.200.4 255.255.255.0
alias 10.96.200.6 255.255.255.0
peer ip address 10.96.200.5 255.255.255.0
no normalization
no icmp-guard
access-group input all-access
access-group output all-access
service-policy input ACCESS
no shutdown
interface vlan 81
ip address 10.96.201.4 255.255.255.0
alias 10.96.201.6 255.255.255.0
peer ip address 10.96.201.5 255.255.255.0
no normalization
no icmp-guard
access-group input all-access
access-group output all-access
service-policy input ACCESS
service-policy input INTVLAN80
no shutdown
policy-map multi-match INTVLAN80
class VIP-SF-PANPROXY
loadbalance vip inservice
loadbalance policy SLB-SF-PANPROXY
loadbalance vip icmp-reply active primary-inservice
appl-parameter http advanced-options PARAMETER-HTTP
Logs
====================================================================
Aug 15 2012 10:24:09 : %ACE-6-302023: Teardown TCP connection 0xb9fec for vlan81
:10.93.15.69/1439 (10.93.15.69/1439) to vlan80:10.96.201.10/8080 (10.96.200.12/8
080) duration 0:01:28 bytes 13741 TCP FINs
Aug 15 2012 10:24:09 : %ACE-6-302022: Built TCP connection 0x1121b8 for vlan81:1
0.93.15.69/1443 (10.93.15.69/1443) to vlan80:10.96.201.10/8080 (10.96.200.12/808
0)
Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc400b for vlan81:10
.93.7.69/4863 (10.93.7.69/4863) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc676f for vlan81:10
.93.15.29/2173 (10.93.15.29/2173) to vlan80:10.96.201.10/8080 (10.96.200.12/8080
Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc3621 for vlan81:10
.93.7.84/54169 (10.93.7.84/54169) to vlan80:10.96.201.10/8080 (10.96.200.11/8080
Aug 15 2012 10:24:10 : %ACE-6-302025: Teardown UDP connection 0x110764 for vlan8
0:10.96.200.11/32230 (10.96.200.11/32230) to vlan81:172.17.2.35/53 (172.17.2.35/
53) duration 0:00:11 bytes 126 Idle Timeout
Aug 15 2012 10:24:10 : %ACE-6-302023: Teardown TCP connection 0x111c70 for vlan8
1:10.93.15.69/1441 (10.93.15.69/1441) to vlan80:10.96.201.10/8080 (10.96.200.12/
8080) duration 0:00:02 bytes 1759 TCP FINs
Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0x5fc51 for vlan81:10
.93.7.69/4864 (10.93.7.69/4864) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
Aug 15 2012 10:24:11 : %ACE-6-302022: Built TCP connection 0xc5282 for vlan81:10
.93.5.157/1522 (10.93.5.157/1522) to vlan80:10.96.201.10/8080 (10.96.200.11/8080
Aug 15 2012 10:24:11 : %ACE-6-302022: Built TCP connection 0x10e7a2 for vlan81:1
0.93.15.29/2174 (10.93.15.29/2174) to vlan80:10.96.201.10/8080 (10.96.200.12/808
0)
Aug 15 2012 10:24:11 : %ACE-6-302023: Teardown TCP connection 0x102c48 for vlan8
1:10.84.34.23/1130 (10.84.34.23/1130) to vlan80:10.96.201.10/8080 (10.96.200.12/
====================================================================
If needed, i can send the pcap file for analyse.
Tks a Lot.
RafaelHi Rafael,
Are RST's coming from ACE? What if you access the server directly? If you could raise a TAC case we would do in-depth analysis of the problem.
Regards,
Siva
Maybe you are looking for
-
The right side of the screen of my MacBook Air a yellow line appears very thin and dotted. What can I do to eliminate it? Marco
-
How do i get the "part of project not played" error to stop?
My garageband app lately has been absolutely awful and everytime i do any recording will not let me play it back if im playing multiple tracks over eachother. In one project I have there is only one real acoustic track and when trying to record over
-
From my local machine I am running a Java code which fetches values from DB and writes it into a TXT file and save the TXT file into a different server say 'A'. This part is working fine if I run the Java code from my local machine. I tried deploying
-
Can I associate signatures with aliases in the Maverick Mail app?
Is there any way to have Mail include a specific signature when writing a message using an alias? For example, I would like to always include Signature #1 when using Alias #1, Signature #2 when using Alias #2, etc. I know it's possible to choose the
-
Why does motion unexpectedly quit
when i open up motion, it will all the sudden say "motion had to quit"... does anyone know what is wrong?