ACE TCP connection timeout

Jul 3rd, 2007

Hello,


Our customer has a problem with correctly closing TCP connections on the ACE. The TCP session (HTTP protocol) is closed _correctly_ (we can see it in the sniffer output), but 'sh conn' on the ACE shows it as 'established' (the session is already closed). The TCP timeout is set to the default (60min).


Any new connection from the same src port (because of many connections to the service) is closed after the TCP session is established.


When I try to generate 200 concurrent TCP sessions in my lab, these are closed correctly on the ACE. The customer's traffic is around 20-30.000 concurrent sessions, but I can't generate that much traffic.


SW version on the ACE: 3.0(0)A1(3b)


thx

--

martin

Gilles Dufour (Cisco Employee) Tue, 07/03/2007 - 05:42

I know there is a ddts about this but just can't locate it right now.

Your customer MUST upgrade to A1.5


Got it:

CSCsi15461

tcp conns are not closing properly causing new syns to drop silently


Gilles.

Martin Kyrc Tue, 07/03/2007 - 05:57

Thanks Gilles!


The problem occurs only with traffic from WAP nodes (too many short HTTP requests).


We'll try the upgrade to A1(5b), but I'm not sure if this is our problem...


Bug description:


Symptom:

With L7 LB configuration, sometimes connections do not close.


Conditions:

SYN sent to Real server may result in ACK coming from server. ACE TCP module was not handling this ACK correctly.


...but our traffic is only L4 LB and we have a problem with connection state on the ACE from both sides (client and server). On the client and server side the connection is closed properly, but on the ACE module ('sh conn') we can see it in the 'established' state. It's closed after the TCP timeout, and that is not correct.


martin

Gilles Dufour (Cisco Employee) Tue, 07/03/2007 - 06:49

If you see the same problem in A1(5), you'll need to capture a trace and the 'show conn det' output showing the status of the connection.


Also from the 'show conn' you should get the NP id [1 or 2] and the connection id.

Then issue the command 'show np [1|2] me-stat "-c "'


Do it for both sides of the connection.


Then open a service request and send all your data.

We'll need to review all this and if necessary create a new bug to fix your problem.


Regards,


Gilles.

Martin Kyrc Wed, 07/25/2007 - 13:32

After the upgrade... the same situation. The problem was solved by enabling 'normalization' (normalization was turned off on the client-side interface).


A description of this is posted to this forum, subject 'ACE with 'no normalization' - bug or feature?', Jul 24, 2007.


martin
