CSS ACK client's SYN when L4 LB?

Unanswered Question
Sep 13th, 2007

If I configure the CSS to do L4 LB (say, tcp-22 for SSH) and NAT as well, does the CSS ACK the client's SYN, or just forward the client SYN to the server? And does the CSS change sequence numbers? Thanks a lot.

Diego Vargas Thu, 09/13/2007 - 08:43

If the CSS is doing layer 4, it should not be spoofing, so pretty much it will look at the SYN and, based on the packet data, decide which server should handle the request and pass the SYN to the server.

It will then wait for the server's SYN/ACK and pass it to the client.

The sequence number will remain the same when doing layer 4 LB.
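The two behaviours contrasted in this answer, as an added example that is not part of the original thread or CSS code: a toy model in which an L4 load balancer only NATs the destination and forwards the client's SYN (the server answers and the client's sequence number is untouched), beside a delayed-binding mode in which the load balancer answers the SYN with its own ISN before any server is involved. All addresses, ports and ISNs are constructed values.

```python
"""Added example (not from the original thread): a toy model of what happens to
a client's SYN under the two load-balancer behaviours discussed above.

L4 mode: the load balancer rewrites only the destination address (NAT) and
forwards the SYN; the chosen server answers with its own SYN/ACK, and the
client's sequence number reaches the server unchanged.
Delayed binding: the load balancer answers the SYN itself with its own ISN and
does not touch any server until the client's handshake has completed.
Addresses and ISNs are constructed values; this is not CSS code."""
from dataclasses import dataclass, replace
from typing import Optional
import zlib


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: Optional[int] = None


class Server:
    def __init__(self, ip: str, isn: int):
        self.ip, self.isn = ip, isn
        self.half_open = {}   # (client ip, client port) -> client ISN, i.e. SYN_RECV entries

    def receive(self, seg: Segment) -> Optional[Segment]:
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            self.half_open[key] = seg.seq
            return Segment(self.ip, seg.src, seg.dport, seg.sport, "SYN/ACK", self.isn, seg.seq + 1)
        if seg.flags == "ACK" and key in self.half_open:
            del self.half_open[key]       # handshake complete, flow leaves SYN_RECV
        return None


class L4LoadBalancer:
    """Chooses a server per flow and NATs the destination; keeps no TCP state."""

    def __init__(self, vip: str, servers: list):
        self.vip, self.servers = vip, servers

    def choose(self, seg: Segment) -> Server:
        flow = f"{seg.src}:{seg.sport}".encode()
        return self.servers[zlib.crc32(flow) % len(self.servers)]

    def to_server(self, seg: Segment) -> tuple:
        srv = self.choose(seg)
        return srv, replace(seg, dst=srv.ip)          # seq/ack fields untouched

    def to_client(self, seg: Segment) -> Segment:
        return replace(seg, src=self.vip)             # hide the real server address


def l4_handshake(lb: L4LoadBalancer, syn: Segment) -> dict:
    """SYN is NATed and forwarded; the server answers and sits in SYN_RECV until the ACK."""
    srv, fwd = lb.to_server(syn)
    synack = lb.to_client(srv.receive(fwd))
    return {
        "synack_from": synack.src,                     # client sees the VIP ...
        "synack_seq": synack.seq,                      # ... but the ISN is the server's
        "client_seq_seen_by_server": fwd.seq,
        "server_half_open": len(srv.half_open),        # 1: the server is in SYN_RECV
    }


def delayed_binding_handshake(lb: L4LoadBalancer, syn: Segment, lb_isn: int) -> dict:
    """The LB completes the client handshake itself; no server sees the SYN."""
    synack = Segment(lb.vip, syn.src, syn.dport, syn.sport, "SYN/ACK", lb_isn, syn.seq + 1)
    srv = lb.choose(syn)                               # bound later, once the client has ACKed
    return {
        "synack_from": synack.src,
        "synack_seq": synack.seq,                      # the LB's own ISN
        "server_half_open": len(srv.half_open),        # 0: nothing reached the server
    }


def demo() -> dict:
    servers = [Server("192.0.2.10", 5000), Server("192.0.2.11", 6000)]
    syn = Segment("203.0.113.5", "198.51.100.1", 40000, 22, "SYN", seq=1000)
    l4 = l4_handshake(L4LoadBalancer("198.51.100.1", servers), syn)
    fresh = [Server("192.0.2.10", 5000), Server("192.0.2.11", 6000)]
    db = delayed_binding_handshake(L4LoadBalancer("198.51.100.1", fresh), syn, lb_isn=7777)
    return {"l4": l4, "delayed_binding": db}
```

Running `demo()` shows the point of the answer: in L4 mode the SYN/ACK carries the server's ISN and the server holds a SYN_RECV entry, while with delayed binding the SYN/ACK carries the load balancer's ISN and the servers hold nothing.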

a12288 Thu, 09/13/2007 - 09:09

Thanks. That's what I thought. Somehow, all of our servers (web, smtp) which are not load-balanced are having outstanding SYN_RECV connections (netstat -na | grep SYN_RECV), but those load-balanced servers (web, imap) do not show those SYN_RECV connections. It makes me wonder whether the CSS is doing something. All of the servers, including the CSS, are behind an FWSM, and we have configured the embryonic limit to 1 to turn on TCP Intercept, but so far have not seen any hits on TCP Intercept. Any thoughts?

Gilles Dufour Fri, 09/14/2007 - 00:54

If the servers that are not load-balanced do not show too many SYN-RECV connections, I would say this is a good thing.

Why do you suspect the CSS?

I would say capture a sniffer trace on the servers showing the SYN_RECV and try to match a SYN-RECV status to what you see in the trace.

You will then understand what is going on.

One more thing: if this was the opposite - load-balanced servers show a lot of SYN_RECV - that could be CSS probes.

But you would see the src IP address being the CSS?
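A first triage step before pulling the sniffer trace suggested above, as an added example that is not part of the original thread: parse the `netstat -na` output, keep the SYN_RECV entries, and for each local port count how many distinct foreign addresses they come from. One address behind all the entries on a port (a health probe, as Gilles mentions, or one broken client) looks very different from entries spread across many addresses. The netstat text below is constructed sample output using documentation address ranges.

```python
"""Added example (not from the original thread): triage the SYN_RECV entries in
`netstat -na` output before matching them against a sniffer trace. Half-open
connections are grouped per local port, and for each port the number of
distinct foreign addresses is counted. The netstat text is constructed sample
output using documentation address ranges."""
import re
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.8:44021      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.99:1025       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.17:33001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.17:33002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.17:33003      SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.7:52000      ESTABLISHED
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, state
LINE_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)")


def parse_netstat(text: str) -> list:
    """Return one dict per TCP socket line; headers and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"laddr": laddr, "lport": lport, "faddr": faddr,
                     "fport": fport, "state": state})
    return rows


def syn_recv_summary(text: str) -> dict:
    """Per local port: how many half-open connections and how many distinct peers."""
    half_open = [r for r in parse_netstat(text) if r["state"] == "SYN_RECV"]
    peers_by_port = defaultdict(Counter)
    for r in half_open:
        peers_by_port[r["lport"]][r["faddr"]] += 1
    summary = {"total": len(half_open), "ports": {}}
    for port, peers in peers_by_port.items():
        top_peer, top_count = peers.most_common(1)[0]
        total = sum(peers.values())
        summary["ports"][port] = {
            "half_open": total,
            "distinct_peers": len(peers),      # 1 -> a single source worth looking at first
            "top_peer": top_peer,
            "top_peer_share": top_count / total,
        }
    return summary
```

On the sample, port 25 has three half-open connections from three different peers, while port 80 has three from a single address, which is the one to look for in the trace.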


a12288 Fri, 09/14/2007 - 03:31

Of course I don't suspect the CSS, I just wonder if the CSS would do something more to protect the backend servers, and you guys just confirmed that L4 would not do delay bind.

So if the NetPros have not seen a similar scenario here, I would say our non-load-balanced server is the target.

Gilles Dufour Fri, 09/14/2007 - 04:35

OK, the CSS does something to protect the servers.

There is the DoS feature.

If the TCP handshake does not complete in 16 sec, the connection is reset.

You can do a 'show dos' to see if the CSS had to clean up connections.
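The two half-open connection controls mentioned in this thread, as an added example that is not CSS or FWSM code: a simulation of a 16 s handshake timeout that tears down connections still in SYN_RECV (the CSS DoS behaviour Gilles describes), combined with an embryonic connection limit modelled on the FWSM setting a12288 mentions, where SYNs beyond the limit are intercepted by the firewall rather than passed to the server. Timestamps and client addresses are constructed.

```python
"""Added example (not from the original thread): a simulation of the two
half-open connection controls mentioned in this thread, neither of which is
CSS or FWSM code. The 16 s handshake timeout follows Gilles's description of
the CSS dos feature; the embryonic limit models the FWSM setting a12288
mentions, with SYNs beyond the limit intercepted by the firewall instead of
reaching the server. Timestamps and client addresses are constructed."""
from dataclasses import dataclass, field

HANDSHAKE_TIMEOUT = 16.0   # seconds; handshakes still incomplete after this are reset


@dataclass
class EmbryonicTracker:
    embryonic_limit: int              # max simultaneous half-open connections per server
    timeout: float = HANDSHAKE_TIMEOUT
    half_open: dict = field(default_factory=dict)   # (client, port) -> time SYN was seen
    resets: list = field(default_factory=list)      # half-open flows torn down on timeout
    intercepted: int = 0                            # SYNs handled by the firewall, not the server

    def on_syn(self, now: float, client: str, sport: int) -> str:
        """Forward the SYN to the server, or intercept it once the limit is reached."""
        self.expire(now)
        if len(self.half_open) >= self.embryonic_limit:
            self.intercepted += 1
            return "intercept"
        self.half_open[(client, sport)] = now
        return "forward"

    def on_ack(self, now: float, client: str, sport: int) -> bool:
        """Third packet of the handshake: the flow leaves SYN_RECV."""
        return self.half_open.pop((client, sport), None) is not None

    def expire(self, now: float) -> int:
        """Reset every half-open flow older than the timeout; returns how many."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]
            self.resets.append(k)
        return len(stale)


def simulate() -> dict:
    """Three SYNs, a fourth over the limit, one completed handshake, then a timeout sweep."""
    tr = EmbryonicTracker(embryonic_limit=3)
    events = [
        tr.on_syn(0.0, "203.0.113.1", 40001),
        tr.on_syn(0.0, "203.0.113.2", 40002),
        tr.on_syn(0.0, "203.0.113.3", 40003),
        tr.on_syn(1.0, "203.0.113.4", 40004),   # fourth half-open flow: intercepted
    ]
    completed = tr.on_ack(2.0, "203.0.113.1", 40001)
    events.append(tr.on_syn(3.0, "203.0.113.5", 40005))   # slot freed by the ACK
    expired = tr.expire(17.0)                    # .2 and .3 never ACKed: reset after 16 s
    return {"events": events, "completed": completed, "expired": expired,
            "intercepted": tr.intercepted, "still_half_open": len(tr.half_open),
            "resets": tr.resets}
```

The counters in `simulate()` are the same kind of numbers a `show dos` style display would report: how many handshakes had to be cleaned up, and how many SYNs never reached the server because the embryonic limit was already hit.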
