What is TCP Splicing on a CSM Vserver

Unanswered Question
Sep 11th, 2009

I'm having an issue with a service on my CSM where the server log is showing "An error occurred receiving data from (10.129.53.250) over TCP/IP. This may be due to a communications failure". That address is the CSM NAT address. When I do a packet capture I see a good number of lost segments and retransmissions (TCP segment of a reassembled PDU) between the CSM and the server. When the CSM is removed from the equation and the server is directly accessed, the issue goes away. We are not seeing issues with other VIPs. What is the TCP splicing feature, and could it help with this issue? The manual has no real explanation of this feature. If this can't help, does anyone have any other ideas?

Thanks,

Dave

sachinga.hcl Fri, 09/11/2009 - 11:16

Hi Carlsond,

IP splicing/hijacking is the process by which a hacker predicts a session number and uses it to take over a legitimate session (usually TCP). The target station will not know that the peer has changed.

TCP splicing is a technique to splice two TCP connections by segment translation, so that data relaying between the two connections can be run at near router speeds. This technique can be used to speed up layer-7 switching, web proxy and application firewall running in the user space.

TCP splicing is a technique to interconnect two separate TCP connections for fast data relay. A TCP splicer changes values in the IP and TCP headers: source and destination IP addresses, port numbers, sequence and acknowledgement numbers, and checksums.

TCP splicing has been commonly used for increasing the performance of serving web content through proxies. Web server architectures built using TCP splicing suffer from two limitations: all traffic between clients and servers typically passes through the proxy, making the proxy a scalability and performance bottleneck; and this architecture cannot tolerate proxy failures.

The CSM provides support for fragmented TCP packets. The TCP fragment feature only works with VIPs that have Level 4 policies defined and will not work for SYN packets or for Layer 7 policies. To support fragmented TCP packets, the CSM matches the TCP fragments to existing data flows or by matching the bridging VLAN ID. The CSM will not reassemble fragments for Layer 7 parsing. Because the CSM has a finite number of buffers and fragment ID buckets, packet resending is required when there are hash collisions.

When enabling TCP splicing, you must designate a virtual server as a Layer 7 device even when it does not have a Layer 7 policy. This option is only valid for the TCP protocol.

To configure TCP splicing, perform this task:

Step 1: Router(config-module-csm)# vserver virtserver-name
Purpose: Identifies the virtual server and enters the virtual server configuration mode.

Step 2: Router(config-slb-vserver)# vserver tcp-protect
Purpose: Designates the virtual server for TCP splicing.

Step 3: Router(config-slb-vserver)# virtual 100.100.100.100 tcp any service tcp-termination
Purpose: Enables TCP splicing.

Kindly see the reference for this as follows:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/3.2/configuration/guide/mapolcy.html#wp1038073

Sachin Garg
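As an added illustration of what the reply above says a TCP splicer rewrites (this is example code written for this page, not CSM code and not part of either post), the following Python model splices two established connections, client to VIP and CSM NAT address to server, by shifting sequence and acknowledgement numbers by the difference between the two connections' initial sequence numbers modulo 2^32, swapping addresses and ports, and recomputing the TCP checksum over the new pseudo-header. The VIP 100.100.100.100 and the NAT address 10.129.53.250 are taken from the thread; the client address 192.0.2.10, the server address 10.129.53.20, all ports and all ISNs are constructed sample values.

```python
"""Worked model of TCP splicing (added example, not CSM code).

After the splicer has completed both handshakes itself, two connections
exist: client <-> VIP and NAT address <-> server.  Splicing then relays
data by rewriting only headers: addresses, ports, sequence/acknowledgement
numbers (offset by the difference between the ISNs of the two connections,
modulo 2^32) and the TCP checksum.  All values below are constructed.
"""
from dataclasses import dataclass, replace
import socket
import struct

MOD = 1 << 32  # sequence numbers wrap at 2^32


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""


@dataclass(frozen=True)
class Endpoint:
    """One endpoint as learned from its SYN: address, port, initial seq number."""
    ip: str
    port: int
    isn: int


class TcpSplicer:
    """Maps segments between connection A (client <-> vip) and B (nat <-> server)."""

    def __init__(self, client: Endpoint, vip: Endpoint, nat: Endpoint, server: Endpoint):
        self.client, self.vip, self.nat, self.server = client, vip, nat, server
        # client->server: the data seq moves from the client's space to the
        # NAT side's space; the ack, which refers to the VIP's seq space,
        # moves to the server's.  The reverse direction uses the inverse offsets.
        self.c2s_seq = (nat.isn - client.isn) % MOD
        self.c2s_ack = (server.isn - vip.isn) % MOD
        self.s2c_seq = (vip.isn - server.isn) % MOD
        self.s2c_ack = (client.isn - nat.isn) % MOD

    def to_server(self, seg: Segment) -> Segment:
        if (seg.src, seg.sport, seg.dst, seg.dport) != (
                self.client.ip, self.client.port, self.vip.ip, self.vip.port):
            raise ValueError("segment does not belong to connection A")
        return replace(seg, src=self.nat.ip, sport=self.nat.port,
                       dst=self.server.ip, dport=self.server.port,
                       seq=(seg.seq + self.c2s_seq) % MOD,
                       ack=(seg.ack + self.c2s_ack) % MOD)

    def to_client(self, seg: Segment) -> Segment:
        if (seg.src, seg.sport, seg.dst, seg.dport) != (
                self.server.ip, self.server.port, self.nat.ip, self.nat.port):
            raise ValueError("segment does not belong to connection B")
        return replace(seg, src=self.vip.ip, sport=self.vip.port,
                       dst=self.client.ip, dport=self.client.port,
                       seq=(seg.seq + self.s2c_seq) % MOD,
                       ack=(seg.ack + self.s2c_ack) % MOD)


def tcp_checksum(src_ip: str, dst_ip: str, tcp_bytes: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus TCP header and data."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_bytes)))
    data = pseudo + tcp_bytes
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries (one's-complement addition)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode(seg: Segment) -> bytes:
    """Serialise a 20-byte header (no options) plus payload with a fresh checksum."""
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      5 << 4, seg.flags, 65535, 0, 0)
    csum = tcp_checksum(seg.src, seg.dst, hdr + seg.payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + seg.payload


def checksum_ok(src_ip: str, dst_ip: str, tcp_bytes: bytes) -> bool:
    """A segment with a valid checksum sums to zero when re-checksummed."""
    return tcp_checksum(src_ip, dst_ip, tcp_bytes) == 0


def sample_splicer() -> TcpSplicer:
    # VIP and NAT address come from the thread; client, server, ports and
    # ISNs are constructed for the example.
    return TcpSplicer(client=Endpoint("192.0.2.10", 40000, 1000),
                      vip=Endpoint("100.100.100.100", 80, 5000),
                      nat=Endpoint("10.129.53.250", 50000, 9000),
                      server=Endpoint("10.129.53.20", 80, 20000))


if __name__ == "__main__":
    sp = sample_splicer()
    req = Segment("192.0.2.10", "100.100.100.100", 40000, 80,
                  seq=1001, ack=5001, flags=0x18, payload=b"GET / HTTP/1.0\r\n\r\n")
    out = sp.to_server(req)
    print(f"to server: {out.src}:{out.sport} -> {out.dst}:{out.dport} "
          f"seq={out.seq} ack={out.ack}")
    print("checksum valid:", checksum_ok(out.src, out.dst, encode(out)))
```

The point a practitioner should take from the model is that every field the reply lists has to be rewritten together: the checksum covers the pseudo-header, so a segment whose addresses were translated but whose checksum was not recomputed is discarded by the receiver, and a sequence or acknowledgement number translated without the modulo 2^32 wrap falls out of the peer's window once an ISN is near the top of the space.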
