TCP Splicing

Unanswered Question
Oct 1st, 2009

Hi

Please can you tell me what is TCP splicing and how it works / helps.

I am having an issue with HTTP redirect using CSM.

After my investigation I suspect the CSM takes ages to reply with SYN_ACK to SYN packets; because of that, the redirect intermittently does not work.

I hope someone has had the same issue; can you please share how to fix this?

Thanks

Gilles Dufour Fri, 10/02/2009 - 03:43

TCP Splicing is explained here:

http://www.linuxvirtualserver.org/software/tcpsp/index.html

But it is not related to your issue.

Do you have a sniffer trace showing the problem?

The only reason for the CSM not to respond immediately to a SYN is if it is overloaded.

It could also be because the SYN is dropped in the network.

Several 'show mod csm x tech' should show if the box is overloaded. Check counters with words like fifo, overflow, ...full.

Gilles.

mahendra.raj Fri, 10/02/2009 - 03:59

Hi - Thanks for your reply.

I have attached the sniff traffic (Public IP is hidden)...

Whenever I get the page timeout, I am seeing a firewall (Nokia) log saying

"tcp packet out of state first packet isn't syn tcp_flags syn-ack"

At the same time I can see on the CSM Conns = 1 under Vserver

#######################################################
sh module csm 3 vservers name MY_WEB-RD detail
MY_WEB-RD, type = SLB, state = OPERATIONAL, v_index = 52
  virtual = 10.10.10.10/32:80 bidir, TCP, service = NONE, advertise = FALSE
  idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4
  max parse len = 2000, persist rebalance = TRUE
  ssl sticky offset = 0, length = 32
  conns = 1, total conns = 574
  current load = 2, transition count = 0
  Default policy:
    server farm = HTTP_REDIRECT, backup =
    sticky: timer = 0, subnet = 0.0.0.0, group id = 0
  Policy          Tot matches  Client pkts  Server pkts
  -----------------------------------------------------
  (default)       556          868          343
######################################################

Please advise: this CSM is on our core, how safe is it to run the tech-support on this? I am a bit afraid to run tech-support....!!!

In addition to that... I have bypassed the Nokia firewall and tried it; it works perfectly, no drops at all.. But I have this issue only when I go through the Nokia firewall...!!!

Thanks for your help in advance...

Gilles Dufour Fri, 10/02/2009 - 04:07

Do you have active and standby firewalls?

Is it possible that the CSM response goes to the wrong firewall?

I know Nokia firewalls use multicast MAC addresses, which the CSM does not like very much... Is the CSM directly connected to the firewall? Could you put the MSFC in between and route between the MSFC and the firewall?

G.
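
The "first packet isn't syn ... syn-ack" log quoted in this thread is what a stateful firewall produces when a SYN-ACK reaches a unit that never saw the SYN, the "wrong firewall" case asked about above. The following is an added example, not part of any poster's message: the firewall names fw-a/fw-b, the client address and the state-table logic are assumptions, and only the VIP 10.10.10.10:80 comes from the thread.

```python
# Added illustration: toy model of a stateful firewall's first-packet check.
# Firewall names, the client address and the packet lists are constructed;
# only the VIP 10.10.10.10:80 is taken from the thread.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags via")
FLAG_NAMES = {"S": "syn", "SA": "syn-ack", "A": "ack"}

def flow_key(p):
    """Direction-independent key so both halves of a connection match."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def inspect(packets):
    """Replay packets through per-firewall state tables.

    Returns a list of (firewall, tcp_flags) for packets rejected because the
    firewall that saw them holds no state and the packet is not a bare SYN.
    """
    tables = {}  # firewall name -> set of flow keys created by a SYN
    rejected = []
    for p in packets:
        table = tables.setdefault(p.via, set())
        key = flow_key(p)
        if key in table:
            continue                      # established flow: accept
        if p.flags == "S":
            table.add(key)                # bare SYN creates state
            continue
        rejected.append((p.via, FLAG_NAMES[p.flags]))
    return rejected

CLIENT, VIP = ("192.0.2.10", 40000), ("10.10.10.10", 80)

# Both directions cross the same firewall: nothing is rejected.
SYMMETRIC = [
    Pkt(*CLIENT, *VIP, "S", "fw-a"),
    Pkt(*VIP, *CLIENT, "SA", "fw-a"),
    Pkt(*CLIENT, *VIP, "A", "fw-a"),
]
# The SYN-ACK returns through the other firewall, which never saw the SYN.
ASYMMETRIC = [
    Pkt(*CLIENT, *VIP, "S", "fw-a"),
    Pkt(*VIP, *CLIENT, "SA", "fw-b"),
]

if __name__ == "__main__":
    for name, trace in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        print(name, inspect(trace))
```

In a real capture the same check amounts to comparing, per firewall interface, whether each SYN-ACK has a matching SYN seen on that same unit.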

mahendra.raj Fri, 10/02/2009 - 04:11

Well.. the CSM is in bridge mode and the MSFC routes all the traffic to the NOKIA...!!
