TCP Splicing

Unanswered Question
Oct 1st, 2009
User Badges:

Hi


Please can you tell me what is TCP splicing and how it works / helps.


I am having issue in HTTP redirect using CSM.


After my investigation I suspect the CSM takes age to reply SYN_ACK for SYN packets because of that internmittently redirect is not working.


I hope some one should have had the same issue, can you please share with how to fix this?


Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Gilles Dufour Fri, 10/02/2009 - 03:43
User Badges:
  • Cisco Employee,

TCP Splicing is explained here :


http://www.linuxvirtualserver.org/software/tcpsp/index.html


But it is not related to your issue.


Do you have a sniffer trace showing the problem ?

The only reason for the CSM not to respond immediately to a SYN is if it is overloaded.

It could also be because the SYN is dropped in the network.


Several 'show mod csm x tech' should show if the box is overloaded. Check counter with words like fifo, overflow, ...full.


Gilles.


mahendra.raj Fri, 10/02/2009 - 03:59
User Badges:

Hi - Thanks for your reply.


I have attached the sniff traffic (Public IP is hidden)...


when ever I get the page time out.. I am seeing a firewall (Nokia) log saying


"tcp packet out of state first packet isn't syn tcp_flags syn-ack"


At the same time I can see on the CSM Conns = 1 under Vserver


#######################################################

sh module csm 3 vservers name MY_WEB-RD detail

MY_WEB-RD, type = SLB, state = OPERATIONAL, v_index = 52

virtual = 10.10.10.10/32:80 bidir, TCP, service = NONE, advertise = FALSE

idle = 3600, replicate csrp = none, vlan = ALL, pending = 30, layer 4

max parse len = 2000, persist rebalance = TRUE

ssl sticky offset = 0, length = 32

conns = 1, total conns = 574

current load = 2, transition count = 0

Default policy:

server farm = HTTP_REDIRECT, backup =

sticky: timer = 0, subnet = 0.0.0.0, group id = 0

Policy Tot matches Client pkts Server pkts

-----------------------------------------------------

(default) 556 868 343


######################################################


Please advice this CSM is on our core, how safe it is to run the tech-support on this? I am bit afraid to run tech-support....!!!



In addition to that... I have bypassed the Nokia firewall and I tried it works perfectly no drops at all.. But I have this issue only when I go through the Nokia Firewall...!!!




Thanks for your help in advance...



Attachment: 
Gilles Dufour Fri, 10/02/2009 - 04:07
User Badges:
  • Cisco Employee,

do you have active and standby firewall ?

Is it possible that the CSM response goes to the wrong firewall ?

I know nokia firewalls use multicast mac-address which the CSM does not like very much...is the csm directly connected to the firewall ? Could you put the MSFC in between and route between msfc and firewall ?


G.

mahendra.raj Fri, 10/02/2009 - 04:11
User Badges:

well.. the CSM is in Bridge mode and MSFC routes all the traffic to NOKIA...!!




mahendra.raj Mon, 10/05/2009 - 23:35
User Badges:

Hi All,


Any further lights on this for me to fix this...please?


Thanks


Actions

This Discussion